Amazon Network Firewall FAQs

General

What is Amazon Network Firewall?
Amazon Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). The service can be set up with just a few clicks and scales automatically with your network traffic so you don't have to worry about deploying and managing any infrastructure. Network Firewall’s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity. You can also import rules you’ve already written in common open source rule formats. Amazon Network Firewall works together with Amazon Firewall Manager so you can build policies based on Amazon Network Firewall rules and then centrally apply those policies across your VPCs and accounts.
What are the key benefits of Amazon Network Firewall?
The Amazon Network Firewall infrastructure is managed by us, so you don’t have to worry about building and maintaining your own network security infrastructure. Amazon Network Firewall works with Amazon Firewall Manager, so you can centrally manage security policies and automatically enforce mandatory security policies across existing and newly created accounts and VPCs. Amazon Network Firewall has a highly flexible rules engine, so you can build custom firewall rules to protect your unique workloads. Amazon Network Firewall supports thousands of rules, and the rules can be based on domain, port, protocol, IP addresses, and pattern matching.
How does Amazon Network Firewall protect my VPC?
Amazon Network Firewall includes features that protect from common network threats. Amazon Network Firewall’s stateful firewall can incorporate context from traffic flows, like tracking connections and protocol identification, to enforce policies such as preventing your VPCs from accessing domains using an unauthorized protocol. Amazon Network Firewall’s intrusion prevention system (IPS) provides active traffic flow inspection so you can identify and block vulnerability exploits using signature-based detection. Amazon Network Firewall also offers web filtering that can stop traffic to known-bad URLs and monitor fully qualified domain names.
When should I use Amazon Network Firewall?
Amazon Network Firewall gives you control and visibility of VPC-to-VPC traffic to logically separate networks hosting sensitive applications or line-of-business resources. Amazon Network Firewall provides URL, IP address, and domain-based outbound traffic filtering to help you meet compliance requirements, stop potential data leaks, and block communication with known malware hosts. Amazon Network Firewall secures Amazon Direct Connect traffic running through Amazon Transit Gateway from client devices and your on-premises environments. Amazon Network Firewall protects application availability by filtering inbound Internet traffic using features such as Access Control List (ACL) rules, stateful inspection, protocol detection, and intrusion prevention.
How is Amazon Network Firewall different from other firewall offerings on Amazon Web Services Cloud and the Amazon Web Services Marketplace?
Amazon Network Firewall complements existing network and application security services on Amazon Web Services Cloud by providing control and visibility to Layer 3-7 network traffic for your entire VPC. Depending on your use case, you may choose to implement Amazon Network Firewall along your existing security controls, such as Amazon VPC Security Groups, Amazon Web Application Firewall rules, or Amazon Web Services Marketplace appliances.
How much does Amazon Network Firewall cost?
Amazon Network Firewall pricing is based on the number of firewalls deployed and the amount of traffic inspected. Please visit Amazon Network Firewall Pricing for more information.
Does Amazon Network Firewall offer a Service Level Agreement?
Amazon Network Firewall offers a Service Level Agreement with an uptime commitment of 99.99%. Amazon Network Firewall enables you to automatically scale your firewall capacity up or down based on traffic load to maintain steady, predictable performance to minimize costs.
What are the service quotas for Amazon Network Firewall?
Amazon Network Firewall is subject to service quotas for the number of firewalls, firewall policies, and rules groups that you can create and for other settings, such as the number of stateless or stateful rule groups you can have in a single firewall policy. For additional details about service quotas, including information about how to request a service quota increase, see the Amazon Network Firewall quotas page.

Getting started with Amazon Network Firewall

What is the typical deployment model for Amazon Network Firewall?

Amazon Network Firewall supports two primary deployment types: centralized and distributed. When distributed, the Amazon Network Firewall can be deployed within each of your Amazon VPCs for enforcement closer to the applications. Amazon Network Firewall also supports a centralized deployment as a VPC attachment to your Amazon Transit Gateway. With the Network Firewall in Transit Gateway mode, which maintains symmetric routing to the same zonal firewall, you can filter a variety of inbound and outbound traffic to or from Internet Gateways, Direct Connect gateways, PrivateLink, NAT gateways, and even between other attached VPCs and subnets.

How do I enable Amazon Network Firewall?

Amazon Network Firewall is deployed as an endpoint service, similar to other network services such as Amazon PrivateLink. Your Amazon Network Firewall endpoint must be deployed in a dedicated subnet within your Amazon VPC, with a minimum size of /28. Amazon Network Firewall inspects all traffic that is routed to the endpoint, which is the mechanism for path insertion and filtering. Through the Amazon Firewall Manager Console, or through partner solutions that integrate with Amazon Firewall Manager, you can centrally build configurations and policies using various rule types, such as stateless access control lists (ACLs), stateful inspection, and intrusion prevention systems (IPSs). Because Amazon Network Firewall is a managed service, we take care of scaling, availability, resiliency, and software updates.

