AWS Network Firewall
Developer Guide
Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
What is Network Firewall? ... 1
Network Firewall AWS resources ... 1
Network Firewall concepts ... 2
Accessing Network Firewall ... 2
Regions and endpoints for Network Firewall ... 3
Pricing for Network Firewall ... 3
Network Firewall quotas ... 3
Network Firewall additional resources ... 4
How Network Firewall works ... 5
Firewall components ... 6
High-level steps for implementation ... 6
Firewall behavior ... 7
Stateless and stateful rules engines ... 7
How Network Firewall filters network traffic ... 9
Route table configurations ... 10
Architecture and routing examples ... 10
Single zone internet gateway ... 10
Multi zone internet gateway ... 15
Internet gateway and NAT gateway ... 17
Setting up ... 18
Get an AWS account and your root user credentials ... 18
Creating an IAM user ... 18
Signing in as an IAM user ... 19
Creating IAM user access keys ... 20
Setting up tool access ... 20
Getting started with Network Firewall ... 22
Before you begin ... 22
Step 1: Create rule groups ... 23
Step 2: Create a firewall policy ... 24
Step 3: Create a firewall ... 24
Step 4: Update Amazon VPC route tables ... 25
Step 5: Remove the firewall and clean up your resources ... 26
Configuring your VPC ... 27
VPC subnets ... 27
VPC route tables ... 28
Transit gateway attachments ... 28
Firewalls ... 30
Firewall settings ... 30
Managing your firewall ... 30
Creating a firewall ... 31
Updating a firewall ... 32
Deleting a firewall ... 32
Firewall policies ... 34
Firewall policy settings ... 34
Capacity limitations ... 34
Stateless default actions ... 35
Stateful default actions ... 35
Managing your firewall policy ... 35
Creating a firewall policy ... 36
Updating a firewall policy ... 37
Deleting a firewall policy ... 38
Rule groups ... 39
Managed rule groups ... 40
Working with managed rule groups ... 40
Retrieving managed rule groups ... 41
AWS Managed Rules for Network Firewall ... 41
AWS Managed Rules disclaimer ... 41
Common rule group settings ... 42
Stateless rule groups ... 42
Stateful rule groups ... 43
Limitations and caveats ... 44
Evaluation order for Suricata compatible rule groups ... 44
How to provide stateful rules ... 46
Best practices ... 51
Examples ... 51
Rule group capacity ... 56
Stateless rule group capacity ... 56
Stateful rule group capacity ... 57
Rule actions ... 57
Stateless rule actions ... 57
Stateful rule actions ... 57
Managing your rule group ... 58
Creating a stateless rule group ... 59
Creating a stateful rule group ... 60
Updating a rule group ... 61
Deleting a rule group ... 62
Sharing firewall policies and rule groups ... 63
Prerequisites for sharing firewall policies and rule groups ... 63
Related services ... 63
Sharing across Availability Zones ... 63
Sharing a firewall policy or rule group ... 64
Unsharing a shared firewall policy or rule group ... 64
Security in Network Firewall ... 65
Data protection ... 65
Identity and access management ... 66
Audience ... 66
Authenticating with identities ... 67
Managing access using policies ... 68
How AWS Network Firewall works with IAM ... 70
Identity-based policy examples ... 75
Using service-linked roles ... 77
AWS managed policies ... 80
Troubleshooting ... 81
AWS logging and monitoring tools ... 83
Compliance validation for Network Firewall ... 84
Resilience ... 84
Infrastructure security ... 84
Logging and monitoring ... 85
Logging network traffic ... 85
Contents of a firewall log ... 86
Firewall log delivery ... 86
Permissions to configure firewall logging ... 87
Pricing for firewall logging ... 87
Firewall logging destinations ... 87
Logging with server-side encryption and customer-provided keys ... 93
Updating a firewall's logging configuration ... 94
Logging calls to the API with AWS CloudTrail ... 94
AWS Network Firewall information in CloudTrail ... 95
CloudTrail log file examples ... 95
Metrics in CloudWatch ... 99
Metrics ... 99
Dimensions ... 100
Resource tagging ... 101
Supported resources in Network Firewall ... 101
Tag naming and usage conventions ... 101
Managing tags ... 102
Network Firewall quotas ... 103
Using the Network Firewall REST API ... 104
Making HTTPS requests to Network Firewall ... 104
Request URI ... 104
HTTP headers ... 104
HTTP request body ... 105
HTTP responses ... 106
Error responses ... 106
Authenticating requests ... 106
Resources ... 108
AWS resources ... 108
Document history ... 109
AWS glossary ... 110
What is AWS Network Firewall?
AWS Network Firewall is a stateful, managed network firewall and intrusion detection and prevention service for the virtual private cloud (VPC) that you created in Amazon Virtual Private Cloud (Amazon VPC).
With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect.
Network Firewall uses the open source intrusion prevention system (IPS), Suricata, for stateful inspection.
Network Firewall supports Suricata compatible rules. For more information, see Stateful rule groups in AWS Network Firewall (p. 43).
You can use Network Firewall to monitor and protect your Amazon VPC traffic in a number of ways, including the following:
• Pass traffic through only from known AWS service domains or IP address endpoints, such as Amazon S3.
• Use custom lists of known bad domains to limit the types of domain names that your applications can access.
• Perform deep packet inspection on traffic entering or leaving your VPC.
• Use stateful protocol detection to filter protocols like HTTPS, independent of the port used.
To enable Network Firewall for your VPC, you perform steps in both Amazon VPC and in Network Firewall. For information about managing your Amazon Virtual Private Cloud VPC, see the Amazon Virtual Private Cloud User Guide. For more information about how Network Firewall works, see How AWS Network Firewall works (p. 5).
Network Firewall is supported by AWS Firewall Manager. You can use Firewall Manager to centrally configure and manage your firewalls across your accounts and applications in AWS Organizations.
You can manage firewalls for multiple accounts using a single account in Firewall Manager. For more information, see AWS Firewall Manager in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
Topics
• AWS Network Firewall AWS resources (p. 1)
• AWS Network Firewall concepts (p. 2)
• Accessing AWS Network Firewall (p. 2)
• Regions and endpoints for AWS Network Firewall (p. 3)
• Pricing for AWS Network Firewall (p. 3)
• AWS Network Firewall quotas (p. 3)
• AWS Network Firewall additional resources (p. 4)
AWS Network Firewall AWS resources
Network Firewall manages the following AWS resource types:
• Firewall – Provides traffic filtering logic for the subnets in a VPC.
• FirewallPolicy – Defines rules and other settings for a firewall to use to filter incoming and outgoing traffic in a VPC.
• RuleGroup – Defines a set of rules to match against VPC traffic, and the actions to take when Network Firewall finds a match. Network Firewall uses stateless and stateful rule group types, each with its own Amazon Resource Name (ARN).
AWS Network Firewall concepts
AWS Network Firewall is a firewall service for Amazon Virtual Private Cloud (Amazon VPC). For information about managing your Amazon Virtual Private Cloud VPC, see the Amazon Virtual Private Cloud User Guide.
The following are the key concepts for Network Firewall:
• Virtual private cloud (VPC) – A virtual network dedicated to your AWS account.
• Internet gateway – A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet.
• Subnet – A range of IP addresses in your VPC. Network Firewall creates firewall endpoints in subnets inside your VPC, to filter network traffic. In a VPC architecture that uses Network Firewall, the firewall endpoints sit between your protected subnets and locations outside your VPC.
• Firewall subnet – A subnet that you've designated for exclusive use by Network Firewall for a firewall endpoint. A firewall endpoint can't filter traffic coming into or going out of the subnet in which it resides, so don't use your firewall subnets for anything other than Network Firewall.
• Route table – A set of rules, called routes, that are used to determine where network traffic is directed.
You modify your VPC route tables in Amazon VPC to direct traffic through your firewalls for filtering.
• Network Firewall firewall – An AWS resource that provides traffic filtering logic for the subnets in a VPC.
• Network Firewall firewall policy – An AWS resource that defines rules and other settings for a firewall to use to filter incoming and outgoing traffic in a VPC.
• Network Firewall rule group – An AWS resource that defines a set of rules to match against VPC traffic, and the actions to take when Network Firewall finds a match.
• Stateless rules – Criteria for inspecting a single network traffic packet, without the context of the other packets in the traffic flow, the direction of flow, or any other information that's not provided by the packet itself.
• Stateful rules – Criteria for inspecting network traffic packets in the context of their traffic flow.
Accessing AWS Network Firewall
You can create, access, and manage your firewall, firewall policy, and rule group resources in Network Firewall using any of the following methods:
• AWS Management Console – Provides a web interface for managing the service. The procedures throughout this guide explain how to use the AWS Management Console to perform tasks for Network Firewall. You can access the AWS Management Console at https://aws.amazon.com/console. To access Network Firewall using the console:
https://<region>.console.aws.amazon.com/network-firewall/home
• AWS Command Line Interface (AWS CLI) – Provides commands for a broad set of AWS services, including Network Firewall. The CLI is supported on Windows, macOS, and Linux. For more information, see the AWS Command Line Interface User Guide. To access Network Firewall using the CLI endpoint:
aws network-firewall
• AWS Network Firewall API – Provides a RESTful API. The REST API requires you to handle connection details, such as calculating signatures, handling request retries, and handling errors. For more information, see AWS APIs and the AWS Network Firewall API Reference. To access Network Firewall, use the following REST API endpoint:
https://network-firewall.<region>.amazonaws.com
• AWS SDKs – Provide language-specific APIs. If you're using a programming language that AWS provides an SDK for, you can use the SDK to access AWS Network Firewall. The SDKs handle many of the connection details, such as calculating signatures, handling request retries, and handling errors. They integrate easily with your development environment, and provide easy access to Network Firewall commands. For more information, see Tools for Amazon Web Services.
• AWS CloudFormation – Helps you model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources that you want and AWS CloudFormation takes care of provisioning and configuring those resources for you. For more information, see Network Firewall resource type reference in the AWS CloudFormation User Guide.
• AWS Tools for Windows PowerShell – Let developers and administrators manage their AWS services and resources in the PowerShell scripting environment. For more information, see the AWS Tools for Windows PowerShell User Guide.
Regions and endpoints for AWS Network Firewall
To reduce data latency in your applications, AWS Network Firewall offers a regional endpoint to make your requests:
https://network-firewall.<region>.amazonaws.com
To view the complete list of AWS Regions where Network Firewall is available, see Service endpoints and quotas in the AWS General Reference.
Pricing for AWS Network Firewall
For detailed information about pricing for Network Firewall, see AWS Network Firewall pricing.
Some configurations can incur additional costs, on top of the basic costs for using Network Firewall. For example, if you use a firewall endpoint in one Availability Zone to filter traffic from another zone, you can incur cross-zone traffic charges. If you enable logging, you incur additional charges according to factors such as the logging destination that you use and the amount of traffic that you choose to log.
AWS Network Firewall quotas
AWS Network Firewall defines maximum settings and other quotas on the number of Network Firewall resources that you can use. You can request an increase for some of these quotas. For more information, see AWS Network Firewall quotas (p. 103).
AWS Network Firewall additional resources
To get a hands-on introduction to AWS Network Firewall, complete Getting started with AWS Network Firewall (p. 22).
Use the following resources to get additional information and guidance for using AWS Network Firewall.
• AWS discussion forums – A community-based forum for discussing technical questions related to this and other AWS services.
• Getting started resource center – Information to help you get started building on AWS.
• AWS Support center – The home page for AWS Support.
• Contact Us – A central contact point for inquiries concerning billing, accounts, and events.
How AWS Network Firewall works
AWS Network Firewall is a stateful, managed network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). You can combine Network Firewall with services and components that you use with your VPC, for example, an internet gateway, a NAT gateway, a VPN, or a transit gateway. For information about managing your Amazon Virtual Private Cloud VPC, see the Amazon Virtual Private Cloud User Guide. You need a VPC to use Network Firewall.
The firewall protects the subnets within your VPC by filtering traffic going between the subnets and locations outside of your VPC. The following example figure depicts the placement of a firewall in a very simple architecture.
To enable the firewall's protection, you modify your Amazon VPC route tables to send your network traffic through the Network Firewall firewall endpoints. For information about managing route tables for your VPC, see Route tables in the Amazon Virtual Private Cloud User Guide.
Firewall components in AWS Network Firewall
The AWS Network Firewall firewall runs stateless and stateful traffic inspection rules engines. The engines use rules and other settings that you configure inside a firewall policy.
You install the firewall endpoints on a per-Availability Zone basis in your VPC. For each Availability Zone where you want an endpoint, you choose a subnet to host it. The firewall endpoint can protect any subnet in your VPC except for the one in which it's located.
You manage Network Firewall firewalls with the following central components.
• Rule group – Holds a reusable collection of criteria for inspecting traffic and for handling packets and traffic flows that match the inspection criteria. For example, you can choose to drop or pass a packet or all packets in a traffic flow based on the inspection criteria. Some rule groups fully define the behavior and some use lower-level rules that provide more detail. Rule groups are either stateless or stateful.
For more information about rule groups and rules, see Rule groups in AWS Network Firewall (p. 39).
• Firewall policy – Defines a reusable set of stateless and stateful rule groups, along with some policy-level behavior settings. The firewall policy provides the network traffic filtering behavior for a firewall.
You can use a single firewall policy in multiple firewalls. For more information about firewall policies, see Firewall policies in AWS Network Firewall (p. 34).
• Firewall – Connects the inspection rules in the firewall policy to the VPC that the rules protect.
Each firewall requires one firewall policy. The firewall additionally defines settings like how to log information about your network traffic and the firewall's stateful traffic filtering. For more information about firewalls, see Firewalls in AWS Network Firewall (p. 30).
High-level steps for implementing a firewall
To install and use an AWS Network Firewall firewall in your Amazon Virtual Private Cloud VPC, you configure the firewall components and your VPC's subnets and route tables in the following high-level steps.
• Configure the VPC subnets for your firewall endpoints – In your VPC, in each Availability Zone where you want a firewall endpoint, create a subnet specifically for use by Network Firewall. A firewall endpoint can't protect applications that run in the same subnet, so reserve these subnets for exclusive use by the firewall. The subnets that you use for your firewall endpoints must belong to a single AWS Region and must be in different Availability Zones within the Region. Network Firewall is available in the Regions listed at AWS service endpoints.
For information about managing subnets in your VPC, see VPCs and subnets in the Amazon Virtual Private Cloud User Guide.
• Create the firewall – Create a Network Firewall firewall and provide it with the specifications for each of your firewall subnets. Network Firewall creates a firewall endpoint in each subnet that you specify, available to monitor and protect the resources for the subnets whose traffic you send through it.
• Configure the firewall policy – Define the firewall policy for your firewall by specifying its rule groups and other behavior that you want the firewall to provide.
• Modify your VPC route tables to include the firewall – Using Amazon VPC ingress routing enhancements, change your routing tables to route traffic through the Network Firewall firewall. These changes must insert the firewall between the subnets that you want to protect and outside locations.
The exact routing that you need to do depends on your architecture and its components.
For information about managing route tables for your VPC, see Route tables in the Amazon Virtual Private Cloud User Guide.
Firewall behavior in AWS Network Firewall
AWS Network Firewall provides virtual firewalls dedicated to protecting your VPC from attacks. You define and create a firewall, then use it to monitor and protect your subnets. The firewall monitors incoming and outgoing traffic and allows it to pass or drops it, according to your specifications. The firewall only allows packets to pass that pass inspection.
Network Firewall monitors and controls traffic to and from your protected subnets
The following figure shows the basic interaction of your firewall with traffic coming into your customer subnet and with traffic going out from your customer subnet.
Network Firewall stateless and stateful rules engines
AWS Network Firewall uses two rules engines to inspect packets. The engines inspect packets according to the rules that you provide in your firewall policy.
The following figure shows the processing flow for packets coming through the firewall. First the stateless engine inspects the packet against the configured stateless rules. Depending on the packet settings, the stateless inspection criteria, and the firewall policy settings, the stateless engine might drop a packet, pass it through to its destination, or forward it to the stateful rules engine. The stateful engine inspects packets in the context of their traffic flow, using the configured stateful rules. The stateful engine either drops packets or passes them to their destination. Stateful engine activities send flow and alert logs to the firewall's logs, if logging is configured. The stateful engine sends alerts for dropped packets and can optionally send them for passed packets.
The stateless and stateful rules inspection engines operate in different ways:
• Stateless rules engine – Inspects each packet in isolation, without regard to factors such as the direction of traffic, or whether the packet is part of an existing, approved connection. This engine prioritizes the speed of evaluation. It takes rules with standard 5-tuple connection criteria. The engine processes your rules in the order that you prioritize them and stops processing when it finds a match.
Network Firewall stateless rules are similar in behavior and use to Amazon VPC network access control lists (ACLs).
• Stateful rules engine – Inspects packets in the context of their traffic flow, allows you to use more complex rules, and allows you to log network traffic and to log Network Firewall firewall alerts on traffic. Stateful rules consider traffic direction. The stateful rules engine might delay packet delivery in order to group packets for inspection. By default, the stateful rules engine processes your rules in the order of their action setting, with pass rules processed first, then drop, then alert. The engine stops processing when it finds a match.
The stateful engine takes rules that are compatible with Suricata, an open source intrusion prevention system (IPS). Suricata provides a standard rule-based language for stateful network traffic inspection.
For more information about Suricata, see Stateful rule groups in AWS Network Firewall (p. 43) and the Suricata website.
Network Firewall stateful rules are similar in behavior and use to Amazon VPC security groups. By default, the stateful rules engine allows traffic to pass, while the security groups default is to deny traffic.
Whether you use only one of these engines or a combination depends on your specific use case.
How AWS Network Firewall filters network traffic
When AWS Network Firewall inspects a packet, it evaluates the packet against the rules in the policy's stateless rule groups first, using the stateless rules engine. Then, depending on that inspection and on other settings in the policy, it might evaluate the packets against the rules in the policy's stateful rule groups, using the stateful rules engine.
1. Stateless rules engine
Network Firewall evaluates each packet against the firewall policy's stateless rules until it finds a match or exhausts all of the stateless rules. Network Firewall evaluates the rule groups in the order that they are prioritized in the policy, starting from the lowest setting. Within each rule group, Network Firewall evaluates the rules in the order that they are prioritized in the rule group, starting from the lowest setting. When you create a stateless rule group, you set the priority of the rules in the rule group. When you create a firewall policy, you set the priority of the stateless rule groups in the policy. For more information, see Stateless rule groups in AWS Network Firewall (p. 42) and Firewall policies in AWS Network Firewall (p. 34).
When Network Firewall finds a match, it handles the packet according to the matching rule's configuration. You configure a stateless rule to pass the packet through, drop it, or forward it to your stateful rules. Additionally, you can configure a stateless rule to perform a custom action, for example you can publish metrics for the packet to Amazon CloudWatch. For more information, see Rule actions in AWS Network Firewall (p. 57).
2. Default stateless rule actions
If a packet doesn't match any stateless rule, Network Firewall performs the firewall policy's default stateless rule action for full packet or UDP packet fragment, depending on the packet type. Network Firewall only applies the fragment action setting to UDP packet fragments, and silently drops packet fragments for other protocols. The options for these actions settings are the same as for stateless rules.
For more information, see Stateless default actions in your firewall policy (p. 35).
3. Stateful rules engine
When Network Firewall forwards a packet to the stateful engine for inspection, it inspects each packet against the stateful rule groups, in the context of the packet's traffic flow. You can configure a stateful rule to pass the packet through, with or without an alert, or drop it and send an alert. Alerts require logging to be configured for the firewall.
The Suricata stateful rules engine controls how the stateful rules in your firewall policy are processed.
The engine evaluates the packet's traffic flow against the conditions in the policy's stateful rules until it finds a match or exhausts all of the rules. When the engine finds a match, it handles the packet according to the rule's configuration. By default, the Suricata stateful rules engine orders rule processing according to the rule action setting, processing first the rules with pass action, then drop, then alert. For more information, see Rule actions in AWS Network Firewall (p. 57) and the Suricata Action-order documentation.
Depending on the Suricata compatible rules that you provide, the stateful engine might perform deep packet inspection of your traffic. Deep packet inspection works on the payload data within your packets, rather than on the header information.
For more information about stateful rules, see Rule groups in AWS Network Firewall (p. 39).
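The three-stage evaluation described above, as an added model that is not AWS code: stateless rule groups by policy priority and rules by group priority with first match winning, the policy's default actions for unmatched full packets and UDP fragments (other fragments silently dropped), then the stateful engine in the default Suricata action order of pass, drop, alert. The rules, packets, and the `content` matcher are constructed stand-ins for the service's rule groups and Suricata signatures.

```python
"""Constructed model of the Network Firewall inspection order (not AWS code)."""
from dataclasses import dataclass
from typing import Optional

# Stateless rule actions: pass, drop, or forward to the stateful engine.
PASS, DROP, FORWARD = "aws:pass", "aws:drop", "aws:forward_to_sfe"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "TCP" or "UDP"
    dst_port: int = 0
    fragment: bool = False  # an IP fragment carries no L4 header to match on
    payload: bytes = b""


@dataclass
class StatelessRule:
    priority: int
    action: str
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port))


@dataclass
class StatelessRuleGroup:
    priority: int
    rules: list


@dataclass
class StatefulRule:
    action: str                    # "pass", "drop" or "alert" (alert = pass and log)
    content: bytes = b""           # stands in for a Suricata content: match
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.dst_port is None or self.dst_port == p.dst_port)
                and self.content in p.payload)


@dataclass
class Policy:
    stateless_groups: list
    stateful_rules: list
    stateless_default: str = FORWARD           # for unmatched full packets
    stateless_fragment_default: str = FORWARD  # applied to UDP fragments only


@dataclass
class Verdict:
    action: str
    alert: bool
    stage: str   # which engine decided: "stateless" or "stateful"


def stateless_stage(policy: Policy, p: Packet) -> str:
    """Groups in policy priority order, rules in group priority order; first match wins."""
    for group in sorted(policy.stateless_groups, key=lambda g: g.priority):
        for rule in sorted(group.rules, key=lambda r: r.priority):
            if rule.matches(p):
                return rule.action
    # No match: the fragment default applies only to UDP fragments; fragments
    # of other protocols are silently dropped.
    if p.fragment:
        return policy.stateless_fragment_default if p.proto == "UDP" else DROP
    return policy.stateless_default


STATEFUL_ACTION_ORDER = {"pass": 0, "drop": 1, "alert": 2}


def stateful_stage(policy: Policy, p: Packet) -> Verdict:
    """Default Suricata action order: pass rules first, then drop, then alert."""
    for rule in sorted(policy.stateful_rules, key=lambda r: STATEFUL_ACTION_ORDER[r.action]):
        if rule.matches(p):
            if rule.action == "pass":
                return Verdict(PASS, False, "stateful")
            if rule.action == "drop":
                return Verdict(DROP, True, "stateful")  # dropped packets always alert
            return Verdict(PASS, True, "stateful")      # alert: pass and log
    return Verdict(PASS, False, "stateful")  # the stateful engine allows by default


def inspect(policy: Policy, p: Packet) -> Verdict:
    action = stateless_stage(policy, p)
    if action != FORWARD:
        return Verdict(action, False, "stateless")
    return stateful_stage(policy, p)


# Constructed policy. Group 1 forwards web traffic and drops telnet; group 2's
# drop for port 80 is shadowed because group 1 matches first.
EXAMPLE_POLICY = Policy(
    stateless_groups=[
        StatelessRuleGroup(priority=1, rules=[
            StatelessRule(priority=1, action=FORWARD, proto="TCP", dst_port=80),
            StatelessRule(priority=2, action=DROP, proto="TCP", dst_port=23),
        ]),
        StatelessRuleGroup(priority=2, rules=[
            StatelessRule(priority=1, action=DROP, proto="TCP", dst_port=80),
        ]),
    ],
    stateful_rules=[
        StatefulRule(action="alert", content=b"/admin"),
        StatefulRule(action="drop", content=b"blocked-marker"),
        StatefulRule(action="pass", content=b"/health", dst_port=80),
    ],
    stateless_fragment_default=PASS,
)
```

Because pass rules are evaluated before drop rules, a port 80 payload containing both `/health` and `blocked-marker` is passed without an alert; reorder the actions in the policy if that is not what you intend.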
Route table configurations for AWS Network Firewall
To include the firewall in your Amazon Virtual Private Cloud VPC, you modify the VPC route tables so that the traffic that you want the firewall to filter passes through the firewall endpoints. Exactly how you do this depends on your architecture and the traffic that you want to filter. For example, to filter all traffic between an internet gateway and your customer subnets, you redirect incoming traffic from the internet gateway and outgoing traffic from the customer subnets through the firewall endpoint.
For information about managing route tables for your VPC, see Route tables in the Amazon Virtual Private Cloud User Guide.
For descriptions of common architectures for AWS Network Firewall, with example route table configurations, see AWS Network Firewall example architectures with routing (p. 10).
AWS Network Firewall example architectures with routing
This section provides a high-level view of simple architectures that you can configure with AWS Network Firewall and shows example route table configurations for each. For additional information and examples, see Deployment models for AWS Network Firewall.
Note: For information about managing route tables for your VPC, see Route tables in the Amazon Virtual Private Cloud User Guide.
Unsupported architectures
The following lists architectures and traffic types that Network Firewall doesn't support:
• VPC peering.
• Virtual private gateways.
• Inspection of AWS Global Accelerator traffic.
• Inspection of AmazonProvidedDNS traffic for Amazon EC2.
Simple single zone architecture with an internet gateway
This topic provides a high-level view of a simple VPC configuration using an internet gateway and AWS Network Firewall. It describes the basic route table modifications that are required to use the firewall.
Single zone architecture with internet gateway and no firewall
The following figure depicts a simple VPC configuration with a single customer subnet, and no firewall.
The VPC has an internet gateway for internet access. All incoming and outgoing traffic routes through the internet gateway to the subnet.
Single zone architecture with internet gateway and the Network Firewall firewall
The following figure depicts a simple VPC configuration with the firewall and the subnet association in place. The VPC has an internet gateway for internet access. All incoming and outgoing traffic for the VPC routes through the firewall.
To include the firewall in your Amazon Virtual Private Cloud VPC, you need to modify the VPC route tables so that traffic between the customer subnets and the internet passes through the firewall, for both incoming and outgoing traffic.
Note: For information about managing route tables for your VPC, see Route tables in the Amazon Virtual Private Cloud User Guide.
Example route tables in the single zone architecture with no firewall
The following figure depicts the route tables that provide the correct flow of traffic for a single Availability Zone without a firewall:
In the preceding figure, the route tables enforce the following traffic flows:
• Internet gateway route table – Routes traffic that's destined for the customer subnet (range 10.0.2.0/24) to local. The customer subnet shows the private IP address range behind the publicly assigned address. The subnet has public addresses assigned, which are either auto-generated or assigned via Elastic IP address. Within a VPC, only private IP addresses are used for communication.
• Customer subnet route table – Routes traffic that's destined for anywhere inside the VPC (10.0.0.0/16) to the local address. Routes traffic that's destined for anywhere else (0.0.0.0/0) to the internet gateway (igw-1232).
Example route tables in the single zone architecture with the firewall
The following figure depicts the same installation with the Network Firewall firewall added and the route tables changed to include the firewall. The route tables direct traffic between the customer subnet and the internet gateway through the firewall endpoint:
In the preceding figure, the route tables enforce the following traffic flows:
• Internet gateway route table – Routes traffic that's destined for the customer subnet (range 10.0.2.0/24) to the firewall subnet (named vpce-4114 in the figure). The customer subnet shows the private IP address range behind the publicly assigned address. The subnet has public addresses assigned, which are either auto-generated or assigned via Elastic IP address. Within a VPC, only private IP addresses are used for communication.
• Firewall subnet route table – Routes traffic that's destined for anywhere inside the VPC (10.0.0.0/16) to the local address. Routes traffic that's destined for anywhere else (0.0.0.0/0) to the internet gateway (igw-1232).
• Customer subnet route table – Routes traffic that's destined for anywhere inside the VPC (10.0.0.0/16) to the local address. Routes traffic that's destined for anywhere else (0.0.0.0/0) to the firewall subnet (vpce-4114).
Before the firewall inclusion, the customer subnet route table routed the 0.0.0.0/0 traffic to igw-1232.
Multi zone architecture with an internet gateway
This topic provides a high-level view of a simple two zone VPC configuration using an internet gateway and AWS Network Firewall. It describes the basic route table modifications that are required to use the Network Firewall firewall.
Two zone architecture with internet gateway and the Network Firewall firewall
The following figure depicts a Network Firewall configuration for a VPC that spans multiple Availability Zones. In this case, each Availability Zone that the VPC spans has a firewall subnet and a customer subnet. The VPC has an internet gateway for internet access. All incoming traffic for the VPC routes to the firewall in the same Availability Zone as the destination customer subnet. All outgoing traffic routes through the firewalls.
Route tables in the two zone architecture with the firewall
The following figure depicts a VPC configuration with two Availability Zones. Each zone has its own Network Firewall firewall, which provides monitoring and protection for the subnets in the zone. You can expand this configuration to any number of zones in your VPC.
Multi zone internet gateway
In the preceding figure, the route tables enforce similar traffic flows to the single Availability Zone model, with the primary difference being the splitting of incoming traffic by the internet gateway, to accommodate the two different customer subnets:
• Internet gateway route table – Routes traffic that's destined for each customer subnet (range 10.0.2.0/24 or 10.0.3.0/24) to the firewall subnet in the same Availability Zone (vpce-4114 or vpce-5588, respectively).
• Firewall subnet route tables – Route traffic that's destined for anywhere inside the VPC (10.0.0.0/16) to the local address. Route traffic that's destined for anywhere else (0.0.0.0/0) to the internet gateway (igw-1232). These are identical to the route table for the firewall subnet in the single Availability Zone.
• Customer subnet route tables – Route traffic that's destined for anywhere inside the VPC (10.0.0.0/16) to the local address. Route traffic that's destined for anywhere else (0.0.0.0/0) to the firewall subnet in the same Availability Zone (vpce-4114 for zone AZ1 and vpce-5588 for zone AZ2).
Architecture with an internet gateway and a NAT gateway
You can add a network address translation (NAT) gateway to your AWS Network Firewall architecture for the areas of your VPC where you need NAT capabilities. AWS provides NAT gateways decoupled from your other cloud services, so you can use them in your architecture only where you need them. This can help you reduce load and costs. For information about NAT gateways, see NAT gateways in the Amazon Virtual Private Cloud User Guide.
The following figure depicts a VPC configuration for Network Firewall with an internet gateway and a NAT gateway.
Setting up AWS Network Firewall
This topic describes preliminary steps, such as getting an AWS account, to prepare you to use Network Firewall. You aren't charged to set up your account or for the other preliminary items. You are charged only for AWS services that you use.
Note
Network Firewall is a network traffic firewall for your Amazon Virtual Private Cloud VPCs. If you're already working with VPCs, the setup described here shouldn't be necessary.
After you complete these steps, see Getting started with Network Firewall (p. 22) to continue getting started with Network Firewall.
Before you use Network Firewall for the first time, check that you've completed the following tasks:
• Creating an IAM user (p. 18)
• Signing in as an IAM user (p. 19)
• Creating IAM user access keys (p. 20)
• Setting up tool access (p. 20)
Get an AWS account and your root user credentials
To access AWS, you must sign up for an AWS account.
To sign up for an AWS account
1. Open https://portal.aws.amazon.com/billing/signup.
2. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.
AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.
Creating an IAM user
If your account already includes an IAM user with full AWS administrative permissions, you can skip this section.
When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity.
That identity has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. When you sign in, enter the email address and password that you used to create the account.
Important
We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the root user, see Tasks that require root user credentials.
To create an administrator user for yourself and add the user to an administrators group (console)
1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.
Note
We strongly recommend that you adhere to the best practice of using the Administrator IAM user that follows and securely lock away the root user credentials. Sign in as the root user only to perform a few account and service management tasks.
2. In the navigation pane, choose Users and then choose Add user.
3. For User name, enter Administrator.
4. Select the check box next to AWS Management Console access. Then select Custom password, and then enter your new password in the text box.
5. (Optional) By default, AWS requires the new user to create a new password when first signing in. You can clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after they sign in.
6. Choose Next: Permissions.
7. Under Set permissions, choose Add user to group.
8. Choose Create group.
9. In the Create group dialog box, for Group name enter Administrators.
10. Choose Filter policies, and then select AWS managed - job function to filter the table contents.
11. In the policy list, select the check box for AdministratorAccess. Then choose Create group.
Note
You must activate IAM user and role access to Billing before you can use the AdministratorAccess permissions to access the AWS Billing and Cost Management console. To do this, follow the instructions in step 1 of the tutorial about delegating access to the billing console.
12. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to see the group in the list.
13. Choose Next: Tags.
14. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM entities in the IAM User Guide.
15. Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.
You can use this same process to create more groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to specific AWS resources, see Access management and Example policies.
Signing in as an IAM user
Sign in to the IAM console by choosing IAM user and entering your AWS account ID or account alias. On the next page, enter your IAM user name and your password.
Note
For your convenience, the AWS sign-in page uses a browser cookie to remember your IAM user name and account information. If you previously signed in as a different user, choose the sign-in link beneath the button to return to the main sign-in page. From there, you can enter your AWS account ID or account alias to be redirected to the IAM user sign-in page for your account.
Creating IAM user access keys
Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. If you don't have access keys, you can create them from the AWS Management Console. As a best practice, do not use the AWS account root user access keys for any task where it's not required. Instead, create a new administrator IAM user with access keys for yourself.
The only time that you can view or download the secret access key is when you create the keys. You cannot recover them later. However, you can create new access keys at any time. You must also have permissions to perform the required IAM actions. For more information, see Permissions required to access IAM resources in the IAM User Guide.
To create access keys for an IAM user
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users.
3. Choose the name of the user whose access keys you want to create, and then choose the Security credentials tab.
4. In the Access keys section, choose Create access key.
5. To view the new access key pair, choose Show. You will not have access to the secret access key again after this dialog box closes. Your credentials will look something like this:
• Access key ID: AKIAIOSFODNN7EXAMPLE
• Secret access key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
6. To download the key pair, choose Download .csv file. Store the keys in a secure location. You will not have access to the secret access key again after this dialog box closes.
Keep the keys confidential in order to protect your AWS account and never email them. Do not share them outside your organization, even if an inquiry appears to come from AWS or Amazon.com. No one who legitimately represents Amazon will ever ask you for your secret key.
7. After you download the .csv file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away.
Related topics
• What is IAM? in the IAM User Guide
• AWS security credentials in AWS General Reference
Setting up tool access
The AWS Management Console includes a console for Network Firewall, but if you want to access Network Firewall programmatically or through the command line, the following documentation and tools will help you:
• If you want to call the Network Firewall API without handling low-level details like assembling raw HTTP requests, you can use an AWS SDK. The AWS SDKs provide functions and data types that encapsulate the functionality of Network Firewall and other AWS services. To download an AWS SDK, see the applicable page, which also includes prerequisites and installation instructions:
• Java
• JavaScript
• .NET
• Node.js
• PHP
• Python
• Ruby
For a complete list of AWS SDKs, see Tools for Amazon Web Services.
• If you're using a programming language for which AWS doesn't provide an SDK, the AWS Network Firewall API Reference documents the operations that Network Firewall supports.
• The AWS Command Line Interface (AWS CLI) supports Network Firewall. The AWS CLI lets you control multiple AWS services from the command line and automate them through scripts. For more information, see AWS Command Line Interface.
• AWS Tools for Windows PowerShell supports Network Firewall. For more information, see AWS Tools for PowerShell Cmdlet Reference.
Getting started with AWS Network Firewall
AWS Network Firewall provides network traffic filtering protection for your Amazon Virtual Private Cloud VPCs. This tutorial provides steps for getting started with Network Firewall using the AWS Management Console. You can also use Network Firewall API operations to create and manage your firewalls. For more information about working with Network Firewall API operations, see the AWS Network Firewall API Reference.
Topics
• Before you begin (p. 22)
• Step 1: Create rule groups (p. 23)
• Step 2: Create a firewall policy (p. 24)
• Step 3: Create a firewall (p. 24)
• Step 4: Update your Amazon VPC route tables (p. 25)
• Step 5: Remove the firewall and clean up your resources (p. 26)
Before you begin
This tutorial walks you through configuring and implementing an AWS Network Firewall firewall for a VPC with a basic internet gateway architecture, like the one depicted at Simple single zone architecture with an internet gateway (p. 10).
To follow this tutorial, you'll need a test VPC where you want to implement a network firewall.
Additionally, you must know how to manage the subnets and route tables in your VPC.
• For information about managing subnets in your VPC, see VPCs and subnets in the Amazon Virtual Private Cloud User Guide.
• For information about managing route tables for your VPC, see Route tables in the Amazon Virtual Private Cloud User Guide.
The test VPC that you use for this tutorial must have the following configuration in one Region:
• An internet gateway.
• A customer subnet.
• Routing configured to send inbound traffic from the internet gateway to the subnet and to send the subnet's outbound traffic to the internet gateway.
• A second subnet to use as the firewall subnet. This subnet must not be used for other purposes and must have at least one available IP address. You'll select the Availability Zone and subnet ID when you create the firewall.
If you have a different architecture that you'd like to add a firewall to, you can adjust the guidance in this tutorial accordingly. Network Firewall doesn't support some VPC architectures. For information, see AWS Network Firewall example architectures with routing (p. 10).
Step 1: Create rule groups
Rule groups are reusable collections of network filtering rules that you use to configure firewall behavior.
In this step, you create a stateless rule group and a stateful rule group. For information about rule groups, see Rule groups (p. 39).
To create a stateless rule group
1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under Network Firewall, choose Network Firewall rule groups.
3. Choose Create rule group.
4. In the Create rule group page, for the Rule group type, choose Stateless rule group.
5. Enter the name that you want for the rule group. You'll use the name to identify the rule group when you add it to your firewall policy later in the tutorial. You can't change the name of a rule group after you create it.
6. For Capacity, enter 10.
7. Enter the following rule specifications to create a stateless rule that blocks all packets coming from the source IP address CIDR range 192.0.2.0/24:
a. Set the priority to 10.
b. Leave the protocol setting at All.
c. For the source address, specify 192.0.2.0/24.
d. Leave the source port at Any.
e. Set the destination address to Any.
f. For the action, choose Drop.
g. Choose Add rule. Your rule is added to the Rules list.
8. Review the settings for the rule group, then choose Create rule group.
Your new rule group is added to the list in the Rule groups page.
To create a stateful rule group
1. From the Rule groups page, choose Create rule group.
2. In the Create rule group page, for the Rule group type, choose Stateful rule group.
3. Enter a name for the stateful rule group.
4. For Capacity, enter 10.
5. Choose the stateful rule group configuration option Import Suricata compatible rules. The entry form for Suricata compatible IPS rules appears. Copy and paste the following Suricata rule into the text box. This rule drops TLS traffic for a specific target domain:
drop tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"evil.com"; startswith; nocase; endswith; msg:"matching TLS denylisted FQDNs"; priority:1; flow:to_server, established; sid:1; rev:1; gid:255;)
6. Choose Add rule. Your rule is added to the Rules list for the rule group.
7. Review the settings for the rule group, then choose Create rule group.
Your stateless rule group and your stateful rule group are listed in the Rule groups page. You can now use these rule groups in your firewall policies.
Step 2: Create a firewall policy
Firewall policies use rule groups and other settings to define the traffic filtering behavior for a firewall.
In this procedure, you'll create a policy using the rule groups that you created in the previous step. For information about firewall policies, see Firewall policies in AWS Network Firewall (p. 34).
To configure a firewall policy
1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under Network Firewall, choose Firewall policies.
3. In the Firewall policies page, choose Create firewall policy.
4. Enter the name that you want to use for the firewall policy. You'll use the name to identify the policy when you associate it with your firewall later in the tutorial. You can't change the name of a firewall policy after you create it.
5. Choose Next to go to the firewall policy's Add rule groups page.
6. In the Stateless rule groups section, choose Add rule groups, then select the check box for the stateless rule group that you created in the prior procedure. Choose Add rule groups. At the bottom of the page, the firewall policy's capacity counter shows the capacity consumed by adding this rule group next to the maximum capacity allowed for a firewall policy.
7. Your stateless rule group blocks some incoming traffic. In the stateless default actions, you choose what to do with the rest of the traffic. For this tutorial, we'll forward it to the stateful engine. Use the same default action for packets and packet fragments. Network Firewall only manages UDP packet fragments and silently drops packet fragments for other protocols. Set the action to Forward to stateful rules.
8. In the Stateful rule groups section, choose Add rule groups, then select the check box for the stateful rule group that you created in the prior procedure. Choose Add rule groups.
9. Choose Next then Next again to proceed through the tagging option and to the Review and create page. From this page, you can choose Edit for any area to return to the corresponding page in the firewall policy creation wizard.
10. Choose Create firewall policy.
Your new firewall policy is added to the list in the Firewall policies page. You can now use your firewall policy in your firewalls.
Step 3: Create a firewall
Firewalls associate the traffic filtering behavior of a firewall policy with the VPC where you want to filter traffic. In this procedure, you'll create a firewall using the firewall policy that you created in the previous step. For information about firewalls, see Firewalls in AWS Network Firewall (p. 30).
To create a firewall
1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under Network Firewall, choose Firewalls.
3. Choose Create firewall.
4. For Name, enter the name that you want to use to identify this firewall. You can't change the name of a firewall after you create it.
5. For VPC, select your VPC from the dropdown.
6. For Availability Zone and Subnet, select the zone and firewall subnet that you identified in Before you begin (p. 22).
7. For Associated firewall policy, choose Associate an existing firewall policy, then select the firewall policy that you created in the prior procedure.
8. Choose Create firewall.
Your new firewall is listed in the Firewalls page. You've configured the firewall's behavior with the firewall policy and rule groups, and your firewall has an endpoint that's running in your VPC, ready to filter network traffic.
The next step is to route the VPC's network traffic through the firewall endpoint. You'll insert it into the traffic flow between the internet gateway and your customer subnet.
Step 4: Update your Amazon VPC route tables
After you create your firewall, you insert its firewall endpoint into your Amazon Virtual Private Cloud network traffic flow, in between your internet gateway and your customer subnet. You create routing for the firewall endpoint so that it forwards traffic between the internet gateway and your subnet. Then, you update the route tables for your internet gateway and your subnet, to send traffic to the firewall endpoint instead of to each other.
This procedure covers the high-level steps for route table management. For information about managing route tables for your VPC, see Route tables in the Amazon Virtual Private Cloud User Guide.
To modify your route tables to insert a firewall endpoint between your internet gateway and your subnet
1. Review your routing for the internet gateway and for your customer subnet, to determine the components used to route traffic between the two.
Record the current settings. You'll use them to reverse your changes at the end of the tutorial.
• The internet gateway's route table typically has an entry with a destination set to your customer subnet's CIDR block and a target of local.
• The subnet's route table typically has an entry with a destination set to 0.0.0.0/0 and a target set to the internet gateway ID.
2. Create a route table configuration for the firewall endpoint with the following two routes:
• An entry that matches the internet gateway's route specification for traffic going to the customer subnet's CIDR block.
• An entry that matches the subnet's route specification for traffic going to the internet gateway.
The firewall endpoint is now ready to filter and forward traffic between the internet gateway and the customer subnet. The endpoint only forwards traffic to its intended destination if it passes the inspection criteria that you defined in the rule groups and firewall policy.
3. Update the internet gateway's routing to modify the entry with a destination set to your customer subnet's CIDR block. Change the target to the firewall endpoint ID.
4. Update the customer subnet routing to modify the entry with a destination set to the internet gateway ID. Change the target to the firewall endpoint ID.
The firewall endpoint is now filtering all traffic between your internet gateway and customer subnet.
Step 5: Remove the firewall and clean up your resources
You've now successfully completed the tutorial. To remove the firewall endpoint from your VPC and prevent your account from accruing AWS Network Firewall charges for the tutorial resources, revert your route table changes and clean up the Network Firewall resources that you created.
To modify your route tables to remove the firewall
1. Return the internet gateway and subnet route tables to the configurations they had at the start of the prior procedure. This stops traffic from routing to the firewall endpoint.
2. Remove the route table configuration for the firewall endpoint.
To remove the Network Firewall resources
1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under Network Firewall, choose Firewalls.
3. In the Firewalls page, select the firewall that you created for the tutorial.
4. Choose Delete, and then confirm your request.
5. In the navigation pane, under Network Firewall, choose Firewall policies.
6. In the Firewall policies page, select the firewall policy that you created for the tutorial.
7. Choose Delete, and confirm your request.
8. In the navigation pane, under Network Firewall, choose Network Firewall rule groups.
9. In the Rule groups page, select each rule group that you created for the tutorial, and then choose Delete.
You've successfully removed the firewall from your VPC traffic flow and removed all of the Network Firewall resources that you created for this tutorial.
Configuring your VPC and other components for AWS Network Firewall
This section describes the changes that you must make in your VPC configuration and other components to use AWS Network Firewall. For information about managing your Amazon Virtual Private Cloud VPC, see the Amazon Virtual Private Cloud User Guide.
For examples of architectures that are supported by Network Firewall, see Architecture and routing examples (p. 10).
Unsupported architectures
The following lists architectures and traffic types that Network Firewall doesn't support:
• VPC peering.
• Virtual private gateways.
• Inspection of AWS Global Accelerator traffic.
• Inspection of AmazonProvidedDNS traffic for Amazon EC2.
Topics
• VPC subnet configuration for AWS Network Firewall (p. 27)
• VPC route table configuration for AWS Network Firewall (p. 28)
• Transit gateway attachment configuration for AWS Network Firewall (p. 28)
VPC subnet configuration for AWS Network Firewall
When you associate a firewall to your VPC, you must provide a subnet for each Availability Zone where you want to place a firewall endpoint to filter traffic. A common configuration is to have a firewall endpoint in each zone where you have customer subnets that you want to protect, but you can also have a firewall endpoint filter traffic from multiple zones. When you create the firewall, Network Firewall adds a firewall endpoint to each of the designated subnets. Each firewall endpoint uses the firewall's associated firewall policy configuration to filter traffic that you route through it.
To prepare your VPC for your Network Firewall firewall, in each Availability Zone where you want a firewall endpoint, create a subnet for the endpoint. Each subnet must have at least one IP address available and a non-zero size.
Note
Reserve these firewall subnets for the exclusive use of Network Firewall. A firewall endpoint can't filter traffic coming into or going out of the subnet in which it resides, so don't place other applications in the firewall endpoint subnets.
For information about managing subnets in your VPC, see VPCs and subnets in the Amazon Virtual Private Cloud User Guide.
When you create your Network Firewall firewall, you must provide at least one zone and subnet for the firewall configuration. You can add and remove subnets after you create a firewall.
VPC route table configuration for AWS Network Firewall
After you create your firewall, you reroute your VPC network traffic through the firewall endpoints so they can start filtering traffic. Perform the following steps:
1. Review the route table configurations in your VPC Availability Zones for the subnets that you want to protect and for any location that sends traffic to the subnets or receives traffic from them.
2. Determine which traffic you want the firewall to filter and insert your firewall endpoints into the traffic flow. Update the route tables for both directions of traffic flow, if you want to filter incoming and outgoing traffic.
For example, suppose you wanted to filter traffic that's currently routed between a customer subnet and an internet gateway. You would update your route table configuration as follows to insert a firewall endpoint into the traffic flow:
1. Change the customer subnet route table so that it directs internet-bound traffic to the firewall endpoint.
2. Change the internet gateway route table so that it directs traffic that's bound for the customer subnet to the firewall endpoint.
3. Create a route table for the firewall endpoint so that it directs internet-bound traffic to the internet gateway and directs traffic that's bound for any destination inside the VPC to the destination specification local.
In this way, the firewall endpoint sits between the customer subnet and the internet gateway and can filter all incoming and outgoing traffic for the customer subnet.
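The route table changes described in these three steps, in Step 4 of the getting started tutorial, and in the single zone and multi zone architecture examples all follow the same pattern, and the easiest way to see why they work is to trace a packet through them. The following is an added example (not code from the guide or from AWS) that models the route tables from the guide's figures, resolves each hop with longest-prefix match, the rule VPC route tables apply, and checks that the firewall endpoint for the destination's zone sits on every path between a customer subnet and the internet gateway. The endpoint and gateway IDs and the CIDRs are the ones in the figures; the zone assignment of each subnet, the sample internet address, and the "before" route tables (taken from the tutorial's description of the typical starting configuration) are assumptions made for the example.

```python
"""Added example: trace packets through the VPC route tables from the guide's figures
and verify that the firewall endpoint is on every customer subnet <-> internet path.
IDs and CIDRs are the guide's; zone mapping and sample addresses are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

RouteTable = List[Tuple[str, str]]   # (destination CIDR, target); "local" = deliver inside the VPC

VPC_CIDR = "10.0.0.0/16"
IGW = "igw-1232"
# Constructed assumption: which Availability Zone each customer subnet and endpoint is in.
SUBNET_ZONE = {"10.0.2.0/24": "AZ1", "10.0.3.0/24": "AZ2"}
ZONE_ENDPOINT = {"AZ1": "vpce-4114", "AZ2": "vpce-5588"}


def multi_zone_tables() -> Dict[str, RouteTable]:
    """Route tables from the multi zone figure, keyed by the hop that consults them.
    The single zone figure is the AZ1 subset of this configuration."""
    return {
        # Internet gateway route table: each customer CIDR -> endpoint in the same zone
        IGW: [("10.0.2.0/24", "vpce-4114"), ("10.0.3.0/24", "vpce-5588")],
        # Firewall subnet route tables: VPC traffic stays local, everything else to the IGW
        "vpce-4114": [(VPC_CIDR, "local"), ("0.0.0.0/0", IGW)],
        "vpce-5588": [(VPC_CIDR, "local"), ("0.0.0.0/0", IGW)],
        # Customer subnet route tables: VPC traffic stays local, everything else to the
        # endpoint in the same zone
        "10.0.2.0/24": [(VPC_CIDR, "local"), ("0.0.0.0/0", "vpce-4114")],
        "10.0.3.0/24": [(VPC_CIDR, "local"), ("0.0.0.0/0", "vpce-5588")],
    }


def before_firewall_tables() -> Dict[str, RouteTable]:
    """The single zone VPC before the firewall is inserted: subnet and IGW route to each other."""
    return {
        IGW: [("10.0.2.0/24", "local")],
        "10.0.2.0/24": [(VPC_CIDR, "local"), ("0.0.0.0/0", IGW)],
    }


def lookup(table: RouteTable, dst: str) -> Optional[str]:
    """Target of the most specific route covering dst (longest-prefix match), or None."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(tables: Dict[str, RouteTable], start: str, dst: str, max_hops: int = 6) -> List[str]:
    """Follow a packet from `start` (a customer subnet CIDR or the IGW) towards dst.
    The path ends at "internet", the owning subnet, "blackhole" (no route) or "loop"."""
    addr = ipaddress.ip_address(dst)
    in_vpc = addr in ipaddress.ip_network(VPC_CIDR)
    path, hop = [start], start
    for _ in range(max_hops):
        if hop == IGW and not in_vpc:            # leaving the VPC: the IGW forwards it out
            path.append("internet")
            return path
        target = lookup(tables.get(hop, []), dst)
        if target is None:
            path.append("blackhole")
            return path
        if target == "local":                    # delivered to the subnet that owns dst
            owner = next((c for c in SUBNET_ZONE if addr in ipaddress.ip_network(c)), "local")
            path.append(owner)
            return path
        path.append(target)
        hop = target
    path.append("loop")
    return path


def check_inspection(tables: Dict[str, RouteTable], internet_ip: str = "198.51.100.10") -> List[str]:
    """Report every customer subnet <-> internet path that bypasses its zone's endpoint."""
    problems = []
    for cidr, zone in SUBNET_ZONE.items():
        if cidr not in tables:
            continue
        host = str(next(ipaddress.ip_network(cidr).hosts()))   # first usable address
        want = ZONE_ENDPOINT[zone]
        for path in (trace(tables, cidr, internet_ip), trace(tables, IGW, host)):
            if want not in path:
                problems.append(f"{path[0]} -> {path[-1]} bypasses {want}: {path}")
    return problems


if __name__ == "__main__":
    for name, tbls in (("before", before_firewall_tables()), ("with firewall", multi_zone_tables())):
        print(name, trace(tbls, "10.0.2.0/24", "198.51.100.10"), check_inspection(tbls) or "OK")
```

Two things the trace makes visible that the prose only implies: the same-zone endpoint is chosen for inbound traffic purely by the internet gateway route table's per-subnet entries, so a missing entry for a new customer subnet silently leaves that subnet uninspected (check_inspection reports it), and traffic between two customer subnets inside the VPC matches the more specific 10.0.0.0/16 local route and never reaches an endpoint, which is why these examples describe filtering between the subnets and the internet gateway only.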
For an overview of common Network Firewall architectures, with example route table configurations, see Architecture and routing examples (p. 10).
For information about managing route tables for your VPC, see Route tables in the Amazon Virtual Private Cloud User Guide.
Transit gateway attachment configuration for AWS Network Firewall
This section applies to the use of Network Firewall with a transit gateway in multiple Availability Zones where the firewall endpoints might reside in different Availability Zones than the subnets whose traffic they're filtering.
Note
To use this configuration, you must enable appliance mode on the transit gateway VPC attachment for any VPC where Network Firewall endpoints reside.
A Network Firewall endpoint is a stateful network appliance. Enabling appliance mode ensures that the transit gateway continues to use the same Availability Zone for the VPC attachment over the lifetime of a flow of traffic between source and destination.
For information about VPC transit gateways, see the guide Amazon Virtual Private Cloud Transit Gateways.
For information about appliance mode and how to enable it in your attachments, see Availability Zones and Example: Appliance in a shared services VPC.
Firewalls in AWS Network Firewall
An AWS Network Firewall firewall connects a firewall policy, which defines network traffic monitoring and filtering behavior, to the VPC that you want to protect. The firewall configuration includes specifications for the Availability Zones and subnets where the firewall endpoints are placed. It also defines high-level settings like the firewall logging configuration and tagging on the AWS firewall resource.
Topics
• Firewall settings (p. 30)
• Managing your firewall in AWS Network Firewall (p. 30)
Firewall settings
A firewall has the following top-level settings.
• Name – The identifier for the firewall. You assign a unique name to every firewall. You can't change the name of a firewall after you create it.
• Description – Optional additional information about the firewall. Fill in any information that might help you remember the purpose of the firewall and how you want to use it. The description is included in firewall lists in the console and through the APIs.
• VPC – The VPC that's associated with the firewall. This is the VPC that the firewall provides protection for.
• Subnets – The subnets to use for your firewall endpoints. You can specify up to one subnet for each Availability Zone that your VPC spans. See Configuring your VPC and other components for AWS Network Firewall (p. 27).
• Firewall policy – The firewall policy that's associated with the firewall. The firewall policy provides the monitoring and protection behavior for the firewall. You can use the same firewall policy for more than one firewall. For more information about firewall policies, see Firewall policies in AWS Network Firewall (p. 34).
• Logging – The type and location of the logs that Network Firewall provides for the firewall's stateful rules engine. You can enable flow logging for the network traffic that passes through the stateful rules engine. You can also enable alert logging for traffic that matches the stateful rules that have an action setting of Alert or Drop. For more information, see Logging network traffic from AWS Network Firewall (p. 85), and Stateful actions (p. 57).
• Tags – Zero or more key-value tag pairs. A tag is a label that you assign to an AWS resource. You can use tags to search and filter your resources and to track your AWS costs. For more information, see Tagging AWS Network Firewall resources (p. 101).
• Delete protection – A Boolean setting that is enabled when you create a firewall, and protects against accidental deletion of the firewall. The setting isn't shown in the console because the firewall deletion process disables this protection. Through the API, you must explicitly disable delete protection before you can delete the firewall.
Managing your firewall in AWS Network Firewall
This section describes how to create, update, and delete your firewall in AWS Network Firewall.
How Network Firewall propagates your changes
When you make any changes to a firewall, including changes to any of the firewall's components, like rule groups and firewall policies, Network Firewall propagates the changes everywhere that the firewall is used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. For example, if you modify a rule group so that it drops an additional type of packet, for a firewall that uses the rule group, the new packet type might briefly be dropped by one firewall endpoint while still being allowed by another.
This temporary inconsistency can occur when you first create a firewall and when you make changes to an existing firewall. Generally, any inconsistencies of this type last only a few seconds.
When you update rules in a stateful rule group and the updates don't change the rule order, Network Firewall propagates the new rules without stopping and restarting the service. This minimizes service disruption for traffic flows that are already established. If the update does change the rule order, established flows are still disrupted.
Changes to stateful rules are applied only to new traffic flows. Other firewall changes, including changes to stateless rules, are applied to all network packets.
Topics
• Creating a firewall (p. 31)
• Updating a firewall (p. 32)
• Deleting a firewall (p. 32)
Creating a firewall
To follow this procedure, the VPC that you want to protect must have at least one subnet available to host a firewall endpoint. For information, see VPC subnets (p. 27).
To create a firewall through the console
1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under Network Firewall, choose Firewalls.
3. Choose Create firewall.
4. Enter a Name to identify this firewall.
Note
You can't change the name after you create the firewall.
5. (Optional) Enter a Description for the firewall.
6. Choose your VPC from the dropdown list.
Note
You can't change the VPC after you create the firewall.
7. For Firewall subnets, choose the Availability Zones and subnets that you want to use for your firewall endpoints. You can choose up to one subnet for each Availability Zone that your VPC spans.
The subnets should be dedicated for Network Firewall firewall use. For more information, see VPC subnets (p. 27).
8. For the Associated firewall policy section, choose the firewall policy that you want to associate with the firewall. If you already have a firewall policy defined, you can select it. Otherwise, you can associate an empty policy, which you name here; the name can't be changed later. If you associate an empty policy, Network Firewall creates the policy and you can define its rules and other settings using the procedure at Updating a firewall policy (p. 37).
9. (Optional) For the Firewall tags - optional section, assign key-value tags to your firewall.
For information about tagging your AWS resources, see Tagging AWS Network Firewall resources (p. 101).