Welcome to AWS Network Firewall

Welcome everyone! Today we're diving deep into AWS Network Firewall, one of the most powerful network security services in AWS. I'm excited to walk you through this comprehensive guide.

Over the next several slides, we'll cover everything from basic concepts to hands-on implementation. You'll learn how to deploy, configure, and manage AWS Network Firewall in real-world scenarios.

                    What you'll gain: By the end of this presentation, you'll have the knowledge and CLI commands needed to implement enterprise-grade network security using AWS Network Firewall.
                

Let's start with understanding what AWS Network Firewall is and why it's a game-changer for cloud security architecture.

Understanding the Architecture

Let me show you the high-level architecture of AWS Network Firewall. This diagram illustrates how the firewall integrates into your VPC infrastructure.

The key thing to understand here is that Network Firewall acts as a centralized inspection point. All traffic flows through the firewall endpoints, which are deployed in dedicated firewall subnets.

                    Critical concept: The firewall sits between your Internet Gateway and protected subnets, ensuring every packet is inspected before reaching your resources.
                

Notice how route tables play a crucial role - they direct traffic through the firewall endpoints. This is what makes the inspection mandatory rather than optional.

The firewall policy orchestrates multiple rule groups, giving you granular control over traffic inspection and actions.

Core Components Deep Dive

Now let's break down the core components. Understanding this hierarchy is crucial for effective firewall management.

At the top level, we have the Network Firewall itself, which references a Firewall Policy. Think of the policy as the brain that coordinates all security rules.

The policy contains multiple rule groups - both stateful and stateless. Stateless rules provide fast, efficient filtering based on packet headers. Stateful rules maintain connection state and can perform deep packet inspection.

                    Pro tip: Managed rule groups are AWS-maintained rules that provide threat intelligence and are updated automatically. These are incredibly valuable for staying current with emerging threats.
                

Each rule can trigger different actions: ALLOW for permitted traffic, DROP for silent blocking, REJECT for explicit denial, ALERT for logging without blocking, and PASS for continuing to the next rule.

Traffic Processing Flow

This sequence diagram shows exactly how traffic flows through the Network Firewall. Understanding this flow is essential for troubleshooting and optimization.

When a client sends a request, it first hits the Internet Gateway, then gets routed to the firewall endpoint. This is where the magic happens.

The firewall processes traffic through multiple layers: first stateless rules for fast filtering, then stateful rules for connection tracking and deep inspection, and finally managed rules for threat intelligence.

                    Key insight: The firewall maintains state for allowed connections, so return traffic automatically flows back to the originating client without re-inspection.
                

If traffic is blocked, it's either dropped silently or rejected with an appropriate response, depending on your rule configuration.

Setup Command Sequence

Here's where we get practical. This diagram shows the exact order for setting up AWS Network Firewall. Getting the sequence right is critical for success.

We start by creating rule groups because they're referenced by the firewall policy. You can't create a policy without having the rule groups ready first.

Next, we create the firewall policy that orchestrates all the rule groups. Then we deploy the actual Network Firewall resource.

                    Important: After the firewall is deployed, you must update route tables to direct traffic through the firewall endpoints. This is what actually enforces the inspection.
                

Finally, we configure logging and monitoring to ensure we have visibility into firewall operations and security events.

Let's dive into the actual commands, starting with creating our first rule group.

Creating Stateful Rule Groups

Let's start with creating a stateful rule group. I'll walk you through this command step by step because it's foundational to everything else.

This command creates a rule group that allows web traffic from internal networks. Notice how we use rule variables - these make maintenance much easier when you need to update IP ranges or port lists.

The rule itself uses the PASS action for HTTP and HTTPS traffic from our HOME_NET variable to any destination. The SID (Signature ID) is required for tracking and reference.

                    Real-world tip: Always use descriptive names and organize your rule groups by function. This makes management much easier as your firewall grows.
                

The capacity setting determines how much processing power this rule group can consume. For stateful rules, this typically ranges from 1 to 30,000.

Let's look at the expected output and what each field means for your implementation.

Creating Stateless Rule Groups

Now let's create a stateless rule group. These rules are processed first and provide fast, efficient filtering.

This particular rule group blocks traffic from a known bad IP range. Stateless rules are perfect for this type of filtering because they don't require connection state tracking.

