What is AWS Network Firewall?
AWS Network Firewall is a stateful, managed network firewall and intrusion detection and prevention service for the virtual private clouds (VPCs) that you create in Amazon Virtual Private Cloud (Amazon VPC).
With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Network Firewall uses the open-source intrusion prevention system (IPS) Suricata for stateful inspection, and supports Suricata-compatible rules.
You can use Network Firewall to monitor and protect your Amazon VPC traffic in a number of ways, including the following:
- Pass traffic through only from known AWS service domains or IP address endpoints, such as Amazon S3.
- Use custom lists of known bad domains to limit the types of domain names that your applications can access.
- Perform deep packet inspection on traffic entering or leaving your VPC.
- Use stateful protocol detection to filter protocols like HTTPS, independent of the port used.
Network Firewall is supported by AWS Firewall Manager. You can use Firewall Manager to centrally configure and manage your firewalls across your accounts and applications in AWS Organizations. You can manage firewalls for multiple accounts using a single account in Firewall Manager.
AWS Network Firewall concepts
AWS Network Firewall is a firewall service for Amazon Virtual Private Cloud (Amazon VPC).
The following are the key concepts for Network Firewall:
- Virtual private cloud (VPC) – A virtual network dedicated to your AWS account.
- Internet gateway – A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet.
- Subnet – A range of IP addresses in your VPC. Network Firewall creates firewall endpoints in subnets inside your VPC, to filter network traffic. In a VPC architecture that uses Network Firewall, the firewall endpoints sit between your protected subnets and locations outside your VPC.
- Firewall subnet – A subnet that you’ve designated for exclusive use by Network Firewall for a firewall endpoint. A firewall endpoint can’t filter traffic coming into or going out of the subnet in which it resides, so don’t use your firewall subnets for anything other than Network Firewall.
- Route table – A set of rules, called routes, that are used to determine where network traffic is directed. You modify your VPC route tables in Amazon VPC to direct traffic through your firewalls for filtering.
- Network Firewall firewall – An AWS resource that provides traffic filtering logic for the subnets in a VPC.
- Network Firewall firewall policy – An AWS resource that defines rules and other settings for a firewall to use to filter incoming and outgoing traffic in a VPC.
- Network Firewall rule group – An AWS resource that defines a set of rules to match against VPC traffic, and the actions to take when Network Firewall finds a match.
- Stateless rules – Criteria for inspecting a single network traffic packet, without the context of the other packets in the traffic flow, the direction of flow, or any other information that’s not provided by the packet itself.
- Stateful rules – Criteria for inspecting network traffic packets in the context of their traffic flow.
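As an added example (not taken from the AWS documentation), the rule group below implements two of the use cases listed earlier on this page, allowing traffic only to known AWS service domains and filtering TLS independent of the port used, as a Suricata-compatible stateful rule group in the input format of `aws network-firewall create-rule-group --cli-input-json`. The `tls` keyword in each rule header selects flows by the protocol Suricata detects rather than by port, and under the default rule ordering `pass` rules are evaluated before `drop`, so flows whose TLS SNI ends in the allowed domain are passed and every other TLS flow is dropped. The rule group name, the `HOME_NET` CIDR `10.0.0.0/16`, and the rule sids are constructed values, not real identifiers.

```json
{
  "RuleGroupName": "tls-to-aws-endpoints-only",
  "Type": "STATEFUL",
  "Capacity": 100,
  "Description": "Allow TLS only to AWS service domains; drop all other TLS on any port",
  "RuleGroup": {
    "RuleVariables": {
      "IPSets": {
        "HOME_NET": {
          "Definition": ["10.0.0.0/16"]
        }
      }
    },
    "RulesSource": {
      "RulesString": "pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:\".amazonaws.com\"; endswith; msg:\"Allow TLS to AWS service endpoints\"; sid:1000001; rev:1;)\ndrop tls $HOME_NET any -> $EXTERNAL_NET any (msg:\"Drop TLS to any other destination, on any port\"; sid:1000002; rev:1;)"
    }
  }
}
```

Save this as `rule-group.json`, create it with `aws network-firewall create-rule-group --cli-input-json file://rule-group.json`, and reference it from a firewall policy whose stateless default action is `aws:forward_to_sfe` so that packets actually reach the stateful engine.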