AWS Network Firewall Documentation

AWS Network Firewall is a managed service that enables you to deploy essential network protections for your Amazon Virtual Private Clouds (VPCs). The service scales with your network traffic. AWS Network Firewall’s rules engine lets you define firewall rules that give you control over network traffic, such as blocking outbound Server Message Block (SMB) requests. You can also import rules you’ve already written in certain open source rule formats as well as enable integrations with managed intelligence feeds sourced by AWS partners. AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts.

Stateful firewall

The stateful firewall takes into account the context of traffic flows for more granular policy enforcement, such as dropping packets based on the source address or protocol type. The match criteria for this stateful firewall is the same as AWS Network Firewall’s stateless inspection capabilities, with the addition of a match setting for traffic direction. AWS Network Firewall’s rule engine gives you the ability to write firewall rules based on source/destination IP, source/destination port, and protocol. AWS Network Firewall filters common protocols without any port specification, not just TCP/UDP traffic filtering.

Web filtering

AWS Network Firewall supports inbound and outbound web filtering for unencrypted web traffic. For encrypted web traffic, Server Name Indication (SNI) is used for blocking access to specific sites. SNI is an extension to Transport Layer Security (TLS) that remains unencrypted in the traffic flow and indicates the destination hostname a client is attempting to access over HTTPS. In addition, AWS Network Firewall can filter fully qualified domain names (FQDN).

Intrusion prevention

AWS Network Firewall’s intrusion prevention system (IPS) provides active traffic flow inspection with network and application layer protections against vulnerability exploits and brute force attacks. Its signature-based detection engine matches network traffic patterns to known threat signatures based on attributes such as byte sequences or packet anomalies.

Alert and flow logs

Alert logs are rule specific and provide additional data regarding the rule that was triggered and the particular session that triggered it. Flow logs provide state information about traffic flows that pass through the firewall, with one line per direction. AWS Network Firewall flow logs can be natively stored in Amazon S3, Amazon Kinesis, and Amazon CloudWatch.

Central management and visibility

AWS Firewall Manager is a security management service that enables you to centrally deploy and manage security policies across your applications, VPCs, and accounts in AWS Organizations. AWS Firewall Manager can organize AWS Network Firewall rules groups into policies that you can deploy across your infrastructure to help you scale enforcement in a consistent, hierarchical manner. AWS Firewall Manager provides an aggregated view of policy compliance across accounts and automates the remediation process. As new accounts, resources, and network components are created, Firewall Manager can bring them into compliance by enforcing a common set of firewall policies.

Rule management and customization

AWS Network Firewall enables customers to run Suricata-compatible rules sourced internally, from in-house custom rule development or externally, from third party vendors or open source platforms.

Diverse ecosystem of partner integrations

AWS Network Firewall is designed to integrate with AWS Partners with central third-party policy orchestration and exporting logs to analytics solutions. AWS Network Firewall supports various managed threat intelligence feeds for customers who prefer to leverage their existing managed rule providers. AWS Network Firewall can plug into various third-party policy orchestration solutions for centrally managing hybrid or multiple firewall vendor architectures. For more visibility, AWS Network Firewall logs and security event information can be sent to third-party analytics solutions, such as Security Information and Event Management (SIEM) software. 

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at, or other agreement between you and AWS governing your use of AWS’s services.