AWS Network Firewall: Managed Network Protection Service 🛡️

Series: The Solutions Architect's Guide | Category: Security, Identity, and Compliance

Fourteenth post in the Security, Identity, and Compliance category, and we’re exploring AWS Network Firewall, the managed network security service that provides stateful inspection, intrusion prevention, and deep packet inspection for your Amazon VPCs, protecting network traffic at the perimeter with fine-grained control over inbound and outbound traffic using flexible rule configurations without the operational overhead of deploying and managing third-party firewall appliances.

Let’s break it down. 👇

What It Is

AWS Network Firewall is a managed service that provides customizable, stateful, and stateless network traffic filtering for your Amazon VPC. It helps protect VPC networks by inspecting and controlling inbound and outbound traffic at the subnet level.

Key Features

• Managed, highly available, and scalable firewall service

• Supports both stateful and stateless inspection rules

• Deep packet inspection (DPI) and domain list rule groups

• Integration with AWS Firewall Manager for centralized management

• Supports Suricata-compatible rule sets for advanced inspection

• Provides logging to Amazon S3, CloudWatch, and Kinesis Data Firehose

• Automatically scales to meet traffic demands

• Built-in high availability within an Availability Zone

Components

• Firewall: Defines the inspection policies and logging settings

• Firewall Policy: Contains rule groups and settings for traffic handling

• Rule Groups: Sets of stateless or stateful rules to inspect traffic

• Stateless Rules: Match criteria based on header fields without maintaining session state

• Stateful Rules: Track and inspect connection state for advanced filtering

• Domain List Rules: Allow or deny based on domain names in DNS traffic

• Logging Configuration: Define how flow logs and alert logs are sent to S3, CloudWatch Logs, or Firehose

Traffic Flow

• Deployed in a VPC subnet using AWS Gateway Load Balancer or as a VPC ingress/egress filter

• Traffic is routed through the firewall endpoint for inspection

• Supports routing rules in route tables to redirect traffic to firewall endpoints

Use Cases

• Protecting VPC subnets with inbound and outbound filtering

• Enforcing security policies across workloads in multiple accounts using AWS Firewall Manager

• Detecting and blocking known bad IP addresses and domains

• Deep packet inspection for application-layer threats

• Preventing data exfiltration through domain-based filtering

Deployment

• Integrated with AWS Transit Gateway for centralized inspection of traffic between VPCs

• Can be deployed in individual VPCs for distributed architectures

• Automatically scales horizontally to meet throughput demands

• High availability within an AZ; deploy across multiple AZs for cross-AZ resilience

Logging and Monitoring

• Send alert and flow logs to S3, CloudWatch Logs, or Kinesis Data Firehose

• Supports detailed analysis and forensic investigations

• Integration with CloudWatch Metrics for monitoring throughput and packet counts

• Can trigger CloudWatch Alarms for anomalies in traffic patterns

Integration with Other AWS Services

• AWS Firewall Manager: Centrally configure and deploy firewall policies across accounts and VPCs in AWS Organizations

• AWS Transit Gateway: Integrate for centralized inspection of East-West and North-South traffic

• Amazon VPC: Direct integration for ingress and egress filtering

• AWS Security Hub: Aggregate findings and integrate with other security tooling

Pricing

• Charged based on firewall endpoint hours and the amount of traffic processed

• Separate pricing for stateful and stateless rule evaluations

• Logging costs based on delivery to S3, CloudWatch Logs, or Firehose

Best Practices

• Use AWS Firewall Manager for multi-account, multi-VPC management

• Define clear segmentation in VPC subnets to control traffic flow

• Maintain and update Suricata-compatible rule sets to address evolving threats

• Enable logging for audit and compliance purposes

• Deploy across multiple AZs for high availability

Exam Tips

• AWS Network Firewall provides stateful and stateless filtering at the VPC level

• Supports integration with AWS Firewall Manager for centralized policy enforcement

• Can inspect traffic between VPCs via Transit Gateway integration

• Uses Suricata-compatible rules for deep packet inspection

• Provides logging to S3, CloudWatch Logs, and Firehose for compliance and auditing

• Scales automatically with traffic without user-managed infrastructure

Quick Summary

AWS Network Firewall is a fully managed, scalable service that delivers customizable traffic filtering at the VPC level. It supports both stateful and stateless inspection, integrates with AWS services like Firewall Manager and Transit Gateway, and provides logging for compliance and auditing, helping secure AWS workloads against network threats.

Next up: AWS Resource Access Manager (RAM) 🤝