
AWS Network Firewall (Specialized, 2020 onward)

A managed firewall service for fine-grained control of VPC network traffic

What It Does

AWS Network Firewall is a fully managed firewall service that inspects and filters network traffic within VPCs. It provides stateful and stateless packet filtering, intrusion detection and prevention (IDS/IPS), and web filtering. It features a Suricata-compatible rule engine, making it possible to migrate existing on-premises firewall rules. It automatically scales with traffic volume, eliminating capacity planning.

Use Cases

Used for inter-VPC traffic control, filtering outbound internet traffic, blocking access to known malicious domains, network auditing for compliance requirements, detecting and blocking malware communications, and centralized network security management in multi-account environments.

Everyday Analogy

Think of it like a building security guard. If security groups are door locks for each room (port-level control), Network Firewall is the guard at the building entrance. They check visitors' IDs (packet contents), detect suspicious individuals (malicious traffic), and block them. The number of guards automatically adjusts based on building traffic.

What Is Network Firewall?

AWS Network Firewall is a service that inspects and controls network traffic at the VPC level. While security groups and NACLs (Network ACLs) provide basic filtering based on IP addresses and port numbers, Network Firewall can perform deep packet inspection (DPI) that examines packet contents (payload). This enables detection of application-layer threats and protocol anomalies. Integration with AWS Firewall Manager lets you centrally manage firewall policies across multiple accounts and VPCs.

Rule Engine and Inspection Features

Network Firewall's rule engine operates in a two-tier structure of stateless and stateful rules. Stateless rules perform fast filtering based on 5-tuples (source IP, destination IP, source port, destination port, protocol). Stateful rules support the Suricata-compatible IPS rule format, enabling domain filtering based on TLS SNI (Server Name Indication), HTTP header inspection, and protocol anomaly detection. AWS-provided managed rule groups let you apply rules based on current threat intelligence without writing them yourself.
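As an added example (not code from the original page or from AWS), the following Python builds the Suricata-compatible rule string for a TLS SNI domain allowlist of the kind described above and wraps it in the request shape that boto3's network-firewall create_rule_group call expects. The function names, the sample domains and the capacity value are assumptions for illustration; the boto3 call itself is not made, so the script runs offline.

```python
import re
from typing import Dict, List

# RFC 1123-style hostname label check; rejects input that could break rule syntax
# (quotes, semicolons) before it is interpolated into a content: match.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def _valid_domain(name: str) -> bool:
    labels = name.strip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.fullmatch(lbl) for lbl in labels)


def sni_allowlist_rules(allowed: List[str]) -> List[str]:
    """Stateful rules that pass TLS only to allowlisted SNI values, then drop the rest.

    "example.com" matches that exact SNI; ".example.com" matches any subdomain
    (add both to cover the apex and its subdomains). Anchoring with startswith /
    endswith is what keeps "example.com.attacker.test" from matching "example.com".
    """
    rules = []
    sid = 1  # sids must be unique within a rule group
    for entry in (e.lower() for e in allowed):
        if not _valid_domain(entry):
            raise ValueError(f"not a valid domain entry: {entry!r}")
        anchor = "endswith;" if entry.startswith(".") else "startswith; endswith;"
        rules.append(
            "pass tls $HOME_NET any -> $EXTERNAL_NET any "
            f'(tls.sni; content:"{entry}"; {anchor} nocase; '
            f'msg:"allow TLS to {entry}"; flow:to_server, established; sid:{sid}; rev:1;)'
        )
        sid += 1
    # Catch-all drop; with STRICT_ORDER the pass rules above are evaluated first,
    # so TLS with a non-allowlisted SNI (or no SNI at all) is dropped here.
    rules.append(
        "drop tls $HOME_NET any -> $EXTERNAL_NET any "
        f'(msg:"drop TLS to non-allowlisted SNI"; flow:to_server, established; sid:{sid}; rev:1;)'
    )
    return rules


def rule_group_request(name: str, allowed: List[str], capacity: int = 100) -> Dict:
    """Keyword arguments for boto3 client('network-firewall').create_rule_group (not invoked here)."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,  # assumed value; size it to the number of rules
        "RuleGroup": {
            "RulesSource": {"RulesString": "\n".join(sni_allowlist_rules(allowed))},
            "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
        },
    }
```

To deploy, pass the returned dict as `**kwargs` to `create_rule_group` and attach the rule group to a firewall policy whose stateful rule order is also STRICT_ORDER.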

Deployment Architecture

Network Firewall is deployed as an endpoint in a dedicated firewall subnet. You configure VPC route tables to route traffic to be inspected through the firewall endpoint. Combined with Transit Gateway, you can centrally inspect traffic from multiple VPCs in a hub-and-spoke architecture. Firewall logs can be output to S3, CloudWatch Logs, and Kinesis Data Firehose for security auditing and incident investigation.

Things to Watch Out For

  • If security groups and NACLs are sufficient, there's no need to add Network Firewall. Consider it when deep packet inspection or IDS/IPS is required
  • Firewall endpoints are created per AZ, so be aware that costs scale with the number of endpoints in multi-AZ configurations