AWS Network Firewall

  • A managed service that helps deploy network protections for Amazon VPCs.

  • Provides fine-grained control of inbound and outbound VPC traffic; in particular, you can restrict outbound (egress) requests so that a compromised host cannot reach arbitrary destinations and malicious activity cannot spread.

  • Import previously created rules in common open source rule formats (Suricata-compatible rules) and enable integrations with managed threat intelligence feeds from AWS partners.

  • With AWS Firewall Manager, you can create policies based on AWS Network Firewall rules and then apply those policies centrally across your VPCs and accounts.


  • Automatically scales firewall capacity up or down based on the traffic load.

  • Supports inbound and outbound web filtering for unencrypted web traffic. For encrypted (TLS) traffic, filtering can key on the Server Name Indication (SNI) sent in the TLS ClientHello, so access to specific sites can be blocked without decrypting the session.

  • Its signature-based intrusion prevention system (IPS) matches network traffic against known threat signatures (Suricata rules) and can alert on or drop matching traffic.

  • Through Firewall Manager, centrally deploy and manage security policies across the VPCs and accounts of an AWS Organization.


  • Firewall

    • Ties the traffic-filtering logic of a firewall policy to the VPC subnets it protects.

    • The firewall configuration provides the parameters for the Availability Zones and subnets in which the firewall endpoints are located. Traffic reaches an endpoint only if the VPC route tables send it there.

    • Changes to stateful rules are applied only to new traffic flows (existing flows keep the verdict they already received), while changes to stateless rules are applied to all network packets.

    • You can create, update and delete a firewall as long as you have the required permissions.

    • Supports delete protection to prevent accidental deletion.

  • Firewall policies

    • It defines the rules and other settings that will be used by a firewall to filter incoming and outgoing traffic in a VPC.

    • You can associate a firewall policy with one or more firewalls.

    • Supports one or more stateless and stateful rule groups.

    • Stateless default actions handle a packet (or a UDP packet fragment, which has its own default action setting) that doesn’t match any of the rules in the stateless rule groups.

    • Stateful default actions handle a packet that doesn’t match any of the stateful rule groups’ rules. They are available only when the policy uses strict rule order.

    • Stateful engine options hold the stateful rule order setting (default action order or strict order). RuleOrder can only be set when the policy is created; changing it later means creating a new policy.

  • Rule groups

    • A set of rules to match against VPC traffic, together with the actions to take when a match is found.

    • You can create a custom rule group or use AWS managed rule groups (for example, the managed threat signature and domain list groups).

    • The categories of rule groups are stateless and stateful.

  • A designated subnet for a firewall endpoint is called a firewall subnet.

  • A stateless rule examines a single network traffic packet without taking into account the context of other packets.

  • A stateful rule inspects network traffic packets in the context of their traffic flow.
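
The following is an added example, not code from the cheat sheet or from AWS: a stateless rule group, a Suricata stateful rule group, and a strict-order firewall policy, expressed as the request bodies that boto3’s `network-firewall` client (`create_rule_group`, `create_firewall_policy`) expects, together with the capacity arithmetic for stateless rules and a check for the settings that are only valid with strict rule order. The VPC CIDR, rule names, SIDs and ARNs are assumptions.

```python
"""AWS Network Firewall rule groups and firewall policy, built offline.

Added example, not code from the cheat sheet or from AWS. The dicts follow the
request shapes of boto3's "network-firewall" client (create_rule_group and
create_firewall_policy); the API calls themselves are only shown in comments so
this runs without credentials. The VPC CIDR, names, SIDs and ARNs are made up.
"""

STANDARD_STATELESS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}
VPC_CIDR = "10.0.0.0/16"  # assumed VPC range


def stateless_rule(priority, actions, **match):
    """One stateless rule; keyword args are MatchAttributes fields."""
    return {"Priority": priority,
            "RuleDefinition": {"MatchAttributes": match, "Actions": actions}}


def stateless_capacity(rules):
    """Capacity a stateless rule group consumes: per rule, the product of the
    value counts of its match settings (an unset setting counts as 1)."""
    total = 0
    for rule in rules:
        match, cap = rule["RuleDefinition"]["MatchAttributes"], 1
        for key in ("Sources", "Destinations", "SourcePorts",
                    "DestinationPorts", "Protocols"):
            cap *= max(1, len(match.get(key, [])))
        total += cap
    return total


# Constructed rules: pass east-west VPC traffic uninspected; send web egress
# to the stateful engine (SFE) for Suricata inspection. Priorities must be
# unique within the group.
STATELESS_RULES = [
    stateless_rule(10, ["aws:pass"],
                   Sources=[{"AddressDefinition": VPC_CIDR}],
                   Destinations=[{"AddressDefinition": VPC_CIDR}],
                   Protocols=[6, 17]),                       # capacity 1*1*2
    stateless_rule(20, ["aws:forward_to_sfe"],
                   Sources=[{"AddressDefinition": VPC_CIDR}],
                   DestinationPorts=[{"FromPort": 80, "ToPort": 80},
                                     {"FromPort": 443, "ToPort": 443}],
                   Protocols=[6]),                           # capacity 1*2*1
]

# Suricata-compatible rules. Under STRICT_ORDER they are evaluated as written:
# allow one SNI, then drop every other TLS session and all cleartext HTTP egress.
SURICATA_RULES = "\n".join([
    'pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"example.com"; '
    'nocase; endswith; msg:"allow TLS to example.com"; sid:1000001; rev:1;)',
    'drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"drop TLS to unlisted SNI"; '
    'sid:1000002; rev:1;)',
    'drop http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"drop cleartext HTTP egress"; '
    'sid:1000003; rev:1;)',
])


def stateless_rule_group(name, rules):
    return {"RuleGroupName": name, "Type": "STATELESS",
            "Capacity": stateless_capacity(rules),
            "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions":
                                          {"StatelessRules": rules}}}}


def stateful_rule_group(name, rules_string, home_net):
    """Each Suricata rule line consumes one unit of capacity."""
    return {"RuleGroupName": name, "Type": "STATEFUL",
            "Capacity": len(rules_string.splitlines()),
            "RuleGroup": {
                "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": [home_net]}}},
                "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
                "RulesSource": {"RulesString": rules_string}}}


def firewall_policy(stateless_arn, stateful_arn):
    return {
        "StatelessRuleGroupReferences": [{"ResourceArn": stateless_arn, "Priority": 1}],
        # Unmatched packets and fragments go to the stateful engine; only
        # traffic that reaches the stateful engine is ever logged.
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulRuleGroupReferences": [{"ResourceArn": stateful_arn, "Priority": 1}],
        # Default-deny for flows no stateful rule matched (strict order only).
        "StatefulDefaultActions": ["aws:drop_strict", "aws:alert_strict"],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
    }


def validate_policy(policy):
    """Catch combinations the API rejects: default-action shape, and
    strict-order-only settings combined with the default rule order."""
    problems = []
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        if len(STANDARD_STATELESS.intersection(policy.get(key, []))) != 1:
            problems.append(f"{key}: exactly one standard action required")
    order = policy.get("StatefulEngineOptions", {}).get("RuleOrder", "DEFAULT_ACTION_ORDER")
    if order != "STRICT_ORDER":
        if policy.get("StatefulDefaultActions"):
            problems.append("StatefulDefaultActions require RuleOrder STRICT_ORDER")
        if any("Priority" in r for r in policy.get("StatefulRuleGroupReferences", [])):
            problems.append("stateful rule group Priority requires RuleOrder STRICT_ORDER")
    return problems

# With credentials (assumed account/region), the resources would be created with:
#   nfw = boto3.client("network-firewall")
#   nfw.create_rule_group(**stateless_rule_group("vpc-egress-stateless", STATELESS_RULES))
#   nfw.create_rule_group(**stateful_rule_group("vpc-egress-suricata", SURICATA_RULES, VPC_CIDR))
#   nfw.create_firewall_policy(FirewallPolicyName="vpc-egress", FirewallPolicy=firewall_policy(sl_arn, sf_arn))
```

Two practical points the example encodes: the stateless default actions must forward to the stateful engine (`aws:forward_to_sfe`) or the Suricata rules, and therefore the logs, never see the traffic; and `StatefulDefaultActions` and per-rule-group `Priority` are accepted only with `STRICT_ORDER`, which cannot be changed once the policy exists.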

  • Network Firewall is a Regional service: you send API requests to the Regional endpoint for the Region your firewalls are in, which also keeps request latency low for your applications.

  • Using AWS Resource Access Manager (AWS RAM), the owner of a firewall policy or rule group can share it with:

    • AWS accounts within or outside of its organization

    • Organizational unit

    • Entire organization


  • You can use the following monitoring tools with Network Firewall:

    • Amazon CloudWatch

    • Amazon CloudWatch Logs

    • AWS CloudTrail

    • AWS Config

  • Firewall logging is only available for traffic that you route to the stateful rules engine. Traffic is forwarded to the stateful engine via stateless rule actions and default actions; packets that a stateless rule passes or drops never appear in the logs.

  • Using a stateful engine, you can record flow logs and alert logs.

    • Flow logs – standard network traffic flow logs, one record per flow that passed through the stateful engine.

    • Alert logs – report traffic that matches stateful rules whose action is alert or drop.

  • Each log record contains the following top-level fields:

    • firewall_name

    • availability_zone

    • event_timestamp

    • event – the Suricata EVE JSON record for the alert or flow (source and destination addresses and ports, protocol, and an alert or netflow object)

  • You can configure the destinations of your logs to various AWS services:

    • Amazon S3

    • CloudWatch Logs

    • Kinesis Data Firehose (now Amazon Data Firehose)

  • If your log destination is encrypted with SSE-KMS using a customer managed KMS key, you must add a statement to that key’s policy that lets the log delivery service use the key for your chosen destination; without it, firewall logs cannot be written there.
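
The following is an added example, not code from the cheat sheet or from AWS: it parses alert and flow log records of the shape listed above (the `event` object is a Suricata EVE record, `event_type` "alert" for alert logs and "netflow" for flow logs), skips malformed lines, aggregates alerts by signature, joins alerts to their flow records on `flow_id` to see how much data moved, and flags internal hosts that repeatedly hit a drop rule. The sample lines, addresses and signature IDs are constructed for the example.

```python
"""Triage AWS Network Firewall alert and flow logs offline.

Added example, not from the cheat sheet or from AWS. Each log record carries
firewall_name, availability_zone, event_timestamp and event, where event is a
Suricata EVE record: event_type "alert" for alert logs and "netflow" for flow
logs. The sample lines below are constructed for this example.
"""
import json
from collections import Counter

# Constructed sample: two blocked TLS attempts from 10.0.1.23, one allowed but
# alerted HTTP flow, netflow records for two of the flows, and one junk line.
SAMPLE_LOG = """\
{"firewall_name":"vpc-egress","availability_zone":"us-east-1a","event_timestamp":"1700000000","event":{"timestamp":"2023-11-14T22:13:20.000000+0000","flow_id":101,"event_type":"alert","src_ip":"10.0.1.23","src_port":51000,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":1000002,"rev":1,"signature":"drop TLS to unlisted SNI","severity":3}}}
{"firewall_name":"vpc-egress","availability_zone":"us-east-1a","event_timestamp":"1700000005","event":{"timestamp":"2023-11-14T22:13:25.000000+0000","flow_id":102,"event_type":"alert","src_ip":"10.0.1.23","src_port":51001,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":1000002,"rev":1,"signature":"drop TLS to unlisted SNI","severity":3}}}
{"firewall_name":"vpc-egress","availability_zone":"us-east-1a","event_timestamp":"1700000009","event":{"timestamp":"2023-11-14T22:13:29.000000+0000","flow_id":103,"event_type":"alert","src_ip":"10.0.2.9","src_port":40210,"dest_ip":"203.0.113.50","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":1000004,"rev":1,"signature":"alert cleartext HTTP egress","severity":2}}}
{"firewall_name":"vpc-egress","availability_zone":"us-east-1a","event_timestamp":"1700000030","event":{"timestamp":"2023-11-14T22:13:50.000000+0000","flow_id":101,"event_type":"netflow","src_ip":"10.0.1.23","src_port":51000,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","netflow":{"pkts":3,"bytes":180,"start":"2023-11-14T22:13:20.000000+0000","end":"2023-11-14T22:13:21.000000+0000","age":1,"min_ttl":63,"max_ttl":63}}}
{"firewall_name":"vpc-egress","availability_zone":"us-east-1a","event_timestamp":"1700000031","event":{"timestamp":"2023-11-14T22:13:51.000000+0000","flow_id":103,"event_type":"netflow","src_ip":"10.0.2.9","src_port":40210,"dest_ip":"203.0.113.50","dest_port":80,"proto":"TCP","netflow":{"pkts":40,"bytes":52000,"start":"2023-11-14T22:13:29.000000+0000","end":"2023-11-14T22:13:45.000000+0000","age":16,"min_ttl":63,"max_ttl":63}}}
not a json line
"""


def parse_records(text):
    """Return (records, bad_line_count). A record must carry the four
    top-level fields and an event_type; anything else is counted and skipped."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            for key in ("firewall_name", "availability_zone", "event_timestamp"):
                rec[key]
            rec["event"]["event_type"]
        except (ValueError, KeyError, TypeError):
            bad += 1
            continue
        records.append(rec)
    return records, bad


def summarize(records):
    """Alerts by (action, signature_id), bytes per destination from the flow
    logs, and the bytes moved on flows that also raised an alert (joined on
    flow_id, which alert and netflow records share)."""
    events = [r["event"] for r in records]
    alerts = [e for e in events if e["event_type"] == "alert"]
    flows = {e["flow_id"]: e for e in events if e["event_type"] == "netflow"}
    bytes_by_dest = Counter()
    for flow in flows.values():
        bytes_by_dest[flow["dest_ip"]] += flow["netflow"]["bytes"]
    return {
        "by_signature": Counter((a["alert"]["action"], a["alert"]["signature_id"])
                                for a in alerts),
        "bytes_by_dest": bytes_by_dest,
        "alerted_flow_bytes": {a["flow_id"]: flows[a["flow_id"]]["netflow"]["bytes"]
                               for a in alerts if a["flow_id"] in flows},
    }


def repeat_blocked_sources(records, threshold=2):
    """Internal hosts whose egress was blocked at least `threshold` times;
    repeated hits on an egress drop rule are worth a host-level look."""
    hits = Counter(r["event"]["src_ip"] for r in records
                   if r["event"]["event_type"] == "alert"
                   and r["event"]["alert"]["action"] == "blocked")
    return sorted(src for src, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG)
    summary = summarize(recs)
    print(f"{len(recs)} records parsed, {bad} malformed line(s) skipped")
    for (action, sid), n in summary["by_signature"].most_common():
        print(f"  {action:8} sid {sid}: {n}")
    print("bytes on alerted flows:", summary["alerted_flow_bytes"])
    print("repeat blocked sources:", repeat_blocked_sources(recs))
```

In production the same functions would run over the records pulled from the S3, CloudWatch Logs or Firehose destination; because only traffic forwarded to the stateful engine is logged, an empty result for a subnet usually means the stateless rules passed or dropped its traffic rather than that nothing happened.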

  • Supports tagging for firewalls, firewall policies, and rule groups.


  • You are charged at an hourly rate for each firewall endpoint.

  • You are charged for the amount of traffic, billed by the gigabyte, processed by the firewall endpoint.

  • Data transferred across AWS Network Firewall incurs standard AWS data transfer fees.

  • For each hour that your firewall endpoint is provisioned, the hourly charge for a NAT gateway is waived; standard NAT gateway data processing charges still apply.

  • To avoid NAT gateway data processing charges, set up a gateway VPC endpoint and route traffic to and from S3 via the VPC endpoint rather than a NAT gateway. There are no data processing or hourly charges for using gateway VPC endpoints.

