The Dynamic Object and Rule Extensions for AWS Network Firewall solution provides a mechanism to represent elastic and dynamic cloud resources as named objects that can be referenced directly within AWS Network Firewall rules. The solution automatically synchronizes such rules with the current state of the referenced AWS resources as those resources scale in or out or are updated.


Create firewall rules that reference elastic AWS resources

Define firewall rules between elastic and dynamic AWS resources easily and efficiently, without needing to know in advance which IP addresses the cloud will allocate to them.

Maintain the security principle of least privilege

Stop writing firewall rules that cover entire AWS accounts, VPCs, subnets, or Classless Inter-Domain Routing (CIDR) blocks: firewall rules instead reference simple objects that you define and manage, so each rule permits only the resources that belong to the object.

Reduce ongoing maintenance overhead

Firewall rules no longer require constant manual maintenance: AWS Network Firewall is automatically and continually configured to allow only the relevant flows, based on the current configuration of the referenced AWS resources. Rules are pruned when the elastic resources they reference no longer exist, and re-synchronized when those cloud resources are redeployed.

Reduce direct, manual coordination between application, networking, and security teams

Create dynamic objects and rules through APIs, and validate such requests against organizational policy-as-code and security approval processes before they reach the firewall.
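The following is an added example, not code from the solution or from AWS, showing the synchronization and validation steps described above in miniature: named objects are resolved to the current private IP addresses of the resources behind them, each rule request is checked against a small policy, rules whose objects currently have no members are pruned, and the result is assembled into the `RuleGroup` body shape that AWS Network Firewall's `UpdateRuleGroup` API takes (IP-set variables in `RuleVariables.IPSets`, Suricata-syntax rules in `RulesSource.RulesString`). The tag-based object model, the `ALLOWED_PORTS` policy, the `RuleRequest` type, and the sample ENI inventory are all constructed for this example and are not the solution's own data model.

```python
"""Added illustration (not the solution's own code) of resolving dynamic
objects to addresses, validating rule requests, pruning rules whose
objects are empty, and building an AWS Network Firewall RuleGroup body.
All inputs below are constructed for the example."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample inventory, shaped like the fields of
# ec2:DescribeNetworkInterfaces that matter here (tags and private IP).
SAMPLE_ENIS = [
    {"Tags": {"app": "web"}, "PrivateIpAddress": "10.0.1.10"},
    {"Tags": {"app": "web"}, "PrivateIpAddress": "10.0.1.11"},
    {"Tags": {"app": "db"}, "PrivateIpAddress": "10.0.2.20"},
]

# Hypothetical object model: an object name maps to the tags a resource
# must carry to be a member. "batch" has no members in the sample above.
OBJECTS = {
    "web": {"app": "web"},
    "db": {"app": "db"},
    "batch": {"app": "batch"},
}

# Hypothetical policy-as-code: the only ports rules may open between objects.
ALLOWED_PORTS = {443, 5432}


@dataclass(frozen=True)
class RuleRequest:
    src: str   # source object name
    dst: str   # destination object name
    port: int  # TCP destination port


def resolve(obj: str, enis: list[dict]) -> list[str]:
    """Host (/32) CIDRs of every ENI whose tags match the object's selector."""
    selector = OBJECTS[obj]
    return sorted(
        f"{e['PrivateIpAddress']}/32"
        for e in enis
        if all(e["Tags"].get(k) == v for k, v in selector.items())
    )


def policy_check(req: RuleRequest) -> str | None:
    """Return a rejection reason, or None if the request is acceptable."""
    if req.src not in OBJECTS or req.dst not in OBJECTS:
        return "unknown object"
    if req.src == req.dst:
        return "source and destination object are identical"
    if req.port not in ALLOWED_PORTS:
        return f"port {req.port} not permitted by policy"
    return None


def var_name(obj: str) -> str:
    """Suricata variable name for an object; referenced as $NAME in rules."""
    return f"{obj.upper()}_SET"


def build_rule_group(requests: list[RuleRequest], enis: list[dict]) -> dict:
    """Compute the RuleGroup body for UpdateRuleGroup from current resources.

    An object with no current members yields no IP set, and every rule that
    references it is pruned: a missing resource never widens a rule, and the
    rule reappears on the next sync once the resource is redeployed.
    """
    ipsets = {obj: resolve(obj, enis) for obj in OBJECTS}
    rules, rejected = [], []
    for n, req in enumerate(requests, start=1):
        reason = policy_check(req)
        if reason is None and not (ipsets[req.src] and ipsets[req.dst]):
            reason = "pruned: object has no members"
        if reason is not None:
            rejected.append((req, reason))
            continue
        # Stateful Suricata-syntax rule; sid is unique within the group.
        rules.append(
            f"pass tcp ${var_name(req.src)} any -> ${var_name(req.dst)} {req.port} "
            f"(msg:\"{req.src} to {req.dst}\"; sid:{1000000 + n}; rev:1;)"
        )
    rule_group = {
        "RuleVariables": {
            "IPSets": {
                var_name(obj): {"Definition": cidrs}
                for obj, cidrs in ipsets.items() if cidrs
            }
        },
        "RulesSource": {"RulesString": "\n".join(rules)},
    }
    return {"rule_group": rule_group, "rejected": rejected}


def ipset_changes(old: dict, new: dict) -> dict:
    """Per-variable CIDRs added/removed between two IPSets maps, so a sync
    run can be logged and reviewed before the firewall is updated."""
    out = {}
    for name in sorted(set(old) | set(new)):
        before = set(old.get(name, {}).get("Definition", []))
        after = set(new.get(name, {}).get("Definition", []))
        if before != after:
            out[name] = {"added": sorted(after - before),
                         "removed": sorted(before - after)}
    return out


if __name__ == "__main__":
    reqs = [RuleRequest("web", "db", 5432),
            RuleRequest("batch", "db", 5432),   # pruned: no batch hosts yet
            RuleRequest("web", "db", 22)]       # rejected by policy
    first = build_rule_group(reqs, SAMPLE_ENIS)
    print(json.dumps(first["rule_group"], indent=2))
    # Simulate a scale-in of one web host and show what the sync would change.
    scaled = [e for e in SAMPLE_ENIS if e["PrivateIpAddress"] != "10.0.1.11"]
    second = build_rule_group(reqs, scaled)
    print(ipset_changes(first["rule_group"]["RuleVariables"]["IPSets"],
                        second["rule_group"]["RuleVariables"]["IPSets"]))
```

In a real sync loop the `rule_group` dict is what goes in the `RuleGroup` parameter of `UpdateRuleGroup`, together with the `UpdateToken` returned by `DescribeRuleGroup`; the token makes the update fail if another writer changed the group in between, which is the check a synchronizer wants so that two sync runs cannot silently overwrite each other.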

Technical details

You can automatically deploy this architecture using the implementation guide and the accompanying AWS CloudFormation template.

