AWS Network Firewall
Purpose
- Fully managed firewall that protects an entire VPC, inspecting traffic from Layer 3 (network) through Layer 7 (application).
- Secures traffic within and entering/leaving a VPC.
Traffic Coverage
- VPC ↔ VPC (via peering or Transit Gateway)
- Hybrid connectivity via Direct Connect or Site-to-Site VPN
Architecture
- Deployed in a dedicated subnet inside the VPC
- Uses AWS Gateway Load Balancer under the hood for scalability/high availability
- Can be managed centrally with AWS Firewall Manager for multi-account environments
Rule Capabilities
- IP & Port filtering – block/allow traffic from large IP sets
- Protocol filtering – block specific protocols (e.g., SMB)
- Stateful domain list rules – restrict access to certain FQDNs (e.g., .example.com)
- Regex pattern matching – inspect payloads for sensitive data patterns
- Actions: allow, drop, alert
- Intrusion prevention: active flow inspection with threat blocking
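The domain list capability above is easiest to reason about with a small model of how a stateful domain list rule group is defined and how its targets match hostnames. This is an added illustration, not AWS's own code: the dictionary shape follows the RulesSourceList structure used by the boto3 CreateRuleGroup call (an assumption about the API shape, and the capacity value is a constructed placeholder), and the leading-dot semantics (".example.com" covers the domain and every subdomain, "example.com" only the exact name) are re-implemented locally so the example runs offline without calling AWS.

```python
"""Local model of an AWS Network Firewall stateful domain list rule group.

Added illustration, not AWS's own code. build_domain_rule_group() produces the
dict shape assumed for boto3's CreateRuleGroup (RuleGroup -> RulesSource ->
RulesSourceList); domain_matches()/evaluate() re-create the documented
leading-dot matching semantics so the behaviour can be checked offline.
"""
from typing import Dict, List


def build_domain_rule_group(name: str, targets: List[str], deny: bool = True) -> Dict:
    """Return a rule-group definition for a stateful domain list rule.

    Assumptions: key names mirror the boto3 RulesSourceList structure;
    Capacity is a constructed placeholder, not a sized value.
    """
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": 100,  # constructed placeholder
        "RuleGroup": {
            "RulesSource": {
                "RulesSourceList": {
                    "Targets": targets,
                    # Match on the TLS SNI and the HTTP Host header.
                    "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                    "GeneratedRulesType": "DENYLIST" if deny else "ALLOWLIST",
                }
            }
        },
    }


def domain_matches(target: str, hostname: str) -> bool:
    """Leading-dot targets (.example.com) match the domain and all of its
    subdomains; bare targets (example.com) match only that exact name."""
    target = target.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if target.startswith("."):
        base = target[1:]
        return hostname == base or hostname.endswith("." + base)
    return hostname == target


def evaluate(rule_group: Dict, hostname: str) -> str:
    """Return 'drop' or 'pass' for a hostname under the rule group's list type.

    DENYLIST drops listed domains and passes everything else; ALLOWLIST passes
    listed domains and drops everything else.
    """
    src = rule_group["RuleGroup"]["RulesSource"]["RulesSourceList"]
    listed = any(domain_matches(t, hostname) for t in src["Targets"])
    if src["GeneratedRulesType"] == "DENYLIST":
        return "drop" if listed else "pass"
    return "pass" if listed else "drop"


if __name__ == "__main__":
    deny = build_domain_rule_group("block-example", [".example.com", "bad.test"])
    for host in ("www.example.com", "example.com", "notexample.com", "sub.bad.test"):
        print(f"{host:20} -> {evaluate(deny, host)}")
```

The useful check is the third hostname: "notexample.com" is not a subdomain of "example.com", so a leading-dot target must not match it. A naive `endswith("example.com")` would block it, which is why the helper compares against the base name with its separating dot.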
Logging
- Send rule match logs to:
  - S3
  - CloudWatch Logs
  - Kinesis Data Firehose
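Whichever destination receives them, the alert logs are JSON records that a detection pipeline will want to parse and aggregate. The following is an added example, not AWS code: the sample lines are constructed to follow the documented alert log layout (a wrapper with firewall_name, availability_zone and event_timestamp around a Suricata-style event object); treating "blocked"/"allowed" as the action values and the exact nesting of the tls/alert fields are assumptions, and the IPs and names are documentation-range placeholders.

```python
"""Parse and summarise AWS Network Firewall alert log records.

Added illustration, not AWS code. SAMPLE_LOG_LINES is constructed to resemble
the alert log layout; field nesting beyond the documented wrapper keys is an
assumption. One non-alert record and one malformed line are included to show
how a batch parser should tolerate them.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List


def _alert(src_ip: str, src_port: int, dest_ip: str, sni: str, action: str) -> str:
    """Build one constructed alert record as a JSON line."""
    return json.dumps({
        "firewall_name": "example-fw",
        "availability_zone": "us-east-1a",
        "event_timestamp": "1700000000",
        "event": {
            "event_type": "alert",
            "src_ip": src_ip, "src_port": src_port,
            "dest_ip": dest_ip, "dest_port": 443, "proto": "TCP",
            "app_proto": "tls", "tls": {"sni": sni},
            "alert": {"action": action, "signature_id": 5, "signature": "", "severity": 1},
        },
    })


SAMPLE_LOG_LINES = [  # constructed sample input
    _alert("10.0.1.15", 51234, "203.0.113.10", "www.example.com", "blocked"),
    _alert("10.0.2.7", 40021, "203.0.113.10", "www.example.com", "blocked"),
    _alert("10.0.1.15", 51240, "198.51.100.5", "api.corp.internal", "allowed"),
    json.dumps({"firewall_name": "example-fw", "availability_zone": "us-east-1a",
                "event_timestamp": "1700000001",
                "event": {"event_type": "netflow", "src_ip": "10.0.1.15",
                          "dest_ip": "198.51.100.5", "proto": "TCP"}}),
    '{"firewall_name": "example-fw", "event": {truncated',  # malformed on purpose
]


def parse_alert_records(lines: Iterable[str]) -> List[Dict]:
    """Return flattened alert records; skip malformed lines and non-alert events."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole batch
        ev = rec.get("event", {})
        if ev.get("event_type") != "alert":
            continue
        records.append({
            "firewall": rec.get("firewall_name"),
            "az": rec.get("availability_zone"),
            "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
            "dst": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
            "sni": ev.get("tls", {}).get("sni"),
            "action": ev.get("alert", {}).get("action"),
            "sid": ev.get("alert", {}).get("signature_id"),
        })
    return records


def count_by_destination(records: List[Dict]) -> Counter:
    """Count alerts per (SNI, action) pair, e.g. how often a domain was blocked."""
    return Counter((r["sni"], r["action"]) for r in records)


def blocked_sources(records: List[Dict]) -> List[str]:
    """Distinct source IPs that hit a blocking rule, for triage or follow-up."""
    return sorted({r["src"].split(":")[0] for r in records if r["action"] == "blocked"})


if __name__ == "__main__":
    recs = parse_alert_records(SAMPLE_LOG_LINES)
    for key, n in count_by_destination(recs).items():
        print(key, n)
    print("blocked sources:", blocked_sources(recs))
```

Filtering on `event_type` matters because the same log stream style is used for flow records; aggregating by SNI and action gives the quick "which domains are being blocked, and from where" view that a domain list rule is usually deployed to answer.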
Best Use Cases
- Centralized, deep traffic inspection
- Threat prevention for hybrid and multi-VPC architectures
- Policy consistency across multiple accounts