AWS Network Firewall - Complete Technical Guide

Table of Contents

1. AWS Network Firewall Overview and Architecture

graph TB subgraph "AWS Account" subgraph "VPC" subgraph "Firewall Subnet" NF[Network Firewall] FWE[Firewall Endpoint] end subgraph "Protected Subnets" PS1[Private Subnet 1] PS2[Private Subnet 2] PS3[Public Subnet] end subgraph "Route Tables" RT1[Protected Route Table] RT2[Firewall Route Table] RT3[IGW Route Table] end end subgraph "Security Policies" FP[Firewall Policy] RG[Rule Groups] SR[Stateful Rules] SLR[Stateless Rules] end end Internet[Internet] --> IGW[Internet Gateway] IGW --> RT3 RT3 --> FWE FWE --> NF NF --> RT2 RT2 --> PS1 RT2 --> PS2 RT2 --> PS3 FP --> NF RG --> FP SR --> RG SLR --> RG
Architecture Overview: This diagram shows the high-level architecture of AWS Network Firewall within a VPC. The firewall sits between the Internet Gateway and your protected subnets, acting as a central inspection point. Traffic flows through the firewall endpoint, which applies the configured firewall policy containing stateful and stateless rule groups. Route tables direct traffic through the firewall, ensuring all north-south traffic is inspected.
graph LR subgraph "Traffic Types" NS[North-South Traffic
Internet ↔ VPC] EW[East-West Traffic
VPC ↔ VPC] AZ[Cross-AZ Traffic
AZ-A ↔ AZ-B] end subgraph "Firewall Capabilities" SI[Stateful Inspection] DPI[Deep Packet Inspection] IPS[Intrusion Prevention] DNS[DNS Filtering] TLS[TLS Inspection] end NS --> SI EW --> DPI AZ --> IPS NS --> DNS EW --> TLS
Traffic Flow and Capabilities: AWS Network Firewall can inspect different types of traffic flows including north-south (internet-to-VPC), east-west (VPC-to-VPC), and cross-availability zone traffic. It provides comprehensive security capabilities including stateful inspection, deep packet inspection, intrusion prevention, DNS filtering, and TLS inspection.

2. Core Components Deep Dive

graph TD subgraph "Network Firewall Components" NF[Network Firewall] FP[Firewall Policy] RG1[Stateful Rule Group] RG2[Stateless Rule Group] RG3[Managed Rule Group] subgraph "Rule Group Contents" SR1[5-tuple Rules] SR2[Suricata Rules] SR3[Domain Lists] SLR1[Action Rules] SLR2[Custom Actions] end subgraph "Actions" A1[ALLOW] A2[DROP] A3[REJECT] A4[ALERT] A5[PASS] end end NF --> FP FP --> RG1 FP --> RG2 FP --> RG3 RG1 --> SR1 RG1 --> SR2 RG1 --> SR3 RG2 --> SLR1 RG2 --> SLR2 SR1 --> A1 SR2 --> A2 SR3 --> A3 SLR1 --> A4 SLR2 --> A5
Component Hierarchy: The Network Firewall uses a hierarchical structure where the firewall policy orchestrates multiple rule groups. Stateful rule groups contain 5-tuple rules, Suricata-compatible rules, and domain lists. Stateless rule groups contain action-based rules. Each rule type can trigger different actions (ALLOW, DROP, REJECT, ALERT, PASS) based on the traffic inspection results.
sequenceDiagram participant C as Client participant IGW as Internet Gateway participant FWE as Firewall Endpoint participant NF as Network Firewall participant T as Target Resource C->>IGW: 1. Outbound Request IGW->>FWE: 2. Route to Firewall FWE->>NF: 3. Inspect Packet Note over NF: Stateless Rule Processing NF->>NF: 4a. Check Stateless Rules Note over NF: Stateful Rule Processing NF->>NF: 4b. Check Stateful Rules NF->>NF: 4c. Check Managed Rules alt Traffic Allowed NF->>T: 5a. Forward to Target T->>NF: 6a. Response Traffic NF->>FWE: 7a. Return Response FWE->>IGW: 8a. Route Response IGW->>C: 9a. Deliver Response else Traffic Blocked NF->>FWE: 5b. Drop/Reject FWE->>IGW: 6b. Log Action Note over IGW: No response to client end
Traffic Processing Sequence: This sequence diagram illustrates how traffic flows through the Network Firewall. Traffic first hits stateless rules for fast processing, then stateful rules for connection tracking and deep inspection, and finally managed rules for threat intelligence. The firewall maintains state for allowed connections, enabling return traffic to flow back to the originating client.

