AWS Network Firewall FAQs

General

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). The service can be set up with just a few clicks and scales automatically with your network traffic so you don't have to worry about deploying and managing any infrastructure. Network Firewall’s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity. You can also import rules you’ve already written in common open source rule formats or import compatible rules sourced from AWS partners. AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts.

The AWS Network Firewall infrastructure is managed by AWS, so you don’t have to worry about building and maintaining your own network security infrastructure. AWS Network Firewall works with AWS Firewall Manager, so you can centrally manage security policies and automatically enforce mandatory security policies across existing and newly created accounts and VPCs. AWS Network Firewall has a highly flexible rules engine, so you can build custom firewall rules to protect your unique workloads. AWS Network Firewall supports thousands of rules, and the rules can be based on domain, port, protocol, IP addresses, and pattern matching.

AWS Network Firewall includes features that protect from common network threats. AWS Network Firewall’s stateful firewall can incorporate context from traffic flows, like tracking connections and protocol identification, to enforce policies such as preventing your VPCs from accessing domains using an unauthorized protocol. AWS Network Firewall’s intrusion prevention system (IPS) provides active traffic flow inspection so you can identify and block vulnerability exploits using signature-based detection. AWS Network Firewall also offers web filtering that can stop traffic to known-bad URLs and monitor fully qualified domain names.

AWS Network Firewall gives you control and visibility of VPC-to-VPC traffic to logically separate networks hosting sensitive applications or line-of-business resources. AWS Network Firewall provides URL, IP address, and domain-based outbound traffic filtering to help you meet compliance requirements, stop potential data leaks, and block communication with known malware hosts. AWS Network Firewall secures AWS Direct Connect and AWS VPN traffic running through AWS Transit Gateway from client devices and your on-premises environments. AWS Network Firewall protects application availability by filtering inbound Internet traffic using features such as Access Control List (ACL) rules, stateful inspection, protocol detection, and intrusion prevention.

AWS Network Firewall is designed to protect and control access to and from your VPC, but not to mitigate volumetric attacks, like distributed denial of service (DDoS), that can impact the availability of your application. To protect against DDoS attacks and ensure application availability, we recommend customers review and adhere to our AWS Best Practices for DDoS Resiliency, and also explore AWS Shield Advanced, which offers managed DDoS protection customized to your specific application traffic.

AWS Network Firewall complements existing network and application security services on AWS by providing control and visibility to Layer 3-7 network traffic for your entire VPC. Depending on your use case, you may choose to implement AWS Network Firewall along your existing security controls, such as Amazon VPC Security Groups, AWS Web Application Firewall rules, or AWS Marketplace appliances.

AWS Network Firewall pricing is based on the number of firewalls deployed and the amount of traffic inspected. Please visit AWS Network Firewall Pricing for more information.

For more information on regional availability for AWS Network Firewall, see the AWS region table.

A number of AWS Partner Network (APN) Partners offer products that complement existing AWS services to enable you to deploy a seamless and comprehensive security architecture across AWS and your on-premises environment. For a current list of APN Partners offering products that complement AWS Network Firewall, see AWS Network Firewall partners.

AWS Network Firewall offers a Service Level Agreement with an uptime commitment of 99.99%. AWS Network Firewall enables you to automatically scale your firewall capacity up or down based on traffic load to maintain steady, predictable performance to minimize costs.

AWS Network Firewall is subject to service quotas for the number of firewalls, firewall policies, and rules groups that you can create and for other settings, such as the number of stateless or stateful rule groups you can have in a single firewall policy. For additional details about service quotas, including information about how to request a service quota increase, see the AWS Network Firewall quotas page.

