Posted On: May 4, 2023

Today, AWS announces support for a Reject action in the stream exception policy of AWS Network Firewall, which improves the performance of latency-sensitive applications. AWS Network Firewall is a managed firewall service that makes it easy to deploy essential network protections for all your Amazon VPCs.

Previously, you could configure the Drop or Continue action in the stream exception policy to specify how Network Firewall should handle traffic when a network connection breaks midstream. With the Drop action, Network Firewall drops all subsequent traffic in the session going through the firewall; the TCP session therefore remains open until the TCP timeout expires. With the Continue action, Network Firewall rebalances the traffic among the available backend firewall hosts and continues to apply firewall rules without the session initialization context, which affects the behavior of rules that depend on TCP session context. Starting today, you can configure the Reject action in the stream exception policy to handle midstream TCP connections. When a backend firewall host detects a midstream TCP connection, it drops the packet and sends a TCP reset (RST) to notify the sender and receiver that the TCP connection has been closed. The sender can then immediately establish a new TCP connection without waiting for a TCP timeout.
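A small audit-and-remediate helper for the setting described above, added here as an example and not part of the AWS announcement. It assumes the FirewallPolicy document shape (StatefulEngineOptions.StreamExceptionPolicy with values DROP, CONTINUE, REJECT) and boto3's describe_firewall_policy/update_firewall_policy calls, treats an absent field as DROP, and uses constructed sample policy documents:

```python
# Added example, not from the AWS announcement: audit Network Firewall policy documents for
# StreamExceptionPolicy and build the REJECT fix. Field names and API calls are real; samples are constructed.

ALLOWED = ("DROP", "CONTINUE", "REJECT")

# Midstream TCP behaviour of each action, as described in the announcement.
EFFECT = {
    "DROP": "remaining packets dropped; TCP session lingers until the TCP timeout",
    "CONTINUE": "traffic rebalanced and inspected without session context",
    "REJECT": "packet dropped and TCP RST sent; sender can reconnect at once",
}

def stream_exception_policy(policy: dict) -> str:
    """Current action; an absent field is treated as DROP (the documented
    default, stated here as this example's assumption)."""
    return policy.get("StatefulEngineOptions", {}).get("StreamExceptionPolicy", "DROP")

def with_stream_exception_policy(policy: dict, action: str) -> dict:
    """Copy of the FirewallPolicy with the action set; other engine options
    such as RuleOrder are preserved, and invalid values are rejected early."""
    if action not in ALLOWED:
        raise ValueError(f"StreamExceptionPolicy must be one of {ALLOWED}, got {action!r}")
    options = {**policy.get("StatefulEngineOptions", {}), "StreamExceptionPolicy": action}
    return {**policy, "StatefulEngineOptions": options}

def audit(policies: dict) -> dict:
    """Policy name -> (action, effect) for every policy not yet on REJECT."""
    actions = {name: stream_exception_policy(p) for name, p in policies.items()}
    return {n: (a, EFFECT[a]) for n, a in actions.items() if a != "REJECT"}

def update_to_reject(client, name: str) -> None:
    """Read-modify-write through boto3, passing UpdateToken back so a concurrent
    edit fails instead of being silently overwritten (not exercised offline)."""
    current = client.describe_firewall_policy(FirewallPolicyName=name)
    client.update_firewall_policy(
        UpdateToken=current["UpdateToken"], FirewallPolicyName=name,
        FirewallPolicy=with_stream_exception_policy(current["FirewallPolicy"], "REJECT"))

# Constructed sample documents (only the engine options matter to the audit).
SAMPLE_POLICIES = {
    "legacy-drop": {"StatelessDefaultActions": ["aws:forward_to_sfe"]},
    "strict-continue": {"StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER",
                                                  "StreamExceptionPolicy": "CONTINUE"}},
    "low-latency": {"StatefulEngineOptions": {"StreamExceptionPolicy": "REJECT"}},
}

if __name__ == "__main__":
    for name, (action, effect) in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {action} -> {effect}")
```

Run against a live account by passing `boto3.client("network-firewall")` and a policy name to `update_to_reject`; the UpdateToken round-trip is what keeps two operators from overwriting each other's policy edits.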

This feature is available in all AWS Regions where AWS Network Firewall is available. There is no additional charge for using this new AWS Network Firewall feature. To get started with AWS Network Firewall, please see the AWS Network Firewall product page and service documentation.