3. Traffic Flow Patterns

graph TB subgraph "Multi-AZ Deployment" subgraph "AZ-A" FWEA[Firewall Endpoint A] PSA[Protected Subnet A] RTA[Route Table A] end subgraph "AZ-B" FWEB[Firewall Endpoint B] PSB[Protected Subnet B] RTB[Route Table B] end subgraph "AZ-C" FWEC[Firewall Endpoint C] PSC[Protected Subnet C] RTC[Route Table C] end end IGW[Internet Gateway] --> FWEA IGW --> FWEB IGW --> FWEC FWEA --> RTA FWEB --> RTB FWEC --> RTC RTA --> PSA RTB --> PSB RTC --> PSC PSA -.-> PSB PSB -.-> PSC PSC -.-> PSA
Multi-AZ Traffic Distribution: In a multi-AZ deployment, each availability zone has its own firewall endpoint. Traffic is distributed across zones for high availability and fault tolerance. Cross-AZ traffic (shown with dotted lines) can also be inspected by routing through the firewall endpoints, providing comprehensive east-west traffic visibility and control.
graph LR subgraph "Inspection Modes" subgraph "Centralized" CC[Central Firewall] CA[All Traffic] end subgraph "Distributed" DF1[Firewall 1] DF2[Firewall 2] DF3[Firewall 3] end subgraph "Hybrid" HF[Hub Firewall] SF1[Spoke Firewall 1] SF2[Spoke Firewall 2] end end CA --> CC DF1 --> DF2 DF2 --> DF3 HF --> SF1 HF --> SF2
Deployment Patterns: Network Firewall supports three main deployment patterns. Centralized deployment routes all traffic through a single firewall for simplified management. Distributed deployment places firewalls in multiple locations for reduced latency and higher throughput. Hybrid deployment combines both approaches, using a central hub for critical traffic and distributed firewalls for local inspection.

4. Deployment Architecture Patterns

graph TB subgraph "Hub and Spoke with Inspection VPC" subgraph "Inspection VPC" subgraph "Firewall Subnets" FWS1[FW Subnet AZ-A] FWS2[FW Subnet AZ-B] end subgraph "TGW Subnets" TGWS1[TGW Subnet AZ-A] TGWS2[TGW Subnet AZ-B] end NF[Network Firewall] end subgraph "Spoke VPCs" SVPC1[Production VPC] SVPC2[Development VPC] SVPC3[Shared Services VPC] end TGW[Transit Gateway] end Internet --> IGW[Internet Gateway] IGW --> FWS1 IGW --> FWS2 FWS1 --> NF FWS2 --> NF NF --> TGWS1 NF --> TGWS2 TGWS1 --> TGW TGWS2 --> TGW TGW --> SVPC1 TGW --> SVPC2 TGW --> SVPC3
Hub and Spoke Architecture: This pattern uses a dedicated inspection VPC with Network Firewall to secure traffic between the internet and multiple spoke VPCs connected via Transit Gateway. All north-south and east-west traffic is routed through the central firewall, providing comprehensive security coverage and centralized policy management across multiple VPCs.
graph TB subgraph "Advanced Inspection Pipeline" subgraph "Layer 1: Stateless Filtering" SLF[Stateless Rules] SLA[ALLOW/DROP/PASS] end subgraph "Layer 2: Stateful Inspection" SF[Stateful Engine] SFA[5-tuple Rules] SFB[Domain Lists] SFC[Connection Tracking] end subgraph "Layer 3: Deep Inspection" DI[Deep Packet Inspection] DIA[Suricata Rules] DIB[Signature Matching] DIC[Protocol Analysis] end subgraph "Layer 4: Threat Intelligence" TI[Managed Rule Groups] TIA[IP Reputation] TIB[Malware Detection] TIC[Bot Protection] end end Traffic[Incoming Traffic] --> SLF SLF --> SLA SLA --> SF SF --> SFA SF --> SFB SF --> SFC SFC --> DI DI --> DIA DI --> DIB DI --> DIC DIC --> TI TI --> TIA TI --> TIB TI --> TIC TIC --> Decision{Allow/Block}
Multi-Layer Inspection Pipeline: Network Firewall processes traffic through multiple inspection layers. Stateless rules provide fast initial filtering, stateful inspection maintains connection state and applies 5-tuple rules, deep packet inspection analyzes packet contents using Suricata rules, and managed rule groups provide threat intelligence. This layered approach ensures comprehensive security coverage while maintaining high performance.

