AWS Network Firewall

A managed service for deep packet inspection and traffic filtering within Amazon VPCs.

AWS Proprietary Cloud Service Only
Category Network Security
Last page update 18 days ago
Pricing Details Pricing based on usage and configuration.
Target Audience AWS users needing advanced network security solutions.

AWS Network Firewall addresses the complex challenge of securing network traffic within Amazon Virtual Private Clouds (VPCs) by providing a managed service for deep packet inspection and traffic filtering. This service allows for fine-grained control over network traffic, enabling the deployment of custom firewall rules to protect unique workloads.

The technical architecture of AWS Network Firewall involves several key components. Firewalls are configured to connect to specific VPCs, defining the network traffic filtering behavior through firewall policies. These policies are composed of rule groups, which can be either stateless or stateful, allowing for the inspection of packets in isolation or within the context of their traffic flow. The service supports thousands of custom rules based on port, protocol, and fully qualified domain names (FQDNs), and it integrates with AWS Managed domain lists and threat signatures for enhanced security.

Operational considerations include ensuring symmetric routing in the VPC to direct traffic through the firewall endpoints for inspection. Asymmetric routing is not supported, so route tables must be configured to handle network flows in both directions. When using AWS Transit Gateway (TGW) in a centralized deployment, appliance mode must be enabled to ensure correct traffic evaluation against the firewall policy.

From a deployment perspective, AWS Network Firewall can be configured in various models, including distributed, centralized, and combined models. For resilience, it is recommended to deploy firewall endpoints in each Availability Zone (AZ) where workloads are present. Additionally, encryption of the Network Firewall configuration data at rest can be achieved using a customer-managed KMS key.

In terms of specific technical details, AWS Network Firewall supports both L3-L7 protections and can handle tens of thousands of rules. It integrates with other AWS services like AWS Transit Gateway and AWS Firewall Manager for centralized management across multiple accounts and VPCs.

Improve this page