Security

VPC Traffic Control with AWS Network Firewall - Stateful Rules and Domain Filtering

Control VPC traffic with stateful/stateless rules and domain filtering. Learn how to leverage Suricata-compatible rules and managed rule groups.

約 3 分で読めます

Network Firewall's Role and How It Differs from Security Groups

Network Firewall is a managed firewall service that inspects traffic inline within a VPC. While security groups are limited to L3/L4 filtering at the ENI level, Network Firewall provides L7 application protocol inspection, domain-based filtering, and IDS/IPS signature matching. It is deployed in a dedicated firewall subnet, with route tables directing traffic through the firewall endpoint. By placing it between the internet gateway and workload subnets, you can inspect both inbound and outbound traffic.

Rule Design and Domain Filtering

Stateless rules match on 5-tuples (source/destination IP, source/destination port, protocol) and specify pass, drop, or forward to stateful rules. Stateful rules track connection state and allow writing L7 inspection rules in Suricata-compatible format. Domain list filtering inspects the HTTP Host header or TLS SNI (Server Name Indication) to perform filtering based on allow lists or deny lists. Controlling outbound traffic with an allow-list approach, permitting communication only to domains required for business operations, is effective for preventing data exfiltration.

Managed Rules and Operations

AWS Managed Rule Groups are rule sets containing known threat signatures that AWS automatically updates. They cover malware C2 communication patterns, known malicious domains, and common attack signatures. Firewall logs can be sent to CloudWatch Logs, S3, or Kinesis Data Firehose, with alert logs (traffic matching rules) and flow logs (all traffic) stored separately. Using Firewall Manager, you can apply unified firewall policies across all accounts in an Organizations setup, with policies automatically applied when new accounts or VPCs are created. For those who want to systematically learn about network security, related books (Amazon) can also be helpful.

Network Firewall Pricing

Network Firewall pricing consists of hourly charges for firewall endpoints and data processing volume. An endpoint costs approximately $0.395/hour per AZ (about $284/month), and multi-AZ configurations incur costs for each AZ. Data processing costs approximately $0.065 per GB. For a 2-AZ configuration processing 1 TB of traffic per month, the monthly cost is approximately $633 (endpoints $568 + data processing $65). Optimize costs by using security groups and NACLs for filtering that does not require Network Firewall, and routing only traffic that needs L7 inspection through Network Firewall.

Summary

Network Firewall is a managed firewall that provides L7-level traffic inspection beyond what security groups can handle. It delivers advanced threat protection through domain filtering and Suricata-compatible rules, and Firewall Manager enables unified policy enforcement across the entire organization.

Related Services

AWS Network FirewallA managed firewall service for fine-grained control of VPC network trafficAmazon VPCBuild a logically isolated virtual network on AWSAWS Firewall ManagerA service for centrally managing firewall rules across your entire AWS Organization

Related Articles

Automated Vulnerability Scanning with Amazon Inspector - Continuous Security Assessment for EC2, Lambda, and ECRAutomatically scan EC2 instances, ECR container images, and Lambda functions for vulnerabilities and prioritize them with CVE-based risk scores. Learn how to achieve agentless scanning through Systems Manager integration.Zero Trust Access with AWS Verified Access - VPN-Free Application ConnectivityEliminate VPNs and achieve zero trust access that verifies user identity and device security posture on every request. Learn about fine-grained control with Cedar policies.AWS WAF Bot Control and Fraud Prevention - Implementing Bot Mitigation and Account Takeover ProtectionDetect scrapers and automation tools with Bot Control, and prevent credential stuffing with ATP. Includes user experience design for challenges and CAPTCHA.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

Network Traffic Filtering - Advanced Network Defense with AWS Network FirewallLearn how to build multi-layered defense by combining stateful network traffic filtering with AWS Network Firewall and AWS WAF. Explore practical approaches to VPC-level traffic control and threat protection.AWS Network FirewallA managed network firewall service that performs stateful inspection of VPC traffic for intrusion prevention and domain filteringCentralized Security Rules with AWS Firewall Manager - Deploying WAF and Security Groups Across Your OrganizationLearn how to centrally manage WAF rules, Security Groups, and Network Firewall policies across your entire organization, with automatic enforcement on new accounts to maintain a consistent security baseline.