Posted On: Jan 9, 2023
AWS Network Firewall now supports reject as a firewall rule action so you can improve performance of latency-sensitive applications and improve internal security operations.
AWS Network Firewall’s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic. Before today, you could configure stateful rules to pass, drop, or alert on network traffic. When drop action is configured, the firewall drops the traffic, but sends no response to the source sender. This impacts TCP connections because sessions remain open until the time to live threshold is exceeded. If you want to understand why packets were dropped then you need to spend additional time and effort to complete a traceroute test or review your logs. Starting today, AWS Network Firewall will allow you to configure a stateful rule and apply a reject action when the rule is matched for TCP traffic. The firewall drops the packet and sends a TCP reset (RST) to notify the sender that the TCP connection failed. You can apply the reject action to firewall rules using the default action order, or you can set an exact order using the strict rule ordering method.
There is no additional charge for using this new AWS Network Firewall feature, but you are responsible for any additional logging costs. This feature is available in all commercial AWS Regions and AWS GovCloud (US) Regions where AWS Network Firewall is available. AWS Network Firewall is a managed firewall service that makes it easy to deploy essential network protections for all your Amazon VPCs. The service automatically scales with network traffic volume to provide high-availability protections without the need to set up or maintain the underlying infrastructure. To get started with AWS Network Firewall, please see the AWS Network Firewall product page and service documentation.