Network Traffic Filtering - Advanced Network Defense with AWS Network Firewall
Learn how to build multi-layered defense by combining stateful network traffic filtering with AWS Network Firewall and AWS WAF. Explore practical approaches to VPC-level traffic control and threat protection.
Network Security Challenges and AWS Network Firewall
In cloud environments, key network security challenges include traffic control between VPCs, internet communication filtering, and detecting and blocking malware communications. Security groups and NACLs (Network ACLs) provide basic port-based filtering but do not support application-layer inspection or domain-based filtering. AWS Network Firewall is a VPC-level stateful firewall with a Suricata-compatible rule engine that filters traffic based on multiple layers of conditions including IP addresses, ports, protocols, domain names, and HTTP headers. IDS/IPS (Intrusion Detection/Prevention System) functionality is also integrated, enabling detection and blocking of traffic based on known threat signatures.
Network Firewall Rule Design and Traffic Control
Network Firewall rule groups consist of two types: stateless rules and stateful rules. Stateless rules provide high-speed filtering based on 5-tuples (source/destination IP, source/destination port, protocol), efficiently processing large volumes of traffic. Stateful rules support three formats: Suricata-compatible IPS rules, domain list rules, and 5-tuple rules. Domain list rules define lists of domain names to allow or deny, enabling DNS-based traffic control. TLS Server Name Indication (SNI) inspection also enables domain filtering of encrypted HTTPS traffic. By leveraging AWS Managed Rule Groups, you can immediately apply rule sets based on AWS-managed threat intelligence, automatically blocking communications with known malware domains and botnet C&C servers.
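The three rule formats above, plus the firewall policy that ties them together, can be generated as the exact request bodies `create-rule-group` and `create-firewall-policy` accept. The following is an added example, not code from the article or from AWS; the rule group names, SIDs, CIDRs, the `drop telnet` stateless rule and the domain-validation regex are constructed for illustration. It builds a stateless 5-tuple rule group, a domain list rule group, a Suricata-compatible rule group (with exact-match vs. subdomain-wildcard SNI anchoring and a strict-mode CIDR check), and a strict-order policy.

```python
"""Added example: build Network Firewall rule groups and a firewall policy as
the request bodies create-rule-group / create-firewall-policy accept.
Names, SIDs and CIDRs are constructed placeholders, not from the article."""
import ipaddress
import json
import re

# Domain list targets: an exact name, or ".example.com" to cover every subdomain.
_DOMAIN_RE = re.compile(r"^\.?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def validate_domain_target(target: str) -> str:
    """Normalise a domain list entry; reject schemes, paths and bad labels."""
    t = target.strip().lower()
    if not _DOMAIN_RE.match(t):
        raise ValueError(f"invalid domain list target: {target!r}")
    return t


def stateless_rule_group(name: str, capacity: int) -> dict:
    """Stateless 5-tuple rule: drop plaintext telnet (TCP/23) anywhere.
    Everything else reaches the stateful engine via the policy default."""
    drop_telnet = {
        "RuleDefinition": {
            "MatchAttributes": {
                "Sources": [{"AddressDefinition": "0.0.0.0/0"}],
                "Destinations": [{"AddressDefinition": "0.0.0.0/0"}],
                "Protocols": [6],  # TCP
                "DestinationPorts": [{"FromPort": 23, "ToPort": 23}],
            },
            "Actions": ["aws:drop"],
        },
        "Priority": 1,
    }
    return {
        "RuleGroupName": name, "Type": "STATELESS", "Capacity": capacity,
        "RuleGroup": {"RulesSource": {
            "StatelessRulesAndCustomActions": {"StatelessRules": [drop_telnet]}}},
    }


def domain_list_rule_group(name: str, targets: list, capacity: int, allow: bool = False) -> dict:
    """Domain list rule group matching the HTTP Host header and the TLS SNI."""
    return {
        "RuleGroupName": name, "Type": "STATEFUL", "Capacity": capacity,
        "RuleGroup": {"RulesSource": {"RulesSourceList": {
            "Targets": [validate_domain_target(t) for t in targets],
            "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
            "GeneratedRulesType": "ALLOWLIST" if allow else "DENYLIST",
        }}},
    }


def suricata_rule_group(name: str, sid_base: int, sni_denylist: list,
                        cidr_denylist: list, capacity: int) -> dict:
    """Suricata-compatible rules: TLS SNI drops plus plain IP drops."""
    rules, sid = [], sid_base
    for raw in sni_denylist:
        d = validate_domain_target(raw)
        # Leading dot = any subdomain: anchor only the end of the SNI buffer.
        # An exact name is anchored at both ends, so "foo-c2.example.net"
        # does not match a rule written for "c2.example.net".
        anchor = "endswith;" if d.startswith(".") else "startswith; endswith;"
        rules.append(
            f'drop tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"{d}"; '
            f'nocase; {anchor} msg:"Blocked TLS SNI {d}"; sid:{sid}; rev:1;)')
        sid += 1
    for cidr in cidr_denylist:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        rules.append(
            f'drop ip $HOME_NET any -> {net} any (msg:"Blocked destination {net}"; '
            f'sid:{sid}; rev:1;)')
        sid += 1
    return {
        "RuleGroupName": name, "Type": "STATEFUL", "Capacity": capacity,
        "RuleGroup": {"RulesSource": {"RulesString": "\n".join(rules)},
                      "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"}},
    }


def firewall_policy(stateless_arn: str, stateful_arns: list) -> dict:
    """Strict-order policy: stateful groups run in priority order and any flow
    no rule explicitly passes is dropped and logged."""
    return {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatelessRuleGroupReferences": [{"ResourceArn": stateless_arn, "Priority": 1}],
        "StatefulRuleGroupReferences": [
            {"ResourceArn": arn, "Priority": i} for i, arn in enumerate(stateful_arns, 1)],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulDefaultActions": ["aws:drop_strict", "aws:alert_strict"],
    }


if __name__ == "__main__":
    # Feed the output to: aws network-firewall create-rule-group --cli-input-json file://rg.json
    rg = suricata_rule_group("DenyC2", 1000001, [".bad.example", "c2.example.net"],
                             ["203.0.113.0/24"], 100)
    print(json.dumps(rg, indent=2))
```

Each function returns a plain dict, so the same definitions can be fed to the CLI with `--cli-input-json` or passed straight to boto3. The strict-order policy with `aws:drop_strict` is the default-deny posture: anything the rule groups do not explicitly `pass` is dropped.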
Multi-Layered Defense Architecture with Network Firewall and WAF
Combining Network Firewall with AWS WAF builds comprehensive multi-layered defense from the network layer to the application layer. Network Firewall operates at the VPC subnet level, inspecting all inbound and outbound traffic. WAF operates in front of CloudFront, ALB, and API Gateway, providing application-layer protection through SQL injection, XSS, and rate-based rules. In a centralized firewall architecture combined with Transit Gateway, traffic from multiple VPCs is aggregated to a single Network Firewall endpoint, applying unified security policies. Using AWS Firewall Manager, you can apply Network Firewall and WAF policies across all accounts under Organizations, ensuring organization-wide security governance. For those who want to systematically learn about firewall design, related books (Amazon) can also be helpful.
Log Analysis and Threat Intelligence
Network Firewall can output alert logs and flow logs to S3, CloudWatch Logs, and Kinesis Data Firehose. Alert logs record detailed information about traffic matching IPS rules, useful for security incident investigation. Flow logs record metadata for all traffic, used for network visualization and anomaly detection. By aggregating these logs into OpenSearch Service and visualizing them on dashboards, you can achieve real-time security monitoring. You can also build workflows that link GuardDuty threat detection results with Network Firewall rules, automatically adding detected threat IP addresses to block lists. Below is an example of creating a Network Firewall rule group with the AWS CLI.

```bash
# The --rule-group JSON uses the API's PascalCase keys (RulesSource, Targets, ...);
# the CLI rejects camelCase variants as unknown parameters.
aws network-firewall create-rule-group \
  --rule-group-name "BlockMaliciousDomains" \
  --type STATEFUL \
  --capacity 100 \
  --rule-group '{"RulesSource": {"RulesSourceList": {"Targets": ["malware.example.com"], "TargetTypes": ["HTTP_HOST", "TLS_SNI"], "GeneratedRulesType": "DENYLIST"}}}'
```

By combining Lambda and EventBridge for automated response, you can minimize the time from threat detection to blocking. On-premises, next-generation firewalls from Palo Alto Networks or Fortinet provide equivalent functionality, but Network Firewall, as a managed service, eliminates hardware procurement and firmware updates, significantly reducing operational costs.
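The GuardDuty-to-block-list workflow described above can be implemented as a Lambda function triggered by EventBridge on `GuardDuty Finding` events. The following is an added example written for this page, not code from the article or from AWS. It assumes a stateful rule group whose Suricata rules reference an IP set variable (named `THREAT_IPS` here) so that only the variable definition has to change; the rule group ARN, environment variable names, severity threshold, the "home networks" that must never be blocked, and the sample finding are all constructed. The `describe_rule_group` / `update_rule_group` calls and the GuardDuty `remoteIpDetails` fields are the real API shapes; the fake client in the usage note exists only so the logic can be exercised offline.

```python
"""Added example: GuardDuty finding -> Network Firewall IP set block list.
Assumes a stateful rule group whose Suricata rules reference an IP set
variable named THREAT_IPS, e.g.
  drop ip $HOME_NET any -> $THREAT_IPS any (msg:"GuardDuty threat IP"; sid:2000001; rev:1;)
The ARN, variable name, thresholds and the sample finding are constructed."""
import ipaddress
import os
from typing import Iterable, List

RULE_GROUP_ARN = os.environ.get(
    "RULE_GROUP_ARN",
    "arn:aws:network-firewall:REGION:ACCOUNT_ID:stateful-rulegroup/PLACEHOLDER")
IPSET_NAME = os.environ.get("IPSET_NAME", "THREAT_IPS")
MIN_SEVERITY = float(os.environ.get("MIN_SEVERITY", "4"))  # GuardDuty: 4.0+ is Medium or worse
# Never push these into a block list: RFC1918, loopback, link-local, CGNAT
# (add your own VPC CIDRs via the HOME_NETS environment variable).
HOME_NETS = [ipaddress.ip_network(n) for n in os.environ.get(
    "HOME_NETS",
    "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8,169.254.0.0/16,100.64.0.0/10",
).split(",")]

# Constructed sample in the shape of an EventBridge "GuardDuty Finding" event.
SAMPLE_FINDING = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "severity": 8,
        "type": "Backdoor:EC2/C&CActivity.B",
        "service": {"action": {
            "actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {
                "connectionDirection": "OUTBOUND",
                "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}},
    },
}


def threat_ips_from_finding(event: dict, min_severity: float) -> List[str]:
    """Pull remote IPs out of the action types that carry remoteIpDetails."""
    detail = event.get("detail", {})
    if float(detail.get("severity", 0)) < min_severity:
        return []
    action = detail.get("service", {}).get("action", {})
    remote_details = [action[k].get("remoteIpDetails", {})
                      for k in ("networkConnectionAction", "awsApiCallAction") if k in action]
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        remote_details.append(probe.get("remoteIpDetails", {}))
    return [rd[f] for rd in remote_details for f in ("ipAddressV4", "ipAddressV6") if rd.get(f)]


def merge_threat_ips(existing: Iterable[str], new_ips: Iterable[str], home_nets) -> List[str]:
    """Return the deduplicated, sorted IP set definition with new /32 (/128)
    entries added; any address inside home_nets is skipped, never blocked."""
    nets = {ipaddress.ip_network(e) for e in existing}
    for ip in new_ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in hn for hn in home_nets if hn.version == addr.version):
            continue
        nets.add(ipaddress.ip_network(str(addr)))
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def lambda_handler(event: dict, context=None, client=None) -> dict:
    """EventBridge -> Lambda entry point. `client` is injectable for tests."""
    ips = threat_ips_from_finding(event, MIN_SEVERITY)
    if not ips:
        return {"updated": False, "reason": "no eligible remote IPs"}
    if client is None:
        import boto3  # lazy import so the pure functions above run without the SDK
        client = boto3.client("network-firewall")
    current = client.describe_rule_group(RuleGroupArn=RULE_GROUP_ARN)
    rule_group = current["RuleGroup"]
    existing = (rule_group.get("RuleVariables", {}).get("IPSets", {})
                .get(IPSET_NAME, {}).get("Definition", []))
    merged = merge_threat_ips(existing, ips, HOME_NETS)
    if merged == merge_threat_ips(existing, [], HOME_NETS):
        return {"updated": False, "reason": "already blocked"}
    rule_group.setdefault("RuleVariables", {}).setdefault("IPSets", {})[IPSET_NAME] = {
        "Definition": merged}
    # UpdateToken is optimistic locking: a concurrent edit makes this call fail
    # instead of silently overwriting it, so let Lambda retry on the exception.
    client.update_rule_group(RuleGroupArn=RULE_GROUP_ARN,
                             UpdateToken=current["UpdateToken"], RuleGroup=rule_group)
    return {"updated": True, "count": len(merged)}
```

The home-network exclusion is the check most often forgotten: GuardDuty findings for internal reconnaissance carry private remote addresses, and pushing those into a drop rule takes down your own traffic. Pair the function with a scheduled cleanup (or a TTL stored alongside each entry) so the IP set does not grow without bound and exceed the rule group's capacity.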
Network Firewall Pricing
Firewall endpoints cost approximately $0.395/hour per AZ (about $284/month), and data processing costs approximately $0.065 per GB. For a 2-AZ configuration processing 1 TB of traffic per month, the monthly cost is approximately $633. Optimize costs by using security groups and NACLs for filtering that does not require Network Firewall, and routing only traffic that needs L7 inspection through it.
Summary - Building Cloud-Native Network Defense
AWS Network Firewall provides advanced network traffic filtering as a VPC-level stateful firewall. It integrates a Suricata-compatible rule engine, domain-based filtering, and IDS/IPS functionality, delivering defense capabilities comparable to on-premises next-generation firewalls as a managed service. By combining multi-layered defense with WAF, organization-wide policy management with Firewall Manager, and threat intelligence integration with GuardDuty, you can build a comprehensive network security posture.