
Overview

AWS Network Firewall is a resilient, scalable, fully managed service that makes it easy to deploy advanced network protections for all of your Amazon Virtual Private Clouds (VPCs). The AWS Network Firewall flexible rules engine provides Layer 7 firewall capabilities and deep packet inspection, while active threat defense applies AWS managed rules that are designed to block evasive command-and-control channels, malicious URLs, and other threat vectors. Since AWS Network Firewall is a fully managed service, you don't have to worry about deploying and managing any infrastructure, handling version upgrades, maintenance or patching.


Comprehensive traffic protection


Deploy stateful inspection with deep packet inspection (DPI) to evaluate traffic flows based on source address, protocol type, and traffic direction. The flexible rule engine supports configuration of rules based on source/destination IP, ports, and protocols, with support for common protocol filtering without port specification requirements.


Filter inbound and outbound web traffic using HTTP header inspection for unencrypted flows and Server Name Indication (SNI) filtering for encrypted traffic. Apply domain-based controls using Fully Qualified Domain Name (FQDN) filtering to manage access to specific websites and services.

Implement Transport Layer Security (TLS) inspection to analyze encrypted traffic flows within your VPC. Native TLS inspection occurs within the firewall instance, maintaining data privacy while enabling traffic analysis for both inbound and outbound communications.

Apply location-based traffic controls using IP-to-country mapping. Create rules to allow or deny traffic based on geographic regions to help meet data sovereignty requirements and implement regional access policies.

Cloud perimeter security


Configure bi-directional traffic controls at VPC boundaries. Apply granular rules for incoming traffic and monitor outbound communications to help meet compliance requirements and maintain data governance.

Apply domain-based access controls for both encrypted and unencrypted traffic. Use FQDN filtering for standard traffic and SNI capabilities for encrypted flows to manage access to specific services independent of IP addressing.

Active threat detection and blocking


Apply network and application layer controls using signature-based detection. The IPS evaluates traffic patterns against known signatures, analyzing byte sequences and packet characteristics to identify potential security events. AWS Network Firewall includes AWS-managed threat signatures and malicious domain name rule groups at no additional cost.


Implement automated controls using Amazon global threat intelligence. AWS-managed rules identify and respond to active threats using the same threat intelligence that powers Amazon GuardDuty, helping to maintain consistent security controls across your infrastructure.

Configure custom rules to implement your specific security requirements, or use pre-built rules from AWS. Suricata compatibility lets you import IDS/IPS signatures from the active open-source security community while retaining the flexibility to update and customize controls as needed.

VPC-to-VPC traffic security


Use the simple Transit Gateway integration to inspect East-West traffic between VPCs without the need to manage a separate inspection VPC. Implement centralized security policies to monitor and control internal network communications while reducing architectural complexity.


Apply uniform security controls across VPC endpoints using a single firewall instance. Maintain consistent policy enforcement for inter-VPC traffic flows while centralizing security management.


Scalability and high availability


Ensure consistent protection with built-in redundancy and the AWS Network Firewall Service Level Agreement. Experience seamless scaling per Availability Zone as traffic patterns change. The system automatically adjusts capacity to maintain performance while optimizing costs, eliminating manual scaling operations.


Maximize efficiency by connecting multiple VPC endpoints to a single firewall instance. Reduce operational overhead and costs through consolidated security management across multiple VPCs. This flexible architecture supports diverse deployment patterns while ensuring consistent policy enforcement throughout your AWS environment.

Observability and management


Monitor network activity through detailed alert and flow logging with CloudWatch. Track rule matches and session data through alert logs, while flow logs provide bidirectional traffic state information. Store logs in Amazon S3, Kinesis, or CloudWatch for integration with existing analysis workflows.
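The alert logs described above are what a SOC actually consumes, so here is an added example (not AWS code) that parses a batch of alert-log lines and summarizes which requested domains were blocked and which sources generated the blocks. The sample lines are constructed; their layout follows the Suricata EVE JSON shape the alert logs use, but the exact field names are an assumption to verify against your own logs.

```python
import json
from collections import Counter

# Constructed sample alert-log batch (JSON Lines), including one bad line.
SAMPLE_ALERT_LOG = """\
{"firewall_name":"example-fw","availability_zone":"us-east-1a","event_timestamp":"1700000000","event":{"timestamp":"2023-11-14T22:13:20.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.1.10","src_port":50000,"dest_ip":"203.0.113.5","dest_port":443,"proto":"TCP","app_proto":"tls","alert":{"action":"blocked","signature_id":1002,"rev":1,"signature":"deny non-allowlisted TLS","severity":3},"tls":{"sni":"updates.example.net","version":"TLS 1.3"}}}
{"firewall_name":"example-fw","availability_zone":"us-east-1a","event_timestamp":"1700000001","event":{"timestamp":"2023-11-14T22:13:21.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.1.10","src_port":50001,"dest_ip":"203.0.113.5","dest_port":443,"proto":"TCP","app_proto":"tls","alert":{"action":"blocked","signature_id":1002,"rev":1,"signature":"deny non-allowlisted TLS","severity":3},"tls":{"sni":"updates.example.net","version":"TLS 1.3"}}}
{"firewall_name":"example-fw","availability_zone":"us-east-1b","event_timestamp":"1700000002","event":{"timestamp":"2023-11-14T22:13:22.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.2.20","src_port":50002,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"blocked","signature_id":1004,"rev":1,"signature":"deny non-allowlisted HTTP","severity":3},"http":{"hostname":"cdn.example.org","url":"/agent.bin","http_method":"GET"}}}
{"firewall_name":"example-fw","availability_zone":"us-east-1b","event_timestamp":"1700000003","event":{"timestamp":"2023-11-14T22:13:23.000000+0000","flow_id":4,"event_type":"alert","src_ip":"10.0.2.20","src_port":50003,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","app_proto":"tls","alert":{"action":"allowed","signature_id":2001,"rev":1,"signature":"alert on allowlisted TLS","severity":3},"tls":{"sni":"api.example.com","version":"TLS 1.2"}}}
this line is truncated and not JSON
"""


def parse_alert_lines(text):
    """Parse JSON Lines alert records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line should not abort the whole batch
        if record.get("event", {}).get("event_type") == "alert":
            records.append(record)
    return records


def requested_domain(record):
    """Domain the client asked for: TLS SNI for encrypted flows, HTTP Host for
    plaintext ones, None if the event carries neither."""
    event = record["event"]
    if "tls" in event:
        return event["tls"].get("sni")
    if "http" in event:
        return event["http"].get("hostname")
    return None


def summarize_blocks(records):
    """Count blocked connections per requested domain and per source IP so the
    noisiest denied destinations and the hosts reaching for them stand out."""
    by_domain, by_source = Counter(), Counter()
    for record in records:
        event = record["event"]
        if event.get("alert", {}).get("action") != "blocked":
            continue  # "allowed" alerts are visibility only, not enforcement
        by_domain[requested_domain(record) or "<no domain>"] += 1
        by_source[event["src_ip"]] += 1
    return {"by_domain": by_domain, "by_source": by_source}
```

Feed the same functions the lines read from the S3, Kinesis, or CloudWatch destination the page mentions; the counters are what you would turn into a dashboard or a ticket threshold.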

Streamline security operations by centrally managing policies across your entire AWS organization. Deploy consistent rules and controls across multiple accounts, applications, and VPCs through hierarchical policy management. The automated compliance monitoring and remediation capabilities help maintain security standards as your infrastructure grows, while providing clear visibility into policy adherence across your organization.

Integration and partner network


Implement network security controls using native integration with AWS services. Use Transit Gateway for a centralized architecture, VPC for traffic routing, IAM for access management, and CloudWatch for operational monitoring.

Enhance security capabilities through a rich network of partner solutions and integrations. Connect with leading security partners for policy orchestration and threat intelligence feeds while maintaining existing security investments. Export security events and log data to your preferred SIEM solution, enabling comprehensive security analysis across your entire infrastructure. See the full list of AWS Network Firewall partners.