AWS Network Firewall


Last updated on December 7, 2025

AWS Network Firewall Cheat Sheet

  • AWS Network Firewall is a managed, stateful network firewall and intrusion detection and prevention service (IDS/IPS) for your Amazon Virtual Private Cloud (VPC). It enables you to implement fine-grained network protections that scale automatically with your traffic.

  • Layer 3-7 Protection: Filters traffic at the network (IP/Port) and application (Domain/HTTP Host) layers.
  • Managed Infrastructure: Automatically scales firewall capacity based on traffic load with 99.99% SLA.
  • Suricata Engine: Uses the open-source Suricata engine, allowing you to import existing rulesets and community signatures.
  • Central Management: Integrated with AWS Firewall Manager to enforce policies across multiple AWS accounts and VPCs in an Organization.

Features

  • Managed Infrastructure: Automatically scales firewall capacity up or down based on the traffic load (up to 100 Gbps).
  • Web Filtering: Supports inbound and outbound web filtering for unencrypted web traffic AND encrypted HTTPS traffic (via TLS Inspection).
  • Intrusion Prevention (IPS): Matches network traffic patterns against known threat signatures using the open-source Suricata engine.
  • Central Management: Centrally deploy and manage security policies across the accounts, VPCs, and applications in your AWS Organization using AWS Firewall Manager.
  • Geo-IP Filtering: Block or allow traffic based on geographic location (Country) without managing complex IP lists.

Concepts

  • Firewall

    • The traffic-filtering construct that you attach to VPC subnets.

    • The firewall configuration provides the parameters for the Availability Zones and subnets in which the firewall endpoints are located.

    • Changes to stateful rules are applied only to new traffic flows, while stateless rules are applied to all network packets.

    • You can create, update and delete a firewall as long as you have the required permissions.

    • Supports delete protection to prevent accidental deletion.

  • Firewall policies

    • Defines the rules and other settings a firewall uses to filter traffic entering and leaving the VPC.

    • You can associate a firewall policy with one or more firewalls.

    • Supports one or more stateless and stateful rule groups.

    • Stateless default actions handle a packet or UDP packet fragment that doesn’t match any of the rules in the stateless rule groups.

    • Stateful default actions handle a packet that doesn’t match any of the stateful rule groups’ rules.

    • Stateful engine options hold the stateful rule-order setting. RuleOrder can be set only when the policy is created.

  • Rule groups

    • A set of rules to match against VPC traffic, together with the actions to take when a match is found.

    • You can create a custom rule group or use an AWS managed rule group.

    • The categories of rule groups are stateless and stateful.

  • A designated subnet for a firewall endpoint is called a firewall subnet.

  • A stateless rule examines a single network traffic packet without taking into account the context of other packets.

  • A stateful rule examines network traffic packets in the context of their traffic flow.

  • You send API requests to the Regional endpoint to reduce data latency in your applications.

  • The owner of a firewall policy or rule group can share it (through AWS Organizations) with:

    • AWS accounts within or outside of its organization

    • Organizational unit

    • Entire organization
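A toy model of how the two engines in a firewall policy cooperate, added here as an illustration (it is not AWS code or the cheat sheet's own material): stateless rules run first on every packet in priority order, only packets they forward reach the stateful engine, which evaluates rules in strict order and falls back to the stateful default action, and only the stateful engine writes flow or alert records. The `Packet`, `Rule`, `Policy` and `EGRESS` names and the domain suffixes are constructed for the example.

```python
"""Toy model of a Network Firewall policy (added illustration, not AWS code): stateless
rules see every packet; only forwarded packets reach the stateful engine, which logs."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    dst: str
    dport: int
    sni: str = ""  # TLS SNI: all the firewall sees of HTTPS without TLS inspection

@dataclass
class Rule:
    action: str  # stateless: pass|drop|forward; stateful: pass|drop|alert
    dport: Optional[int] = None
    sni_suffix: Optional[str] = None
    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return self.sni_suffix is None or pkt.sni.endswith(self.sni_suffix)

@dataclass
class Policy:
    stateless: list = field(default_factory=list)  # highest priority first
    stateless_default: str = "forward"  # unmatched packets go to the stateful engine
    stateful: list = field(default_factory=list)  # strict order, top to bottom
    stateful_default: str = "drop"  # anything no rule passes is dropped

def evaluate(policy: Policy, pkt: Packet, logs: list) -> str:
    """Return the verdict; append log records only if the stateful engine ran."""
    action = next((r.action for r in policy.stateless if r.matches(pkt)),
                  policy.stateless_default)
    if action != "forward":
        return action  # decided statelessly: no flow or alert log is written
    verdict = policy.stateful_default
    for rule in policy.stateful:
        if not rule.matches(pkt):
            continue
        if rule.action == "alert":  # alert is logged and evaluation continues
            logs.append({"type": "alert", "rule": rule.sni_suffix, "sni": pkt.sni})
            continue
        verdict = rule.action  # pass or drop ends evaluation
        break
    logs.append({"type": "flow", "dst": pkt.dst, "dport": pkt.dport, "verdict": verdict})
    return verdict

# Constructed egress policy: telnet dropped statelessly, TLS allowed only to *.example.com,
# and a constructed "known bad" suffix raises an alert before the default drop applies.
EGRESS = Policy(stateless=[Rule("drop", dport=23)],
                stateful=[Rule("alert", sni_suffix=".bad.example"),
                          Rule("pass", dport=443, sni_suffix=".example.com")])
```

Run `evaluate(EGRESS, Packet("10.0.0.5", 23), logs)` and the drop leaves `logs` empty, which is the logging constraint from the Monitoring section in miniature.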

AWS Network Firewall Monitoring

  • You can use the following monitoring tools with Network Firewall:

  • Logging Logic (Critical Exam Topic):

    • Constraint: Firewall logging is only available for traffic that you route to the stateful rules engine.

      • Traffic handled solely by the stateless engine (e.g., dropped immediately) is NOT logged in Flow/Alert logs.

    • Log Types:

      • Flow Logs: Standard network traffic flow logs (5-tuple).

      • Alert Logs: Reports traffic that matches your stateful rules (e.g., “IPS Signature Match”).

    • Destinations:

      • Amazon S3

      • CloudWatch Logs

      • Amazon Data Firehose

    • Security Note: If your log destination uses SSE-KMS, you must add a key policy to the KMS key to allow firewall logging to that destination.
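Added example (not from the cheat sheet or AWS): a small parser that summarises the alert and flow records Network Firewall delivers to S3, CloudWatch Logs or Firehose, which carry the Suricata EVE JSON fields (`event_type`, `alert.action`, `netflow.bytes`, optional `tls.sni` / `http.hostname`). The firewall name, addresses, signatures and the four log lines are constructed, and the helper names are mine.

```python
"""Summarise AWS Network Firewall alert/flow log records (added example, not AWS
code). Records follow the Suricata EVE JSON shape the firewall emits; the sample
lines below are constructed to match that shape, not captured from a firewall."""
import json
from collections import Counter, defaultdict

SAMPLE_LOGS = '''
{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1733572800","event":{"timestamp":"2025-12-07T12:00:00.000000+0000","flow_id":1001,"event_type":"alert","src_ip":"10.0.1.10","src_port":49152,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","app_proto":"tls","tls":{"sni":"c2.bad.example"},"alert":{"action":"blocked","signature_id":1000001,"rev":1,"signature":"EGRESS denied domain","category":"","severity":1}}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1733572801","event":{"timestamp":"2025-12-07T12:00:01.000000+0000","flow_id":1002,"event_type":"alert","src_ip":"10.0.1.10","src_port":49153,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","app_proto":"tls","tls":{"sni":"c2.bad.example"},"alert":{"action":"blocked","signature_id":1000001,"rev":1,"signature":"EGRESS denied domain","category":"","severity":1}}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1733572802","event":{"timestamp":"2025-12-07T12:00:02.000000+0000","flow_id":1003,"event_type":"alert","src_ip":"10.0.2.20","src_port":49200,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","app_proto":"http","http":{"hostname":"updates.example.com"},"alert":{"action":"allowed","signature_id":2000001,"rev":1,"signature":"HTTP egress observed","category":"","severity":3}}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1733572803","event":{"timestamp":"2025-12-07T12:00:03.000000+0000","flow_id":1003,"event_type":"netflow","src_ip":"10.0.2.20","src_port":49200,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","netflow":{"pkts":12,"bytes":4096,"start":"2025-12-07T12:00:02.000000+0000","end":"2025-12-07T12:00:03.000000+0000","age":1}}}
'''

def parse_records(text: str) -> list:
    """One JSON object per line, as delivered to the log destination."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def summarize(records: list) -> dict:
    """Blocked alerts by signature and (source, destination name); allowed alert counts; flow bytes."""
    blocked = defaultdict(Counter)
    allowed = Counter()
    flow_bytes = 0
    for rec in records:
        ev = rec["event"]
        if ev["event_type"] == "alert":
            a = ev["alert"]
            # Destination name: TLS SNI or HTTP Host, the L7 detail visible without TLS inspection
            dest = (ev.get("tls", {}).get("sni") or ev.get("http", {}).get("hostname")
                    or ev["dest_ip"])
            if a["action"] == "blocked":
                blocked[a["signature"]][(ev["src_ip"], dest)] += 1
            else:
                allowed[a["signature"]] += 1
        elif ev["event_type"] == "netflow":  # flow log record: 5-tuple plus counters
            flow_bytes += ev["netflow"]["bytes"]
    return {"blocked": {k: dict(v) for k, v in blocked.items()},
            "allowed": dict(allowed), "flow_bytes": flow_bytes}

def repeat_offenders(summary: dict, threshold: int = 2) -> list:
    """Source hosts that hit a blocking rule at least `threshold` times: triage candidates."""
    hosts = Counter()
    for per_sig in summary["blocked"].values():
        for (src, _dest), n in per_sig.items():
            hosts[src] += n
    return sorted(h for h, n in hosts.items() if n >= threshold)
```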

Use Cases

  • Egress Filtering: Preventing servers in private subnets from communicating with Command & Control (C2) botnets.

  • Compliance: Meeting PCI-DSS requirements for intrusion detection and prevention (IDS/IPS) within the VPC.

  • VPC-to-VPC Inspection: Placing a firewall in a “Transit VPC” to inspect traffic moving between different internal environments (e.g., Prod talking to Dev).

Limits & Constraints

  • Throughput: Automatically scales up to 100 Gbps per Availability Zone.

  • Encrypted Traffic: Without TLS Inspection configured, the firewall cannot see inside the payload of HTTPS packets (it can only see the SNI/Domain).

  • Route Tables: You must manually manage route tables to force traffic to the firewall endpoint (it is not “inline” transparently like a Security Group).

AWS Network Firewall Pricing

  • Hourly Fee: Charged per firewall endpoint per hour (approx $0.395/hr).
  • Traffic Fee: Charged per GB of traffic processed (approx $0.065/GB).
  • Network Firewall is expensive compared to Security Groups, so understanding the billing model is key.
  • Pro Tip (the NAT Gateway credit): If you deploy a NAT Gateway and a Network Firewall endpoint in the same Availability Zone, AWS waives the hourly charge for the NAT Gateway. You pay the Network Firewall hourly and traffic fees, and the NAT Gateway becomes essentially “free” on the hourly side; you pay only for its data processing.



Written by: Admin User-1