Notice the priority setting - lower numbers mean higher priority. This rule has priority 1, so it will be evaluated before any other stateless rules.

                    Performance tip: Use stateless rules for simple allow/deny decisions based on IP addresses, ports, or protocols. They're much faster than stateful rules.
                

The match attributes specify exactly what traffic this rule applies to - in this case, TCP and UDP traffic from the 192.0.2.0/24 subnet to any destination port.

The aws:drop action silently discards matching packets without sending any response to the sender.

Creating the Firewall Policy

Now we create the firewall policy that ties everything together. This is where you define the overall behavior of your firewall.

The policy references both rule groups we created earlier. Notice how stateless rules have priorities, but stateful rules don't - they're processed after all stateless rules.

The default actions are crucial: StatelessDefaultActions tells the firewall what to do with traffic that doesn't match any stateless rules. Here, we forward it to the stateful engine.

                    Security note: We use aws:drop_strict for stateful default actions, which means any traffic not explicitly allowed will be dropped. This is a security best practice.
                

The STRICT_ORDER rule order ensures consistent rule evaluation, which is important for predictable security behavior.

Once this policy is created, we can reference it when deploying our firewall.

Deploying the Network Firewall

Here's where we deploy the actual Network Firewall resource. This command creates the firewall infrastructure in your VPC.

The firewall must be deployed in dedicated subnets in multiple availability zones for high availability. Each subnet should be at least /28 in size.

Notice how we reference the firewall policy ARN from the previous step. The firewall will enforce all the rules and policies we've defined.

                    Planning tip: Always deploy in multiple AZs for redundancy. If one AZ fails, the other firewall endpoints continue protecting your traffic.
                

The tags help with resource management and cost allocation. I always recommend tagging your security resources appropriately.

After running this command, the firewall status will be PROVISIONING while AWS creates the infrastructure. This typically takes 10-15 minutes.

Getting Firewall Endpoints

Once the firewall is deployed, we need to get the endpoint information. These endpoints are what we'll reference in our route tables.

The describe-firewall command shows us the current status and, most importantly, the VPC endpoint IDs for each availability zone.

Wait until the Status shows READY before proceeding. If you try to configure routes while the firewall is still provisioning, you'll get errors.

                    Critical step: Note down the endpoint IDs from the SyncStates section. You'll need these exact IDs for the route table configuration.
                

The ConfigurationSyncStateSummary should show IN_SYNC, indicating that all firewall components are properly configured and synchronized.

Now we're ready to configure the routing that will direct traffic through our firewall.

Configuring Route Tables

This is where the rubber meets the road. Route table configuration is what actually enforces traffic inspection through your firewall.

We need to create three types of routes: First, routes in your protected subnets that send internet traffic to the firewall endpoints.

Second, routes in the firewall subnets that send approved traffic to the internet gateway. Third, routes in the IGW route table that send return traffic back through the firewall.

                    Networking principle: Traffic must flow symmetrically - both directions of a connection must go through the firewall for proper stateful inspection.
                

Notice how we use the specific endpoint IDs from the previous step. Each AZ should route through its local firewall endpoint for optimal performance.

The return value of "true" indicates the route was created successfully. Any routing errors will show up here immediately.

Multi-AZ Deployment Pattern

Let me show you how this looks in a multi-AZ deployment. This diagram illustrates the distributed firewall architecture that provides both high availability and scalability.

Each availability zone has its own firewall endpoint, which means traffic stays local to the AZ when possible. This reduces latency and improves performance.

The dotted lines show cross-AZ traffic, which can also be inspected by routing through the firewall endpoints if you need east-west traffic filtering.

                    Scalability benefit: This architecture scales automatically as traffic increases, and provides fault tolerance if one AZ becomes unavailable.
                

For enterprise deployments, I always recommend this multi-AZ approach. It's a small additional cost for significant reliability improvements.

Multi-Layer Inspection Pipeline

Now let me explain how the firewall actually processes traffic through its multi-layer inspection pipeline. This is what makes Network Firewall so powerful.

Layer 1 provides fast stateless filtering - think of it as a bouncer at the door. Layer 2 performs stateful inspection with connection tracking and 5-tuple rules.

Layer 3 does deep packet inspection using Suricata-compatible rules that can analyze application protocols. Layer 4 applies managed threat intelligence rules.

