VPC Traffic Control with AWS Network Firewall - Stateful Rules and Domain Filtering

Control VPC traffic with stateful/stateless rules and domain filtering. Learn how to leverage Suricata-compatible rules and managed rule groups.

Network Firewall's Role and How It Differs from Security Groups

Network Firewall is a managed firewall service that inspects traffic inline within a VPC. While security groups are limited to L3/L4 filtering at the ENI level, Network Firewall provides L7 application protocol inspection, domain-based filtering, and IDS/IPS signature matching. It is deployed in a dedicated firewall subnet, with route tables directing traffic through the firewall endpoint. By placing it between the internet gateway and workload subnets, you can inspect both inbound and outbound traffic. Unlike on-premises next-generation firewalls from vendors such as Palo Alto Networks or Fortinet, Network Firewall eliminates hardware procurement and firmware management as a fully managed service.

Rule Design and Domain Filtering

Stateless rules match on 5-tuples (source/destination IP, source/destination port, protocol) and specify pass, drop, or forward to stateful rules. They are suited for high-speed processing of large traffic volumes. Stateful rules track connection state and support three formats: Suricata-compatible IPS rules, domain list rules, and 5-tuple rules. Domain list filtering inspects the HTTP Host header or TLS SNI (Server Name Indication) to perform filtering based on allow lists or deny lists. TLS SNI inspection enables domain filtering even for encrypted HTTPS traffic. Controlling outbound traffic with an allow-list approach, permitting communication only to domains required for business operations, is effective for preventing data exfiltration.

Multi-Layer Defense Architecture with WAF

Combining Network Firewall with AWS WAF enables comprehensive multi-layer defense from the network layer to the application layer. Network Firewall operates at the VPC subnet level and inspects all inbound/outbound traffic. WAF operates in front of CloudFront, ALB, and API Gateway, providing application-layer protection through SQL injection, XSS, and rate-based rules. A centralized firewall architecture using Transit Gateway aggregates traffic from multiple VPCs to a single Network Firewall endpoint, applying unified security policies.

Managed Rules and Organization-Wide Governance

AWS Managed Rule Groups are rule sets containing known threat signatures that AWS automatically updates. They cover malware C2 communication patterns, known malicious domains, and botnet communication patterns. Firewall Manager enables unified firewall policy enforcement across all accounts in an Organizations setup, with policies automatically applied when new accounts or VPCs are created. Managing both Network Firewall and WAF policies centrally ensures organization-wide security governance. For those who want to systematically learn about network security, related books (Amazon) can also be helpful.

Log Analysis and Threat Intelligence Integration

Network Firewall can output alert logs and flow logs to S3, CloudWatch Logs, and Kinesis Data Firehose. Alert logs record detailed information about traffic matching IPS rules, useful for security incident investigation. Flow logs record metadata for all traffic, enabling network visualization and anomaly detection. Aggregating these logs in OpenSearch Service and visualizing them on dashboards enables real-time security monitoring. You can also integrate with GuardDuty threat detection findings to automatically add detected threat IP addresses to block lists. Combining Lambda and EventBridge for automated response minimizes the time from threat detection to blocking.

Network Firewall Pricing

Network Firewall pricing consists of hourly charges for firewall endpoints and data processing volume. An endpoint costs approximately $0.395/hour per AZ (about $284/month), and multi-AZ configurations incur costs for each AZ. Data processing costs approximately $0.065 per GB. For a 2-AZ configuration processing 1 TB of traffic per month, the monthly cost is approximately $633 (endpoints $568 + data processing $65). Optimize costs by using security groups and NACLs for filtering that does not require Network Firewall, and routing only traffic that needs L7 inspection through Network Firewall.

Summary

Network Firewall is a managed firewall that provides L7-level traffic inspection beyond what security groups can handle. It delivers advanced threat protection through Suricata-compatible rules and domain filtering, and builds comprehensive security through multi-layer defense with WAF. Threat intelligence integration with GuardDuty enables automated blocking, and Firewall Manager applies unified policies across the entire organization.