Skip to main content
Welcome to this comprehensive guide on the AWS Network Firewall Service. In this article, we explore how this managed service stands out from other firewall offerings in AWS by providing advanced threat protection at the edge of your Virtual Private Cloud (VPC). AWS Network Firewall is designed to allow legitimate traffic while filtering out malicious requests through features like domain blocking and deep packet inspection.
The image is a diagram illustrating a network firewall setup, showing legitimate users accessing a Virtual Private Cloud (VPC) with public subnets through a firewall.
A key benefit of this AWS proprietary solution is its simplified rule management along with granular control, advanced threat protection, logging, monitoring, and synchronized rule updates across multiple firewalls. Unlike third-party appliances from the AWS Marketplace or integrations via gateway load balancers, this managed service streamlines firewall operations.
The image lists five features of a network firewall: simplified rule management, granular control, advanced threat protection, logging and monitoring, and rule synchronization. Each feature is represented with an icon and a brief description.

How AWS Network Firewall Works

The AWS Network Firewall Service operates based on rules that filter traffic by IP, port, protocol, or specific patterns. These rules are structured into rule groups, which are then aggregated into a firewall policy. This policy is enforced on a network firewall instance to determine if traffic should be allowed, dropped, or alerted.
There are two types of firewall rules:
  • Stateless rules: Evaluate each network packet individually, similar to traditional network access control lists.
  • Stateful rules: Monitor ongoing connections to track packet dialogs, ensuring that established sessions (e.g., web traffic) are properly managed.
The image is a diagram explaining network firewall rules, distinguishing between stateless rules, which apply actions to each packet individually, and stateful rules, which monitor connections and apply rules on packet flow.

Rule Groups and Firewall Policies

Rule groups, which are collections of individual rules, are combined to create a comprehensive firewall policy. This policy is then applied to a network firewall instance, streamlining traffic filtering with both default actions and custom configurations.
The image shows a diagram of a "Network Firewall Rule Group" with four rules and icons representing IP addresses, ports, protocols, and patterns.
The overall firewall policy encompasses multiple rule groups that define how traffic is managed. After establishing these rules and rule groups, you deploy the firewall and update your Amazon VPC route tables to direct traffic to the correct network interfaces or endpoints.
The image is a diagram titled "Network Firewall Policy," showing six rule groups used to filter VPC traffic. It explains that these groups contain rules and configurations for the firewall.
The image illustrates a network firewall policy consisting of two rule groups, each containing two rules, connected to a firewall icon.

VPC Routing and Firewall Deployment

When deploying a network firewall, it is vital to update your VPC route tables to ensure traffic (both inbound and outbound) is appropriately routed through the firewall subnet. For instance, incoming traffic from the internet is first inspected by the firewall before being forwarded to the private subnet if allowed.
The image outlines four steps for setting up a network firewall: creating rule groups, creating a firewall policy, creating a firewall, and updating Amazon VPC route tables.
Because the network firewall service operates in a managed environment, each availability zone hosting a firewall instance must have routes directed to the subnet with the network interface. This design ensures that both public and private traffic is accurately inspected and forwarded.
The image is a diagram illustrating a network firewall setup within a Virtual Private Cloud (VPC), showing private and firewall subnets across two availability zones. It includes icons representing network components and connections.
For single availability zone configurations, route tables manage the connection between the gateway, firewall, and customer subnets.
The image illustrates a network architecture diagram showing route tables in a single-zone setup with a firewall, including an internet gateway, firewall subnet, and customer subnet within a VPC.
In multi-zone environments, the firewall is deployed in every availability zone, ensuring that all traffic is inspected as it enters or exits the VPC.
The image illustrates network firewall deployment models within a Virtual Private Cloud (VPC), showing private and firewall subnets in multiple availability zones connected to external networks.