                    Performance insight: This layered approach ensures that obviously bad traffic gets dropped quickly, while legitimate traffic gets thorough inspection.
                

Each layer can make a final decision to allow or block traffic, or pass it to the next layer for further inspection.

Understanding this flow helps you optimize rule placement for both security and performance.

Enabling Comprehensive Logging

Logging is absolutely critical for security operations. Let me show you how to configure comprehensive logging for your Network Firewall.

We're configuring three types of logs: Flow logs capture all traffic flows for analysis and compliance. Alert logs capture security events and rule matches. TLS logs provide details about TLS inspection.

I'm showing multiple destinations here - CloudWatch Logs for real-time monitoring and S3 for long-term storage and analysis. This gives you flexibility for different use cases.

                    Compliance tip: Many compliance frameworks require comprehensive network logging. Having both real-time and archival logging helps meet these requirements.
                

The prefix in the S3 configuration helps organize your logs by date and type, making analysis much easier.

Don't skip this step - good logging is what turns your firewall from a black box into a powerful security tool.

Monitoring and Alerting

Finally, let's set up monitoring and alerting. This monitoring architecture diagram shows how all the pieces fit together.

CloudWatch metrics track packet processing statistics, while logs provide detailed traffic and security information. Multiple log destinations enable different analysis approaches.

CloudWatch Insights is perfect for real-time log analysis, Athena works great for S3-based batch analysis, and custom dashboards provide operational visibility.

                    Operational excellence: Set up alerts for unusual patterns like sudden increases in dropped packets or new types of threats being detected.
                

The commands I'll show next create CloudWatch alarms that will notify your security team when important events occur.

This monitoring setup transforms your firewall from a set-and-forget appliance into a active security monitoring system.

CloudWatch Metrics and Alarms

Let me show you how to set up CloudWatch metrics and alarms for your Network Firewall. These commands will give you real-time visibility into firewall performance.

The first command retrieves metrics for passed packets - this helps you understand your baseline traffic patterns. The statistics show packet counts over time.

The second command creates an alarm for dropped packets. This is crucial because sudden increases in dropped packets often indicate security events or configuration issues.

                    Monitoring strategy: Set thresholds based on your normal traffic patterns. A 20% increase in dropped packets might be normal during an attack, but a 500% increase needs immediate attention.
                

The alarm uses SNS to notify your security team when thresholds are exceeded. Make sure your notification endpoints are properly configured.

These metrics are essential for both security monitoring and performance optimization.

Hub and Spoke Architecture

For larger organizations, let me show you the hub and spoke architecture with a dedicated inspection VPC. This is the gold standard for enterprise deployments.

In this pattern, all your spoke VPCs connect to a Transit Gateway, which routes traffic through a central inspection VPC containing the Network Firewall.

This provides centralized security policy management and consistent protection across all your VPCs, whether they're production, development, or shared services.

                    Enterprise benefit: You can apply the same security policies across hundreds of VPCs while maintaining centralized logging and monitoring.
                

The inspection VPC contains dedicated firewall subnets and Transit Gateway subnets, keeping the networking clean and manageable.

This architecture scales to support very large AWS environments with consistent security posture.

Configuration Parameters Deep Dive

Let me walk you through the key configuration parameters and what they mean for your implementation. Understanding these details helps you make informed decisions.

For stateful rules, capacity typically ranges from 1 to 30,000. Each rule consumes different amounts based on complexity. Simple 5-tuple rules use less capacity than complex Suricata rules.

Rule actions have specific behaviors: PASS allows traffic, DROP silently discards it, REJECT sends an error response, ALERT logs without blocking, and aws:forward-to-sfe sends stateless traffic to the stateful engine.

                    Planning consideration: Start with lower capacity and monitor utilization. You can increase capacity later if needed, but it requires updating the rule group.
                

The RuleOrder setting affects performance and predictability. STRICT_ORDER is recommended for consistent behavior, especially in complex rule sets.

Validation and Testing

Before we wrap up, let's talk about validation and testing. This checklist ensures your Network Firewall deployment is working correctly.

Always verify that rule groups show ACTIVE status before creating the firewall policy. Check that the firewall shows READY status before configuring routes.

Test traffic flows by generating known good and bad traffic patterns. Verify that logs are being generated and alarms are functioning.

                    Testing tip: Use tools like nmap or curl to generate test traffic and verify that your rules are working as expected. Check both allowed and blocked traffic scenarios.
                