5. Setup Commands and Execution Order

graph TD subgraph "Setup Sequence" S1[1. Create Rule Groups] S2[2. Create Firewall Policy] S3[3. Create Network Firewall] S4[4. Configure Route Tables] S5[5. Update Security Groups] S6[6. Enable Logging] S7[7. Configure Monitoring] end S1 --> S2 S2 --> S3 S3 --> S4 S4 --> S5 S5 --> S6 S6 --> S7 subgraph "Commands" C1[create-rule-group] C2[create-firewall-policy] C3[create-firewall] C4[create-route / replace-route] C5[authorize-security-group-ingress] C6[put-logging-configuration] C7[put-metric-filter] end S1 --> C1 S2 --> C2 S3 --> C3 S4 --> C4 S5 --> C5 S6 --> C6 S7 --> C7
Setup Command Sequence: This diagram shows the correct order for setting up AWS Network Firewall. Rule groups must be created first as they're referenced by the firewall policy. The firewall policy is then created and associated with the Network Firewall. After the firewall is deployed, route tables are updated to direct traffic through the firewall endpoints, security groups are configured, and logging/monitoring is enabled.

Step-by-Step Setup Process

Prerequisites: Ensure you have appropriate IAM permissions, VPC with subnets in multiple AZs, and AWS CLI configured.

  1. Create Rule Groups: Define stateful and stateless rule groups with your security policies
  2. Create Firewall Policy: Combine rule groups into a comprehensive policy
  3. Deploy Network Firewall: Create the firewall in designated subnets
  4. Configure Routing: Update route tables to direct traffic through firewall endpoints
  5. Update Security Groups: Ensure proper connectivity to firewall endpoints
  6. Enable Logging: Configure CloudWatch Logs and S3 for audit trails
  7. Setup Monitoring: Create CloudWatch alarms and dashboards

