

# Firewalls and firewall endpoints in AWS Network Firewall
<a name="firewalls"></a>

A Network Firewall *firewall* defines the behavior of a network firewall, specifies the primary VPC it protects, and determines the Availability Zones where it can be deployed. For each Availability Zone where you want to use the firewall, you must define one subnet to serve as a *firewall endpoint* in the firewall's configuration. These are the primary endpoints for your firewall.

To extend your firewall's capabilities, you can create additional, or secondary, firewall endpoints using *VPC endpoint associations*. These associations let you deploy firewall endpoints in VPCs other than the primary protected VPC and create multiple firewall endpoints within a single Availability Zone in the firewall owner's account or other accounts with which the firewall has been shared. For information about sharing firewalls with other accounts, see [Sharing Network Firewall resources](sharing.md).

You can create VPC endpoint associations for any VPC, but only in Availability Zones where the firewall already has a primary endpoint defined. For details about creating these associations, see [Creating a VPC endpoint association](creating-vpc-endpoint-association.md).

This guide shows you how to create, manage, and troubleshoot firewalls and their endpoints, whether you're working with primary firewall endpoints or VPC endpoint associations.

**Topics**
+ [Considerations for working with firewalls and firewall endpoints](firewall-and-firewall-endpoints-considerations.md)
+ [Firewall settings in AWS Network Firewall](firewall-settings.md)
+ [Understanding the differences between firewall owners and VPC endpoint association owners](firewall-owners-and-vpc-endpoint-association-owners.md)
+ [Managing a firewall and firewall endpoints in AWS Network Firewall](firewall-managing.md)
+ [Transit gateway-attached firewalls in Network Firewall](tgw-firewall.md)
+ [Managing your firewall state table using flow operations in AWS Network Firewall](firewall-flow-operations.md)
+ [Troubleshooting firewall endpoint failures in AWS Network Firewall](firewall-troubleshooting-endpoint-failures.md)

# Considerations for working with firewalls and firewall endpoints
<a name="firewall-and-firewall-endpoints-considerations"></a>

Before you create, update, or delete a firewall and its endpoints in AWS Network Firewall, review these considerations.

For information on considerations specific to transit gateway-attached firewalls, see [Considerations for transit gateway-attached firewalls](tgw-firewall-considerations.md).

## General firewall considerations
<a name="general-firewall-considerations"></a>

**Account status impacts**  
When a firewall owner's account becomes inactive:  
+ The firewall enters a `FAIL_CLOSED` state, dropping all traffic through both primary endpoints and VPC endpoint associations
+ No metering occurs for the firewall or its associated endpoints
+ VPC endpoint association owners receive a notification about the firewall account's inactive state
When a VPC endpoint association owner's account becomes inactive:  
+ Only that specific VPC endpoint association enters a `FAIL_CLOSED` state
+ The inactive endpoint is excluded from the firewall's consolidated billing
+ Other VPC endpoint associations continue to function normally
For more information on potential error scenarios and how to resolve them, see [Troubleshooting firewall endpoint failures in AWS Network Firewall](firewall-troubleshooting-endpoint-failures.md).

**CloudWatch metrics access**  
Access to CloudWatch metrics varies by role:  
+ Firewall owners have full access to metrics
+ VPC endpoint association owners have limited access
For details, see [AWS Network Firewall metrics in Amazon CloudWatch](monitoring-cloudwatch.md).

**AWS KMS key considerations**  
When there are issues with the AWS KMS key used by the firewall owner:  
+ A failure notification appears in the firewall's status
+ A failure notification appears in all associated VPC endpoint association statuses
+ The firewall cannot process traffic until the AWS KMS key is restored to an active state
These failures can occur if the AWS KMS key is disabled, scheduled for deletion, or deleted, or if its key policy or grants no longer allow Network Firewall to use it. To restore service, the firewall owner must return the key to the `Enabled` state (re-enable a disabled key or cancel a pending deletion) and confirm that the key policy still grants Network Firewall access. A key that has already been deleted cannot be recovered; in that case the firewall owner must update the firewall's encryption configuration to use a different key.  
For more information on potential error scenarios and how to resolve them, see [Troubleshooting firewall endpoint failures in AWS Network Firewall](firewall-troubleshooting-endpoint-failures.md).

## VPC endpoint association considerations
<a name="vpc-endpoint-association-considerations"></a>

Before you use VPC endpoint associations in AWS Network Firewall, consider the following:

**Firewall unsharing impacts**  
When a firewall owner unshares a firewall:  
+ Existing VPC endpoint associations continue to function
+ VPC endpoint association owners can no longer view firewall metadata
+ VPC endpoint association owners can still delete their associations
+ The firewall cannot be deleted until all VPC endpoint associations are removed
For more information about unsharing firewalls, see [Unsharing a shared Network Firewall resource](sharing.md#sharing-unshare).

**TLS inspection limitations**  
TLS inspection is not supported for firewalls with VPC endpoint associations.
+ A firewall policy that has TLS inspection enabled cannot be added to a firewall that has VPC endpoint associations.
+ A VPC endpoint association cannot be created from a firewall that has a firewall policy with TLS inspection enabled.
For details, see [Troubleshooting firewall endpoint failures in AWS Network Firewall](firewall-troubleshooting-endpoint-failures.md) and [Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall](tls-inspection-configurations.md).

**IP address considerations**  
When managing multiple VPCs:  
+ Exercise caution with overlapping IP address ranges: a firewall policy cannot tell apart two VPCs that use the same addresses, so rules keyed on those addresses apply consistently to both VPCs, whether or not that was intended
+ By default, the `HOME_NET` rule variable covers only the CIDR range of the VPC where the firewall is deployed. Set `HOME_NET` explicitly in the firewall policy's policy variables so that it also includes the CIDR ranges of every VPC that routes traffic through a VPC endpoint association; otherwise, traffic from those VPCs falls outside any rule scoped to `$HOME_NET`
For more information on potential error scenarios and how to resolve them, see [Troubleshooting firewall endpoint failures in AWS Network Firewall](firewall-troubleshooting-endpoint-failures.md).
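To make the `HOME_NET` point concrete, the following added example (Python, not code from this guide or from AWS) takes a constructed inventory of VPC CIDRs that route through one firewall, flags ranges that overlap across VPCs, and builds the `PolicyVariables` fragment for a `HOME_NET` override. The VPC ids and CIDRs are made up, and the `RuleVariables` / `Definition` shape is an assumption to confirm against the current firewall policy API reference before use.

```python
"""Compute a HOME_NET override for a firewall policy that fronts several VPCs.

Added example, not code from the Network Firewall documentation. The VPC
CIDRs are constructed sample data. The returned dict mirrors the
FirewallPolicy PolicyVariables shape (RuleVariables -> HOME_NET ->
Definition); treat that shape as an assumption to confirm against the
current API reference before use.
"""
import ipaddress
from itertools import combinations

# Constructed inventory: VPC id -> CIDR blocks whose traffic is routed
# through this firewall's endpoints (primary or via VPC endpoint associations).
VPCS = {
    "vpc-primary": ["10.0.0.0/16"],               # owns the primary endpoints
    "vpc-dev": ["10.1.0.0/16", "100.64.0.0/20"],  # reached via an association
    "vpc-partner": ["10.1.0.0/16"],               # overlaps vpc-dev on purpose
}


def find_overlaps(vpcs):
    """Return (vpc_a, cidr_a, vpc_b, cidr_b) for each pair of CIDRs in
    different VPCs that overlap. Network Firewall accepts this, but a rule
    keyed on such an address range matches traffic from both VPCs, so the
    same policy decision applies to both whether that was intended or not."""
    entries = [(vpc, ipaddress.ip_network(cidr))
               for vpc, cidrs in vpcs.items() for cidr in cidrs]
    overlaps = []
    for (vpc_a, net_a), (vpc_b, net_b) in combinations(entries, 2):
        if vpc_a != vpc_b and net_a.version == net_b.version and net_a.overlaps(net_b):
            overlaps.append((vpc_a, str(net_a), vpc_b, str(net_b)))
    return overlaps


def home_net_definition(vpcs):
    """Collapse every VPC CIDR into a minimal sorted list for HOME_NET.
    Without an override, HOME_NET covers only the firewall's own VPC, so
    flows from associated VPCs fall outside any $HOME_NET-scoped rule."""
    nets = [ipaddress.ip_network(cidr) for cidrs in vpcs.values() for cidr in cidrs]
    v4 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return [str(n) for n in v4 + v6]


def policy_variables(vpcs):
    """Build the PolicyVariables fragment to send with update-firewall-policy."""
    return {"RuleVariables": {"HOME_NET": {"Definition": home_net_definition(vpcs)}}}


if __name__ == "__main__":
    for vpc_a, cidr_a, vpc_b, cidr_b in find_overlaps(VPCS):
        print(f"warning: {vpc_a} {cidr_a} overlaps {vpc_b} {cidr_b}")
    print(policy_variables(VPCS))
```

Adjacent ranges are merged (the two `/16` blocks above become `10.0.0.0/15`), which is harmless for `HOME_NET` but worth noticing if you diff the output against the CIDRs you started from.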

# Firewall settings in AWS Network Firewall
<a name="firewall-settings"></a>

A firewall in Network Firewall has the following configuration settings, which you define when you create or update the firewall. All settings except for the firewall name and the VPC are mutable.
+ **Name** – The identifier for the firewall. You assign a unique name to every firewall. You can't change the name of a firewall after you create it. 
+ **Description** – Optional additional information about the firewall. Fill in any information that might help you remember the purpose of the firewall and how you want to use it. The description is included in firewall lists in the console and through the APIs.
+ **VPC** – The VPC that's associated with the firewall. This is the VPC that the firewall provides protection for. You can't change the VPC after you create the firewall. 
+ **Subnets** – The subnets that Network Firewall should use for the firewall's primary endpoints. Network Firewall creates a firewall endpoint in each subnet. Specify one subnet for each Availability Zone where you want to use the firewall; each subnet establishes the availability of the firewall in its Availability Zone. The subnets should be dedicated to Network Firewall use.

  In addition to these subnets, you can define other endpoints for the firewall in VPC endpoint associations. For more information about firewall endpoints, see [Firewalls and firewall endpoints in AWS Network Firewall](firewalls.md).

  For information about using your configured subnets, see [Configuring your VPC and other components for AWS Network Firewall](vpc-config.md). 
+ **Firewall policy** – The firewall policy that's associated with the firewall. The firewall policy provides the monitoring and protection behavior for the firewall. You can use the same firewall policy for more than one firewall. For more information about firewall policies, see [Firewall policies in AWS Network Firewall](firewall-policies.md). 
+ **Logging** – The type and location of the logs that Network Firewall provides for the firewall's stateful rules engine. You can enable flow logging for the network traffic that passes through the stateful rules engine. You can enable alert logging for traffic that matches the stateful rules that have an action setting of `Alert`, `Drop`, or `Reject`. You can enable TLS logging for TLS errors and for errors in server certificate revocation checks on outbound traffic. For more information about logging, see [Logging network traffic from AWS Network Firewall](firewall-logging.md). 
+ **Encryption options** (Optional) – Network Firewall encrypts and decrypts Network Firewall resources, to protect against unauthorized access. By default, Network Firewall uses AWS owned keys for this. If you want to use your own keys, you can configure customer managed keys from AWS Key Management Service and provide them to Network Firewall. For information about this option, see [Encryption at rest with AWS Key Management Service](kms-encryption-at-rest.md).
+ **Tags** – Zero or more key-value tag pairs. A tag is a label that you assign to an AWS resource. You can use tags to search and filter your resources and to track your AWS costs. For more information, see [Tagging AWS Network Firewall resources](tagging.md).
+ **Delete protection** – A Boolean setting that protects against accidental deletion of the firewall. Through the API, it is initialized to `TRUE` when you create a firewall, and you must explicitly disable it (for example, with `UpdateFirewallDeleteProtection`) before you can delete the firewall. In the console, the deletion process disables this protection for you when you confirm the delete, so the setting isn't shown as part of that process. The console also offers **Subnet change protection** (`SubnetChangeProtection`), which similarly blocks changes to the firewall's subnet mappings until you disable it. 
+ **Traffic analysis mode** (Optional) – A list of the traffic types for which Network Firewall collects data so that you can generate traffic analysis reports on traffic monitored by your firewall. By default, traffic analysis mode is not enabled. For more information, see [Reporting on network traffic in Network Firewall](reporting.md). 

# Understanding the differences between firewall owners and VPC endpoint association owners
<a name="firewall-owners-and-vpc-endpoint-association-owners"></a>

If you create a firewall, you are that firewall's *firewall owner*. If you create a VPC endpoint association for a firewall that is shared with you from another account, you are a *VPC endpoint association owner*. For information about sharing firewalls with other accounts, see [Sharing Network Firewall resources](sharing.md).

The following table shows how the capabilities of firewall owners differ from those of VPC endpoint association owners.


| Capability | Owner | 
| --- | --- | 
|  Creates a firewall and manages the firewall's configuration and settings  |  Firewall owner  | 
|  Shares a firewall with other accounts to enable creation of VPC endpoint associations to their firewall  |  Firewall owner  | 
|  Creates VPC endpoint associations for their firewall, within their account  |  Firewall owner  | 
|  Can list any VPC endpoint association that is associated with their firewall, either from within their account or from another account  |  Firewall owner  | 
|  Receives a consolidated bill for their firewall's primary firewall endpoint and any additional firewall endpoints  |  Firewall owner  | 
|  Has visibility into metrics for network traffic passing through their firewall's primary firewall endpoint and any additional firewall endpoints  |  Firewall owner  | 
|  Can perform flow operations on a firewall's primary firewall endpoint and any additional firewall endpoints  |  Firewall owner  | 
|  Creates VPC endpoint associations for firewalls shared with them  |  VPC endpoint association owner  | 
|  Uses the same configuration and settings for their VPC endpoint association as defined in the firewall  |  VPC endpoint association owner  | 
|  Routes network traffic through the VPC endpoint association they create  |  VPC endpoint association owner  | 

For more information, see [Managing a firewall and firewall endpoints in AWS Network Firewall](firewall-managing.md).

## Example ownership scenarios
<a name="ownership-scenarios"></a>

Review the following examples to understand how different ownership scenarios may affect firewall and VPC endpoint association management. These scenarios show common use cases but do not provide an exhaustive list of capabilities for either firewall owners or VPC endpoint association owners. For a comprehensive list of capabilities, refer to the previous table.

### Scenario: Single account ownership
<a name="single-owner-scenario"></a>

In this scenario, one AWS account manages both the firewall and its VPC endpoint associations:
+ The account creates a firewall in a production VPC
+ The same account creates VPC endpoint associations to extend protection to development VPCs
+ As both the firewall owner and VPC endpoint association owner, the account can:
  + Configure all firewall settings
  + Monitor traffic across all endpoints
  + Manage all VPC endpoint associations

### Scenario: Shared ownership across accounts
<a name="shared-owner-scenario"></a>

In this scenario, two separate AWS accounts share firewall resources:
+ Account A (firewall owner):
  + Creates and configures the firewall in its own VPC
  + Shares the firewall with Account B
  + Monitors traffic across all endpoints, including those in Account B
+ Account B (VPC endpoint association owner):
  + Creates VPC endpoint associations in its own VPCs
  + Uses the firewall settings as configured by Account A
  + Cannot modify the firewall settings

# Managing a firewall and firewall endpoints in AWS Network Firewall
<a name="firewall-managing"></a>

This section describes how to create, update, and delete your firewall and its endpoints in AWS Network Firewall. 

**How Network Firewall propagates your changes**  
When you make any changes to a firewall, including changes to any of the firewall's components, like rule groups, TLS inspection configurations, and firewall policies, Network Firewall propagates the changes everywhere that the firewall is used. Your changes are normally applied within minutes, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. For example, if you modify a rule group so that it drops an additional type of packet, for a firewall that uses the rule group, the new packet type might briefly be dropped by one firewall endpoint while still being allowed by another. 

This temporary inconsistency can occur when you first create a firewall and when you make changes to an existing firewall. Generally, any inconsistencies of this type last only a few seconds. 

When you add a TLS inspection configuration to an existing firewall, Network Firewall interrupts traffic flows that match the scope defined in the TLS inspection configuration. From then on, Network Firewall decrypts and inspects new connections that match that scope as they pass through the firewall.

Changes to stateful rules are applied only to new traffic flows; flows already in the firewall's state table are not re-evaluated until they end. If you need existing flows to be re-evaluated against updated stateful rules, use flow operations to flush them from the state table; see [Managing your firewall state table using flow operations in AWS Network Firewall](firewall-flow-operations.md). Other firewall changes, including changes to stateless rules, are applied to all network packets. 

**Topics**
+ [Creating a firewall in AWS Network Firewall](creating-firewall.md)
+ [Creating a VPC endpoint association in AWS Network Firewall](creating-vpc-endpoint-association.md)
+ [Updating a firewall in AWS Network Firewall](firewall-updating.md)
+ [Deleting a firewall in AWS Network Firewall](deleting-firewall.md)
+ [Deleting a VPC endpoint association in AWS Network Firewall](deleting-vpc-endpoint-association.md)

# Creating a firewall in AWS Network Firewall
<a name="creating-firewall"></a>

You can create a firewall in Network Firewall to start using the protections you've defined in a firewall policy to protect a VPC.

There are two ways you can create a firewall:
+ Create a VPC-attached firewall to protect a VPC
+ Create a transit gateway-attached firewall to enable centralized network inspection

**Note**  
To create a transit gateway-attached firewall, you can use a transit gateway that you own or one that has been shared with you through AWS RAM.

**Important**  
Before you begin, make sure your VPC has at least one subnet that can host a firewall endpoint. The subnet must be dedicated to Network Firewall use and cannot be used for other resources. For information about subnet requirements and configuration, see [VPC subnets](vpc-config-subnets.md).

**To create a firewall through the console**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. Choose **Create firewall**.

1. Enter a **Name** to identify this firewall.
**Note**  
You can't change the name after you create the firewall.

1. (Optional) Enter a **Description** for the firewall to help you identify it among your other resources.

1. Choose **Next**.

1. For **Attachment type**, choose either:
   + **VPC** - Create a VPC-attached firewall with endpoints in subnets of a VPC that you choose
   + **Transit Gateway** - Create a transit gateway-attached firewall, for which Network Firewall provisions the networking components automatically

1. Based on your attachment type selection:

   1. If you selected **VPC**:

      1. Choose your **VPC** from the dropdown list.
**Note**  
You can't change the VPC after you create the firewall.

      1. For **Firewall subnets**, choose the Availability Zones and subnets that you want to use for your primary firewall endpoints. You can choose up to one subnet for each Availability Zone that your VPC spans, and you must specify a subnet in every Availability Zone where you later want to create endpoints using VPC endpoint associations.

         The subnets that you specify should be dedicated to Network Firewall use. For more information, see [VPC subnets](vpc-config-subnets.md).

   1. If you selected **Transit Gateway**:

      1. For **Transit Gateway**, choose an existing transit gateway from the dropdown list. The list includes:
         + Any transit gateway in your account (marked as "this account")
         + AWS Transit Gateways shared with you from other accounts (showing the owner account ID)
**Note**  
If you need to create a new transit gateway, open the Transit Gateway console in a new tab. After creating the transit gateway, return to this page and refresh the Transit Gateway selector.

      1. For **Availability Zones**, select the Availability Zones for your firewall. Consider:
         + To maintain Availability Zone isolation, enable the firewall in every Availability Zone where you have workloads
         + You must select at least one Availability Zone
         + You can modify Availability Zones later, but this may briefly disrupt traffic

1. (Optional) Under **Protection against changes**, enable **Deletion protection** and **Subnet change protection** to protect your firewall against accidental deletion and against accidental changes to its subnets.

1. (Optional) Under **Customer managed key**, toggle **Customize encryption settings** to use an AWS Key Management Service customer managed key to encrypt your resources. For more information about this option, see [Encryption at rest with AWS Key Management Service](kms-encryption-at-rest.md).

1. Choose **Next**.

1. (Optional) Under **Traffic analysis mode**, select **Enable traffic analysis mode** to enable HTTP and HTTPS traffic reporting.
**Note**  
Enabling traffic analysis mode does not automatically generate a report when you finish creating your firewall. See [Reporting on network traffic in Network Firewall](reporting.md) for more information on report generation.
**Important**  
Network Firewall only starts collecting traffic analysis metrics when you enable **Traffic analysis mode** on your firewall. Traffic observed before you enable **Traffic analysis mode** is not included in reporting. 

1. For the **Associate firewall policy** section, choose the firewall policy that you want to associate with the firewall.

1. Choose **Create firewall**.

## Next steps
<a name="new-firewall-next-steps"></a>

After you create your firewall, it appears in the **Firewalls** page. As the firewall owner, you have full control over its configuration and management.

Complete these tasks to start using your firewall:

1. Required: Configure your firewall policy to define how traffic is filtered. For information, see [Firewall policies in AWS Network Firewall](firewall-policies.md).

1. Required: Configure your VPC route tables to direct traffic through your firewall endpoints. For information, see [VPC route table configuration for AWS Network Firewall](vpc-config-route-tables.md).

You can also enhance your firewall's capabilities with these optional tasks:
+ Set up logging to monitor network traffic through your firewall. For information, see [Logging network traffic from AWS Network Firewall](firewall-logging.md).
+ Create VPC endpoint associations to extend your firewall's protection to additional VPCs or to create multiple endpoints in a single Availability Zone. For information, see [Creating a VPC endpoint association](creating-vpc-endpoint-association.md).

# Creating a VPC endpoint association in AWS Network Firewall
<a name="creating-vpc-endpoint-association"></a>

Create VPC endpoint associations to establish new firewall endpoints in any Availability Zone where the firewall is already being used. The first use of a firewall in an Availability Zone must be defined by the firewall owner in the firewall subnet specifications. For more information about where to specify endpoints, see [Firewalls and firewall endpoints](firewalls.md).

**Important**  
VPC endpoint associations are available for VPC-attached firewalls, but not for transit gateway-attached firewalls.

Before you create a VPC endpoint association, review these requirements:
+ You must own the firewall that you want to use or it must be shared with you. If you don't own the firewall, ask the owner to share it with your account. For information about sharing firewalls, see [Sharing Network Firewall resources](sharing.md).
+ A VPC endpoint association can only be created in an Availability Zone where the firewall already has a primary endpoint.
+ For same-account associations:
  + Within the firewall owner's account, you can create a VPC endpoint association in a different subnet of the firewall's primary VPC or in a different VPC.
+ For cross-account associations:
  + From another account, you can create a VPC endpoint association in your own VPCs, but only if the firewall has been shared with your account.
+ The firewall's policy must not have TLS inspection enabled. TLS inspection is not supported for firewalls that have VPC endpoint associations. For details, see [Considerations for working with firewalls and firewall endpoints](firewall-and-firewall-endpoints-considerations.md).
+ The subnet that you want to use in the VPC must be available to host a firewall endpoint. For information, see [VPC subnets](vpc-config-subnets.md).
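The subnet rules for primary endpoints (one dedicated subnet per Availability Zone, all in the firewall's VPC, as described in [Firewall settings in AWS Network Firewall](firewall-settings.md)) and the placement rules for VPC endpoint associations listed above can be checked before you touch the console or the API. The following added example is not part of this guide or of any AWS tool: it models a firewall record and a constructed subnet inventory, rejects an invalid set of primary subnets, and reports why a proposed association would be refused. The account ids, subnet ids, and the `SubnetMappings` request shape are assumptions.

```python
"""Pre-flight checks for primary firewall subnets and VPC endpoint association placement.

Added example, not code from the Network Firewall documentation. The subnet
inventory, account ids and firewall record are constructed sample data; the
request shape (FirewallName, VpcId, SubnetMappings, DeleteProtection,
SubnetChangeProtection) follows CreateFirewall as an assumption to confirm
against the current API reference.
"""
from dataclasses import dataclass, field

# Constructed subnet inventory: subnet id -> (vpc id, availability zone).
SUBNETS = {
    "subnet-fw-a": ("vpc-primary", "us-east-1a"),
    "subnet-fw-b": ("vpc-primary", "us-east-1b"),
    "subnet-fw-a2": ("vpc-primary", "us-east-1a"),  # second subnet in the same AZ
    "subnet-dev-a": ("vpc-dev", "us-east-1a"),
    "subnet-dev-c": ("vpc-dev", "us-east-1c"),      # AZ with no primary endpoint
}


@dataclass
class Firewall:
    """Minimal record of a firewall as seen by whoever wants to attach to it."""
    name: str
    owner_account: str
    vpc_id: str
    subnet_ids: list                       # primary endpoint subnets
    shared_with: set = field(default_factory=set)
    policy_has_tls_inspection: bool = False

    def primary_azs(self):
        return {SUBNETS[sid][1] for sid in self.subnet_ids}


def create_firewall_request(name, vpc_id, subnet_ids, delete_protection=True):
    """Validate the primary subnets and return a CreateFirewall-style body.
    Raises ValueError for the mistakes the service would reject."""
    seen_azs = {}
    for sid in subnet_ids:
        if sid not in SUBNETS:
            raise ValueError(f"unknown subnet {sid}")
        vpc, az = SUBNETS[sid]
        if vpc != vpc_id:
            raise ValueError(f"{sid} is in {vpc}, not in the firewall VPC {vpc_id}")
        if az in seen_azs:
            raise ValueError(f"{sid} and {seen_azs[az]} are both in {az}; "
                             "a firewall takes one primary subnet per AZ")
        seen_azs[az] = sid
    return {
        "FirewallName": name,
        "VpcId": vpc_id,
        "SubnetMappings": [{"SubnetId": sid} for sid in subnet_ids],
        "DeleteProtection": delete_protection,
        "SubnetChangeProtection": True,
    }


def check_vpc_endpoint_association(firewall, requester_account, subnet_id):
    """Return the reasons an association in subnet_id would be refused
    (an empty list means it can be created)."""
    if subnet_id not in SUBNETS:
        return [f"unknown subnet {subnet_id}"]
    _vpc, az = SUBNETS[subnet_id]
    problems = []
    if requester_account != firewall.owner_account and requester_account not in firewall.shared_with:
        problems.append(f"firewall {firewall.name} is not shared with account {requester_account}")
    if az not in firewall.primary_azs():
        problems.append(f"firewall has no primary endpoint in {az}; "
                        "the firewall owner must add a subnet there first")
    if firewall.policy_has_tls_inspection:
        problems.append("firewall policy has TLS inspection enabled, "
                        "which is not supported with VPC endpoint associations")
    if subnet_id in firewall.subnet_ids:
        problems.append(f"{subnet_id} already hosts one of the firewall's primary endpoints")
    return problems


if __name__ == "__main__":
    fw = Firewall("prod-fw", "111111111111", "vpc-primary",
                  ["subnet-fw-a", "subnet-fw-b"], shared_with={"222222222222"})
    print(create_firewall_request(fw.name, fw.vpc_id, fw.subnet_ids))
    for account, subnet in [("111111111111", "subnet-fw-a2"),
                            ("222222222222", "subnet-dev-a"),
                            ("222222222222", "subnet-dev-c"),
                            ("333333333333", "subnet-dev-a")]:
        print(account, subnet, check_vpc_endpoint_association(fw, account, subnet) or "OK")
```

Note that `subnet-fw-a2` passes: a second endpoint in an Availability Zone that already has a primary endpoint is exactly what VPC endpoint associations allow, whereas `subnet-dev-c` fails because the firewall owner never defined a primary subnet in `us-east-1c`.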

**To create a VPC endpoint association through the console**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **VPC endpoint associations**.

1. In the **VPC endpoint associations** page, choose **Create VPC endpoint association**.

1. Choose the firewall that you want to use.

1. Choose the VPC that you want to protect.

1. Choose the Availability Zone and subnet where you want to place the firewall endpoint. The subnet should be dedicated for Network Firewall firewall use. For more information, see [VPC subnets](vpc-config-subnets.md).
**Note**  
If you don't see the Availability Zone that you want, check that the firewall itself has a subnet defined there. You can only define VPC endpoint associations in Availability Zones where the firewall is already in use. If you don't own the firewall, ask the owner.

1. (Optional) Expand the **Additional configurations** and provide a description for the association and assign key-value tags to it. For information about tagging your AWS resources, see [Tagging AWS Network Firewall resources](tagging.md).

1. Choose **Create VPC endpoint association**.

## Next steps
<a name="new-vpc-endpoint-association-next-steps"></a>

After you create a VPC endpoint association, complete these steps:

1. Verify the status of your VPC endpoint association. The status should change from **Provisioning** to **Ready** when the endpoint is available to process traffic.

1. Configure your VPC route tables to direct traffic through the new firewall endpoint. For information, see [VPC route table configuration for AWS Network Firewall](vpc-config-route-tables.md).

1. If needed, update your firewall policy to accommodate the new endpoint. See [Firewall policies in AWS Network Firewall](firewall-policies.md) for details on managing firewall policies.

1. Consider setting up logging for your firewall to track traffic through the new endpoint. For information about logging, see [Logging and monitoring in AWS Network Firewall](logging-monitoring.md).

Remember, changes to your network configuration can affect your security posture. Always verify that your new endpoint is functioning as expected and that it complies with your organization's security policies.

# Updating a firewall in AWS Network Firewall
<a name="firewall-updating"></a>

After you create a firewall, you can update its settings or view reports on its traffic from within the console. Use the following procedure for either task.

**Warning**  
If your firewall update changes your stateful rule evaluation order type, you will experience an interruption of in-flight traffic through the firewall for a few seconds during the reset. This is the only type of update that has this effect. For more information about stateful rule evaluation order types, see [Managing evaluation order for Suricata compatible rules in AWS Network Firewall](suricata-rule-evaluation-order.md). 

Updating a firewall affects all endpoints for the firewall, both those defined inside the firewall and those defined as VPC endpoint associations.

**To update a firewall**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page. 

1. Choose the tab **Firewall details**, then, in each section where you want to make changes, choose **Edit** and follow the console guidance to make your changes. 
   + In the **Details** section, you can change the firewall description. The name is fixed after creation.
   + In the **Traffic analysis mode** section, you can enable or disable traffic analysis, which lets you generate reports on HTTP or HTTPS traffic from the last 30 days. Enabling and disabling **Traffic analysis mode** does not impact traffic flow or automatically trigger report creation.
**Important**  
Network Firewall only starts collecting traffic analysis metrics when you enable **Traffic analysis mode** on your firewall. Traffic observed before you enable **Traffic analysis mode** is not included in reporting. 
   + In the **Associated policy and VPC** section, you can add and remove Availability Zones and subnets and you can associate a different firewall policy. The VPC is fixed after creation. If you enabled **Subnet change protection** on the firewall, you must disable it before you can change the subnets. 
   + In the **Logging** section, you can configure logging for alert, flow, and TLS logs. For information about your logging options and costs, see [Logging network traffic from AWS Network Firewall](firewall-logging.md).
   + In the **Firewall tags** section, you can change the tags assigned to the AWS firewall resource. For information about tagging, see [Tagging AWS Network Firewall resources](tagging.md).

1. Choose the **Monitoring** tab, then follow the console guidance to use the available reporting capabilities. 
   + In the **Firewall requests** section, you can view a chart of dropped, passed, and received stateless and stateful packets monitored by the firewall within a customizable time frame.
   + In the **Reports** section, if you have enabled traffic analysis mode, you can generate an HTTP or HTTPS report or view the status of reports you already created. For information on these reports, see [Reporting on network traffic in Network Firewall](reporting.md). 
**Note**  
Enabling traffic analysis mode does not automatically generate a report when you finish creating your firewall. See [Reporting on network traffic in Network Firewall](reporting.md) for more information on report generation. 

1. Choose **Save** to save your changes and return to the firewall's detail page.

# Deleting a firewall in AWS Network Firewall
<a name="deleting-firewall"></a>

The procedure for deleting a firewall has the following prerequisites:
+ You must disassociate the firewall from any other AWS resources, including VPC endpoint associations. If your firewall has a VPC endpoint association you don't own, ask the owner to delete that VPC endpoint association.
+ You must remove the firewall from any VPC route tables that mention it.
+ You must disable the firewall's logging configuration. For information about updating a firewall's logging configuration, see [Updating an AWS Network Firewall logging configuration](firewall-update-logging-configuration.md).
+ You must disable the firewall's delete protection. The console does this for you when you confirm the deletion; through the API or CLI, disable it explicitly (for example, with `UpdateFirewallDeleteProtection`) before calling `DeleteFirewall`.
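The following added example (not part of this guide or of any AWS tool) turns these prerequisites into a pre-flight check: given a constructed snapshot of a firewall, the route tables that might still reference its endpoints, and its logging configuration, it lists each blocker together with the action and the account responsible for clearing it, in the order they should be cleared. The field names are loosely modeled on `DescribeFirewall` and `DescribeLoggingConfiguration` output and are assumptions, not the API's own schema.

```python
"""List what still blocks deleting a firewall, and who has to clear each item.

Added example, not code from the Network Firewall documentation. The firewall
snapshot, route tables and logging configuration below are constructed sample
data shaped loosely after DescribeFirewall and DescribeLoggingConfiguration
output; treat the field names as assumptions, not the API's own schema.
"""

FIREWALL = {
    "FirewallName": "prod-inspection",
    "DeleteProtection": True,
    "Endpoints": ["vpce-fw-a", "vpce-fw-b"],  # primary firewall endpoints
    "VpcEndpointAssociations": [
        {"Id": "vpcea-dev", "OwnerAccount": "111111111111", "Endpoint": "vpce-dev-a"},
        {"Id": "vpcea-partner", "OwnerAccount": "222222222222", "Endpoint": "vpce-partner-a"},
    ],
}

# Constructed route tables: id -> routes; only the Target matters here.
ROUTE_TABLES = {
    "rtb-igw-ingress": [{"Destination": "10.0.1.0/24", "Target": "vpce-fw-a"}],
    "rtb-app": [{"Destination": "0.0.0.0/0", "Target": "vpce-fw-b"}],
    "rtb-dev": [{"Destination": "0.0.0.0/0", "Target": "vpce-dev-a"}],
    "rtb-unrelated": [{"Destination": "0.0.0.0/0", "Target": "igw-0abc"}],
}

LOGGING = {"LogDestinationConfigs": [{"LogType": "ALERT", "LogDestinationType": "S3"}]}


def deletion_blockers(firewall, route_tables, logging, caller_account):
    """Return (blocker, action) pairs in the order they should be cleared.
    An empty list means the firewall can be deleted now."""
    blockers = []
    associations = firewall["VpcEndpointAssociations"]
    endpoints = set(firewall["Endpoints"]) | {a["Endpoint"] for a in associations}

    # 1. Routes first: a route whose target disappears black-holes that prefix,
    #    and an association cannot be deleted while routes still use its endpoint.
    for rtb, routes in route_tables.items():
        for route in routes:
            if route["Target"] in endpoints:
                blockers.append((f"{rtb} sends {route['Destination']} to {route['Target']}",
                                 f"repoint or remove that route in {rtb}"))

    # 2. Associations: the firewall owner can only delete its own; other
    #    accounts' associations have to be removed by their owners.
    for assoc in associations:
        if assoc["OwnerAccount"] == caller_account:
            action = f"delete VPC endpoint association {assoc['Id']}"
        else:
            action = f"ask account {assoc['OwnerAccount']} to delete {assoc['Id']}"
        blockers.append((f"VPC endpoint association {assoc['Id']} still exists", action))

    # 3. The logging configuration must be cleared before deletion.
    if logging.get("LogDestinationConfigs"):
        blockers.append(("logging configuration is still attached",
                         "remove every log destination with update-logging-configuration"))

    # 4. Delete protection is the last gate; leave it on until everything else is done.
    if firewall["DeleteProtection"]:
        blockers.append(("delete protection is enabled",
                         "turn it off with update-firewall-delete-protection"))
    return blockers


if __name__ == "__main__":
    for blocker, action in deletion_blockers(FIREWALL, ROUTE_TABLES, LOGGING, "111111111111"):
        print(f"{blocker}: {action}")
```

Run from the firewall owner's account, the sample data yields seven blockers; the partner account's association shows up with an "ask account ..." action because the firewall owner can list it but cannot delete it.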

**To delete a firewall in the console**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, select the firewall that you want to delete.

1. Choose **Delete**, and then confirm your request.

Your firewall is removed from the list in the **Firewalls** page. The removal can take a few minutes to complete.

# Deleting a VPC endpoint association in AWS Network Firewall
<a name="deleting-vpc-endpoint-association"></a>

Before you delete a Network Firewall VPC endpoint association, remove its firewall endpoint from any VPC route tables that use it. For information about managing route tables for your VPC, see [Route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) in the *Amazon Virtual Private Cloud User Guide*.

**To delete a VPC endpoint association**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **VPC endpoint associations**.

1. In the **VPC endpoint associations** page, select the VPC endpoint association that you want to delete.

1. Choose **Delete**, and then confirm your request.

Your VPC endpoint association is removed from the list in the **VPC endpoint associations** page. The removal can take a few minutes to complete.

# Transit gateway-attached firewalls in Network Firewall
<a name="tgw-firewall"></a>

The AWS Network Firewall integration with AWS Transit Gateway lets you create and centrally manage firewall protective coverage without needing to provision multiple firewall endpoints.

Firewall owners can attach a Network Firewall directly to a transit gateway as a transit gateway attachment either within their own account or shared from a different account. For more information, see [Create a transit gateway-attached firewall](create-tgw-firewall.md).

## Key concepts
<a name="tgw-firewall-concepts"></a>

Review the following concepts before you continue. Note that these definitions are in the context of the Network Firewall integration with AWS Transit Gateway.

**Transit Gateway**  
A transit gateway works across AWS accounts, and you can use AWS RAM to share your transit gateway with other accounts. When a transit gateway is shared, recipients can use it to create a *transit gateway attachment*.

**Transit gateway-attached firewall**  
A type of transit gateway attachment. When a Network Firewall account owner uses a shared transit gateway to provision a firewall, they bypass the networking configuration required by the standard firewall setup. The firewall that a Network Firewall account owner provisions using a shared transit gateway is a *transit gateway-attached firewall*. 

**AWS RAM sharing account**  
The sharing account contains the resource that is shared. In the context of the Network Firewall integration with AWS Transit Gateway, the AWS RAM sharing account that shares the transit gateway is referred to as the *transit gateway owner.* 

**Ownership scenarios**  
Similar to working with firewalls and firewall endpoints created in Network Firewall, different account ownership scenarios impact how you work with a transit gateway-attached firewall. 
+ The transit gateway owner is the account that owns the transit gateway
+ The firewall owner is the account that creates and manages the transit gateway-attached firewall

**Note**  
These roles can be in the same account or in different accounts.

**Topics**
+ [Key concepts](#tgw-firewall-concepts)
+ [Considerations for transit gateway-attached firewalls](tgw-firewall-considerations.md)
+ [Create a transit gateway-attached firewall from a shared transit gateway](create-tgw-firewall.md)
+ [Working with transit gateway-attached firewalls](working-with-tgw-firewalls.md)

# Considerations for transit gateway-attached firewalls
<a name="tgw-firewall-considerations"></a>

Before you create or use a transit gateway-attached firewall, consider the following points. For considerations that apply to all firewalls, see [Considerations for working with firewalls and firewall endpoints](firewall-and-firewall-endpoints-considerations.md).
+ A transit gateway-attached firewall involves multiple AWS services: AWS Network Firewall, AWS Transit Gateway, and AWS RAM.
+ If the Transit Gateway owner and Network Firewall owner are different AWS accounts:
  + The Network Firewall account owner depends on the Transit Gateway owner to share the transit gateway.
  + Either account can delete the transit gateway-attached firewall.
  + The Transit Gateway owner has limited visibility into firewall details.
  + The Transit Gateway owner cannot delete the shared transit gateway until they remove all transit gateway attachments, including related transit gateway-attached firewalls.
+ When you use stateful domain list rule groups or other stateful rule group types that reference `HOME_NET` or `EXTERNAL_NET`, you must configure these rule groups to use values for `HOME_NET` and `EXTERNAL_NET` that are different from the default values used in the firewall policy. For more information, see [Limitations and caveats for stateful rules in AWS Network Firewall](suricata-limitations-caveats.md).
+ A transit gateway-attached firewall must be configured in the same Availability Zone where the shared transit gateway is already enabled.
+ Traffic for transit gateway-attached firewalls must be routed through transit gateway route tables, not VPC route tables.
+ Appliance mode is always enabled on transit gateway-attached firewalls.

# Create a transit gateway-attached firewall from a shared transit gateway
<a name="create-tgw-firewall"></a>

The process to create a transit gateway-attached firewall involves multiple AWS services, including AWS Network Firewall, AWS Transit Gateway, and AWS RAM. In scenarios where the Transit Gateway owner and Network Firewall owner are different AWS accounts, the Network Firewall account owner depends on the Transit Gateway owner to share a transit gateway with them.

**Note**  
*This* guide focuses on the Network Firewall portions of the larger cross-service process and assumes you are an AWS Network Firewall account owner who has a transit gateway shared with them. For information on creating a transit gateway-attached firewall without needing to share between different AWS accounts, see [Creating a firewall in AWS Network Firewall](creating-firewall.md).

## Use multiple AWS services to create a transit gateway-attached firewall (overview)
<a name="detailed-instructions-tg-ram"></a>

The following procedure is an overview of all the service-specific processes needed to create a transit gateway-attached firewall. For more detailed instructions specific to Transit Gateway and AWS RAM, see the related service documentation linked in each respective step. 

1. The transit gateway owner shares their transit gateway through AWS RAM with the firewall owner's account. For more information, see [Shareable AWS resources](https://docs.aws.amazon.com/ram/latest/userguide/shareable.html#shareable-vpc) in the *AWS RAM User Guide*.

1. The firewall owner accepts the AWS RAM share invitation for the transit gateway. For more information, see [Access shared resources](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-shared.html) in the *AWS RAM User Guide*.

1. The firewall owner creates a firewall using the shared transit gateway, which creates a pending transit gateway attachment. For detailed steps, see [Accept a shared transit gateway to create a transit gateway-attached firewall](#accept-shared-tgw-firewall).
**Note**  
This step in the process is covered in this guide.

1. The transit gateway owner accepts the transit gateway attachment (unless auto-accept attachments is enabled on their transit gateway). For more information, see [Accept a shared attachment using Amazon VPC Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/acccept-tgw-attach.html) in the *Amazon VPC Developer Guide*.

## Accept a shared transit gateway to create a transit gateway-attached firewall
<a name="accept-shared-tgw-firewall"></a>

**Prerequisites**  
Verify that the Transit Gateway account owner has already created a transit gateway and shared it with your account using AWS RAM.

For information on other things to consider before you create a transit gateway-attached firewall, see [Considerations for transit gateway-attached firewalls](tgw-firewall-considerations.md).

**To accept a shared transit gateway in Network Firewall**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. From the **Actions** menu, choose **Accept the transit gateway attachment**.

1. Review the following details in the dialog box:
   + The firewall name
   + Status (whether it has been accepted by this account)
   + Account ID of the firewall owner
   + Transit Gateway ID

1. Choose **Accept**.

1. Review the firewall configuration details, then choose **Create firewall**.

**After you accept a shared transit gateway attachment**  
The steps in this guide are only part of a larger process that involves AWS Network Firewall, AWS Transit Gateway, and AWS RAM. When you complete the previous steps within the Network Firewall console, the transit gateway-attached firewall enters a `Pending` state. You can proceed to [Working with transit gateway-attached firewalls](working-with-tgw-firewalls.md) to begin configuring your transit gateway-attached firewall while you wait for the transit gateway owner to accept or reject it.

# Working with transit gateway-attached firewalls
<a name="working-with-tgw-firewalls"></a>

After you accept a shared transit gateway attachment, the firewall you create appears in the **Firewalls** page of the Network Firewall console with one of the following statuses, depending on what state it is in:
+ `Pending` — the process to create a transit gateway-attached firewall has been initiated. The transit gateway owner must next accept the firewall from the transit gateway console. For more information, see [Accept a shared attachment using Amazon VPC Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/acccept-tgw-attach.html) in the *Amazon VPC Developer Guide*.

  The transit gateway-attached firewall cannot monitor network traffic while pending, but the firewall owner can adjust the firewall's configuration using the steps in [Updating a firewall in AWS Network Firewall](firewall-updating.md).
+ `Rejected` — the transit gateway owner has rejected the transit gateway-attached firewall. For more information, see [Accept a shared attachment using Amazon VPC Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/acccept-tgw-attach.html) in the *Amazon VPC Developer Guide*.
+ `Ready` — the transit gateway-attached firewall has finished provisioning and has begun monitoring traffic according to the network configuration set in transit gateway.

As the transit gateway-attached firewall owner, you maintain control of the firewall configuration, while the transit gateway owner controls how your traffic is routed through the firewall by way of the networking configuration managed in the AWS Transit Gateway console and CLI.

# Managing your firewall state table using flow operations in AWS Network Firewall
<a name="firewall-flow-operations"></a>

This section describes how to use flow operations to perform actions in your firewall's state table.

Flow operations are asynchronous actions that you run within a firewall that you own to track and manage traffic that's logged within the firewall's state table. You can run flow capture operations or flow flush operations. Flow capture operations collect information about active flows, and flow flush operations remove specified flows from the firewall.

Before you start using flow operations, review the following key definitions.
+ **Flows** – Network traffic that is monitored by a firewall, either by stateful or stateless rules. For traffic to be considered part of a flow, it must share Destination, DestinationPort, Direction, Protocol, Source, and SourcePort with other traffic. Flows that are processed by the firewall are tracked in the firewall state table and are visible in flow logs.
+ **Firewall state table** – Table where Network Firewall tracks and maintains information about network traffic flows. The firewall state table only tracks flows that are processed by stateful rules. When traffic matches the criteria in a stateful rule, the firewall creates a flow entry in the firewall state table. These entries persist until they are either removed using a flow flush operation, naturally terminate, or time out due to inactivity. You can manage the firewall state table using specific operations. This is also known as the firewall table or state table.

  For information, see [Flow operations in your firewall](#firewall-flow-operations).
+ **Flow filter** – Parameters that you use when defining the scope of a flow operation. You can use up to 20 filters in a single operation.

**Topics**
+ [Caveats and considerations for flow operations](#flow-operations-caveats)
+ [Capturing traffic in your firewall's state table](flow-operations-capture.md)
+ [Using flow flush operations in Network Firewall](flow-operations-flush.md)
+ [Viewing flow operations in Network Firewall](flow-operations-view.md)

**Note**  
This section and others that describe Suricata-based concepts are not intended to replace or duplicate information from the Suricata documentation. For more Suricata-specific information, see the [Suricata documentation](https://docs.suricata.io/en/suricata-7.0.8/).

## Caveats and considerations for flow operations
<a name="flow-operations-caveats"></a>

Before using flow operations, consider the following:
+ When you initiate a flow flush operation, the firewall treats impacted flows according to your stream exception policy configuration. Review your stream exception policy settings before performing a flush operation. For information, see [Stream exception policy options](stream-exception-policy.md).
+ If you execute flow capture operations using broad filter criteria (like wide IP ranges), you might encounter operation limits. To stay within these limits, use more specific flow filters, such as narrower IP ranges or additional criteria like ports and protocols.
+ When you flush flows, subsequent matching traffic is considered a new flow and evaluated against current firewall rule configurations.
+ Only firewall owners can perform flow operations. VPC endpoint association owners who do not also own the main firewall cannot perform flow operations on that firewall. For more information, see [Firewalls and firewall endpoints in AWS Network Firewall](firewalls.md).
+ Flow operations execute asynchronously across your firewall infrastructure. In the context of flow flush operations, this means flows might be marked for removal at slightly different times as the operation propagates.
+ Each flow operation (capture or flush) runs on one individual firewall at a time. If you need to perform flow operations across multiple firewalls in your network configuration, you must run separate operations for each firewall.
**Note**  
We throttle flush and capture operations to one concurrent request per firewall per Availability Zone (AZ). For example, if a firewall is deployed to two Availability Zones in the same Region, you can issue two concurrent flush or capture requests for that firewall (one request per Availability Zone). This throttling helps maintain optimal performance and prevents overloading the system.

For information on how Network Firewall propagates changes you make, see [Managing a firewall and firewall endpoints in AWS Network Firewall](firewall-managing.md).

# Capturing traffic in your firewall's state table
<a name="flow-operations-capture"></a>

With flow capture operations in Network Firewall, you can view information about active traffic flows that are tracked in your firewall's state table. These operations provide a time-boxed view of network traffic, showing both new and established flows that match your specified criteria. Captured data makes it easier to analyze current network traffic patterns, verify the effectiveness of your firewall rules, identify unexpected traffic flows, and troubleshoot network connectivity issues. 

You can view the progress and history of flow captures in your firewall's **Details** page.

**Tip**  
When using flow capture operations with broad filter criteria (like wide IP ranges), you might encounter operation limits. To stay within these limits, use more specific flow filters, such as narrower IP ranges or additional criteria like ports and protocols.

**To capture traffic flows from a firewall state table**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. Choose the name of the firewall where you want to perform the flow operation.

1. In the **Firewall operations** section, choose **Configure flow capture**.

1. Configure the scope of the flow operation, depending on your firewall configuration:
   + To perform the operation in the primary firewall endpoint only, define the VpcEndpointId.
   + To perform the operation in a VPC endpoint association only, define the VPC endpoint association ARN.
   + To perform the operation in the primary firewall endpoint and all associated VPC endpoints, define the Availability Zone of the primary firewall endpoint.

1. Optionally, configure additional flow filters to further customize the scope of the operation:
   + **Minimum age** - To exclude recently established flows, set this value to filter out flows that are newer than the specified age, in seconds
   + **Source** - A single IP address, a range of IPs (CIDR), or port
   + **Destination** - A single IP address, a range of IPs (CIDR), or port
   + **Protocol number** - The assigned internet protocol number (IANA) for each supported protocol. If left empty, the operation captures flows with any supported protocol (TCP, UDP, ICMP, ICMPv6, SCTP).

1. Review your configured filters in the **Filters** section.

1. Choose **Start capture**, then confirm that you want to begin the operation.

1. Return to the **Details** page to monitor the operation status.

For information on viewing the status and history of your operations, see [Viewing flow operations in Network Firewall](flow-operations-view.md).

# Using flow flush operations in Network Firewall
<a name="flow-operations-flush"></a>

Flow flush operations give you greater control over how your firewall rules are applied to network traffic. While Network Firewall automatically applies changes to stateful rules for new traffic flows, existing flows continue to be processed according to the rules that were in place when those flows began.

By flushing specific flows from your firewall's state table, you can force the firewall to treat subsequent matching traffic as new flows, ensuring they are evaluated against your current rule configurations. This is useful when you update rule groups or firewall policies and want these changes to take effect for existing network traffic. For example, if you modify a rule group to drop specific types of traffic, you can use a flow flush operation to ensure that all matching traffic—both new and existing—is evaluated against your updated rules.

The flow flush operation consists of two phases:

1. Initial flow identification phase - Marks specified flows for timeout in the state table

1. Flow pruning phase - Removes marked flows according to the firewall's built-in pruning mechanism
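The following is an added example, not AWS code, that models the behaviour described in the flow definitions above and in the two flush phases: a state table keyed by the six-tuple the guide lists, a read-only capture that honours the minimum-age and address/protocol filters, a flush that first marks matching entries for timeout and then prunes them, and the consequence that the next matching packet starts a brand-new flow evaluated against current rules. The clock values, sample flows, class names, and the assumption that multiple filters act as alternatives are all constructed for illustration and are not the service's internal implementation.

```python
"""Toy model of a firewall state table with flow capture and flow flush.

Added example, not AWS code. Flows are keyed by the six-tuple the guide
lists; capture reads matching entries; flush runs in two phases (mark for
timeout, then prune). Clock values, sample flows and filter semantics are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Optional, Tuple

# (Source, SourcePort, Destination, DestinationPort, Protocol number, Direction)
FlowKey = Tuple[str, int, str, int, int, str]

MAX_FILTERS = 20  # per-operation filter limit stated in the guide


@dataclass
class FlowEntry:
    key: FlowKey
    created_at: float               # constructed clock, in seconds
    marked_for_timeout: bool = False


@dataclass
class FlowFilter:
    """One flow filter: every field that is set must match (assumption)."""
    source: Optional[str] = None        # single IP or CIDR
    destination: Optional[str] = None   # single IP or CIDR
    protocol: Optional[int] = None      # IANA protocol number, e.g. 6 = TCP

    def matches(self, key: FlowKey) -> bool:
        src, _, dst, _, proto, _ = key
        if self.source and ipaddress.ip_address(src) not in ipaddress.ip_network(self.source, strict=False):
            return False
        if self.destination and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination, strict=False):
            return False
        return self.protocol is None or proto == self.protocol


class StateTable:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, FlowEntry] = {}

    def track(self, key: FlowKey, now: float) -> bool:
        """Record traffic; returns True when the six-tuple starts a new flow."""
        if key in self.flows:
            return False
        self.flows[key] = FlowEntry(key, now)
        return True

    def _select(self, filters: List[FlowFilter], now: float, min_age: float) -> List[FlowEntry]:
        if len(filters) > MAX_FILTERS:
            raise ValueError(f"at most {MAX_FILTERS} flow filters per operation")
        selected = []
        for entry in self.flows.values():
            if now - entry.created_at < min_age:      # "Minimum age" filter
                continue
            # Filters are alternatives: in scope if any filter matches (assumption).
            if not filters or any(f.matches(entry.key) for f in filters):
                selected.append(entry)
        return selected

    def capture(self, filters: List[FlowFilter], now: float, min_age: float = 0) -> List[FlowKey]:
        """Flow capture: a read-only, point-in-time view of matching flows."""
        return [e.key for e in self._select(filters, now, min_age)]

    def flush(self, filters: List[FlowFilter], now: float, min_age: float = 0) -> int:
        """Flush phase 1: mark matching flows for timeout; returns the count marked."""
        marked = self._select(filters, now, min_age)
        for entry in marked:
            entry.marked_for_timeout = True
        return len(marked)

    def prune(self) -> int:
        """Flush phase 2: drop marked entries; later matching traffic is a new flow."""
        before = len(self.flows)
        self.flows = {k: e for k, e in self.flows.items() if not e.marked_for_timeout}
        return before - len(self.flows)


def demo() -> dict:
    """Walk through capture, flush and re-evaluation on constructed flows."""
    table = StateTable()
    web1 = ("10.0.1.10", 40000, "203.0.113.5", 443, 6, "FORWARD")
    web2 = ("10.0.2.20", 40001, "203.0.113.5", 443, 6, "FORWARD")
    dns = ("10.0.1.11", 53000, "198.51.100.7", 53, 17, "FORWARD")
    table.track(web1, now=0)
    table.track(dns, now=0)
    table.track(web2, now=50)

    from_subnet = table.capture([FlowFilter(source="10.0.1.0/24")], now=60)
    # Minimum age 30 s excludes web2, which is only 10 s old at t=60.
    aged_to_web = table.capture([FlowFilter(destination="203.0.113.5")], now=60, min_age=30)
    marked = table.flush([FlowFilter(destination="203.0.113.5", protocol=6)], now=60)
    pruned = table.prune()
    remaining = len(table.flows)
    new_flow = table.track(web1, now=61)   # same six-tuple is now a new flow
    return {"from_subnet": sorted(from_subnet), "aged_to_web": aged_to_web,
            "marked": marked, "pruned": pruned, "remaining": remaining,
            "new_flow": new_flow}
```

Running `demo()` shows the point the guide makes about flushing: the two TCP flows to 203.0.113.5 are marked and pruned, the DNS flow survives, and the next packet of the pruned web flow is tracked as a new entry, which is where the current rule set (and the stream exception policy, for mid-stream traffic) takes effect.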

## Flushing traffic from your firewall's state table
<a name="flow-operations-flush-procedure"></a>

**Important**  
Flush operations cannot be cancelled once started. If you haven't already reviewed the stream exception policy in your firewall, go do that now. When you flush flows from the firewall state table, the rules engine will treat traffic according to the firewall's stream exception policy. For information, see [Stream exception policy options](stream-exception-policy.md).

**Tip**  
If your firewall is shared with other AWS accounts through VPC endpoint associations, take care to notify VPC endpoint association owners before you flush flows from the primary firewall. 

**To flush traffic flows from a firewall state table**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. Choose the name of the firewall where you want to perform the flow operation.

1. In the **Firewall operations** section, choose **Configure flow flush**.

1. Configure the scope of the flow operation, depending on your firewall configuration:
   + To perform the operation in the primary firewall endpoint only, define the VpcEndpointId.
   + To perform the operation in a VPC endpoint association only, define the VPC endpoint association ARN.
   + To perform the operation in the primary firewall endpoint and all associated VPC endpoints, define the Availability Zone of the primary firewall endpoint.

1. Optionally, configure additional flow filters to further customize the scope of the operation:
   + **Minimum age** - To exclude recently established flows, set this value to filter out flows that are newer than the specified age, in seconds
   + **Source** - A single IP address, a range of IPs (CIDR), or port
   + **Destination** - A single IP address, a range of IPs (CIDR), or port
   + **Protocol number** - The assigned internet protocol number (IANA) for each supported protocol. If left empty, the operation applies to flows with any supported protocol (TCP, UDP, ICMP, ICMPv6, SCTP).

1. Review your configured filters in the **Filters** section.

1. Choose **Start flush**, then confirm that you want to begin the operation.

1. Return to the firewall **Details** page to monitor the operation status.

For information on viewing the status and history of your operations, see [Viewing flow operations in Network Firewall](flow-operations-view.md).

# Viewing flow operations in Network Firewall
<a name="flow-operations-view"></a>

You can view the history of operations in your firewall and monitor the progress of ongoing operations. Network Firewall only stores capture and flush operations performed within the last 12 hours.

**To view operation history**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. Choose the name of the firewall that you want to view.

1. Navigate to the **Firewall operation history** section.

1. Review the status of operations:  
**In progress**  
Operations that have not yet completed.  
**Completed**  
Operations that successfully completed.  
**Failed**  
Operations that could not be completed.  
**Completed with errors**  
Operations that experienced a timeout issue or an issue that prevented completion across all hosts. These operations may have flows missing from the results.

1. Choose any completed operation to view the summary of results.

# Troubleshooting firewall endpoint failures in AWS Network Firewall
<a name="firewall-troubleshooting-endpoint-failures"></a>

If Network Firewall can't create or delete a firewall endpoint in a subnet because of an error, the service displays a *status message* describing how to resolve the issue. Use the status message in the console, API, or CLI to troubleshoot the issues causing the endpoint failure. Depending on the issue, it can take as many as 15 minutes for Network Firewall to display the status message.

------
#### [ Console ]

**To view the status message for an endpoint defined as a firewall subnet**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewall details** tab, in the **Firewall endpoints** section, hover over the **Firewall endpoint status** to view the status message.

**To view the status message for an endpoint defined as a VPC endpoint association**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **VPC endpoint associations**.

1. In the **VPC endpoint associations** page, hover over the status that you're interested in to view the status message.

------
#### [ API ]

For an endpoint defined as a firewall subnet, the [DescribeFirewall](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_DescribeFirewall.html) response includes status messages for the endpoints.

For an endpoint defined as a VPC endpoint association, the [DescribeVpcEndpointAssociation](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_DescribeVpcEndpointAssociation.html) response includes a status message for the endpoint.

------
#### [ CLI ]

For an endpoint defined as a firewall subnet, the [describe-firewall](https://docs.aws.amazon.com/cli/latest/reference/network-firewall/describe-firewall.html) response includes status messages for the endpoints.

For an endpoint defined as a VPC endpoint association, the [describe-vpc-endpoint-association](https://docs.aws.amazon.com/cli/latest/reference/network-firewall/describe-vpc-endpoint-association.html) response includes a status message for the endpoint.

------

The following table lists the possible causes of the error or failure as indicated in the Network Firewall console or the `StatusMessage` parameter in the API or CLI. Errors indicate an error that you can take actions to fix. Failures indicate a non-recoverable failed state. For errors, after you apply any of the remedial steps, Network Firewall automatically attempts to complete creation or deletion of the firewall or VPC endpoint association.


| Firewall endpoint status | Reason for error or failure | Cause | Solution | 
| --- | --- | --- | --- | 
| Error | AWS Key Management Service encryption key misconfigured |  The specified AWS KMS encryption key either doesn't exist in the Region, or you aren't allowed to access it. This can be the result of someone deleting the key or revoking your access to it. The firewall associated with this key is now in a failed state, and traffic directed to the firewall is being dropped.   |  Either update the encryption configuration with a new key or delete the firewall. For information about using encryption keys with Network Firewall, see [Encryption at rest with AWS Key Management Service](kms-encryption-at-rest.md).   | 
| Error | AWS Key Management Service encryption key deletion scheduled |  The firewall contains an AWS KMS encryption key that's scheduled for deletion. When the key is deleted, the firewall will enter a failed state and drop all traffic directed to it.  |  To prevent the firewall from entering a failed state, either update the firewall's encryption configuration with a valid key, cancel deletion and re-enable the key, or delete the firewall. For information about using encryption keys with Network Firewall, see [Encryption at rest with AWS Key Management Service](kms-encryption-at-rest.md).   | 
| Error | Generic fail closed |  The associated firewall is in a failed state, and traffic directed to the firewall is being dropped.  |  Delete the firewall. For information, see [Deleting a firewall in AWS Network Firewall](deleting-firewall.md).  | 
| Error | Inactive account fail closed |  The associated firewall's account is in inactive state. This causes the firewall to enter a failed state and drop all traffic that's directed to it.   |  Contact AWS support and reopen the account, then delete the firewall, and then close the account again. For information about deleting a firewall, see [Deleting a firewall in AWS Network Firewall](deleting-firewall.md).  | 
| Error | Endpoint tag removed |  Network Firewall can't access the firewall endpoint because the `AWSNetworkFirewallManaged:true` tag was removed from VPC endpoint. Network Firewall automatically adds this tag to the endpoint when the service creates the firewall.  |  Add the `AWSNetworkFirewallManaged:true` tag back to the firewall endpoint, and try your request again. For information about using tags, see [Tagging AWS Network Firewall resources](tagging.md).  | 
| Error | Invalid chain of trust |  The firewall's TLS inspection configuration contains a certificate with an invalid chain of trust.  |  Replace the certificate with a valid certificate.  | 
| Error | Invalid root certificate |  The firewall's TLS inspection configuration contains a certificate that Network Firewall can't validate. Network Firewall can't validate cross-signed root certificates, such as Let's Encrypt certificates. AWS Certificate Manager public certificates are cross-signed but can be used for TLS inspection. For more information, see [Using SSL/TLS certificates with TLS inspection configurations in AWS Network Firewall](tls-inspection-certificate-requirements.md).  |  Replace the certificate with a valid certificate.  | 
| Error | Invalid chain certificate |  The firewall's TLS inspection configuration contains a certificate with an invalid chain, which doesn't support certificate body. For more information, see [Using SSL/TLS certificates with TLS inspection configurations in AWS Network Firewall](tls-inspection-certificate-requirements.md).  |  Replace the certificate with a valid certificate.  | 
| Error | Invalid certificate authority (CA) certificate |  The firewall's TLS inspection configuration contains a certificate that isn't usable as a CA certificate. For more information, see [Using SSL/TLS certificates with TLS inspection configurations in AWS Network Firewall](tls-inspection-certificate-requirements.md).  |  Replace the certificate with a CA certificate.  | 
| Error | IP limit exceeded |  You've reached the quota of IPv4 or IPv6 CIDR blocks per VPC. For information about CIDR block limits per VPC, see [Amazon VPC quotas](https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html) in the *Amazon VPC User Guide*.  |  Either choose a different VPC or reduce the number of CIDR blocks associated with the VPC, and try again. For information about disassociating CIDR blocks, see [Work with VPCs](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html) in the *Amazon VPC User Guide*.  | 
| Error | Subnet deleted |  The specified subnet has been deleted. Your firewalls and VPC endpoint associations must refer to existing subnets.  |  Enter an existing subnet and try again.  | 
| Error |  Subnet invalid IP address type  | Network Firewall can't create an endpoint using the specified subnet because the subnet is associated with an IPv6 CIDR block that was removed. |  Do one of the following actions: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html)  | 
| Failed | VPC deleted |  The firewall or VPC endpoint association uses a VPC that's been deleted.  |  Delete the VPC endpoint associations or firewall that are using the VPC. Then as needed, create a new firewall and VPC endpoint associations using an existing VPC. For information, see [Managing a firewall and firewall endpoints in AWS Network Firewall](firewall-managing.md).  | 
| Error | VPCE limit exceeded |  You've reached the quota of VPC endpoints that you can have per VPC. For information about the limits, see [AWS PrivateLink quotas](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-limits-endpoints.html) in the *AWS PrivateLink Guide*.  | Either delete the VPC endpoint association, or delete the firewall and then create the endpoint or VPC endpoint association using another VPC. For information about creating or deleting endpoints, see [Work with VPCs](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html) in the *Amazon VPC User Guide*. | 
| Error |  VPCE reference exists  |  You can't delete the firewall or VPC endpoint association because the specified firewall endpoint is associated to a VPC route table.  |  Remove the firewall endpoint from your route table and try again. For information about route tables, see [Configure route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) in the *Amazon VPC User Guide*.  | 
| Error | AWS Transit Gateway not found |  The specified transit gateway does not exist or has been deleted.  |  Verify that the transit gateway exists and that you have the necessary permissions to access it.  | 
| Error | AWS Transit Gateway attachment failure |  Failed to create the firewall attachment on the transit gateway.  |  Check the transit gateway configuration and ensure that it can accept new attachments. Verify your permissions and try again.  | 
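The table above distinguishes errors (you remediate, then Network Firewall retries on its own) from failures (non-recoverable). The following added example, not AWS code, reads the `StatusMessage` values that the API and CLI tabs describe out of `DescribeFirewall` and `DescribeVpcEndpointAssociation` output and sorts endpoints into those two buckets. The two JSON documents are constructed to mirror the documented response shapes (`FirewallStatus.SyncStates.<AZ>.Attachment` for firewall subnets and, as an assumption to confirm against the API reference, `VpcEndpointAssociationStatus.AssociationSyncState.<AZ>.Attachment` for an association); the IDs and messages are placeholders, and the attachment status values `ERROR` and `FAILED` are taken to correspond to the table's "Error" and "Failed" rows.

```python
"""Extract firewall endpoint status messages from DescribeFirewall and
DescribeVpcEndpointAssociation output and separate recoverable errors from
non-recoverable failures.

Added example, not AWS code. Both responses are constructed to mirror the
documented response shapes; IDs and messages are placeholders. Confirm the
field names against the API reference for your SDK version.
"""
import json
from typing import Dict, List, Tuple

# Attachment Status values taken to map to the guide's "Error" (fixable; the
# service retries after you remediate) and "Failed" (non-recoverable) rows.
RECOVERABLE = {"ERROR"}
NON_RECOVERABLE = {"FAILED"}

# Constructed DescribeFirewall response (placeholder IDs).
FIREWALL_RESPONSE = json.loads("""
{
  "Firewall": {"FirewallName": "example-fw", "VpcId": "vpc-0example"},
  "FirewallStatus": {
    "Status": "PROVISIONING",
    "ConfigurationSyncStateSummary": "PENDING",
    "SyncStates": {
      "us-east-1a": {"Attachment": {"SubnetId": "subnet-0aaaa", "EndpointId": "vpce-0aaaa",
                                    "Status": "READY"}},
      "us-east-1b": {"Attachment": {"SubnetId": "subnet-0bbbb", "Status": "ERROR",
                                    "StatusMessage": "VPCE limit exceeded"}},
      "us-east-1c": {"Attachment": {"SubnetId": "subnet-0cccc", "Status": "FAILED",
                                    "StatusMessage": "VPC deleted"}}
    }
  }
}
""")

# Constructed DescribeVpcEndpointAssociation response (field names assumed).
ASSOCIATION_RESPONSE = json.loads("""
{
  "VpcEndpointAssociation": {"VpcEndpointAssociationId": "vpce-assoc-0example",
                             "VpcId": "vpc-0other"},
  "VpcEndpointAssociationStatus": {
    "Status": "PROVISIONING",
    "AssociationSyncState": {
      "us-east-1b": {"Attachment": {"SubnetId": "subnet-0dddd", "Status": "ERROR",
                                    "StatusMessage": "Endpoint tag removed"}}
    }
  }
}
""")


def _issues_from_sync_states(scope: str, sync_states: Dict) -> List[Dict]:
    """Collect ERROR/FAILED attachments, one record per Availability Zone."""
    issues = []
    for az, state in sorted(sync_states.items()):
        att = state.get("Attachment", {})
        status = att.get("Status", "")
        if status not in RECOVERABLE | NON_RECOVERABLE:
            continue
        issues.append({
            "scope": scope,
            "availability_zone": az,
            "subnet_id": att.get("SubnetId"),
            "status": status,
            # The guide notes the message can take up to 15 minutes to appear.
            "message": att.get("StatusMessage", "(no status message yet)"),
            "recoverable": status in RECOVERABLE,
        })
    return issues


def firewall_endpoint_issues(resp: Dict) -> List[Dict]:
    """Endpoints defined as firewall subnets (DescribeFirewall response)."""
    return _issues_from_sync_states(resp["Firewall"]["FirewallName"],
                                    resp["FirewallStatus"].get("SyncStates", {}))


def association_endpoint_issues(resp: Dict) -> List[Dict]:
    """Endpoint defined as a VPC endpoint association (DescribeVpcEndpointAssociation)."""
    return _issues_from_sync_states(
        resp["VpcEndpointAssociation"]["VpcEndpointAssociationId"],
        resp["VpcEndpointAssociationStatus"].get("AssociationSyncState", {}))


def triage(issues: List[Dict]) -> Tuple[List[Dict], List[Dict]]:
    """Split into (remediate and let the service retry, must delete/recreate)."""
    return ([i for i in issues if i["recoverable"]],
            [i for i in issues if not i["recoverable"]])


if __name__ == "__main__":
    found = firewall_endpoint_issues(FIREWALL_RESPONSE) + association_endpoint_issues(ASSOCIATION_RESPONSE)
    fixable, dead = triage(found)
    for i in fixable:
        print(f"ERROR  {i['scope']} {i['availability_zone']} {i['subnet_id']}: {i['message']}")
    for i in dead:
        print(f"FAILED {i['scope']} {i['availability_zone']} {i['subnet_id']}: {i['message']}")
```

To use it on a live firewall, replace the constructed documents with the JSON returned by `aws network-firewall describe-firewall --firewall-name <name>` and `aws network-firewall describe-vpc-endpoint-association`, then look up each message in the table above: for the `ERROR` bucket apply the listed solution and wait for the automatic retry, and for the `FAILED` bucket plan the delete-and-recreate path the table describes.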