What does this AWS Solution do?

Firewall Automation for Network Traffic on AWS configures the AWS resources needed to filter network traffic. This solution saves you time by automating the process of provisioning a centralized AWS Network Firewall to inspect traffic between your Amazon VPCs. 

Automatically deploy changes to AWS Network Firewall

This solution allows you to modify rule groups and firewall policies in the configuration package in the AWS CodeCommit repository. A change to the package automatically invokes AWS CodePipeline to run validation and deployment.

Centrally manage your AWS Network Firewall

With this solution, you can inspect hundreds or thousands of Amazon VPCs and accounts in one place. You can also centrally configure and manage your AWS Network Firewall, firewall policies, and rule groups.

Audit and track changes to AWS Network Firewall

This solution helps you collaborate on and manage changes to the AWS Network Firewall configuration by using a GitOps workflow.

AWS Solution overview

The diagram below presents the architecture you can automatically deploy using the solution's implementation guide and accompanying AWS CloudFormation template.

AWS Network Firewall Deployment Automations for AWS Transit Gateway Architecture Diagram

Firewall Automation for Network Traffic on AWS Solution architecture

The AWS CloudFormation template deploys an inspection VPC with a total of four subnets in randomly selected availability zones in the Region where the solution is deployed. Two of the subnets are used to create VPC Transit Gateway attachments if you provide an existing AWS Transit Gateway ID. The other two subnets are used to create AWS Network Firewall endpoints in two randomly selected availability zones. 

This template creates a new AWS CodeCommit repository and a network firewall configuration that allows all network traffic by default. This template also includes a set of examples to help you create new rule groups. You can modify the configuration package in the CodeCommit repository, which will invoke the AWS CodePipeline to run the validation and deployment stages.
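Because the deployed configuration starts as allow-all, a policy check is a natural fit for the validation stage. The following is an added example, not code from the solution: it assumes the firewall policy is available as JSON in the AWS Network Firewall API's FirewallPolicy shape (the page does not describe the configuration package layout), and `audit_policy` and both sample policies are hypothetical.

```python
import json

# Constructed sample: a policy in the FirewallPolicy API shape that passes
# everything, matching the allow-all default described above.
ALLOW_ALL_POLICY = json.loads("""
{
  "StatelessDefaultActions": ["aws:pass"],
  "StatelessFragmentDefaultActions": ["aws:pass"],
  "StatelessRuleGroupReferences": [],
  "StatefulRuleGroupReferences": []
}
""")

# Constructed sample: unmatched packets are handed to the stateful engine,
# which has one rule group attached (placeholder account ID and name).
INSPECTING_POLICY = {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:drop"],
    "StatelessRuleGroupReferences": [],
    "StatefulRuleGroupReferences": [
        {"ResourceArn": "arn:aws:network-firewall:us-east-1:111122223333:stateful-rulegroup/example"}
    ],
}

DEFAULT_KEYS = ("StatelessDefaultActions", "StatelessFragmentDefaultActions")

def audit_policy(policy):
    """Return a list of findings; an empty list means no allow-all condition was found."""
    findings = []
    for key in DEFAULT_KEYS:
        actions = policy.get(key)
        if not actions:
            findings.append(f"{key} is missing or empty")
        elif "aws:pass" in actions:
            findings.append(f"{key} contains aws:pass: unmatched packets skip inspection")
    # Assumes default action-order evaluation, where traffic that matches
    # no stateful rule is allowed.
    forwards = any("aws:forward_to_sfe" in policy.get(k, []) for k in DEFAULT_KEYS)
    if forwards and not policy.get("StatefulRuleGroupReferences"):
        findings.append("forwarded to the stateful engine, but no stateful rule group is referenced")
    if not policy.get("StatelessRuleGroupReferences") and not policy.get("StatefulRuleGroupReferences"):
        findings.append("policy references no rule groups")
    return findings

if __name__ == "__main__":
    for name, policy in (("allow-all", ALLOW_ALL_POLICY), ("inspecting", INSPECTING_POLICY)):
        print(name, audit_policy(policy) or "no findings")
```

A non-empty result can be used to fail the build or to require an explicit reviewer sign-off before the deployment stage runs.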

This solution creates Amazon VPC route tables for each availability zone with a default route destination. A shared route table with firewall subnets is also created with the transit gateway ID as the default route destination.

This solution also creates two AWS Key Management Service (AWS KMS) encryption keys. One key encrypts objects in the Amazon Simple Storage Service (Amazon S3) artifact and source code buckets and in the AWS CodeBuild projects. The second key encrypts the AWS Network Firewall log destinations. AWS Identity and Access Management (IAM) roles are created to grant the AWS CodePipeline and AWS CodeBuild stages permission to access the Amazon S3 buckets and manage AWS Network Firewall resources.

Firewall Automation for Network Traffic on AWS

Version 1.0.1
Release date: 04/2021
Author: AWS

Estimated deployment time: 7 min