6. Detailed Configuration Commands

Step 1: Create Stateful Rule Group

aws network-firewall create-rule-group \ --rule-group-name "StatefulRuleGroup-WebTraffic" \ --type STATEFUL \ --capacity 100 \ --rule-group '{ "RuleVariables": { "IPSets": { "HOME_NET": { "Definition": ["10.0.0.0/16", "192.168.0.0/16"] } }, "PortSets": { "WEB_PORTS": { "Definition": ["80", "443"] } } }, "RulesSource": { "StatefulRules": [ { "Action": "PASS", "Header": { "Protocol": "TCP", "Source": "$HOME_NET", "SourcePort": "ANY", "Direction": "FORWARD", "Destination": "ANY", "DestinationPort": "$WEB_PORTS" }, "RuleOptions": [ { "Keyword": "sid", "Settings": ["1"] } ] } ] } }' \ --region us-east-1
{ "RuleGroupResponse": { "RuleGroupArn": "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/StatefulRuleGroup-WebTraffic", "RuleGroupName": "StatefulRuleGroup-WebTraffic", "RuleGroupId": "12345678-1234-1234-1234-123456789012", "Type": "STATEFUL", "Capacity": 100, "RuleGroupStatus": "ACTIVE" }, "UpdateToken": "abcd1234-5678-90ef-ghij-klmnopqrstuv" }
Stateful Rule Group Configuration:
ParameterDescriptionOptions
rule-group-nameUnique identifier for the rule groupMust be unique within region
typeRule group typeSTATEFUL | STATELESS
capacityProcessing capacity units1-30000 for stateful
RuleVariablesVariables for reusable valuesIPSets, PortSets
ActionAction for matching trafficPASS | DROP | REJECT | ALERT

What this does: Creates a stateful rule group that allows web traffic (HTTP/HTTPS) from internal networks. The rule group uses variables to make maintenance easier and includes a unique SID for tracking. This is typically the first component created as it's referenced by the firewall policy.

Step 2: Create Stateless Rule Group

aws network-firewall create-rule-group \ --rule-group-name "StatelessRuleGroup-BlockBadIPs" \ --type STATELESS \ --capacity 50 \ --rule-group '{ "RulesSource": { "StatelessRulesAndCustomActions": { "StatelessRules": [ { "RuleDefinition": { "MatchAttributes": { "Sources": [ { "AddressDefinition": "192.0.2.0/24" } ], "Protocols": [6, 17], "DestinationPorts": [ { "FromPort": 1, "ToPort": 65535 } ] }, "Actions": ["aws:drop"] }, "Priority": 1 } ] } } }' \ --region us-east-1
{ "RuleGroupResponse": { "RuleGroupArn": "arn:aws:network-firewall:us-east-1:123456789012:stateless-rulegroup/StatelessRuleGroup-BlockBadIPs", "RuleGroupName": "StatelessRuleGroup-BlockBadIPs", "RuleGroupId": "87654321-4321-4321-4321-210987654321", "Type": "STATELESS", "Capacity": 50, "RuleGroupStatus": "ACTIVE" }, "UpdateToken": "efgh5678-9012-34ij-klmn-opqrstuvwxyz" }
Stateless Rule Group Configuration:
ParameterDescriptionOptions
PriorityRule evaluation order1-65535 (lower = higher priority)
MatchAttributesTraffic matching criteriaSources, Destinations, Protocols, Ports
ActionsActions to take on matchaws:drop, aws:pass, aws:forward-to-sfe
ProtocolsIP protocol numbers6=TCP, 17=UDP, 1=ICMP

What this does: Creates a stateless rule group that drops traffic from known bad IP ranges. Stateless rules are processed first and provide fast, efficient filtering. This rule group blocks a specific subnet (192.0.2.0/24) commonly used for documentation/testing that shouldn't appear in production traffic.

Step 3: Create Firewall Policy

aws network-firewall create-firewall-policy \ --firewall-policy-name "ComprehensiveFirewallPolicy" \ --firewall-policy '{ "StatelessDefaultActions": ["aws:forward-to-sfe"], "StatelessFragmentDefaultActions": ["aws:forward-to-sfe"], "StatelessRuleGroupReferences": [ { "ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:stateless-rulegroup/StatelessRuleGroup-BlockBadIPs", "Priority": 1 } ], "StatefulRuleGroupReferences": [ { "ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/StatefulRuleGroup-WebTraffic" } ], "StatefulDefaultActions": ["aws:drop_strict"], "StatefulEngineOptions": { "RuleOrder": "STRICT_ORDER" } }' \ --region us-east-1
{ "FirewallPolicyResponse": { "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/ComprehensiveFirewallPolicy", "FirewallPolicyName": "ComprehensiveFirewallPolicy", "FirewallPolicyId": "11111111-2222-3333-4444-555555555555", "FirewallPolicyStatus": "ACTIVE" }, "UpdateToken": "ijkl9012-3456-78mn-opqr-stuvwxyzabcd" }
Firewall Policy Configuration:
ParameterDescriptionOptions
StatelessDefaultActionsDefault action for unmatched stateless trafficaws:drop, aws:pass, aws:forward-to-sfe
StatelessFragmentDefaultActionsAction for fragmented packetsaws:drop, aws:pass, aws:forward-to-sfe
StatefulDefaultActionsDefault action for stateful engineaws:drop_strict, aws:drop_established, aws:alert_strict
RuleOrderRule evaluation orderSTRICT_ORDER | DEFAULT_ACTION_ORDER

