AWS::NetworkFirewall::Firewall - AWS CloudFormation

AWS::NetworkFirewall::Firewall

Use the AWS::NetworkFirewall::Firewall resource to provide stateful, managed network firewall and intrusion detection and prevention filtering for your VPCs in Amazon VPC.

The firewall defines the configuration settings for an AWS Network Firewall firewall. The settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall AWS resource.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::NetworkFirewall::Firewall",
  "Properties" : {
      "DeleteProtection" : Boolean,
      "Description" : String,
      "FirewallName" : String,
      "FirewallPolicyArn" : String,
      "FirewallPolicyChangeProtection" : Boolean,
      "SubnetChangeProtection" : Boolean,
      "SubnetMappings" : [ SubnetMapping, ... ],
      "Tags" : [ Tag, ... ],
      "VpcId" : String
    }
}

YAML

Type: AWS::NetworkFirewall::Firewall
Properties:
  DeleteProtection: Boolean
  Description: String
  FirewallName: String
  FirewallPolicyArn: String
  FirewallPolicyChangeProtection: Boolean
  SubnetChangeProtection: Boolean
  SubnetMappings:
    - SubnetMapping
  Tags:
    - Tag
  VpcId: String

Properties

DeleteProtection

A flag indicating whether it is possible to delete the firewall. A setting of TRUE indicates that the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. When you create a firewall, the operation initializes this flag to TRUE.

Required: No

Type: Boolean

Update requires: No interruption

Description

A description of the firewall.

Required: No

Type: String

Pattern: ^.*$

Maximum: 512

Update requires: No interruption

FirewallName

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

Required: Yes

Type: String

Pattern: ^[a-zA-Z0-9-]+$

Minimum: 1

Maximum: 128

Update requires: Replacement

FirewallPolicyArn

The Amazon Resource Name (ARN) of the firewall policy.

The relationship of firewall to firewall policy is many to one. Each firewall requires one firewall policy association, and you can use the same firewall policy for multiple firewalls.

Required: Yes

Type: String

Pattern: ^arn:aws.*$

Minimum: 1

Maximum: 256

Update requires: No interruption

FirewallPolicyChangeProtection

A setting indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.

Required: No

Type: Boolean

Update requires: No interruption

SubnetChangeProtection

A setting indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.

Required: No

Type: Boolean

Update requires: No interruption

SubnetMappings

The public subnets that Network Firewall is using for the firewall. Each subnet must belong to a different Availability Zone.

Required: Yes

Type: Array of SubnetMapping

Minimum: 1

Update requires: No interruption

Tags

An array of key-value pairs to apply to this resource.

For more information, see Tag.

Required: No

Type: Array of Tag

Update requires: No interruption

VpcId

The unique identifier of the VPC where the firewall is in use. You can't change the VPC of a firewall after you create the firewall.

Required: Yes

Type: String

Pattern: ^vpc-[0-9a-f]+$

Minimum: 1

Maximum: 128

Update requires: Replacement
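The constraints above (required properties, patterns, length limits, and the three protection flags that the create operation initializes to TRUE) can be checked before a template is deployed. The following Python script is an added example, not code from the AWS documentation or from CloudFormation itself; it assumes the template is a JSON template already loaded into a dict (YAML short forms such as !Ref need a custom loader and are not handled), skips values that are only known after Ref/Fn:: resolution, and flags any protection flag that the template explicitly sets to false, since an omitted flag keeps the default of TRUE while an explicit false removes the guard rail. The sample template inside the script is constructed for illustration.

```python
"""Pre-deployment check for AWS::NetworkFirewall::Firewall resources.

Added example, not code from the AWS documentation. The template is
assumed to be a JSON template already loaded into a dict (YAML short
forms such as !Ref need a custom loader and are not handled here).
"""
import json
import re

REQUIRED = ("FirewallName", "FirewallPolicyArn", "SubnetMappings", "VpcId")

# Pattern and length limits as listed for each property on this page
# (Description has no documented minimum, so 0 is used).
PATTERNS = {
    "FirewallName": (re.compile(r"^[a-zA-Z0-9-]+$"), 1, 128),
    "FirewallPolicyArn": (re.compile(r"^arn:aws.*$"), 1, 256),
    "VpcId": (re.compile(r"^vpc-[0-9a-f]+$"), 1, 128),
    "Description": (re.compile(r"^.*$"), 0, 512),
}

# Flags the create operation initializes to TRUE when omitted; an explicit
# false in the template is what removes the protection.
PROTECTIONS = ("DeleteProtection", "FirewallPolicyChangeProtection", "SubnetChangeProtection")


def _is_intrinsic(value):
    """True for {"Ref": ...} or {"Fn::...": ...}, which resolve only at deploy time."""
    if not (isinstance(value, dict) and len(value) == 1):
        return False
    key = next(iter(value))
    return key == "Ref" or key.startswith("Fn::")


def _is_false(value):
    """Accept both JSON booleans and the string form CloudFormation allows."""
    return value is False or (isinstance(value, str) and value.lower() == "false")


def check_firewall(logical_id, props):
    """Return a list of findings for one Firewall resource's Properties dict."""
    findings = []
    for name in REQUIRED:
        if name not in props:
            findings.append(f"{logical_id}: missing required property {name}")

    for name, (pattern, lo, hi) in PATTERNS.items():
        value = props.get(name)
        if value is None or _is_intrinsic(value):
            continue  # absent, or only known after Ref/Fn:: resolution
        if not isinstance(value, str) or not pattern.match(value) or not lo <= len(value) <= hi:
            findings.append(f"{logical_id}: {name} value {value!r} violates pattern/length constraints")

    mappings = props.get("SubnetMappings")
    if isinstance(mappings, list):
        if not mappings:
            findings.append(f"{logical_id}: SubnetMappings must contain at least one entry")
        subnet_ids = [m.get("SubnetId") for m in mappings if isinstance(m, dict)]
        if len(subnet_ids) != len(mappings) or None in subnet_ids:
            findings.append(f"{logical_id}: every SubnetMappings entry needs a SubnetId")
        # Serialize so literal IDs and Ref/GetAtt targets are compared alike.
        keys = [json.dumps(s, sort_keys=True) for s in subnet_ids if s is not None]
        if len(set(keys)) != len(keys):
            findings.append(f"{logical_id}: SubnetMappings contains duplicate SubnetId entries")

    for name in PROTECTIONS:
        if _is_false(props.get(name)):
            findings.append(f"{logical_id}: {name} is explicitly disabled")
    return findings


def check_template(template):
    """Run check_firewall over every AWS::NetworkFirewall::Firewall in a template dict."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::NetworkFirewall::Firewall":
            findings.extend(check_firewall(logical_id, resource.get("Properties", {})))
    return findings


# Constructed sample template: one compliant firewall and one with defects.
SAMPLE_TEMPLATE = {
    "Resources": {
        "GoodFirewall": {
            "Type": "AWS::NetworkFirewall::Firewall",
            "Properties": {
                "FirewallName": "prod-egress-fw",
                "FirewallPolicyArn": {"Ref": "EgressPolicy"},
                "VpcId": {"Ref": "EgressVpc"},
                "SubnetMappings": [{"SubnetId": {"Ref": "FwSubnetA"}}, {"SubnetId": {"Ref": "FwSubnetB"}}],
                "DeleteProtection": True,
            },
        },
        "RiskyFirewall": {
            "Type": "AWS::NetworkFirewall::Firewall",
            "Properties": {
                "FirewallName": "lab_fw",  # underscore violates ^[a-zA-Z0-9-]+$
                "FirewallPolicyArn": {"Ref": "LabPolicy"},
                "VpcId": "vpc-0123456789abcdef0",
                "SubnetMappings": [{"SubnetId": "subnet-0aaaa"}, {"SubnetId": "subnet-0aaaa"}],
                "DeleteProtection": False,
                "SubnetChangeProtection": "false",
            },
        },
        "NotAFirewall": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    }
}

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run against the constructed sample, the script reports four findings, all on RiskyFirewall: the invalid FirewallName, the duplicate SubnetId, and the two protection flags that were switched off. Resource IDs supplied through Ref are left for CloudFormation to validate.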

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the firewall. For example:

{ "Ref": "arn:aws:network-firewall:us-east-1:012345678901:firewall/myFirewallName" }

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

EndpointIds

The unique IDs of the firewall endpoints for all of the subnets that you attached to the firewall. The subnets are not listed in any particular order. For example: ["us-west-2c:vpce-111122223333", "us-west-2a:vpce-987654321098", "us-west-2b:vpce-012345678901"].
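Because the list is unordered, selecting an endpoint by list position (for example with Fn::Select) can pair a route table with an endpoint in the wrong Availability Zone. The following Python helper is an added example, not code from the AWS documentation: it parses entries in the "az:vpce-id" form shown in the sample return value into a mapping keyed by Availability Zone, and rejects malformed entries, two endpoints for one zone, or a zone that has no endpoint. The Availability Zone name pattern is an assumption about AWS naming conventions; the input list is constructed from the page's sample.

```python
"""Key the unordered EndpointIds attribute by Availability Zone.

Added example, not code from the AWS documentation. The "az:vpce-id"
entry format follows the sample return value on this page; the AZ name
pattern below is an assumption about AWS naming conventions.
"""
import re

# e.g. "us-west-2c:vpce-111122223333" or "us-gov-west-1a:vpce-0abc..."
ENTRY = re.compile(r"^(?P<az>[a-z]{2}(?:-[a-z]+)+-\d+[a-z]):(?P<vpce>vpce-[0-9a-f]+)$")


def endpoints_by_az(endpoint_ids, expected_azs=None):
    """Return {az: vpce-id}; reject malformed, duplicate or missing AZ entries.

    Route tables are wired per AZ, so the firewall endpoint for a subnet's
    AZ must be chosen by zone name rather than by position in the list.
    """
    by_az = {}
    for entry in endpoint_ids:
        match = ENTRY.match(entry)
        if not match:
            raise ValueError(f"unexpected EndpointIds entry: {entry!r}")
        az, vpce = match.group("az"), match.group("vpce")
        if az in by_az:
            raise ValueError(f"two firewall endpoints reported for {az}")
        by_az[az] = vpce
    if expected_azs is not None:
        missing = sorted(set(expected_azs) - set(by_az))
        if missing:
            raise ValueError(f"no firewall endpoint in {missing}")
    return by_az


# Constructed input, in the shape of the page's sample return value.
SAMPLE_ENDPOINT_IDS = [
    "us-west-2c:vpce-111122223333",
    "us-west-2a:vpce-987654321098",
    "us-west-2b:vpce-012345678901",
]

if __name__ == "__main__":
    for az, vpce in sorted(endpoints_by_az(SAMPLE_ENDPOINT_IDS).items()):
        print(f"{az} -> {vpce}")
```

Passing the list of zones your route tables cover as expected_azs turns a missing endpoint into an error at wiring time instead of a silently unprotected subnet.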

FirewallArn

The Amazon Resource Name (ARN) of the AWS::NetworkFirewall::Firewall.

FirewallId

The name of the AWS::NetworkFirewall::Firewall resource.

Examples

Create a firewall

The following shows example firewall specifications.

JSON

"SampleFirewall": {
  "Type": "AWS::NetworkFirewall::Firewall",
  "Properties": {
    "FirewallName": "SampleFirewallName",
    "FirewallPolicyArn": { "Ref": "SampleFirewallPolicy" },
    "VpcId": { "Ref": "SampleVPC" },
    "SubnetMappings": [
      { "SubnetId": { "Ref": "SampleSubnet1" } },
      { "SubnetId": { "Ref": "SampleSubnet2" } }
    ],
    "Description": "Firewall description goes here",
    "Tags": [
      { "Key": "Foo", "Value": "Bar" }
    ]
  }
}

YAML

SampleFirewall:
  Type: AWS::NetworkFirewall::Firewall
  Properties:
    FirewallName: SampleFirewallName
    FirewallPolicyArn: !Ref SampleFirewallPolicy
    VpcId: !Ref SampleVPC
    SubnetMappings:
      - SubnetId: !Ref SampleSubnet1
      - SubnetId: !Ref SampleSubnet2
    Description: Firewall description goes here
    Tags:
      - Key: Foo
        Value: Bar