AWS::NetworkFirewall::Firewall
Use the AWS::NetworkFirewall::Firewall resource to provide stateful, managed network firewall and intrusion detection and prevention filtering for your VPCs in Amazon VPC.
The firewall defines the configuration settings for an AWS Network Firewall firewall. The settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall AWS resource.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
    {
      "Type" : "AWS::NetworkFirewall::Firewall",
      "Properties" : {
          "DeleteProtection" : Boolean,
          "Description" : String,
          "FirewallName" : String,
          "FirewallPolicyArn" : String,
          "FirewallPolicyChangeProtection" : Boolean,
          "SubnetChangeProtection" : Boolean,
          "SubnetMappings" : [ SubnetMapping, ... ],
          "Tags" : [ Tag, ... ],
          "VpcId" : String
        }
    }
YAML
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      DeleteProtection: Boolean
      Description: String
      FirewallName: String
      FirewallPolicyArn: String
      FirewallPolicyChangeProtection: Boolean
      SubnetChangeProtection: Boolean
      SubnetMappings:
        - SubnetMapping
      Tags:
        - Tag
      VpcId: String
Properties
DeleteProtection
    A flag indicating whether it is possible to delete the firewall. A setting of TRUE indicates that the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. When you create a firewall, the operation initializes this flag to TRUE.
    Required: No
    Type: Boolean
    Update requires: No interruption
Description
    A description of the firewall.
    Required: No
    Type: String
    Pattern: ^.*$
    Maximum: 512
    Update requires: No interruption
FirewallName
    The descriptive name of the firewall. You can't change the name of a firewall after you create it.
    Required: Yes
    Type: String
    Pattern: ^[a-zA-Z0-9-]+$
    Minimum: 1
    Maximum: 128
    Update requires: Replacement
FirewallPolicyArn
    The Amazon Resource Name (ARN) of the firewall policy.
    The relationship of firewall to firewall policy is many to one. Each firewall requires one firewall policy association, and you can use the same firewall policy for multiple firewalls.
    Required: Yes
    Type: String
    Pattern: ^arn:aws.*$
    Minimum: 1
    Maximum: 256
    Update requires: No interruption
FirewallPolicyChangeProtection
    A setting indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.
    Required: No
    Type: Boolean
    Update requires: No interruption
SubnetChangeProtection
    A setting indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.
    Required: No
    Type: Boolean
    Update requires: No interruption
SubnetMappings
    The public subnets that Network Firewall is using for the firewall. Each subnet must belong to a different Availability Zone.
    Required: Yes
    Type: Array of SubnetMapping
    Minimum: 1
    Update requires: No interruption
Tags
    An array of key-value pairs to apply to this resource.
    For more information, see Tag.
    Required: No
    Type: Array of Tag
    Update requires: No interruption
VpcId
    The unique identifier of the VPC where the firewall is in use. You can't change the VPC of a firewall after you create the firewall.
    Required: Yes
    Type: String
    Pattern: ^vpc-[0-9a-f]+$
    Minimum: 1
    Maximum: 128
    Update requires: Replacement
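The constraints above are easy to get wrong in a hand-written template, and an explicit false on one of the three protection flags is the kind of change a reviewer wants surfaced before the stack is deployed. As an added example that is not part of the AWS documentation, the following Python script checks a parsed template against the documented rules: required properties, patterns and length limits, at least one SubnetMapping, and any protection flag set to false. Values given as intrinsic functions (Ref, Fn::GetAtt) are skipped because they resolve at deploy time. The sample template is constructed for this example (the page's SampleFirewall plus a deliberately weak WeakFirewall), and check_firewall and check_template are names chosen here. It does not verify that the subnets lie in different Availability Zones, since that needs a lookup against the account.

```python
import json
import re

# Documented constraints for the string properties: (pattern, min length, max length).
STRING_CONSTRAINTS = {
    "FirewallName": (r"^[a-zA-Z0-9-]+$", 1, 128),
    "Description": (r"^.*$", 0, 512),
    "FirewallPolicyArn": (r"^arn:aws.*$", 1, 256),
    "VpcId": (r"^vpc-[0-9a-f]+$", 1, 128),
}
REQUIRED = ("FirewallName", "FirewallPolicyArn", "SubnetMappings", "VpcId")
# All three default to TRUE when the firewall is created; an explicit false deserves review.
PROTECTION_FLAGS = ("DeleteProtection", "FirewallPolicyChangeProtection", "SubnetChangeProtection")


def is_intrinsic(value):
    """True for values such as {"Ref": ...} or {"Fn::GetAtt": ...} that resolve at deploy time."""
    return isinstance(value, dict)


def check_firewall(logical_id, resource):
    """Return (severity, message) findings for one AWS::NetworkFirewall::Firewall resource."""
    findings = []
    if resource.get("Type") != "AWS::NetworkFirewall::Firewall":
        return findings
    props = resource.get("Properties", {})

    for name in REQUIRED:
        if name not in props:
            findings.append(("error", f"{logical_id}: missing required property {name}"))

    for name, (pattern, lo, hi) in STRING_CONSTRAINTS.items():
        value = props.get(name)
        if value is None or is_intrinsic(value):
            continue
        if not isinstance(value, str):
            findings.append(("error", f"{logical_id}: {name} must be a String"))
            continue
        if not lo <= len(value) <= hi:
            findings.append(("error", f"{logical_id}: {name} length {len(value)} outside {lo}..{hi}"))
        if not re.fullmatch(pattern, value):
            findings.append(("error", f"{logical_id}: {name} does not match {pattern}"))

    mappings = props.get("SubnetMappings")
    if isinstance(mappings, list):
        if not mappings:
            findings.append(("error", f"{logical_id}: SubnetMappings needs at least one entry"))
        for i, mapping in enumerate(mappings):
            if not isinstance(mapping, dict) or "SubnetId" not in mapping:
                findings.append(("error", f"{logical_id}: SubnetMappings[{i}] has no SubnetId"))
    elif mappings is not None and not is_intrinsic(mappings):
        findings.append(("error", f"{logical_id}: SubnetMappings must be a list of SubnetMapping"))

    for flag in PROTECTION_FLAGS:
        if props.get(flag) is False:
            findings.append(("warning", f"{logical_id}: {flag} is explicitly disabled"))
    return findings


def check_template(template):
    """Run check_firewall over every resource in a parsed template."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        findings.extend(check_firewall(logical_id, resource))
    return findings


# Constructed sample: the page's example firewall plus a deliberately weak one.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "SampleFirewall": {
      "Type": "AWS::NetworkFirewall::Firewall",
      "Properties": {
        "FirewallName": "SampleFirewallName",
        "FirewallPolicyArn": { "Ref": "SampleFirewallPolicy" },
        "VpcId": { "Ref": "SampleVPC" },
        "SubnetMappings": [
          { "SubnetId": { "Ref": "SampleSubnet1" } },
          { "SubnetId": { "Ref": "SampleSubnet2" } }
        ],
        "Description": "Firewall description goes here"
      }
    },
    "WeakFirewall": {
      "Type": "AWS::NetworkFirewall::Firewall",
      "Properties": {
        "FirewallName": "bad name!",
        "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:012345678901:firewall-policy/p",
        "VpcId": "VPC-123",
        "SubnetMappings": [],
        "DeleteProtection": false,
        "SubnetChangeProtection": false
      }
    }
  }
}""")

if __name__ == "__main__":
    for severity, message in check_template(SAMPLE_TEMPLATE):
        print(f"{severity.upper()}: {message}")
```

Run against a real template, load it with json (or a YAML parser that understands the !Ref short form) and pass the resulting dict to check_template; the SampleFirewall resource produces no findings, while WeakFirewall yields three errors and two warnings.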
Return values
Ref
    When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the firewall. For example:
        { "Ref": "arn:aws:network-firewall:us-east-1:012345678901:firewall/myFirewallName" }
    For more information about using the Ref function, see Ref.
Fn::GetAtt
    The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
    For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
EndpointIds
    The unique IDs of the firewall endpoints for all of the subnets that you attached to the firewall. The subnets are not listed in any particular order. For example:
        ["us-west-2c:vpce-111122223333", "us-west-2a:vpce-987654321098", "us-west-2b:vpce-012345678901"]
FirewallArn
    The Amazon Resource Name (ARN) of the AWS::NetworkFirewall::Firewall.
FirewallId
    The name of the AWS::NetworkFirewall::Firewall resource.
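The EndpointIds value is what you need when building route tables that send subnet traffic through the firewall: each protected subnet should point at the endpoint in its own Availability Zone, and a subnet whose AZ has no endpoint needs a deliberate decision rather than a silent fallback. The following Python helper is an added example, not part of the AWS documentation. It parses the az:vpce-id strings from the attribute into a per-AZ map and picks an endpoint for each subnet, refusing to continue if any AZ has no endpoint. The subnet-to-AZ mapping is assumed to come from your own inventory and is constructed inline here; parse_endpoint_ids and endpoint_for_subnets are names chosen for this example.

```python
# Sample Fn::GetAtt EndpointIds value as shown on the page (entries come in no particular order).
SAMPLE_ENDPOINT_IDS = [
    "us-west-2c:vpce-111122223333",
    "us-west-2a:vpce-987654321098",
    "us-west-2b:vpce-012345678901",
]

# Constructed mapping of protected subnets to their Availability Zones.
SAMPLE_SUBNET_AZS = {
    "subnet-aaaa1111": "us-west-2a",
    "subnet-bbbb2222": "us-west-2b",
    "subnet-cccc3333": "us-west-2c",
}


def parse_endpoint_ids(endpoint_ids):
    """Turn ["az:vpce-...", ...] into {az: vpce_id}, rejecting malformed or duplicate entries."""
    by_az = {}
    for entry in endpoint_ids:
        az, sep, vpce = entry.partition(":")
        if not sep or not az or not vpce.startswith("vpce-"):
            raise ValueError(f"unexpected EndpointIds entry: {entry!r}")
        if az in by_az:
            raise ValueError(f"more than one endpoint reported for {az}")
        by_az[az] = vpce
    return by_az


def endpoint_for_subnets(endpoint_ids, subnet_azs):
    """Map each protected subnet to the firewall endpoint in its own AZ.

    Raises KeyError when some AZ has no endpoint, so the caller does not
    silently route that subnet through an endpoint in another zone.
    """
    by_az = parse_endpoint_ids(endpoint_ids)
    missing = sorted(set(subnet_azs.values()) - set(by_az))
    if missing:
        raise KeyError(f"no firewall endpoint in AZ(s): {', '.join(missing)}")
    return {subnet_id: by_az[az] for subnet_id, az in subnet_azs.items()}


if __name__ == "__main__":
    for subnet_id, vpce in endpoint_for_subnets(SAMPLE_ENDPOINT_IDS, SAMPLE_SUBNET_AZS).items():
        print(f"{subnet_id} -> {vpce}")
```

In a template the attribute is available as Fn::GetAtt on the firewall's logical ID (for example !GetAtt SampleFirewall.EndpointIds); the helper above is meant for the tooling that reads stack outputs and generates the per-AZ routes afterwards.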
Examples
Create a firewall
The following shows example firewall specifications.
JSON
    "SampleFirewall": {
      "Type": "AWS::NetworkFirewall::Firewall",
      "Properties": {
        "FirewallName": "SampleFirewallName",
        "FirewallPolicyArn": { "Ref": "SampleFirewallPolicy" },
        "VpcId": { "Ref": "SampleVPC" },
        "SubnetMappings": [
          { "SubnetId": { "Ref": "SampleSubnet1" } },
          { "SubnetId": { "Ref": "SampleSubnet2" } }
        ],
        "Description": "Firewall description goes here",
        "Tags": [
          { "Key": "Foo", "Value": "Bar" }
        ]
      }
    }
YAML
    SampleFirewall:
      Type: AWS::NetworkFirewall::Firewall
      Properties:
        FirewallName: SampleFirewallName
        FirewallPolicyArn: !Ref SampleFirewallPolicy
        VpcId: !Ref SampleVPC
        SubnetMappings:
          - SubnetId: !Ref SampleSubnet1
          - SubnetId: !Ref SampleSubnet2
        Description: Firewall description goes here
        Tags:
          - Key: Foo
            Value: Bar