Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.1.2. AWS Network Firewall

AWS Network Firewall provides fully managed, scalable network intrusion prevention, web filtering, and granular traffic inspection at the VPC level, centralizing network security for enterprises.

Scenario: A large enterprise needs to implement advanced network traffic inspection, intrusion prevention, and web filtering for all traffic entering and leaving its production VPC. They want a fully managed solution that scales automatically.

For network specialists, deploying and managing traditional network firewalls can be complex and costly. AWS Network Firewall simplifies this by offering a fully managed, highly available firewall directly within your VPC.

AWS Network Firewall is a fully managed network firewall service that provides network intrusion prevention, web filtering, and granular traffic inspection for your Amazon VPCs.

Key Features of AWS Network Firewall:
  • Fully Managed: AWS manages the underlying infrastructure, scaling, and high availability of the firewall.
  • Centralized Protection: Deploy a single firewall for an entire VPC or multiple VPCs through AWS Transit Gateway (TGW).
  • Deep Packet Inspection: Inspects network traffic at multiple layers for malicious activity or policy violations.
  • Intrusion Prevention System (IPS): Detects and prevents common exploits, malware, and network-based attacks.
  • Web Filtering: Filters outbound traffic based on domain names or URL categories (e.g., block access to known malicious websites).
  • Stateful Filtering: Filters traffic based on connection state (e.g., allowing established connections).
  • Stateless Filtering: Filters traffic based on individual packets.
  • Rules Engine: Define custom firewall rules based on IP addresses, ports, protocols, domain names, and even custom content.
  • Integration with AWS Firewall Manager: Centrally manage firewall policies across multiple accounts in AWS Organizations.
Practical Implementation: Network Firewall Deployment (Conceptual)
# Network Firewall is typically deployed in a dedicated "inspection VPC" or "DMZ VPC".
# Traffic is then routed through the Network Firewall endpoints using TGW or VPC route tables.

# 1. Create a Firewall Policy
# The stateless default actions must be "aws:forward_to_sfe" so that packets not matched by a
# stateless rule are handed to the stateful engine (and thus to the referenced stateful rule
# group). With "aws:pass" those packets would leave the firewall without any stateful inspection.
aws network-firewall create-firewall-policy \
  --firewall-policy-name MyFirewallPolicy \
  --firewall-policy '{"StatelessDefaultActions":["aws:forward_to_sfe"],"StatelessFragmentDefaultActions":["aws:forward_to_sfe"],"StatefulRuleGroupReferences":[{"ResourceArn":"arn:aws:network-firewall:us-east-1:123456789012:stateful-rule-group/MyStatefulRuleGroup"}]}'

# 2. Create a Firewall (in a specific VPC and subnets)
# One dedicated firewall subnet per Availability Zone; each subnet mapping is a separate
# shorthand item separated by spaces (comma-separated keys would be parsed as one mapping).
aws network-firewall create-firewall \
  --firewall-name MyVPCFirewall \
  --firewall-policy-arn arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/MyFirewallPolicy \
  --vpc-id vpc-0abcdef1234567890 \
  --subnet-mappings SubnetId=subnet-0a1b2c3d SubnetId=subnet-0e4f5g6h

⚠️ Common Pitfall: Forgetting to update routing so that traffic is actually directed through the Network Firewall endpoints. Creating the firewall does not change any route table; if the routes are not updated, traffic bypasses the firewall entirely, rendering it ineffective.
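The following script is an added example, not part of the course material, showing the routing step the pitfall above refers to: it derives, from the firewall's per-AZ endpoint IDs, which route-table entries are needed so that each protected subnet sends and receives traffic through the firewall endpoint in its own Availability Zone. The describe-firewall output, subnet CIDRs, route-table IDs and endpoint IDs are constructed placeholders.

```python
# Added example: plan per-AZ route-table entries that steer traffic through Network Firewall
# endpoints. Input shape mirrors `aws network-firewall describe-firewall`; values are constructed.

# Constructed sample of the FirewallStatus.SyncStates block (one endpoint per AZ).
DESCRIBE_FIREWALL = {
    "FirewallStatus": {
        "Status": "READY",
        "SyncStates": {
            "us-east-1a": {"Attachment": {"SubnetId": "subnet-0a1b2c3d",
                                          "EndpointId": "vpce-0aaa111", "Status": "READY"}},
            "us-east-1b": {"Attachment": {"SubnetId": "subnet-0e4f5g6h",
                                          "EndpointId": "vpce-0bbb222", "Status": "READY"}},
        },
    }
}

# Constructed layout of the protected workload subnets and their route tables.
PROTECTED_SUBNETS = [
    {"cidr": "10.0.1.0/24", "az": "us-east-1a", "route_table": "rtb-0prot1"},
    {"cidr": "10.0.2.0/24", "az": "us-east-1b", "route_table": "rtb-0prot2"},
]
IGW_INGRESS_ROUTE_TABLE = "rtb-0igw"  # edge-associated with the Internet Gateway

def endpoints_by_az(describe_output):
    """Map AZ -> firewall endpoint ID, keeping only endpoints whose attachment is READY."""
    states = describe_output["FirewallStatus"]["SyncStates"]
    return {az: s["Attachment"]["EndpointId"] for az, s in states.items()
            if s["Attachment"].get("Status") == "READY"}

def plan_routes(describe_output, subnets, igw_rtb):
    """Return (route_table, destination, endpoint) triples. Each subnet is paired with
    the endpoint in its own AZ so forward and return paths hit the same endpoint;
    an asymmetric path defeats stateful inspection."""
    eps = endpoints_by_az(describe_output)
    routes = []
    for s in subnets:
        if s["az"] not in eps:
            raise ValueError(f"no READY firewall endpoint in {s['az']}")
        # Egress: default route of the workload subnet -> firewall endpoint in its AZ
        routes.append((s["route_table"], "0.0.0.0/0", eps[s["az"]]))
        # Ingress: IGW route table sends traffic for the subnet CIDR -> same endpoint
        routes.append((igw_rtb, s["cidr"], eps[s["az"]]))
    return routes

def as_cli(routes):
    """Render the plan as `aws ec2 create-route` commands (not executed here)."""
    return [f"aws ec2 create-route --route-table-id {r} --destination-cidr-block {d} "
            f"--vpc-endpoint-id {e}" for r, d, e in routes]
```

The firewall subnets themselves still need their own route table with the default route to the Internet Gateway, which this plan does not cover.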

Key Trade-Offs:
  • Managed Service vs. Custom Firewall Appliance: Network Firewall is fully managed, reducing operational overhead but offering less granular control over the underlying OS than a self-managed firewall appliance on EC2.

Reflection Question: How does AWS Network Firewall, by providing fully managed network intrusion prevention, web filtering, and granular traffic inspection at the VPC level, fundamentally enable centralized network security and protect resources from advanced threats?