Can Amazon Network Firewall manage security across multiple Amazon Web Services accounts?

Yes. Amazon Network Firewall is a regional service and secures network traffic at an organization and account level. For maintaining policy and governance across multiple accounts, you may want to use Amazon Firewall Manager.

What’s a firewall policy?

An Amazon Network Firewall policy defines the monitoring and protection behavior of a firewall. The details of that behavior are defined in the rule groups that you add to your policy or in certain default policy settings. To use a firewall policy, you associate the policy with one or more firewalls.

What’s a rule group?

A rule group is a reusable set of firewall rules for inspecting and filtering network traffic. You can use stateless or stateful rule groups to configure the traffic inspection criteria for your firewall policies. You can create your own rule groups or you can use rule groups that are managed by Amazon Web Services Marketplace Sellers. For more information, please refer to the Amazon Network Firewall Developer Guide.

What types of firewall rules are supported?

Amazon Network Firewall supports both stateless and stateful rules. Stateless rules consist of network access control lists (ACLs), which can be based on source and destination IP addresses, ports, or protocols. Stateful, or Layer-4, rules are also defined by source and destination IP addresses, ports, and protocols but differ from stateless rules in that they maintain and secure connections or sessions throughout the life of the connection or session.

Working with Amazon Network Firewall

Which Amazon Web Services tools can I use to log and monitor my Amazon Network Firewall activity?

You can log your Amazon Network Firewall activity to an Amazon S3 bucket for further analysis and investigation. You can also use Amazon Kinesis Firehose to port your logs to a third-party product.

Can I use Amazon Network Firewall with my Transit Gateway (TGW)?

Yes. You can deploy Amazon Network Firewall within your VPC and then attach that VPC to a TGW. For more information about this configuration, see the Deployment models for Amazon Network Firewall blog post.

Can I use Amazon Network Firewall with Amazon Gateway Load Balancer (GWLB)?

Amazon Network Firewall already uses Amazon Gateway Load Balancer to provide elastic scalability for the firewall endpoint and does not require separate integration. You can observe this by checking the firewall endpoint elastic network interface (ENI), which uses “gateway_load_balancer_endpoint” type.

Which types of outbound traffic control does Amazon Network Firewall support?

Amazon Network Firewall supports the following types of outbound traffic control: HTTPS (SNI)/HTTP protocol URL filtering, Access Control Lists (ACLs), DNS query, and protocol detection.

Can Amazon Network Firewall inspect encrypted traffic?

Amazon Network Firewall does support deep packet inspection for encrypted traffic.

Inspecting encrypted traffic with Amazon Network Firewall

How do I configure TLS inspection on Amazon Network Firewall?

You can configure Amazon Network Firewall TLS inspection from either the Amazon VPC Console or the Network Firewall API. Set up is a 3-step process. Follow the steps in the Amazon Network Firewall service documentation to 1) provision certificates and keys, 2) create a TLS inspection configuration, and 3) apply the configuration to a firewall policy.

Which TLS versions does Amazon Network Firewall support?

The service supports TLS version  1.2, and 1.3 with the exception of encrypted client hello (ECH) and encrypted SNI (ESNI).

Which cipher suites are supported by Amazon Network Firewall?

Amazon Network Firewall supports all cipher suites supported by Amazon Certificate Manager (ACM). Refer to TLS inspection considerations in the service documentation for details.

Is there any additional cost to use TLS inspection?

Amazon Network Firewall pricing is based on the number of firewalls deployed and the amount of traffic inspected. Please visit Amazon Network Firewall Pricing for more information about ingress TLS inspection cost.

Are there any known performance implications for TLS inspection?

We expect to maintain the current Amazon Network Firewall bandwidth performance with this new feature release. We recommend that customers conduct their own testing using their rulesets to ensure the service meets their performance expectations.

Getting Started with Cloud

Find product-specific user guides, training and tutorials 

View now »
Simple Application Server

Lightweight app servers demystified: concepts, management, scenarios, Amazon Web Services integration

Learn now »
Cloud Phone

Cloud phones : virtual mobile solutions - technology, architecture, advantages, challenges, and future outlook

Learn now »

Start to Build for Free with Amazon Web Services

Start to Build for Free with Amazon Web Services

China Regions Free Tier
Global Regions Free Tier
Close
Live Chat Contact Us

Live Chat Contact Us

Chat with expert to help you
Hot Contact Us

Hotline Contact Us

1010 0766
Beijing Region
Operated By Sinnet
1010 0966
Ningxia Region
Operated By NWCD
Form Contact Us

Form Contact Us

Submit form to contact with solution consultant