

# Managing a firewall and firewall endpoints in AWS Network Firewall
<a name="firewall-managing"></a>

This section describes how to create, update, and delete your firewall and its endpoints in AWS Network Firewall. 

**How Network Firewall propagates your changes**  
When you make any changes to a firewall, including changes to any of the firewall's components, like rule groups, TLS inspection configurations, and firewall policies, Network Firewall propagates the changes everywhere that the firewall is used. Your changes are normally applied within minutes, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. For example, if you modify a rule group so that it drops an additional type of packet, for a firewall that uses the rule group, the new packet type might briefly be dropped by one firewall endpoint while still being allowed by another. 

This temporary inconsistency can occur when you first create a firewall and when you make changes to an existing firewall. Generally, any inconsistencies of this type last only a few seconds. 

When you add a TLS inspection configuration to an existing firewall, Network Firewall interrupts the traffic flows that match the scope defined in the TLS inspection configuration, and begins SSL/TLS decryption and inspection for new connections to the firewall.

Changes to stateful rules are applied only to new traffic flows. Other firewall changes, including changes to stateless rules, are applied to all network packets. 

**Topics**
+ [Creating a firewall in AWS Network Firewall](creating-firewall.md)
+ [Creating a VPC endpoint association in AWS Network Firewall](creating-vpc-endpoint-association.md)
+ [Updating a firewall in AWS Network Firewall](firewall-updating.md)
+ [Deleting a firewall in AWS Network Firewall](deleting-firewall.md)
+ [Deleting a VPC endpoint association in AWS Network Firewall](deleting-vpc-endpoint-association.md)

# Creating a firewall in AWS Network Firewall
<a name="creating-firewall"></a>

You can create a firewall in Network Firewall to start using the protections you've defined in a firewall policy to protect a VPC.

There are two ways you can create a firewall:
+ Create a VPC-attached firewall to protect a VPC
+ Create a transit gateway-attached firewall to enable centralized network inspection

**Note**  
To create a transit gateway-attached firewall, you can accept a transit gateway that has been shared with you through AWS RAM or a transit gateway that you own.

**Important**  
Before you begin, make sure your VPC has at least one subnet that can host a firewall endpoint. The subnet must be dedicated to Network Firewall use and cannot be used for other resources. For information about subnet requirements and configuration, see [VPC subnets](vpc-config-subnets.md).

**To create a firewall through the console**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. Choose **Create firewall**.

1. Enter a **Name** to identify this firewall.
**Note**  
You can't change the name after you create the firewall.

1. (Optional) Enter a **Description** for the firewall to help you identify it among your other resources.

1. Choose **Next**.

1. Choose your **VPC** from the dropdown list.
**Note**  
You can't change the VPC after you create the firewall.

1. For **Firewall subnets**, choose the Availability Zones and subnets that you want to use for your primary firewall endpoints. You can choose up to one subnet for each Availability Zone that your VPC spans, and you must specify a subnet in any Availability Zone where you want to create endpoints using VPC endpoint associations.

   The subnets that you specify should be dedicated for Network Firewall firewall use. For more information, see [VPC subnets](vpc-config-subnets.md).

1. Choose **Next**.

1. For **Attachment type**, choose either:
   + **VPC** - Create a firewall in subnets in a VPC
   + **Transit Gateway** - Create a firewall that automatically provisions networking components

1. Based on your attachment type selection:

   1. If you selected **VPC**:

      1. Choose your **VPC** from the dropdown list.
**Note**  
You can't change the VPC after you create the firewall.

      1. For **Firewall subnets**, choose the Availability Zones and subnets that you want to use for your firewall endpoints.

   1. If you selected **Transit Gateway**:

      1. For **Transit Gateway**, choose an existing transit gateway from the dropdown list. The list includes:
         + Any transit gateway attachment in your account (marked as "this account")
         + AWS Transit Gateways shared with you from other accounts (showing the owner account ID)
**Note**  
If you need to create a new transit gateway, open the Transit Gateway console in a new tab. After creating the transit gateway, return to this page and refresh the Transit Gateway selector.

      1. For **Availability Zones**, select the Availability Zones for your firewall. Consider:
         + To maintain Availability Zone isolation, enable the firewall in every Availability Zone where you have workloads
         + You must select at least one Availability Zone
         + You can modify Availability Zones later, but this may briefly disrupt traffic

1. (Optional) Under **Protection against changes**, enable **Deletion protection** and **Subnet change protection** to protect your firewall against accidental changes.

1. (Optional) Under **Customer managed key**, toggle **Customize encryption settings** to use an AWS Key Management Service customer managed key to encrypt your resources. For more information about this option, see [Encryption at rest with AWS Key Management Service](kms-encryption-at-rest.md).

1. Choose **Next**.

1. (Optional) Under **Traffic analysis mode**, select **Enable traffic analysis mode** to enable access to HTTP and HTTPS traffic reporting.
**Note**  
Enabling traffic analysis mode does not automatically generate a report when you finish creating your firewall. See [Reporting on network traffic in Network Firewall](reporting.md) for more information on report generation.
**Important**  
Network Firewall only starts collecting traffic analysis metrics when you enable **Traffic analysis mode** on your firewall. Traffic observed before you enable **Traffic analysis mode** is not included in reporting. 

1. For the **Associate firewall policy** section, choose the firewall policy that you want to associate with the firewall.

1. Choose **Create firewall**.

## Next steps
<a name="new-firewall-next-steps"></a>

After you create your firewall, it appears in the **Firewalls** page. As the firewall owner, you have full control over its configuration and management.

Complete these tasks to start using your firewall:

1. Required: Configure your firewall policy to define how traffic is filtered. For information, see [Firewall policies in AWS Network Firewall](firewall-policies.md).

1. Required: Configure your VPC route tables to direct traffic through your firewall endpoints. For information, see [VPC route table configuration for AWS Network Firewall](vpc-config-route-tables.md).

You can also enhance your firewall's capabilities with these optional tasks:
+ Set up logging to monitor network traffic through your firewall. For information, see [Logging network traffic from AWS Network Firewall](firewall-logging.md).
+ Create VPC endpoint associations to extend your firewall's protection to additional VPCs or to create multiple endpoints in a single Availability Zone. For information, see [Creating a VPC endpoint association](creating-vpc-endpoint-association.md).

# Creating a VPC endpoint association in AWS Network Firewall
<a name="creating-vpc-endpoint-association"></a>

Create VPC endpoint associations to establish new firewall endpoints in any Availability Zone where the firewall is already being used. The first use of a firewall in an Availability Zone must be defined by the firewall owner in the firewall subnet specifications. For more information about where to specify endpoints, see [Firewalls and firewall endpoints](firewalls.md).

**Important**  
VPC endpoint associations are available for VPC-attached firewalls created in Network Firewall, but not for transit gateway-attached firewalls created using AWS Transit Gateway.

Before you create a VPC endpoint association, review these requirements:
+ You must own the firewall that you want to use or it must be shared with you. If you don't own the firewall, ask the owner to share it with your account. For information about sharing firewalls, see [Sharing Network Firewall resources](sharing.md).
+ A VPC endpoint association can only be created in an Availability Zone where the firewall already has a primary endpoint.
+ For same-account associations:
  + VPC endpoint associations can be created within the firewall owner's account, either in different subnets of the same primary VPC or in different VPCs
+ For cross-account associations:
  + VPC endpoint associations can be created from another account for different VPCs, but the firewall must be shared with you
+ The subnet that you want to use in the VPC must be available to host a firewall endpoint. For information, see [VPC subnets](vpc-config-subnets.md).

**To create a VPC endpoint association through the console**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **VPC endpoint associations**.

1. In the **VPC endpoint associations** page, choose **Create VPC endpoint association**.

1. Choose the firewall that you want to use.

1. Choose the VPC that you want to protect.

1. Choose the Availability Zone and subnet where you want to place the firewall endpoint. The subnet should be dedicated for Network Firewall firewall use. For more information, see [VPC subnets](vpc-config-subnets.md).
**Note**  
If you don't see the Availability Zone that you want, check that the firewall itself has a subnet defined there. You can only define VPC endpoint associations in Availability Zones where the firewall is already in use. If you don't own the firewall, ask the owner.

1. (Optional) Expand **Additional configurations** to provide a description for the association and assign key-value tags to it. For information about tagging your AWS resources, see [Tagging AWS Network Firewall resources](tagging.md).

1. Choose **Create VPC endpoint association**.

## Next steps
<a name="new-vpc-endpoint-association-next-steps"></a>

After you create a VPC endpoint association, complete these steps:

1. Verify the status of your VPC endpoint association. The status should change from **Provisioning** to **Ready** when the endpoint is available to process traffic.

1. Configure your VPC route tables to direct traffic through the new firewall endpoint. For information, see [VPC route table configuration for AWS Network Firewall](vpc-config-route-tables.md).

1. If needed, update your firewall policy to accommodate the new endpoint. See [Firewall policies in AWS Network Firewall](firewall-policies.md) for details on managing firewall policies.

1. Consider setting up logging for your firewall to track traffic through the new endpoint. For information about logging, see [Logging and monitoring in AWS Network Firewall](logging-monitoring.md).

Remember, changes to your network configuration can affect your security posture. Always verify that your new endpoint is functioning as expected and that it complies with your organization's security policies.

# Updating a firewall in AWS Network Firewall
<a name="firewall-updating"></a>

After you create a firewall, you can update its settings or view reports on its traffic from within the console. To make changes to your firewall settings or to view reports through the console, use the following procedure.

**Warning**  
If your firewall update changes your stateful rule evaluation order type, you will experience an interruption of in-flight traffic through the firewall for a few seconds during the reset. This is the only type of update that has this effect. For more information about stateful rule evaluation order types, see [Managing evaluation order for Suricata compatible rules in AWS Network Firewall](suricata-rule-evaluation-order.md). 

Updating a firewall affects all endpoints for the firewall, both those defined inside the firewall and those defined as VPC endpoint associations.

**To update a firewall**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page. 

1. Choose the tab **Firewall details**, then, in each section where you want to make changes, choose **Edit** and follow the console guidance to make your changes. 
   + In the **Details** section, you can change the firewall description. The name is fixed after creation.
   + In the **Traffic analysis mode** section, you can enable or disable traffic analysis, which lets you generate reports on HTTP or HTTPS traffic from the last 30 days. Enabling and disabling **Traffic analysis mode** does not impact traffic flow or automatically trigger report creation.
**Important**  
Network Firewall only starts collecting traffic analysis metrics when you enable **Traffic analysis mode** on your firewall. Traffic observed before you enable **Traffic analysis mode** is not included in reporting. 
   + In the **Associated policy and VPC** section, you can add and remove Availability Zones and subnets and you can associate a different firewall policy. The VPC is fixed after creation. 
   + In the **Logging** section, you can configure logging for alert, flow, and TLS logs. For information about your logging options and costs, see [Logging network traffic from AWS Network Firewall](firewall-logging.md).
   + In the **Firewall tags** section, you can change the tags assigned to the AWS firewall resource. For information about tagging, see [Tagging AWS Network Firewall resources](tagging.md).

1. Choose the **Monitoring** tab, then follow the console guidance to use the available reporting capabilities. 
   + In the **Firewall requests** section, you can view a chart of dropped, passed, and received stateless and stateful packets monitored by the firewall within a customizable time frame.
   + In the **Reports** section, if you have enabled traffic analysis mode, you can generate an HTTP or HTTPS report or view the status of reports you already created. For information about these reports and report generation, see [Reporting on network traffic in Network Firewall](reporting.md). 
**Note**  
Enabling traffic analysis mode does not automatically generate a report when you finish creating your firewall. See [Reporting on network traffic in Network Firewall](reporting.md) for more information on report generation. 

1. Choose **Save** to save your changes and return to the firewall's detail page.

# Deleting a firewall in AWS Network Firewall
<a name="deleting-firewall"></a>

The procedure for deleting a firewall has the following prerequisites:
+ You must disassociate the firewall from any other AWS resources, including VPC endpoint associations. If your firewall has a VPC endpoint association you don't own, ask the owner to delete that VPC endpoint association.
+ You must remove the firewall from any VPC route tables that mention it.
+ You must disable the firewall's logging configuration. For information about updating a firewall's logging configuration, see [Updating an AWS Network Firewall logging configuration](firewall-update-logging-configuration.md).
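
The route-table and logging prerequisites above, together with the deletion protection setting, lend themselves to a scripted pre-flight check. The following is an added example, not code from the Network Firewall documentation or an AWS tool: it takes the JSON that `aws network-firewall describe-firewall`, `aws network-firewall describe-logging-configuration` and `aws ec2 describe-route-tables` return and reports what still blocks deletion (deletion protection, routes that still target the firewall's endpoints, and remaining log destinations). The sample responses are constructed, and scanning every route field for an endpoint ID rather than one named field is an assumption made so the check does not depend on the EC2 response layout.

```python
import re

VPCE_RE = re.compile(r"vpce-[0-9a-f]+")

def firewall_endpoint_ids(describe_firewall):
    """Map AZ -> endpoint ID for the firewall's own (primary) endpoints."""
    sync = describe_firewall["FirewallStatus"].get("SyncStates", {})
    return {az: s["Attachment"]["EndpointId"]
            for az, s in sync.items() if "EndpointId" in s.get("Attachment", {})}

def routes_referencing(route_tables, endpoint_ids):
    """(route table, destination, endpoint) for each route still targeting an endpoint."""
    wanted = set(endpoint_ids)
    hits = []
    for rt in route_tables["RouteTables"]:
        for route in rt.get("Routes", []):
            dest = route.get("DestinationCidrBlock") or route.get("DestinationPrefixListId", "?")
            # Scan every string field so the check does not depend on which route
            # field EC2 uses to carry the endpoint ID (an assumption, not an API fact).
            for value in route.values():
                if isinstance(value, str) and VPCE_RE.fullmatch(value) and value in wanted:
                    hits.append((rt["RouteTableId"], dest, value))
    return hits

def delete_blockers(describe_firewall, logging_config, route_tables):
    """Reasons the firewall cannot be deleted yet; an empty list means the prerequisites are met."""
    blockers = []
    if describe_firewall["Firewall"].get("DeleteProtection"):
        blockers.append("deletion protection is enabled")
    endpoints = firewall_endpoint_ids(describe_firewall).values()
    for rtb, dest, vpce in routes_referencing(route_tables, endpoints):
        blockers.append(f"{rtb} routes {dest} via {vpce}")
    for cfg in logging_config.get("LoggingConfiguration", {}).get("LogDestinationConfigs", []):
        blockers.append(f"{cfg['LogType']} logging still sends to {cfg['LogDestinationType']}")
    return blockers

# Constructed sample responses, not data from a real account.
FIREWALL = {
    "Firewall": {"FirewallName": "example-fw", "DeleteProtection": True},
    "FirewallStatus": {"Status": "READY", "SyncStates": {
        "us-east-1a": {"Attachment": {"SubnetId": "subnet-0aaa", "EndpointId": "vpce-0aaa111", "Status": "READY"}},
        "us-east-1b": {"Attachment": {"SubnetId": "subnet-0bbb", "EndpointId": "vpce-0bbb222", "Status": "READY"}},
    }},
}
LOGGING = {"LoggingConfiguration": {"LogDestinationConfigs": [
    {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs", "LogDestination": {"logGroup": "/fw/alert"}}]}}
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0111", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0aaa111"}]},
    {"RouteTableId": "rtb-0222", "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0333"}]}]}

if __name__ == "__main__":
    print("\n".join(delete_blockers(FIREWALL, LOGGING, ROUTE_TABLES) or ["ready to delete"]))
```

Endpoints that belong to VPC endpoint associations are not listed in the firewall's own sync states, so their route tables must be checked separately with the same `routes_referencing` scan.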

**To delete a firewall in the console**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, select the firewall that you want to delete.

1. Choose **Delete**, and then confirm your request.

Your firewall is removed from the list in the **Firewalls** page. The removal can take a few minutes to complete.

# Deleting a VPC endpoint association in AWS Network Firewall
<a name="deleting-vpc-endpoint-association"></a>

Before you delete a Network Firewall VPC endpoint association, remove its firewall endpoint from any VPC route tables that use it. For information about managing route tables for your VPC, see [Route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) in the *Amazon Virtual Private Cloud User Guide*.

**To delete a VPC endpoint association**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **VPC endpoint associations**.

1. In the **VPC endpoint associations** page, select the VPC endpoint association that you want to delete.

1. Choose **Delete**, and then confirm your request.

Your VPC endpoint association is removed from the list in the **VPC endpoint associations** page. The removal can take a few minutes to complete.