Monitor CloudWatch metrics for the first few days after deployment to establish baseline patterns and adjust thresholds accordingly.

Remember, security is an ongoing process, not a one-time setup.

Best Practices and Next Steps

As we conclude, let me share some best practices I've learned from real-world implementations.

Always use managed rule groups in addition to your custom rules - they provide threat intelligence that's constantly updated by AWS security teams.

Implement defense in depth by combining Network Firewall with Security Groups, NACLs, and WAF where appropriate. No single security control should be your only line of defense.

                    Operational excellence: Regularly review and update your firewall rules. Security requirements change, and your firewall configuration should evolve with your environment.
                

Consider automation for rule management using Infrastructure as Code tools like CloudFormation or Terraform. This ensures consistent deployments and makes changes auditable.

Finally, invest in your team's skills. The best security technology is only as good as the people who manage it.

Thank you for joining me on this deep dive into AWS Network Firewall!

AWS Network Firewall

Complete Technical Implementation Guide

What You'll Learn Today

🏗️ Architecture and Core Components
⚙️ Step-by-step CLI Implementation
🔄 Traffic Flow and Routing
📊 Monitoring and Logging
🏢 Enterprise Deployment Patterns

Prerequisites: AWS CLI configured, VPC with multiple subnets, appropriate IAM permissions for Network Firewall, EC2, and CloudWatch services.

AWS Network Firewall Architecture

graph TB subgraph "AWS VPC" subgraph "Firewall Subnets" FWS1[Firewall Subnet AZ-A] FWS2[Firewall Subnet AZ-B] FWE1[Firewall Endpoint A] FWE2[Firewall Endpoint B] end subgraph "Protected Subnets" PS1[Private Subnet AZ-A] PS2[Private Subnet AZ-B] PS3[Public Subnet AZ-A] end subgraph "Route Tables" RT1[Protected Routes] RT2[Firewall Routes] RT3[IGW Routes] end end subgraph "Security Policies" FP[Firewall Policy] RG1[Stateful Rules] RG2[Stateless Rules] MR[Managed Rules] end Internet[Internet] --> IGW[Internet Gateway] IGW --> RT3 RT3 --> FWE1 RT3 --> FWE2 FWE1 --> FWS1 FWE2 --> FWS2 FWS1 --> RT2 FWS2 --> RT2 RT2 --> PS1 RT2 --> PS2 RT2 --> PS3 FP --> FWE1 FP --> FWE2 RG1 --> FP RG2 --> FP MR --> FP

Key Concept: Network Firewall acts as a centralized inspection point between the Internet Gateway and your protected subnets, ensuring all traffic is inspected according to your security policies.

Core Components Hierarchy

graph TD subgraph "Network Firewall Components" NF[Network Firewall] FP[Firewall Policy] subgraph "Rule Groups" RG1[Stateful Rule Group] RG2[Stateless Rule Group] RG3[Managed Rule Group] end subgraph "Rule Types" SR1[5-tuple Rules] SR2[Suricata Rules] SR3[Domain Lists] SLR1[Priority Rules] SLR2[Custom Actions] end subgraph "Actions" A1[ALLOW] A2[DROP] A3[REJECT] A4[ALERT] A5[PASS] end end NF --> FP FP --> RG1 FP --> RG2 FP --> RG3 RG1 --> SR1 RG1 --> SR2 RG1 --> SR3 RG2 --> SLR1 RG2 --> SLR2 SR1 --> A1 SR2 --> A2 SR3 --> A3 SLR1 --> A4 SLR2 --> A5

Important: Rule groups must be created before the firewall policy, and the policy must exist before creating the Network Firewall resource.

Traffic Processing Sequence

sequenceDiagram participant C as Client participant IGW as Internet Gateway participant FWE as Firewall Endpoint participant NF as Network Firewall participant T as Target Resource C->>IGW: 1. Outbound Request IGW->>FWE: 2. Route to Firewall FWE->>NF: 3. Inspect Packet Note over NF: Stateless Processing NF->>NF: 4a. Priority-based Rules Note over NF: Stateful Processing NF->>NF: 4b. Connection Tracking NF->>NF: 4c. Deep Packet Inspection NF->>NF: 4d. Managed Rules alt Traffic Allowed NF->>T: 5a. Forward to Target T->>NF: 6a. Response Traffic NF->>FWE: 7a. Return Response FWE->>IGW: 8a. Route Response IGW->>C: 9a. Deliver Response else Traffic Blocked NF->>FWE: 5b. Drop or Reject Note over FWE: Log Security Event end

Stateful Advantage: Return traffic for allowed connections flows automatically without re-inspection, improving performance while maintaining security.