What this does: Creates the firewall policy that orchestrates all rule groups. The policy forwards unmatched stateless traffic to the stateful engine, uses strict ordering for consistent rule evaluation, and applies a default drop action for unmatched stateful traffic. This policy references both rule groups created in previous steps.

Step 4: Create Network Firewall

aws network-firewall create-firewall \ --firewall-name "ProductionNetworkFirewall" \ --firewall-policy-arn "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/ComprehensiveFirewallPolicy" \ --vpc-id "vpc-12345678" \ --subnet-mappings SubnetId=subnet-12345678,SubnetId=subnet-87654321 \ --tags Key=Environment,Value=Production Key=Project,Value=NetworkSecurity \ --region us-east-1
{ "Firewall": { "FirewallName": "ProductionNetworkFirewall", "FirewallArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall/ProductionNetworkFirewall", "FirewallId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "VpcId": "vpc-12345678", "SubnetMappings": [ { "SubnetId": "subnet-12345678", "AvailabilityZone": "us-east-1a" }, { "SubnetId": "subnet-87654321", "AvailabilityZone": "us-east-1b" } ], "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/ComprehensiveFirewallPolicy", "FirewallStatus": "PROVISIONING" }, "FirewallStatus": { "Status": "PROVISIONING", "ConfigurationSyncStateSummary": "IN_SYNC" }, "UpdateToken": "mnop4567-8901-23qr-stuv-wxyzabcdefgh" }
Network Firewall Configuration:
ParameterDescriptionRequirements
firewall-nameUnique firewall identifierMust be unique within region
firewall-policy-arnARN of the firewall policyMust exist and be ACTIVE
vpc-idVPC where firewall will be deployedMust exist and have available subnets
subnet-mappingsSubnets for firewall endpointsMust be in different AZs, minimum /28

What this does: Creates the actual Network Firewall resource in your VPC. The firewall will create endpoints in the specified subnets, and the status will change from PROVISIONING to READY when deployment is complete. The firewall endpoints receive ENIs that you'll use in route table configurations.

Step 5: Get Firewall Status and Endpoints

aws network-firewall describe-firewall \ --firewall-name "ProductionNetworkFirewall" \ --region us-east-1
{ "Firewall": { "FirewallName": "ProductionNetworkFirewall", "FirewallArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall/ProductionNetworkFirewall", "FirewallId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "VpcId": "vpc-12345678", "SubnetMappings": [ { "SubnetId": "subnet-12345678", "AvailabilityZone": "us-east-1a" }, { "SubnetId": "subnet-87654321", "AvailabilityZone": "us-east-1b" } ] }, "FirewallStatus": { "Status": "READY", "ConfigurationSyncStateSummary": "IN_SYNC", "SyncStates": { "us-east-1a": { "Attachment": { "SubnetId": "subnet-12345678", "EndpointId": "vpce-12345678901234567", "Status": "READY" } }, "us-east-1b": { "Attachment": { "SubnetId": "subnet-87654321", "EndpointId": "vpce-87654321098765432", "Status": "READY" } } } } }
Firewall Status Information:
FieldDescriptionValues
StatusOverall firewall statusPROVISIONING, DELETING, READY
ConfigurationSyncStateSummaryConfiguration sync statusIN_SYNC, PENDING, CAPACITY_CONSTRAINED
EndpointIdVPC endpoint for firewallUsed in route table destinations

What this shows: This command retrieves the firewall status and endpoint information. The EndpointId values are crucial for the next step - configuring route tables. Wait until Status shows "READY" before proceeding with route table updates.

