3.1.2. AWS Network Firewall
First Principle: AWS Network Firewall provides fully managed, scalable network intrusion prevention, web filtering, and granular traffic inspection at the VPC level, centralizing network security for enterprises.
For security specialists, deploying and managing traditional network firewalls can be complex and costly. AWS Network Firewall simplifies this by offering a fully managed, highly available firewall directly within your VPC.
AWS Network Firewall is a fully managed network firewall service that provides network intrusion prevention, web filtering, and granular traffic inspection for your Amazon VPCs.
Key Features of AWS Network Firewall:
- Fully Managed: AWS manages the underlying infrastructure, scaling, and high availability of the firewall.
- Centralized Protection: Deploy a single firewall for an entire VPC or multiple VPCs through AWS Transit Gateway (TGW).
- Deep Packet Inspection (DPI): Inspects network traffic at multiple layers for malicious activity or policy violations (e.g., SQL injection attempts on non-web ports).
- Intrusion Prevention System (IPS): Detects and prevents common exploits, malware, and network-based attacks.
- Web Filtering: Filters outbound traffic based on domain names or URL categories (e.g., block access to known malicious websites, enforce acceptable use policies).
- Stateful Filtering: Filters traffic based on connection state (e.g., allowing return traffic for connections that were established from inside the VPC).
- Stateless Filtering: Evaluates each packet on its own, without connection context, using header fields such as addresses, ports, and protocol.
- Rules Engine: Define custom firewall rules based on IP addresses, ports, protocols, domain names, and even custom content.
- Integration with AWS Firewall Manager: Centrally manage firewall policies across multiple accounts in AWS Organizations.
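The following Terraform configuration is an added example, not part of this guide or of AWS's own documentation: it combines the stateless, stateful and rules-engine features above into a default-deny egress policy for a production VPC, with alerts shipped to CloudWatch. The variable inputs, resource names and the sample allowlisted domains are assumptions.

```hcl
# Added example, not from the page. Assumed inputs: var.vpc_id, var.firewall_subnet_id, var.alert_log_group.
# Stateful rule group (Suricata-compatible): pass TLS/HTTP egress only to approved sample domains.
resource "aws_networkfirewall_rule_group" "egress_allowlist" {
  name     = "prod-egress-allowlist"
  type     = "STATEFUL"
  capacity = 100
  rule_group {
    rules_source {
      rules_string = <<-EOT
        pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazonaws.com"; endswith; flow:to_server; sid:1001; rev:1;)
        pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".example.com"; endswith; flow:to_server; sid:1002; rev:1;)
      EOT
    }
    stateful_rule_options { rule_order = "STRICT_ORDER" }
  }
}

# Policy: the stateless engine forwards every packet to the stateful engine; established flows that matched no pass rule are dropped and logged.
resource "aws_networkfirewall_firewall_policy" "egress" {
  name = "prod-egress-policy"
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_engine_options { rule_order = "STRICT_ORDER" }
    stateful_default_actions = ["aws:drop_established", "aws:alert_established"]
    stateful_rule_group_reference {
      priority     = 10
      resource_arn = aws_networkfirewall_rule_group.egress_allowlist.arn
    }
  }
}

# Firewall endpoint in a dedicated subnet; VPC route tables must steer workload egress through it.
resource "aws_networkfirewall_firewall" "prod" {
  name                = "prod-vpc-firewall"
  vpc_id              = var.vpc_id
  firewall_policy_arn = aws_networkfirewall_firewall_policy.egress.arn
  subnet_mapping { subnet_id = var.firewall_subnet_id }
}

# ALERT logs (one record per dropped or alerted flow) go to CloudWatch for detection and IR.
resource "aws_networkfirewall_logging_configuration" "prod" {
  firewall_arn = aws_networkfirewall_firewall.prod.arn
  logging_configuration {
    log_destination_config {
      log_destination      = { logGroup = var.alert_log_group }
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
    }
  }
}
```

`aws:drop_established` lets the TCP handshake complete so the stateful engine can read the TLS SNI or HTTP Host before deciding, which is why it pairs with domain allowlists; `$HOME_NET` is left undefined here because Network Firewall defaults it to the CIDR of the VPC the firewall is deployed in.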
Scenario: A large enterprise needs to implement advanced network traffic inspection, intrusion prevention, and web filtering for all traffic entering and leaving its production VPC. They want a fully managed solution that scales automatically and centralizes protection.
Reflection Question: How does AWS Network Firewall, by providing fully managed network intrusion prevention, web filtering, and granular traffic inspection at the VPC level, fundamentally enable centralized network security and protect resources from advanced threats?