Setup Command Sequence

graph TD subgraph "Implementation Steps" S1[1. Create Rule Groups] S2[2. Create Firewall Policy] S3[3. Deploy Network Firewall] S4[4. Configure Route Tables] S5[5. Update Security Groups] S6[6. Enable Logging] S7[7. Configure Monitoring] end S1 --> S2 S2 --> S3 S3 --> S4 S4 --> S5 S5 --> S6 S6 --> S7 subgraph "AWS CLI Commands" C1[create-rule-group] C2[create-firewall-policy] C3[create-firewall] C4[create-route] C5[authorize-security-group] C6[put-logging-configuration] C7[put-metric-alarm] end S1 -.-> C1 S2 -.-> C2 S3 -.-> C3 S4 -.-> C4 S5 -.-> C5 S6 -.-> C6 S7 -.-> C7

⚠️

Critical Success Factor: Follow this exact sequence. Each step depends on the successful completion of the previous steps.

Step 1: Create Stateful Rule Group

aws network-firewall create-rule-group \ --rule-group-name "StatefulRuleGroup-WebTraffic" \ --type STATEFUL \ --capacity 100 \ --rule-group '{ "RuleVariables": { "IPSets": { "HOME_NET": { "Definition": ["10.0.0.0/16", "192.168.0.0/16"] } }, "PortSets": { "WEB_PORTS": { "Definition": ["80", "443"] } } }, "RulesSource": { "StatefulRules": [ { "Action": "PASS", "Header": { "Protocol": "TCP", "Source": "$HOME_NET", "SourcePort": "ANY", "Direction": "FORWARD", "Destination": "ANY", "DestinationPort": "$WEB_PORTS" }, "RuleOptions": [ { "Keyword": "sid", "Settings": ["1"] } ] } ] } }' \ --region us-east-1

# Expected Output: { "RuleGroupResponse": { "RuleGroupArn": "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/StatefulRuleGroup-WebTraffic", "RuleGroupName": "StatefulRuleGroup-WebTraffic", "RuleGroupId": "12345678-1234-1234-1234-123456789012", "Type": "STATEFUL", "Capacity": 100, "RuleGroupStatus": "ACTIVE" }, "UpdateToken": "abcd1234-5678-90ef-ghij-klmnopqrstuv" }

Key Parameters: Rule variables ($HOME_NET, $WEB_PORTS) make maintenance easier. Capacity of 100 is sufficient for basic web traffic rules. The SID (Signature ID) must be unique within the rule group.

Step 2: Create Stateless Rule Group

aws network-firewall create-rule-group \ --rule-group-name "StatelessRuleGroup-BlockBadIPs" \ --type STATELESS \ --capacity 50 \ --rule-group '{ "RulesSource": { "StatelessRulesAndCustomActions": { "StatelessRules": [ { "RuleDefinition": { "MatchAttributes": { "Sources": [ { "AddressDefinition": "192.0.2.0/24" } ], "Protocols": [6, 17], "DestinationPorts": [ { "FromPort": 1, "ToPort": 65535 } ] }, "Actions": ["aws:drop"] }, "Priority": 1 } ] } } }' \ --region us-east-1

# Expected Output: { "RuleGroupResponse": { "RuleGroupArn": "arn:aws:network-firewall:us-east-1:123456789012:stateless-rulegroup/StatelessRuleGroup-BlockBadIPs", "RuleGroupName": "StatelessRuleGroup-BlockBadIPs", "Type": "STATELESS", "Capacity": 50, "RuleGroupStatus": "ACTIVE" } }

Protocol Numbers: 6 = TCP, 17 = UDP, 1 = ICMP. Priority 1 = highest priority (evaluated first). Use 192.0.2.0/24 for testing - it's a documentation subnet that shouldn't appear in production.