Step 6: Configure Route Tables

# Route internet traffic through firewall endpoint in AZ-A aws ec2 create-route \ --route-table-id rtb-12345678 \ --destination-cidr-block 0.0.0.0/0 \ --vpc-endpoint-id vpce-12345678901234567 \ --region us-east-1
{ "Return": true }
# Route internet traffic through firewall endpoint in AZ-B aws ec2 create-route \ --route-table-id rtb-87654321 \ --destination-cidr-block 0.0.0.0/0 \ --vpc-endpoint-id vpce-87654321098765432 \ --region us-east-1
{ "Return": true }
# Configure firewall subnet route table to send traffic to IGW aws ec2 create-route \ --route-table-id rtb-firewall123 \ --destination-cidr-block 0.0.0.0/0 \ --gateway-id igw-12345678 \ --region us-east-1
{ "Return": true }
Route Table Configuration:
Route TypeSourceDestinationPurpose
Protected Subnets0.0.0.0/0Firewall EndpointRoute internet traffic through firewall
Firewall Subnets0.0.0.0/0Internet GatewayRoute inspected traffic to internet
IGW Route TableVPC CIDRFirewall EndpointRoute return traffic through firewall

What this does: Configures the routing to ensure all traffic flows through the Network Firewall. Protected subnets route internet-bound traffic to firewall endpoints, firewall subnets route approved traffic to the internet gateway, and the IGW route table ensures return traffic goes through the firewall for inspection.

Step 7: Enable Logging

aws network-firewall put-logging-configuration \ --firewall-name "ProductionNetworkFirewall" \ --logging-configuration '{ "LogDestinationConfigs": [ { "LogType": "FLOW", "LogDestinationType": "CloudWatchLogs", "LogDestination": { "logGroup": "NetworkFirewall-FlowLogs" } }, { "LogType": "ALERT", "LogDestinationType": "CloudWatchLogs", "LogDestination": { "logGroup": "NetworkFirewall-AlertLogs" } }, { "LogType": "FLOW", "LogDestinationType": "S3", "LogDestination": { "bucketName": "network-firewall-logs-bucket", "prefix": "flow-logs/" } } ] }' \ --region us-east-1
{ "FirewallArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall/ProductionNetworkFirewall", "LoggingConfiguration": { "LogDestinationConfigs": [ { "LogType": "FLOW", "LogDestinationType": "CloudWatchLogs", "LogDestination": { "logGroup": "NetworkFirewall-FlowLogs" } }, { "LogType": "ALERT", "LogDestinationType": "CloudWatchLogs", "LogDestination": { "logGroup": "NetworkFirewall-AlertLogs" } }, { "LogType": "FLOW", "LogDestinationType": "S3", "LogDestination": { "bucketName": "network-firewall-logs-bucket", "prefix": "flow-logs/" } } ] } }
Logging Configuration:
Log TypeDescriptionDestination Options
FLOWConnection flow informationCloudWatchLogs, S3, KinesisDataFirehose
ALERTSecurity alerts and rule matchesCloudWatchLogs, S3, KinesisDataFirehose
TLSTLS inspection detailsCloudWatchLogs, S3, KinesisDataFirehose

What this does: Enables comprehensive logging for the Network Firewall. Flow logs capture all traffic flows for analysis and compliance, while alert logs capture security events. Using multiple destinations (CloudWatch Logs for real-time monitoring and S3 for long-term storage) provides flexibility for different use cases.

