AWS Network Firewall

AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for your virtual private cloud (VPC) that you create in Amazon Virtual Private Cloud (Amazon VPC).

The AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all your Amazon Virtual Private Clouds, and you can then use domain list rules to block HTTP or HTTPS traffic to domains identified as low-reputation, or that are known or suspected to be associated with malware or botnets.

With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Network Firewall uses the open source intrusion prevention system (IPS), Suricata, for stateful inspection. Network Firewall supports Suricata compatible rules. For more information, see

Working with stateful rule groups in AWS Network Firewall⁠

You can use Network Firewall to monitor and protect your Amazon VPC traffic in a number of ways, including the following:

Pass traffic through only from known AWS service domains or IP address endpoints, such as Amazon S3.

Use custom lists of known bad domains to limit the types of domain names that your applications can access.

Perform deep packet inspection on traffic entering or leaving your VPC.

Use stateful protocol detection to filter protocols like HTTPS, independent of the port used.

Rule groups in AWS Network Firewall

An AWS Network Firewall rule group is a reusable set of criteria for inspecting and handling network traffic. You add one or more rule groups to a firewall policy as part of policy configuration. For more information about firewall policies and firewalls, see

Firewall policies in AWS Network Firewall⁠

and

Firewalls in AWS Network Firewall⁠

You can use your own rule groups and you can use rule groups that are managed for you by AWS.

Network Firewall rule groups are either stateless or stateful. Stateless rule groups evaluate packets in isolation, while stateful rule groups evaluate them in the context of their traffic flow. You can create and manage the following categories of rule groups in Network Firewall:

Stateless – Defines standard network connection attributes for examining a packet on its own, with no additional context.

Stateful – Defines criteria for examining a packet in the context of traffic flow and of other traffic that's related to the packet.

Network Firewall uses a Suricata rules engine to process all stateful rules. You can write any of your stateful rules in Suricata compatible format. Alternately, for domain list rules and for very basic rules, you can use an easy entry form provided by Network Firewall.

Stateful rule groups are available in the following categories:

Suricata compatible rule strings – Provides match and action settings, in Suricata compatible format. You can provide all of your stateful rules through this method if you want to.

Domain list – Defines a list of domain names and specifies the protocol type to inspect.

Standard stateful rules – Defines standard network connection attributes for examining a packet within the context of a traffic flow.

Depending on the type of rule group, you might also define rules inside the rule group. Rules provide detailed criteria for packet inspection and specify what to do when a packet matches the criteria. When Network Firewall finds a match between the criteria and a packet, we say that the packet matches the rule group.

This section provides guidance for creating and managing your own rule groups.

⁠

Loading docs.aws.amazon.com⁠

⁠

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.