What does this AWS Solution do?
Firewall Automation for Network Traffic on AWS configures the AWS resources needed to filter network traffic. This solution saves you time by automating the process of provisioning a centralized AWS Network Firewall to inspect traffic between your Amazon VPCs.
Automatically deploy changes to AWS Network Firewall
Centrally manage your AWS Network Firewall
Audit and track changes to AWS Network Firewall
AWS Solution overview
The diagram below presents the architecture you can automatically deploy using the solution's implementation guide and accompanying AWS CloudFormation template.

Firewall Automation for Network Traffic on AWS architecture
The AWS CloudFormation template deploys an inspection VPC with a total of four subnets in randomly selected availability zones in the Region where the solution is deployed. Two of the subnets are used to create VPC Transit Gateway attachments if you provide an existing AWS Transit Gateway ID. The other two subnets are used to create AWS Network Firewall endpoints in two randomly selected availability zones.
This template creates a new AWS CodeCommit repository and a network firewall configuration that allows all network traffic by default. This template also includes a set of examples to help you create new rule groups. You can modify the configuration package in the CodeCommit repository, which will invoke the AWS CodePipeline to run the validation and deployment stages.
This solution creates Amazon VPC route tables for each availability zone with a default route destination. A shared route table with firewall subnets is also created with the transit gateway ID as the default route destination.
This solution also creates two AWS Key Management Service (AWS KMS) encryption keys. One of the keys is used to encrypt objects in the Amazon Simple Storage Service (Amazon S3) artifact, source code buckets, and AWS CodeBuild projects. The second key is used to encrypt the AWS Network Firewall log destinations. AWS Identity and Access Management (IAM) roles are created to grant permissions to AWS CodePipeline and AWS CodeBuild stages in order to access Amazon S3 buckets and manage AWS Network Firewall resources.
Firewall Automation for Network Traffic on AWS
Version 1.0.2
Release date: 01/2023
Author: AWS
Estimated deployment time: 7 min

Browse our library of AWS Solutions to get answers to common architectural problems.

Find AWS Partners to help you get started.

Find prescriptive architectural diagrams, sample code, and technical content for common use cases.