7. Monitoring and Maintenance

graph TB subgraph "Monitoring Components" subgraph "Metrics" M1[Packets Passed] M2[Packets Dropped] M3[Invalid Packets] M4[TLS Errors] end subgraph "Logs" L1[Flow Logs] L2[Alert Logs] L3[TLS Logs] end subgraph "Destinations" D1[CloudWatch Logs] D2[S3 Buckets] D3[Kinesis Data Firehose] end subgraph "Analysis" A1[CloudWatch Insights] A2[Athena Queries] A3[Custom Dashboards] end end M1 --> D1 M2 --> D1 M3 --> D1 M4 --> D1 L1 --> D1 L1 --> D2 L2 --> D1 L3 --> D3 D1 --> A1 D2 --> A2 D3 --> A3
Monitoring Architecture: Network Firewall provides comprehensive monitoring through CloudWatch metrics and configurable logging. Metrics track packet processing statistics, while logs provide detailed traffic and security information. Multiple log destinations enable different analysis approaches - CloudWatch Logs for real-time analysis, S3 for long-term storage and batch processing, and Kinesis Data Firehose for streaming analytics.

CloudWatch Metrics Commands

# Get firewall metrics for passed packets aws cloudwatch get-metric-statistics \ --namespace "AWS/NetworkFirewall" \ --metric-name "PassedPackets" \ --dimensions Name=FirewallName,Value=ProductionNetworkFirewall \ --start-time 2024-01-01T00:00:00Z \ --end-time 2024-01-01T23:59:59Z \ --period 3600 \ --statistics Sum \ --region us-east-1
{ "Label": "PassedPackets", "Datapoints": [ { "Timestamp": "2024-01-01T00:00:00Z", "Sum": 1250000.0, "Unit": "Count" }, { "Timestamp": "2024-01-01T01:00:00Z", "Sum": 1180000.0, "Unit": "Count" } ] }
# Create CloudWatch alarm for dropped packets aws cloudwatch put-metric-alarm \ --alarm-name "NetworkFirewall-HighDropRate" \ --alarm-description "Alert when firewall drops exceed threshold" \ --metric-name "DroppedPackets" \ --namespace "AWS/NetworkFirewall" \ --statistic Sum \ --period 300 \ --threshold 1000 \ --comparison-operator GreaterThanThreshold \ --evaluation-periods 2 \ --alarm-actions "arn:aws:sns:us-east-1:123456789012:network-firewall-alerts" \ --dimensions Name=FirewallName,Value=ProductionNetworkFirewall \ --region us-east-1
{ "ResponseMetadata": { "RequestId": "12345678-1234-1234-1234-123456789012" } }
Key Monitoring Metrics:
MetricDescriptionThreshold Guidance
PassedPacketsPackets allowed through firewallMonitor for baseline traffic patterns
DroppedPacketsPackets dropped by firewall rulesAlert on unusual spikes
InvalidPacketsMalformed or invalid packetsAlert on any non-zero values
TLSErrorsTLS inspection errorsAlert on sustained increases

Monitoring Strategy: Set up CloudWatch alarms to monitor key metrics and detect anomalies. Monitor both allowed and dropped traffic to understand normal patterns and identify potential security events or misconfigurations. Use SNS notifications to alert security teams of significant events.

Complete Setup Validation Checklist

  1. ✓ Rule groups created and showing ACTIVE status
  2. ✓ Firewall policy created and referencing all rule groups
  3. ✓ Network firewall deployed and showing READY status
  4. ✓ Route tables updated to direct traffic through firewall endpoints
  5. ✓ Security groups allow traffic to/from firewall subnets
  6. ✓ Logging enabled for flow, alert, and TLS logs
  7. ✓ CloudWatch alarms configured for key metrics
  8. ✓ Test traffic flows through firewall and logs are generated

AWS Network Firewall Setup Complete

This guide provides a comprehensive walkthrough of AWS Network Firewall deployment, from initial rule group creation through monitoring and maintenance. Each component builds upon the previous steps, ensuring a secure and well-monitored network security solution.