AWS Network Firewall

A managed network firewall service that performs stateful inspection of VPC traffic for intrusion prevention and domain filtering

Overview

AWS Network Firewall is a managed firewall service that provides fine-grained control over network traffic within VPCs. It delivers advanced traffic inspection capabilities (stateful inspection, intrusion detection/prevention, domain-based filtering, TLS inspection) that security groups and NACLs cannot address. It uses a Suricata-compatible rule engine, allowing you to migrate existing IDS/IPS rule sets. Combined with Transit Gateway or Gateway Load Balancer, it can operate as a centralized firewall for multi-VPC environments.

Two-Tier Architecture - Stateless and Stateful Rules

Network Firewall rules consist of two types that work in sequence. Stateless rule groups evaluate each packet independently based on IP addresses, ports, and protocols, operating similarly to NACLs. They process traffic first and can pass, drop, or forward packets to stateful rule groups for deeper inspection. Stateful rule groups track connection state and support three rule formats: 5-tuple rules for basic allow/deny decisions, domain list rules for FQDN-based filtering, and Suricata-compatible IPS rules for advanced threat detection. In practice, a two-tier approach is recommended: use stateless rules to drop obviously unwanted traffic (known malicious IP ranges, invalid protocols) at high speed, then inspect remaining traffic in detail with stateful rules. This layered design reduces the processing load on the more expensive stateful engine while maintaining comprehensive security coverage.

Domain Filtering and TLS Inspection

Domain list rules are one of Network Firewall's most practical features, allowing HTTP/HTTPS traffic only to specific domains. This is useful for restricting outbound communication to approved external APIs, software update servers, or SaaS endpoints while blocking everything else. For HTTPS traffic, the firewall can inspect the SNI (Server Name Indication) field without decrypting the traffic, enabling domain-based filtering without the overhead of full TLS inspection. When deeper inspection is required, TLS inspection decrypts, inspects, and re-encrypts traffic using certificates managed through ACM. Because the rule engine is Suricata-compatible, you can directly import open-source IDS/IPS rule sets such as Emerging Threats or Snort community rules. Azure Firewall offers similar FQDN filtering and TLS inspection capabilities, though its IDPS functionality requires the Premium SKU at roughly twice the cost of the Standard tier.
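The following is an added example, not code from AWS or from this page, showing how the two-tier design from the previous section and the domain filtering described here fit together as boto3 request bodies for the Network Firewall API (create_rule_group / create_firewall_policy). The CIDR, domains, rule-group names, and the single Suricata signature are constructed sample values; the HOME_NET override, capacities, and ARN placeholders are assumptions chosen for illustration. Nothing contacts AWS unless apply() is called with a real client.

```python
"""Two-tier AWS Network Firewall configuration expressed as boto3 request bodies.

Tier 1 (stateless): drop packets to or from a blocked CIDR, forward everything
else to the stateful engine. Tier 2 (stateful): a domain allowlist matched on
TLS SNI / HTTP Host, plus a Suricata-compatible signature. Only apply() talks
to AWS, so the builders run offline.
"""
from __future__ import annotations

# Constructed sample inputs (RFC 5737 documentation range, example domains).
HOME_NET = "10.0.0.0/16"
BLOCKED_CIDRS = ["198.51.100.0/24"]
ALLOWED_DOMAINS = ["api.example.com", ".update.example.net"]  # leading dot = any subdomain
SURICATA_RULES = "\n".join([
    # Constructed signature: block outbound Telnet from the VPC. A real deployment
    # would load Emerging Threats / Snort community rules here instead.
    'drop tcp $HOME_NET any -> $EXTERNAL_NET 23 '
    '(msg:"outbound telnet blocked"; flow:to_server; sid:1000001; rev:1;)',
])


def stateless_rule_group(name: str, blocked_cidrs: list[str]) -> dict:
    """Tier 1: per-packet 5-tuple checks evaluated before the stateful engine."""
    rules = []
    for cidr in blocked_cidrs:
        # One rule per direction so the range is dropped as source or destination.
        for src, dst in ((cidr, "0.0.0.0/0"), ("0.0.0.0/0", cidr)):
            rules.append({
                "Priority": len(rules) + 1,
                "RuleDefinition": {
                    "MatchAttributes": {
                        "Sources": [{"AddressDefinition": src}],
                        "Destinations": [{"AddressDefinition": dst}],
                    },
                    "Actions": ["aws:drop"],
                },
            })
    return {
        "RuleGroupName": name,
        "Type": "STATELESS",
        "Capacity": 100,
        "RuleGroup": {"RulesSource": {
            "StatelessRulesAndCustomActions": {"StatelessRules": rules}}},
    }


def domain_allowlist_rule_group(name: str, domains: list[str], home_net: str) -> dict:
    """Tier 2a: allow HTTP/HTTPS only to approved domains. TLS_SNI reads the
    cleartext SNI field (no decryption needed); HTTP_HOST covers plain HTTP.
    HOME_NET identifies the client side whose outbound traffic is restricted."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": 100,
        "RuleGroup": {
            "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": [home_net]}}},
            "RulesSource": {"RulesSourceList": {
                "Targets": domains,
                "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                "GeneratedRulesType": "ALLOWLIST",
            }},
        },
    }


def suricata_rule_group(name: str, rules: str, home_net: str) -> dict:
    """Tier 2b: Suricata-compatible IPS signatures supplied as a rules string."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": 100,
        "RuleGroup": {
            "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": [home_net]}}},
            "RulesSource": {"RulesString": rules},
        },
    }


def firewall_policy(name: str, stateless_arn: str, stateful_arns: list[str]) -> dict:
    """Wire the tiers together: stateless runs first, and aws:forward_to_sfe as
    the default action sends everything it did not drop to the stateful groups."""
    return {
        "FirewallPolicyName": name,
        "FirewallPolicy": {
            "StatelessRuleGroupReferences": [{"ResourceArn": stateless_arn, "Priority": 1}],
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
            "StatefulRuleGroupReferences": [{"ResourceArn": a} for a in stateful_arns],
        },
    }


def apply(client) -> dict:
    """Create the rule groups, then the policy. `client` is a
    boto3.client("network-firewall"); this is the only function that calls AWS."""
    arns = {}
    for req in (stateless_rule_group("tier1-drop", BLOCKED_CIDRS),
                domain_allowlist_rule_group("tier2-domains", ALLOWED_DOMAINS, HOME_NET),
                suricata_rule_group("tier2-ips", SURICATA_RULES, HOME_NET)):
        resp = client.create_rule_group(**req)
        arns[req["RuleGroupName"]] = resp["RuleGroupResponse"]["RuleGroupArn"]
    policy = firewall_policy("two-tier-policy", arns["tier1-drop"],
                             [arns["tier2-domains"], arns["tier2-ips"]])
    return client.create_firewall_policy(**policy)["FirewallPolicyResponse"]
```

The policy keeps the default (action-order) stateful evaluation, so the allowlist group's generated pass rules win over its generated drop rule and other HTTP/TLS destinations are denied; if you switch the policy to strict order, the stateful rule groups must be created with the matching StatefulRuleOptions and the references need explicit priorities.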

Centralized Inspection VPC and Organization-Wide Deployment with Firewall Manager

The most common deployment pattern for Network Firewall is a centralized inspection VPC. Transit Gateway routing aggregates all internet-bound traffic from every VPC through the inspection VPC, where Network Firewall inspects it centrally. This eliminates the need to deploy individual firewalls in each VPC and consolidates rule management into a single location. When combined with Firewall Manager, unified firewall policies can be applied across all accounts in an Organization, with firewalls automatically deployed when new VPCs are created. This ensures consistent security posture without manual intervention as the organization grows. A cost consideration is that firewall endpoints must be created per Availability Zone - in a 3-AZ configuration, you incur fixed hourly charges for three endpoints plus pay-as-you-go traffic processing fees. For smaller environments, deploying in two AZs and routing traffic accordingly can reduce costs while maintaining redundancy.
