

# Configuring your VPC and other components for AWS Network Firewall
<a name="vpc-config"></a>

This section describes the changes that you must make in your VPC configuration and other components to use AWS Network Firewall. For information about managing your Amazon Virtual Private Cloud VPC, see the [Amazon Virtual Private Cloud User Guide](https://docs.aws.amazon.com/vpc/latest/userguide). 

For examples of architectures that are supported by Network Firewall, see [Architecture and routing examples](architectures.md).

**Unsupported architectures**  
The following lists architectures and traffic types that Network Firewall doesn't support:
+ VPC peering.
+ Inspection of AWS Global Accelerator traffic.
+ Inspection of AmazonProvidedDNS traffic for Amazon EC2.

**Topics**
+ [VPC subnet configuration for AWS Network Firewall](vpc-config-subnets.md)
+ [VPC route table configuration for AWS Network Firewall](vpc-config-route-tables.md)
+ [Transit gateway attachment configuration for AWS Network Firewall](vpc-config-tgw-multi-az.md)

# VPC subnet configuration for AWS Network Firewall
<a name="vpc-config-subnets"></a>

When you associate a firewall to your VPC, you must provide a subnet for each Availability Zone where you want to place a firewall endpoint to filter traffic. A common configuration is to have a firewall endpoint in each zone where you have customer subnets that you want to protect, but you can also have a firewall endpoint filter traffic from multiple zones. 

Additionally, you can use VPC endpoint associations to define multiple endpoints in an Availability Zone and to use the firewall for VPCs other than the one specified in the firewall. For any subnet where you use a firewall, the VPC subnet management described here is the same. 

**Note**  
If you plan to use your firewall for multiple VPCs, the additional VPCs can only have firewall endpoints defined in Availability Zones where the firewall already has endpoints defined for the primary VPC. 

When you create the firewall or define a VPC endpoint association, Network Firewall adds a firewall endpoint to each of the subnets that you've specified. Each firewall endpoint uses the firewall's associated firewall policy configuration to filter traffic that you route through it. 

To prepare a VPC for your Network Firewall firewall, in each Availability Zone where you want a firewall endpoint, create the subnet that you will use for the endpoint. Each subnet must have at least one IP address available for the endpoint. You can't change the IP address type of the subnet after you create it.

Network Firewall supports up to 100 Gbps of network traffic per Availability Zone. The 100 Gbps bandwidth is shared across all associated VPC endpoints. If you require more traffic bandwidth, you can split your resources into subnets and create a Network Firewall firewall in each subnet.

**Note**  
Reserve these firewall subnets for the exclusive use of Network Firewall. A firewall endpoint can't filter traffic coming into or going out of the subnet in which it resides, so don't place other applications in the firewall endpoint subnets. 

For information about managing subnets in your VPC, see [VPCs and subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) in the *Amazon Virtual Private Cloud User Guide*.

When you create your Network Firewall firewall, you must provide at least one zone and subnet for the firewall configuration. You can add and remove subnets after you create a firewall. You can manage VPC endpoint associations for any firewall that you've created or that has been shared with you. 

# VPC route table configuration for AWS Network Firewall
<a name="vpc-config-route-tables"></a>

After you create your firewall, you reroute your VPC network traffic through the firewall endpoints so they can start filtering traffic. Perform the following steps:

1. Review the route table configurations in your VPC Availability Zones for the subnets that you want to protect and for any location that sends traffic to the subnets or receives traffic from them.

1. Determine which traffic you want the firewall to filter and insert your firewall endpoints into the traffic flow. If you want to filter both incoming and outgoing traffic, update the route tables for both directions of the flow; the firewall's stateful engine needs to see both directions of a connection. Network Firewall supports up to 100 Gbps of network traffic per Availability Zone, and that 100 Gbps bandwidth is shared across all associated VPC endpoints.

For example, suppose you wanted to filter traffic that's currently routed between a customer subnet and an internet gateway. You would update your route table configuration as follows to insert a firewall endpoint into the traffic flow: 

1. Change the customer subnet route table so that it directs internet-bound traffic to the firewall endpoint.

1. Create or change the route table that's associated with the internet gateway (the gateway, or ingress, route table) so that it directs traffic that's bound for the customer subnet to the firewall endpoint.

1. Create a route table for the firewall endpoint's subnet so that it directs internet-bound traffic to the internet gateway and directs traffic that's bound for any destination inside the VPC to the `local` target. 

In this way, the firewall endpoint sits between the customer subnet and the internet gateway and can filter all incoming and outgoing traffic for the customer subnet.
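The following script is an added example and not code from the AWS documentation. It models the three route tables from the steps above and walks a packet through them with the same longest-prefix-match rule that the VPC router applies, so that you can confirm that both directions of a flow reach the firewall endpoint before you change real route tables. It also shows the misconfigured case where the gateway route table is left at its default, so that return traffic bypasses the endpoint, and it builds the equivalent AWS CLI `create-route` and `associate-route-table` calls as strings for review. All CIDRs and resource IDs (`igw-…`, `vpce-…`, `rtb-…`) are hypothetical placeholders.

```python
"""Walk a packet through the customer subnet, internet gateway and firewall
subnet route tables with longest-prefix matching.

Added example, not AWS documentation code. CIDRs and IDs are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPC_CIDR = "10.0.0.0/16"
CUSTOMER_SUBNET = "10.0.1.0/24"          # workloads to protect
IGW = "igw-0123456789abcdef0"            # hypothetical internet gateway ID
FW_ENDPOINT = "vpce-0123456789abcdef0"   # hypothetical firewall endpoint ID


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR block
    target: str        # "local", an igw- ID or a vpce- firewall endpoint ID


# One entry per route table in the example: the customer subnet's table,
# the internet gateway's (ingress) table and the firewall subnet's table.
ROUTE_TABLES = {
    "customer": [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", FW_ENDPOINT)],
    "igw":      [Route(VPC_CIDR, "local"), Route(CUSTOMER_SUBNET, FW_ENDPOINT)],
    "firewall": [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", IGW)],
}

# Misconfiguration: the gateway route table keeps only its default local
# route, so inbound traffic is delivered straight to the customer subnet and
# only the outbound half of each connection is inspected.
BYPASSED = dict(ROUTE_TABLES, igw=[Route(VPC_CIDR, "local")])

# A packet forwarded to the firewall endpoint re-enters the VPC router from
# the firewall subnet, so that subnet's route table decides the next hop.
TABLE_AFTER_TARGET = {FW_ENDPOINT: "firewall"}


def lookup(table, dst):
    """Return the target of the most specific route matching dst, or None."""
    dst_ip = ip_address(dst)
    best = None
    for route in table:
        net = ip_network(route.destination)
        if dst_ip in net and (best is None or net.prefixlen > ip_network(best.destination).prefixlen):
            best = route
    return best.target if best else None


def trace(tables, start_table, dst, max_hops=8):
    """List the targets a packet to dst hits, beginning in start_table."""
    path, table = [], start_table
    for _ in range(max_hops):
        target = lookup(tables[table], dst)
        path.append(target)
        if target not in TABLE_AFTER_TARGET:
            return path   # delivered locally, handed to the IGW, or unroutable
        table = TABLE_AFTER_TARGET[target]
    raise RuntimeError("routing loop between " + ", ".join(map(str, path)))


def flow_is_inspected(tables, host, remote):
    """True only if BOTH directions of host<->remote traverse the firewall endpoint.

    The firewall is stateful: if the return path skips the endpoint, it never
    sees the whole connection and inspection of that flow is incomplete.
    """
    outbound = trace(tables, "customer", remote)
    inbound = trace(tables, "igw", host)
    return FW_ENDPOINT in outbound and FW_ENDPOINT in inbound


def create_route_commands(rtb_ids, tables=ROUTE_TABLES):
    """Build the AWS CLI calls that realise the tables; rtb_ids maps name -> rtb- ID.

    Returned as strings for review, not executed. The local route exists on
    every VPC route table by default and is therefore skipped.
    """
    cmds = []
    for name, routes in tables.items():
        for route in routes:
            if route.target == "local":
                continue
            flag = "--vpc-endpoint-id" if route.target.startswith("vpce-") else "--gateway-id"
            cmds.append(f"aws ec2 create-route --route-table-id {rtb_ids[name]} "
                        f"--destination-cidr-block {route.destination} {flag} {route.target}")
    # A gateway route table is attached to the IGW with an edge association.
    cmds.append(f"aws ec2 associate-route-table --route-table-id {rtb_ids['igw']} --gateway-id {IGW}")
    return cmds


if __name__ == "__main__":
    for name, tables in (("correct", ROUTE_TABLES), ("bypassed", BYPASSED)):
        print(name, "inspected both ways:", flow_is_inspected(tables, "10.0.1.10", "203.0.113.5"))
    for cmd in create_route_commands({"customer": "rtb-aaa", "igw": "rtb-bbb", "firewall": "rtb-ccc"}):
        print(cmd)
```

Note that traffic between two hosts inside the VPC matches the `local` route in the customer subnet's table and never reaches the endpoint; this layout only inspects traffic that crosses the internet gateway. The subnet-to-endpoint route in the gateway route table wins over the VPC-wide `local` route because it has the longer prefix, which is why the inbound path stays inspected.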

For an overview of common Network Firewall architectures, with example route table configurations, see [Architecture and routing examples](architectures.md). 

For information about managing route tables for your VPC, see [Route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) in the *Amazon Virtual Private Cloud User Guide*.

# Transit gateway attachment configuration for AWS Network Firewall
<a name="vpc-config-tgw-multi-az"></a>

This section applies to the use of Network Firewall with a transit gateway in multiple Availability Zones where the firewall endpoints might reside in different Availability Zones than the subnets whose traffic they're filtering. 

**Note**  
To use this configuration, you must enable appliance mode on the transit gateway VPC attachment for any VPC where Network Firewall endpoints reside. 

A Network Firewall endpoint is a stateful network appliance. Enabling appliance mode ensures that the transit gateway continues to use the same Availability Zone for the VPC attachment over the lifetime of a flow of traffic between source and destination. Without appliance mode, the return traffic of a flow can be sent through a different Availability Zone and reach a different firewall endpoint, one that holds no state for that flow. 

For information about VPC transit gateways, see the guide [Amazon Virtual Private Cloud Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html).

For information about appliance mode and how to enable it in your attachments, see [Availability Zones](https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html#tgw-az-overview) and [Example: Appliance in a shared services VPC](https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html).