Getting started with AWS Network Firewall

AWS Network Firewall supports two primary deployment types: centralized and distributed. When distributed, the AWS Network Firewall can be deployed within each of your Amazon VPCs for enforcement closer to the applications. AWS Network Firewall also supports a centralized deployment as a VPC attachment to your AWS Transit Gateway. With the Network Firewall in Transit Gateway mode, which maintains symmetric routing to the same zonal firewall, you can filter a variety of inbound and outbound traffic to or from Internet Gateways, Direct Connect gateways, PrivateLink, VPN Site-to-Site and Client gateways, NAT gateways, and even between other attached VPCs and subnets.

AWS Network Firewall is deployed as an endpoint service, similar to other network services such as AWS PrivateLink. Your AWS Network Firewall endpoint must be deployed in a dedicated subnet within your Amazon VPC, with a minimum size of /28. AWS Network Firewall inspects all traffic that is routed to the endpoint, which is the mechanism for path insertion and filtering. Through the AWS Firewall Manager Console, or through partner solutions that integrate with AWS Firewall Manager, you can centrally build configurations and policies using various rule types, such as stateless access control lists (ACLs), stateful inspection, and intrusion prevention systems (IPSs). Because AWS Network Firewall is an AWS managed service, AWS takes care of scaling, availability, resiliency, and software updates.

Yes. AWS Network Firewall is a regional service and secures network traffic at an organization and account level. For maintaining policy and governance across multiple accounts, you may want to use AWS Firewall Manager.

An AWS Network Firewall policy defines the monitoring and protection behavior of a firewall. The details of that behavior are defined in the rule groups that you add to your policy or in certain default policy settings. To use a firewall policy, you associate the policy with one or more firewalls.

A rule group is a reusable set of firewall rules for inspecting and filtering network traffic. You can use stateless or stateful rule groups to configure the traffic inspection criteria for your firewall policies. You can create your own rule groups or you can use rule groups that are managed by AWS Marketplace Sellers. For more information, please refer to the AWS Network Firewall Developer Guide.

AWS Network Firewall supports both stateless and stateful rules. Stateless rules consist of network access control lists (ACLs), which can be based on source and destination IP addresses, ports, or protocols. Stateful, or Layer-4, rules are also defined by source and destination IP addresses, ports, and protocols but differ from stateless rules in that they maintain and secure connections or sessions throughout the life of the connection or session.

Working with AWS Network Firewall

You can log your AWS Network Firewall activity to an Amazon S3 bucket for further analysis and investigation. You can also use Amazon Kinesis Firehose to port your logs to a third-party provider.

Yes. You can deploy AWS Network Firewall within your VPC and then attach that VPC to a TGW. For more information about this configuration, see the Deployment models for AWS Network Firewall blog post.

AWS Network Firewall already uses AWS Gateway Load Balancer to provide elastic scalability for the firewall endpoint and does not require separate integration. You can observe this by checking the firewall endpoint elastic network interface (ENI), which uses “gateway_load_balancer_endpoint” type.

AWS Network Firewall supports the following types of outbound traffic control: HTTPS (SNI)/HTTP protocol URL filtering, Access Control Lists (ACLs), DNS query, and protocol detection.

AWS Network Firewall does support deep packet inspection for encrypted traffic.

Inspecting encrypted traffic with AWS Network Firewall

You can configure AWS Network Firewall TLS inspection from either the Amazon VPC Console or the Network Firewall API. Set up is a 3-step process. Follow the steps in the AWS Network Firewall service documentation to 1) provision certificates and keys, 2) create a TLS inspection configuration, and 3) apply the configuration to a firewall policy.

The service supports TLS version 1.1, 1.2, and 1.3 with the exception of encrypted client hello (ECH) and encrypted SNI (ESNI).

AWS Network Firewall supports all cipher suites supported by AWS Certificate Manager (ACM). Refer to TLS inspection considerations in the service documentation for details.

AWS Network Firewall pricing is based on the number of firewalls deployed and the amount of traffic inspected. Please visit AWS Network Firewall Pricing for more information about ingress TLS inspection cost.

We expect to maintain the current AWS Network Firewall bandwidth performance with this new feature release. We recommend that customers conduct their own testing using their rulesets to ensure the service meets their performance expectations.