Step 3: Create Firewall Policy

aws network-firewall create-firewall-policy \ --firewall-policy-name "ComprehensiveFirewallPolicy" \ --firewall-policy '{ "StatelessDefaultActions": ["aws:forward-to-sfe"], "StatelessFragmentDefaultActions": ["aws:forward-to-sfe"], "StatelessRuleGroupReferences": [ { "ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:stateless-rulegroup/StatelessRuleGroup-BlockBadIPs", "Priority": 1 } ], "StatefulRuleGroupReferences": [ { "ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/StatefulRuleGroup-WebTraffic" } ], "StatefulDefaultActions": ["aws:drop_strict"], "StatefulEngineOptions": { "RuleOrder": "STRICT_ORDER" } }' \ --region us-east-1

# Expected Output: { "FirewallPolicyResponse": { "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/ComprehensiveFirewallPolicy", "FirewallPolicyName": "ComprehensiveFirewallPolicy", "FirewallPolicyStatus": "ACTIVE" } }

Security Best Practice: aws:drop_strict for stateful default actions ensures any traffic not explicitly allowed is dropped. STRICT_ORDER provides predictable rule evaluation.

Step 4: Deploy Network Firewall

aws network-firewall create-firewall \ --firewall-name "ProductionNetworkFirewall" \ --firewall-policy-arn "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/ComprehensiveFirewallPolicy" \ --vpc-id "vpc-12345678" \ --subnet-mappings SubnetId=subnet-12345678,SubnetId=subnet-87654321 \ --tags Key=Environment,Value=Production Key=Project,Value=NetworkSecurity \ --region us-east-1

# Expected Output: { "Firewall": { "FirewallName": "ProductionNetworkFirewall", "FirewallArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall/ProductionNetworkFirewall", "VpcId": "vpc-12345678", "SubnetMappings": [ { "SubnetId": "subnet-12345678", "AvailabilityZone": "us-east-1a" }, { "SubnetId": "subnet-87654321", "AvailabilityZone": "us-east-1b" } ], "FirewallStatus": "PROVISIONING" } }

Deployment Requirements: Subnets must be in different AZs, minimum /28 size, dedicated for firewall use only. Status will change from PROVISIONING to READY in 10-15 minutes.

Step 5: Get Firewall Endpoints

aws network-firewall describe-firewall \ --firewall-name "ProductionNetworkFirewall" \ --region us-east-1

# Expected Output (when READY): { "FirewallStatus": { "Status": "READY", "ConfigurationSyncStateSummary": "IN_SYNC", "SyncStates": { "us-east-1a": { "Attachment": { "SubnetId": "subnet-12345678", "EndpointId": "vpce-12345678901234567", "Status": "READY" } }, "us-east-1b": { "Attachment": { "SubnetId": "subnet-87654321", "EndpointId": "vpce-87654321098765432", "Status": "READY" } } } } }

Critical Information: Save the EndpointId values (vpce-*) - you'll need these exact IDs for route table configuration. Wait for Status: "READY" before proceeding.

Step 6: Configure Route Tables

# Route internet traffic through firewall endpoints aws ec2 create-route \ --route-table-id rtb-12345678 \ --destination-cidr-block 0.0.0.0/0 \ --vpc-endpoint-id vpce-12345678901234567 \ --region us-east-1 # Route for second AZ aws ec2 create-route \ --route-table-id rtb-87654321 \ --destination-cidr-block 0.0.0.0/0 \ --vpc-endpoint-id vpce-87654321098765432 \ --region us-east-1 # Configure firewall subnet route to IGW aws ec2 create-route \ --route-table-id rtb-firewall123 \ --destination-cidr-block 0.0.0.0/0 \ --gateway-id igw-12345678 \ --region us-east-1

# Expected Output for each command: { "Return": true }

Routing Strategy: Protected subnets → Firewall endpoints → Internet Gateway. This ensures all traffic flows through the firewall for inspection.

Multi-AZ Deployment Architecture

graph TB subgraph "Multi-AZ Network Firewall Deployment" subgraph "AZ-A" FWEA[Firewall Endpoint A] PSA[Protected Subnet A] RTA[Route Table A] end subgraph "AZ-B" FWEB[Firewall Endpoint B] PSB[Protected Subnet B] RTB[Route Table B] end subgraph "AZ-C" FWEC[Firewall Endpoint C] PSC[Protected Subnet C] RTC[Route Table C] end end IGW[Internet Gateway] --> FWEA IGW --> FWEB IGW --> FWEC FWEA --> RTA FWEB --> RTB FWEC --> RTC RTA --> PSA RTB --> PSB RTC --> PSC PSA -.-> PSB PSB -.-> PSC PSC -.-> PSA

High Availability: Each AZ has its own firewall endpoint for fault tolerance. Cross-AZ traffic (dotted lines) can also be inspected for complete east-west security coverage.

