Last updated on July 16, 2024
AWS Network Firewall Cheat Sheet
-
A managed service that helps deploy network protections for Amazon VPCs.
-
Provides fine-grained network traffic control that allows you to restrict outbound requests to prevent malicious activity from spreading.
-
Import previously created rules in common open source rule formats and enable integrations with managed intelligence feeds from AWS partners.
-
With AWS Firewall Manager, you can create policies based on AWS Network Firewall rules and then apply those policies centrally across your VPCs and accounts.
Features
-
Automatically scales firewall capacity up or down based on the traffic load.
-
Supports inbound and outbound web filtering for unencrypted web traffic
-
The intrusion prevention system matches network traffic patterns to known threat signatures based on attributes.
-
Centrally deploy and manage security policies across AWS Organizations apps, VPCs, and accounts.
Concepts
-
Firewall
-
A traffic filtering logic for VPC subnets.
-
The firewall configuration provides the parameters for the Availability Zones and subnets in which the firewall endpoints are located.
-
Changes to stateful rules are applied only to new traffic flows, while stateless rules are applied to all network packets.
-
You can create, update and delete a firewall as long as you have the required permissions.
-
Supports delete protection to prevent accidental deletion.
-
-
Firewall policies
-
It defines the rules and other settings that will be used by a firewall to filter incoming and outgoing traffic in a VPC.
-
You can associate a firewall policy with one or more firewalls.
-
Supports one or more stateless and stateful rule groups.
-
Stateless default actions handle a packet or UDP packet fragment that doesn’t match any of the rules in the stateless rule groups
-
Stateful default actions handle a packet that doesn’t match any of the stateful rule groups’ rules.
-
Stateful engine options hold stateful rule order settings. The configuration of RuleOrder can only be done during the creation of the policy.
-
-
Rule groups
-
A set of rules to match against VPC traffic and actions to do when a match is discovered.
-
You can create a custom rule group or use the one that is managed by AWS.
-
The categories of rule groups are stateless and stateful.
-
-
A designated subnet for a firewall endpoint is called a firewall subnet.
-
A stateless rule examines a single network traffic packet without taking into account the context of other packets.
-
While the inspection of network traffic packets in the context of their traffic flow is referred to as stateful rules.
-
The regional endpoint where you will make requests to reduce data latency in your applications:
-
https://network-firewall.<region>.amazonaws.com
-
-
A firewall policy or rule group’s owner can share a resource with AWS Organizations:
-
AWS accounts within or outside of its organization
-
Organizational unit
-
Entire organization
-
AWS Network Firewall Monitoring
-
You can use the following monitoring tools with Network Firewall:
-
Amazon CloudWatch Logs
-
Firewall logging is only available for traffic that you route to the stateful rules engine. Traffic is forwarded to the stateful engine via stateless rule actions and default actions.
-
Using a stateful engine, you can record flow logs and alert logs.
-
Flow logs – standard network traffic flow logs.
-
Alert logs – report traffic that matches your stateful rules.
-
-
Logs contain the following information:
-
firewall_name
-
availability_zone
-
event_timestamp
-
Event
-
-
You can configure the destinations of your logs to various AWS services:
-
CloudWatch Logs
-
Data Firehose
-
If your log destination uses SSE-KMS and you’re using a KMS key, you must add a key policy to the KMS key for your chosen destination to allow firewall logging to the destination.
-
Supports tagging for firewalls, firewall policies, and rule groups.
AWS Network Firewall Pricing
-
You are charged at an hourly rate for each firewall endpoint.
-
You are charged for the amount of traffic, billed by the gigabyte, processed by the firewall endpoint.
-
Data transferred across the AWS Network Firewall incur standard AWS data transfer fees.
-
For each hour that your firewall endpoint is provisioned, there is no hourly charge for NAT Gateway.
-
To avoid NAT gateway data processing charges, set up a gateway VPC endpoint and route traffic to and from S3 via the VPC endpoint rather than a NAT gateway. There are no data processing or hourly charges for using gateway VPC endpoints.
AWS Network Firewall Cheat Sheet References:
https://aws.amazon.com/network-firewall/