AWS Network Firewall features

Deploy stateful inspection with deep packet inspection (DPI) to evaluate traffic flows based on source address, protocol type, and traffic direction. The flexible rule engine supports configuration of rules based on source/destination IP, ports, and protocols, with support for common protocol filtering without port specification requirements.

Filter inbound and outbound web traffic using HTTP header inspection for unencrypted flows and Server Name Indication (SNI) filtering for encrypted traffic. Apply domain-based controls using Fully Qualified Domain Name (FQDN) filtering to manage access to specific websites and services.

Implement Transport Layer Security (TLS) inspection to analyze encrypted traffic flows within your VPC. Native TLS inspection occurs within the firewall instance, maintaining data privacy while enabling traffic analysis for both inbound and outbound communications.

Apply location-based traffic controls using IP-to-country mapping. Create rules to allow or deny traffic based on geographic regions to help meet data sovereignty requirements and implement regional access policies.

Configure bi-directional traffic controls at VPC boundaries. Apply granular rules for incoming traffic and monitor outbound communications to help meet compliance requirements and maintain data governance.

Apply domain-based access controls for both encrypted and unencrypted traffic. Use FQDN filtering for standard traffic and SNI capabilities for encrypted flows to manage access to specific services independent of IP addressing.

Apply network and application layer controls using signature-based detection. The IPS evaluates traffic patterns against known signatures, analyzing byte sequences and packet characteristics to identify potential security events. AWS Network Firewall includes AWS-managed threat signatures and malicious domain name rule groups at no additional cost.

Implement automated controls using Amazon global threat intelligence. AWS-managed rules identify and respond to active threats using the same threat intelligence that powers Amazon GuardDuty, helping to maintain consistent security controls across your infrastructure.

Configure custom rules to implement your specific security requirements or leverage pre-built rules from AWS. Suricata-compatibility enables you to import IDS/IPS signatures from the active open-source security community while maintaining flexibility to update and customize controls as needed.

Use the simple Transit Gateway integration to inspect East-West traffic between VPCs without the need to manage a separate inspection VPCs. Implement centralized security policies to monitor and control internal network communications while reducing architectural complexity.

Apply uniform security controls across VPC endpoints using a single firewall instance. Maintain consistent policy enforcement for inter-VPC traffic flows while centralizing security management.g.

Ensure consistent protection with built-in redundancy and the AWS Network Firewall Service Level Agreement. Experience seamless scaling per Availability Zone as traffic patterns change. The system automatically adjusts capacity to maintain performance while optimizing costs, eliminating manual scaling operations.

Maximize efficiency by connecting multiple VPC endpoints to a single firewall instance. Reduce operational overhead and costs through consolidated security management across multiple VPCs. This flexible architecture supports diverse deployment patterns while ensuring consistent policy enforcement throughout your AWS environment.

Monitor network activity through detailed alert and flow logging with CloudWatch. Track rule matches and session data through alert logs, while flow logs provide bidirectional traffic state information. Store logs in Amazon S3, Kinesis, or CloudWatch for integration with existing analysis workflows.

Streamline security operations by centrally managing policies across your entire AWS organization. Deploy consistent rules and controls across multiple accounts, applications, and VPCs through hierarchical policy management. The automated compliance monitoring and remediation capabilities help maintain security standards as your infrastructure grows, while providing clear visibility into policy adherence across your organization.

Implement network security controls using native integration with AWS services. Use Transit Gateway for a centralized architecture, VPC for traffic routing, IAM for access management, and CloudWatch for operational monitoring.

Enhance security capabilities through a rich network of partner solutions and integrations. Connect with leading security partners for policy orchestration and threat intelligence feeds, while maintaining existing security investments. Export security events and log data to your preferred SIEM solution, enabling comprehensive security analysis across your entire infrastructure. See a full list of AWS Network Firewall partners