Multi-Layer Inspection Pipeline

graph TB subgraph "Traffic Inspection Layers" subgraph "Layer 1: Fast Filtering" SLF[Stateless Rules] SLA[Priority-based Actions] end subgraph "Layer 2: Connection Tracking" SF[Stateful Engine] SFA[5-tuple Rules] SFB[Domain Lists] SFC[Connection State] end subgraph "Layer 3: Deep Analysis" DI[Deep Packet Inspection] DIA[Suricata Rules] DIB[Protocol Analysis] DIC[Signature Matching] end subgraph "Layer 4: Threat Intelligence" TI[Managed Rule Groups] TIA[IP Reputation] TIB[Malware Signatures] TIC[Bot Detection] end end Traffic[Incoming Traffic] --> SLF SLF --> SLA SLA --> SF SF --> SFA SF --> SFB SF --> SFC SFC --> DI DI --> DIA DI --> DIB DI --> DIC DIC --> TI TI --> TIA TI --> TIB TI --> TIC TIC --> Decision{Allow or Block}

Performance Optimization: Bad traffic gets dropped early in the pipeline, while legitimate traffic receives thorough inspection. Each layer can make a final allow/block decision.

Step 7: Enable Comprehensive Logging

aws network-firewall put-logging-configuration \ --firewall-name "ProductionNetworkFirewall" \ --logging-configuration '{ "LogDestinationConfigs": [ { "LogType": "FLOW", "LogDestinationType": "CloudWatchLogs", "LogDestination": { "logGroup": "NetworkFirewall-FlowLogs" } }, { "LogType": "ALERT", "LogDestinationType": "CloudWatchLogs", "LogDestination": { "logGroup": "NetworkFirewall-AlertLogs" } }, { "LogType": "FLOW", "LogDestinationType": "S3", "LogDestination": { "bucketName": "network-firewall-logs-bucket", "prefix": "flow-logs/" } } ] }' \ --region us-east-1

# Expected Output: { "FirewallArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall/ProductionNetworkFirewall", "LoggingConfiguration": { "LogDestinationConfigs": [...] } }

Logging Strategy: Flow logs for compliance, Alert logs for security events, multiple destinations for different use cases. CloudWatch for real-time, S3 for long-term storage.

Monitoring Architecture

graph TB subgraph "Monitoring and Analysis" subgraph "Metrics Collection" M1[Packets Passed] M2[Packets Dropped] M3[Invalid Packets] M4[TLS Errors] end subgraph "Log Collection" L1[Flow Logs] L2[Alert Logs] L3[TLS Logs] end subgraph "Storage Destinations" D1[CloudWatch Logs] D2[S3 Buckets] D3[Kinesis Firehose] end subgraph "Analysis Tools" A1[CloudWatch Insights] A2[Athena Queries] A3[Custom Dashboards] A4[Security Alerts] end end M1 --> D1 M2 --> D1 M3 --> D1 M4 --> D1 L1 --> D1 L1 --> D2 L2 --> D1 L3 --> D3 D1 --> A1 D2 --> A2 D3 --> A3 D1 --> A4

Operational Excellence: Multiple analysis approaches enable real-time security monitoring, compliance reporting, and long-term trend analysis.

CloudWatch Metrics and Alarms

# Get firewall metrics aws cloudwatch get-metric-statistics \ --namespace "AWS/NetworkFirewall" \ --metric-name "PassedPackets" \ --dimensions Name=FirewallName,Value=ProductionNetworkFirewall \ --start-time 2024-01-01T00:00:00Z \ --end-time 2024-01-01T23:59:59Z \ --period 3600 \ --statistics Sum \ --region us-east-1 # Create alarm for dropped packets aws cloudwatch put-metric-alarm \ --alarm-name "NetworkFirewall-HighDropRate" \ --alarm-description "Alert when firewall drops exceed threshold" \ --metric-name "DroppedPackets" \ --namespace "AWS/NetworkFirewall" \ --statistic Sum \ --period 300 \ --threshold 1000 \ --comparison-operator GreaterThanThreshold \ --evaluation-periods 2 \ --alarm-actions "arn:aws:sns:us-east-1:123456789012:security-alerts" \ --dimensions Name=FirewallName,Value=ProductionNetworkFirewall

# Metrics Output: { "Label": "PassedPackets", "Datapoints": [ { "Timestamp": "2024-01-01T00:00:00Z", "Sum": 1250000.0, "Unit": "Count" } ] }

Alerting Strategy: Set thresholds based on baseline traffic patterns. Monitor both normal traffic (PassedPackets) and security events (DroppedPackets, InvalidPackets).

