Revisit Amazon Web Services re:Invent 2024’s biggest moments and watch keynotes and innovation talks on demand
General
Getting started with Amazon Network Firewall
Amazon Network Firewall supports two primary deployment types: centralized and distributed. When distributed, the Amazon Network Firewall can be deployed within each of your Amazon VPCs for enforcement closer to the applications. Amazon Network Firewall also supports a centralized deployment as a VPC attachment to your Amazon Transit Gateway. With the Network Firewall in Transit Gateway mode, which maintains symmetric routing to the same zonal firewall, you can filter a variety of inbound and outbound traffic to or from Internet Gateways, Direct Connect gateways, PrivateLink, NAT gateways, and even between other attached VPCs and subnets.
Amazon Network Firewall is deployed as an endpoint service, similar to other network services such as Amazon PrivateLink. Your Amazon Network Firewall endpoint must be deployed in a dedicated subnet within your Amazon VPC, with a minimum size of /28. Amazon Network Firewall inspects all traffic that is routed to the endpoint, which is the mechanism for path insertion and filtering. Through the Amazon Firewall Manager Console, or through partner solutions that integrate with Amazon Firewall Manager, you can centrally build configurations and policies using various rule types, such as stateless access control lists (ACLs), stateful inspection, and intrusion prevention systems (IPSs). Because Amazon Network Firewall is a managed service, we take care of scaling, availability, resiliency, and software updates.
Yes. Amazon Network Firewall is a regional service and secures network traffic at an organization and account level. For maintaining policy and governance across multiple accounts, you may want to use Amazon Firewall Manager.
An Amazon Network Firewall policy defines the monitoring and protection behavior of a firewall. The details of that behavior are defined in the rule groups that you add to your policy or in certain default policy settings. To use a firewall policy, you associate the policy with one or more firewalls.
A rule group is a reusable set of firewall rules for inspecting and filtering network traffic. You can use stateless or stateful rule groups to configure the traffic inspection criteria for your firewall policies. You can create your own rule groups or you can use rule groups that are managed by Amazon Web Services Marketplace Sellers. For more information, please refer to the Amazon Network Firewall Developer Guide.
Amazon Network Firewall supports both stateless and stateful rules. Stateless rules consist of network access control lists (ACLs), which can be based on source and destination IP addresses, ports, or protocols. Stateful, or Layer-4, rules are also defined by source and destination IP addresses, ports, and protocols but differ from stateless rules in that they maintain and secure connections or sessions throughout the life of the connection or session.
Working with Amazon Network Firewall
You can log your Amazon Network Firewall activity to an Amazon S3 bucket for further analysis and investigation. You can also use Amazon Kinesis Firehose to port your logs to a third-party product.
Yes. You can deploy Amazon Network Firewall within your VPC and then attach that VPC to a TGW. For more information about this configuration, see the Deployment models for Amazon Network Firewall blog post.
Amazon Network Firewall already uses Amazon Gateway Load Balancer to provide elastic scalability for the firewall endpoint and does not require separate integration. You can observe this by checking the firewall endpoint elastic network interface (ENI), which uses “gateway_load_balancer_endpoint” type.
Amazon Network Firewall supports the following types of outbound traffic control: HTTPS (SNI)/HTTP protocol URL filtering, Access Control Lists (ACLs), DNS query, and protocol detection.
Amazon Network Firewall does support deep packet inspection for encrypted traffic.
Inspecting encrypted traffic with Amazon Network Firewall
You can configure Amazon Network Firewall TLS inspection from either the Amazon VPC Console or the Network Firewall API. Set up is a 3-step process. Follow the steps in the Amazon Network Firewall service documentation to 1) provision certificates and keys, 2) create a TLS inspection configuration, and 3) apply the configuration to a firewall policy.
The service supports TLS version 1.2, and 1.3 with the exception of encrypted client hello (ECH) and encrypted SNI (ESNI).
Amazon Network Firewall supports all cipher suites supported by Amazon Certificate Manager (ACM). Refer to TLS inspection considerations in the service documentation for details.
Amazon Network Firewall pricing is based on the number of firewalls deployed and the amount of traffic inspected. Please visit Amazon Network Firewall Pricing for more information about ingress TLS inspection cost.
We expect to maintain the current Amazon Network Firewall bandwidth performance with this new feature release. We recommend that customers conduct their own testing using their rulesets to ensure the service meets their performance expectations.