Amazon Network Firewall Features

Overview

Amazon Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). The service can be set up in a few clicks and scales automatically with your network traffic, so there is no firewall infrastructure for you to deploy or manage. Its flexible rules engine lets you define firewall rules with fine-grained control over network traffic, for example blocking outbound Server Message Block (SMB) requests on TCP port 445 to limit lateral movement of malware between networks. You can also import rules you have already written in common open source rule formats (Suricata-compatible syntax) and enable integrations with managed threat intelligence feeds sourced from Amazon Web Services partners. Amazon Network Firewall works together with Amazon Firewall Manager, so you can build policies based on Amazon Network Firewall rules and then centrally apply those policies across your VPCs and accounts.

Network Firewall Features

High availability and automated scaling

Amazon Network Firewall offers built-in redundancies so that all traffic is consistently inspected and monitored, and is backed by a Service Level Agreement with an uptime commitment of 99.99%. Firewall capacity scales up or down automatically with the traffic load, so performance stays steady and predictable without over-provisioning capacity and paying for it.

Stateful firewall

The stateful firewall takes the context of a traffic flow into account for more granular policy enforcement, for example dropping packets based on the source address or protocol type. Its match criteria are the same as those of Amazon Network Firewall's stateless inspection, with the addition of a match setting for traffic direction (forward only, or either direction). The flexible rule engine lets you write thousands of firewall rules based on source/destination IP address, source/destination port, and protocol. Because the stateful engine identifies application-layer protocols from the traffic itself rather than from the port number, it can filter common protocols such as HTTP, TLS and DNS without any port specification, not just by TCP/UDP port.

Web filtering

Amazon Network Firewall supports inbound and outbound web filtering for unencrypted web traffic. For encrypted web traffic, the Server Name Indication (SNI) is used to block access to specific sites. SNI is an extension to Transport Layer Security (TLS) that is sent unencrypted in the TLS handshake and indicates the destination hostname a client is attempting to reach over HTTPS. Note that the SNI value is supplied by the client and is not authenticated, so SNI filtering enforces policy for well-behaved clients rather than defeating a deliberately evasive one; where you need stronger assurance of the destination, combine it with TLS inspection. In addition, Amazon Network Firewall can filter on fully qualified domain names (FQDNs) using domain list rules that match the HTTP Host header or the TLS SNI.

Intrusion prevention

Amazon Network Firewall's intrusion prevention system (IPS) provides active traffic flow inspection with real-time network and application layer protections against vulnerability exploits and brute force attacks. Its signature-based detection engine matches network traffic against known threat signatures using attributes such as byte sequences or packet anomalies, and can drop the matching flow rather than only alerting on it.

Alert and flow logs

Alert logs are rule specific: each record identifies the rule that was triggered and the particular session that triggered it. Flow logs record state information about every traffic flow that passes through the firewall, with one record per direction. Both log types can be delivered natively to Amazon S3, Amazon Kinesis Data Firehose, and Amazon CloudWatch Logs.
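The following is an added example, not Amazon's code, of the kind of detection logic you would run over these logs once they land in S3 or CloudWatch Logs. The records are constructed for the example: their layout (a wrapper with firewall_name, availability_zone and event_timestamp around a Suricata-style event object with event_type "alert" or "netflow") is an assumption based on Suricata's EVE JSON format, and the firewall name, addresses, timestamps and signature IDs are placeholders. The first function summarises blocked alerts per signature; the second uses the per-direction flow records to flag a source touching many destination ports.

```python
"""Summarise Network Firewall alert and flow log records (added example)."""
import json
from collections import Counter, defaultdict

# Constructed sample: one JSON record per line, as written to a log destination.
# Field layout is assumed from Suricata EVE JSON; values are placeholders.
SAMPLE_LOG = "\n".join([
    '{"firewall_name":"egress-fw","availability_zone":"cn-north-1a","event_timestamp":"1700000001","event":{"timestamp":"2023-11-14T22:13:21.000000+0000","flow_id":101,"event_type":"alert","src_ip":"10.1.2.3","src_port":50000,"dest_ip":"203.0.113.10","dest_port":445,"proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"rev":1,"signature":"Block outbound SMB","category":"","severity":1}}}',
    '{"firewall_name":"egress-fw","availability_zone":"cn-north-1a","event_timestamp":"1700000002","event":{"timestamp":"2023-11-14T22:13:22.000000+0000","flow_id":102,"event_type":"alert","src_ip":"10.1.2.4","src_port":50001,"dest_ip":"203.0.113.10","dest_port":445,"proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"rev":1,"signature":"Block outbound SMB","category":"","severity":1}}}',
    '{"firewall_name":"egress-fw","availability_zone":"cn-north-1a","event_timestamp":"1700000003","event":{"timestamp":"2023-11-14T22:13:23.000000+0000","flow_id":103,"event_type":"alert","src_ip":"10.1.2.3","src_port":50002,"dest_ip":"203.0.113.30","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":1000004,"rev":1,"signature":"Log other TCP","category":"","severity":3}}}',
    '{"firewall_name":"egress-fw","availability_zone":"cn-north-1a","event_timestamp":"1700000010","event":{"timestamp":"2023-11-14T22:13:30.000000+0000","flow_id":201,"event_type":"netflow","src_ip":"198.51.100.7","src_port":40000,"dest_ip":"10.1.2.3","dest_port":22,"proto":"TCP","netflow":{"pkts":1,"bytes":60,"start":"2023-11-14T22:13:30.000000+0000","end":"2023-11-14T22:13:30.000000+0000","age":0,"min_ttl":64,"max_ttl":64}}}',
    '{"firewall_name":"egress-fw","availability_zone":"cn-north-1a","event_timestamp":"1700000011","event":{"timestamp":"2023-11-14T22:13:31.000000+0000","flow_id":202,"event_type":"netflow","src_ip":"198.51.100.7","src_port":40001,"dest_ip":"10.1.2.3","dest_port":445,"proto":"TCP","netflow":{"pkts":1,"bytes":60,"start":"2023-11-14T22:13:31.000000+0000","end":"2023-11-14T22:13:31.000000+0000","age":0,"min_ttl":64,"max_ttl":64}}}',
    '{"firewall_name":"egress-fw","availability_zone":"cn-north-1a","event_timestamp":"1700000012","event":{"timestamp":"2023-11-14T22:13:32.000000+0000","flow_id":203,"event_type":"netflow","src_ip":"198.51.100.7","src_port":40002,"dest_ip":"10.1.2.3","dest_port":3389,"proto":"TCP","netflow":{"pkts":1,"bytes":60,"start":"2023-11-14T22:13:32.000000+0000","end":"2023-11-14T22:13:32.000000+0000","age":0,"min_ttl":64,"max_ttl":64}}}',
    '{"firewall_name":"egress-fw","availability_zone":"cn-north-1a","event_timestamp":"1700000013","event":{"timestamp":"2023-11-14T22:13:33.000000+0000","flow_id":204,"event_type":"netflow","src_ip":"198.51.100.7","src_port":40003,"dest_ip":"10.1.2.3","dest_port":8080,"proto":"TCP","netflow":{"pkts":1,"bytes":60,"start":"2023-11-14T22:13:33.000000+0000","end":"2023-11-14T22:13:33.000000+0000","age":0,"min_ttl":64,"max_ttl":64}}}',
    '{"firewall_name":"egress-fw","availability_zone":"cn-north-1a","event_timestamp":"1700000014","event":{"timestamp":"2023-11-14T22:13:34.000000+0000","flow_id":205,"event_type":"netflow","src_ip":"203.0.113.10","src_port":443,"dest_ip":"10.1.2.3","dest_port":50010,"proto":"TCP","netflow":{"pkts":12,"bytes":9000,"start":"2023-11-14T22:13:34.000000+0000","end":"2023-11-14T22:13:35.000000+0000","age":1,"min_ttl":64,"max_ttl":64}}}',
])


def parse_records(text):
    """Return the inner event of every non-empty log line, keeping the firewall name."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        event = record["event"]
        event["firewall_name"] = record["firewall_name"]  # carry wrapper context along
        events.append(event)
    return events


def blocked_by_signature(events):
    """Map signature_id -> (signature text, number of blocked flows, sorted source IPs)."""
    counts, sources, names = Counter(), defaultdict(set), {}
    for event in events:
        if event.get("event_type") != "alert":
            continue
        alert = event["alert"]
        if alert["action"] != "blocked":      # alert-only rules log "allowed"
            continue
        sid = alert["signature_id"]
        counts[sid] += 1
        sources[sid].add(event["src_ip"])
        names[sid] = alert["signature"]
    return {sid: (names[sid], counts[sid], sorted(sources[sid])) for sid in counts}


def port_scan_candidates(events, min_ports=3):
    """Sources whose flow records reach at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for event in events:
        if event.get("event_type") == "netflow":
            ports[event["src_ip"]].add(event["dest_port"])
    return sorted(ip for ip, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    evs = parse_records(SAMPLE_LOG)
    print(blocked_by_signature(evs))
    print(port_scan_candidates(evs))
```

Because flow logs carry one record per direction, a per-source aggregation like `port_scan_candidates` should key on the initiating side; the sample only contains the inbound direction of each probe, so the threshold is applied to source addresses directly.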

Central management and visibility

Amazon Firewall Manager is a security management service that enables you to centrally deploy and manage security policies across your applications, VPCs, and accounts in Amazon Organizations. Amazon Firewall Manager can organize Amazon Network Firewall rule groups into policies that you deploy across your infrastructure, so enforcement scales in a consistent, hierarchical manner. It provides an aggregated view of policy compliance across accounts and automates remediation. As new accounts, resources, and network components are created, Firewall Manager brings them into compliance by enforcing the common set of firewall policies.

Rule management and customization

Amazon Network Firewall runs Suricata-compatible rules from any source: rules developed in house, rules obtained from third-party vendors, and rules taken from open source rule sets.
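To make the rule model in the stateful firewall, web filtering and rule management sections concrete, here is an added example, not Amazon's code, of how a small Suricata-compatible rule group is read and applied. It parses the rule header (action, protocol, source, source port, direction arrow, destination, destination port) and a few options, then evaluates constructed flows using the service's default action order (pass, then drop, then reject, then alert). It covers the outbound SMB block from the overview, an SNI block that applies regardless of port, an HTTP Host allow, and a bidirectional (`<>`) rule. The HOME_NET CIDR, the rule text, the signature IDs and the flows are all assumptions made for this example, and only the msg, sid, tls.sni, http.host, content, startswith and endswith keywords are modelled.

```python
"""Toy model of Suricata-compatible stateful rule evaluation (added example)."""
import ipaddress
import re
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("10.0.0.0/8")        # assumed VPC address space
ACTION_ORDER = ("pass", "drop", "reject", "alert")   # default (non-strict) action order

# Constructed rule group: block outbound SMB by port, block one TLS destination by
# SNI on any port, allow one HTTP host, and log all other TCP in either direction.
RULES = """
drop tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"Block outbound SMB"; sid:1000001; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Block TLS to blocked.example"; tls.sni; content:"blocked.example"; endswith; sid:1000002; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (msg:"Allow www.example.com over HTTP"; http.host; content:"www.example.com"; sid:1000003; rev:1;)
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"Log other TCP"; sid:1000004; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>pass|drop|reject|alert)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"    # transport protocol
    app_proto: str = ""   # application protocol detected from the traffic ("tls", "http", ...)
    sni: str = ""         # TLS ClientHello SNI, if any
    host: str = ""        # HTTP Host header, if any


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str
    sid: int
    buffer_matches: list  # [sticky buffer, content, modifier] triples


def parse_rule(line):
    """Parse one rule line into a Rule; raises ValueError on a malformed header."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    msg, sid, matches, buf = "", 0, [], None
    for opt in (o.strip() for o in m["opts"].split(";") if o.strip()):
        key, _, val = opt.partition(":")
        if key == "msg":
            msg = val.strip('"')
        elif key == "sid":
            sid = int(val)
        elif key in ("tls.sni", "http.host"):
            buf = key                      # sticky buffer: later content applies to it
        elif key == "content":
            matches.append([buf, val.strip('"'), None])
        elif key in ("startswith", "endswith") and matches:
            matches[-1][2] = key
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], msg, sid, matches)


def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def _net_match(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr in HOME_NET
    if spec == "$EXTERNAL_NET":
        return addr not in HOME_NET
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def _header_match(rule, flow):
    # "tls"/"http" match on the detected application protocol, whatever the port.
    if rule.proto not in ("ip", flow.proto, flow.app_proto):
        return False
    fwd = (_net_match(rule.src, flow.src_ip) and _port_match(rule.sport, flow.src_port)
           and _net_match(rule.dst, flow.dst_ip) and _port_match(rule.dport, flow.dst_port))
    if fwd or rule.direction != "<>":
        return fwd
    return (_net_match(rule.src, flow.dst_ip) and _port_match(rule.sport, flow.dst_port)
            and _net_match(rule.dst, flow.src_ip) and _port_match(rule.dport, flow.src_port))


def _buffer_match(rule, flow):
    for buf, content, mod in rule.buffer_matches:
        value = flow.sni if buf == "tls.sni" else flow.host if buf == "http.host" else ""
        if mod == "endswith":
            ok = value.endswith(content)
        elif mod == "startswith":
            ok = value.startswith(content)
        else:
            ok = content in value
        if not ok:
            return False
    return True


def evaluate(rules, flow):
    """Return (winning action, sids of all matching rules) under the default action order."""
    hits = [r for r in rules if _header_match(r, flow) and _buffer_match(r, flow)]
    if not hits:
        return "pass", []   # assumed: no stateful default action configured, so unmatched flows pass
    winner = min(hits, key=lambda r: ACTION_ORDER.index(r.action))
    return winner.action, [r.sid for r in hits]
```

Two points the evaluation makes visible: the SNI rule drops a TLS session to a blocked hostname on port 8443 even though no port is named, and when a drop rule and an alert rule both match, the drop wins while the alert rule's sid is still recorded, which is what produces the alert log entry for the blocked flow.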

Inspect encrypted traffic

Amazon Network Firewall supports Transport Layer Security (TLS) inspection, which strengthens your security posture on the Amazon Web Services Cloud by giving the firewall visibility into encrypted traffic flows. You can use Amazon Network Firewall to decrypt TLS sessions and inspect both inbound and outbound Amazon Virtual Private Cloud (VPC) traffic without deploying or managing any additional network security infrastructure. Decryption, inspection and re-encryption happen natively on the same firewall instance, so decrypted traffic never crosses a network boundary. A TLS inspection configuration references certificates held in Certificate Manager (ACM); for outbound inspection the firewall re-signs server certificates with a CA certificate you provide, so that CA must be trusted by the clients whose traffic is inspected.