Enterprise Hub and Spoke Architecture

graph TB subgraph "Hub and Spoke with Inspection VPC" subgraph "Inspection VPC" subgraph "Firewall Subnets" FWS1[FW Subnet AZ-A] FWS2[FW Subnet AZ-B] end subgraph "TGW Subnets" TGWS1[TGW Subnet AZ-A] TGWS2[TGW Subnet AZ-B] end NF[Network Firewall] end subgraph "Spoke VPCs" SVPC1[Production VPC] SVPC2[Development VPC] SVPC3[Shared Services VPC] SVPC4[Partner VPC] end TGW[Transit Gateway] end Internet --> IGW[Internet Gateway] IGW --> FWS1 IGW --> FWS2 FWS1 --> NF FWS2 --> NF NF --> TGWS1 NF --> TGWS2 TGWS1 --> TGW TGWS2 --> TGW TGW --> SVPC1 TGW --> SVPC2 TGW --> SVPC3 TGW --> SVPC4

Enterprise Benefits: Centralized security policy management, consistent protection across all VPCs, simplified compliance, and reduced operational overhead for large-scale deployments.

Configuration Parameters Reference

Component	Parameter	Options/Range	Best Practice
Stateful Rules	Capacity	1-30,000	Start with 100, monitor utilization
Stateless Rules	Priority	1-65,535	Use gaps (10, 20, 30) for future rules
Rule Actions	Type	PASS, DROP, REJECT, ALERT	Use ALERT for monitoring new rules
Policy Engine	Rule Order	STRICT_ORDER, DEFAULT_ACTION_ORDER	STRICT_ORDER for predictable behavior
Firewall	Subnet Size	Minimum /28	Use /27 for future growth

Capacity Planning: Monitor rule group utilization and plan for growth. Increasing capacity requires updating the rule group, which may cause brief interruptions.

Validation and Testing Checklist

Pre-Deployment Validation

✓ Rule groups show ACTIVE status
✓ Firewall policy references all rule groups
✓ Firewall shows READY status
✓ Route tables updated correctly
✓ Security groups allow firewall traffic

Post-Deployment Testing

Generate test traffic (allowed/blocked)
Verify logs are being generated
Test alarm notifications
Monitor baseline traffic patterns
Validate rule processing order

Testing Commands

# Test allowed traffic curl -I https://example.com # Test blocked traffic nmap -p 80 192.0.2.1 # Check firewall logs aws logs filter-log-events \ --log-group-name NetworkFirewall-FlowLogs \ --start-time 1640995200000

Monitoring Metrics

Key Metrics to Watch:

PassedPackets (baseline traffic)
DroppedPackets (security events)
InvalidPackets (malformed traffic)
TLSErrors (inspection issues)

Best Practices and Next Steps

Security Best Practices

Defense in Depth: Combine with Security Groups, NACLs, and WAF
Managed Rules: Always include AWS managed rule groups for threat intelligence
Regular Updates: Review and update rules monthly
Least Privilege: Default deny with explicit allow rules

Operational Excellence

Infrastructure as Code: Use CloudFormation/Terraform
Automation: Automate rule updates and deployments
Documentation: Maintain rule documentation and change logs
Training: Ensure team understands firewall operations

Cost Optimization

Monitor data processing charges
Optimize rule group capacity
Use efficient stateless rules first
Consider regional data transfer costs

Next Steps

Implement in non-production first
Develop rule management processes
Create runbooks for common scenarios
Plan for compliance requirements
Consider advanced features (TLS inspection)

Thank You!

You now have the knowledge and commands to implement enterprise-grade network security with AWS Network Firewall. Remember: Security is a journey, not a destination. Keep learning and adapting!

1 / 20