Choosing Between Stateless and Stateful Rule Engines

Selecting the appropriate rule engine is crucial depending on your traffic inspection needs. Stateless rules process traffic rapidly without session tracking, while stateful rules provide deeper packet inspection by tracking connection states. Depending on your configuration, you can implement actions such as passing, dropping, or alerting.
The image is a diagram illustrating the flow of network firewall rules engines, showing the processes of a Firewall Stateless Engine and a Firewall Stateful Engine, with paths for passing, dropping, and alerting packets.
The stateless engine offers fast processing akin to network access control lists, whereas the stateful engine delivers comprehensive security resembling security groups. These capabilities make AWS Network Firewall a robust, managed solution for your security needs.

Centralized Security with AWS Firewall Manager

Managing multiple firewall configurations across an organization can be complex. Manual management of firewall rule sets may lead to inconsistencies, increased complexity, slower threat response times, and compliance challenges. AWS Firewall Manager provides a centralized solution to manage these configurations across all accounts in your AWS Organization.
The image outlines challenges in manually managing firewall rules for multiple accounts, highlighting issues such as being time-consuming, lack of centralized control, complexity and scalability, and compliance management.
AWS Firewall Manager streamlines the centralized management of firewall settings, distributing rule sets across your organization. It supports AWS WAF, security groups, network ACLs, and Shield Advanced, ensuring a consistent security policy is applied throughout your environment.
The image is a diagram titled "Firewall Manager for Multiple Accounts," showing a structure for managing firewall settings across production and development environments within AWS Cloud. It includes icons representing different security features connected under each environment.

Prerequisites for AWS Firewall Manager

To ensure smooth operation of Firewall Manager, the following prerequisites must be met:
  1. Join or create an AWS Organization and designate a management account specifically for Firewall Manager.
  2. Enable AWS Config in every region where you plan to operate the service, ensuring continuous tracking of configuration changes.
  3. Use the AWS Resource Access Manager (RAM) to share firewall resources among member accounts.
  4. Enable Firewall Manager in each active region.
The image outlines four steps for setting up AWS Firewall Manager: joining AWS Organizations, creating a default administrator account, enabling AWS Config, and enabling resource sharing for network and DNS firewall policies.
For example, after joining or creating an AWS Organization, assign a management account dedicated to Firewall Manager operations.
The image is a step-by-step guide for joining and configuring AWS Organizations, showing a flow from AWS Organizations to AWS Firewall Manager, with actions like creating an organization, enabling features, and assigning a management account.
Next, centralize firewall management by establishing a default administrator account and enabling AWS Config in all member accounts across the necessary regions. This ensures that any changes to your firewall policies are continuously tracked.
The image is a diagram illustrating the creation of an AWS Firewall Manager Default Administrator Account, showing the relationship between AWS Organizations, AWS Firewall Manager, and account roles.
Then, navigate to the AWS Config console and enable it for each required region.
The image provides instructions for enabling AWS Config, including navigating to the AWS Config console and enabling it for each region where Firewall Manager will be used.
Finally, use AWS Resource Access Manager (RAM) to share firewall rules and DNS filtering policies across all member accounts.
The image illustrates Step 4 of enabling resource sharing for network firewall and DNS firewall policies using AWS Resource Access Manager, showing a flow between accounts and firewall resources.
After these configurations are complete, enable Firewall Manager in all regions where you plan to deploy firewall protections. This provides comprehensive coverage and centralized policy management for resources such as WAF, security groups, network ACLs, and Shield Advanced.
The image provides instructions for using AWS Firewall Manager in regions that are disabled by default, including enabling AWS Config in those regions.
Centralizing rule management with Firewall Manager not only simplifies administrative tasks and auditing but also integrates seamlessly with AWS Security Hub for a consolidated view of your security posture.

Conclusion

AWS Network Firewall Service, when combined with AWS Firewall Manager, offers a powerful solution for both individual firewall deployment and centralized security management. This integrated approach mitigates the challenges of manual rule management, enhances scalability, and ensures compliance with your security policies. Thank you for reading this guide on AWS Network Firewall Service and Firewall Manager. We hope this article has provided you with clear insights into service architecture and best practices for a secure AWS environment.

Watch Video