To install and use an AWS Network Firewall firewall in your Amazon Virtual Private Cloud VPC, you configure the firewall components and your VPC's subnets and route tables in the following high-level steps.
-
Configure the VPC subnets for your firewall endpoints – In your VPC, in each Availability Zone where you want a firewall endpoint, create a subnet specifically for use by Network Firewall. A firewall endpoint can't protect applications that run in the same subnet, so reserve these subnets for exclusive use by the firewall. The subnets that you use for your firewall endpoints must belong to a single AWS Region and must be in different Availability Zones within the Region. Network Firewall is available in the Regions listed at AWS service endpoints.
For information about managing subnets in your VPC, see VPCs and subnets in the Amazon Virtual Private Cloud User Guide.
-
Create the firewall – Create a Network Firewall firewall and provide it with the specifications for each of your firewall subnets. Network Firewall creates a firewall endpoint in each subnet that you specify, available to monitor and protect the resources for the subnets whose traffic you send through it.
-
Configure the firewall policy – Define the firewall policy for your firewall by specifying its rule groups and other behavior that you want the firewall to provide.
-
Modify your VPC route tables to include the firewall – Using Amazon VPC ingress routing enhancements, change your routing tables to route traffic through the Network Firewall firewall. These changes must insert the firewall between the subnets that you want to protect and outside locations. The exact routing that you need to do depends on your architecture and its components.
For information about managing route tables for your VPC, see Route tables in the Amazon Virtual Private Cloud User Guide.
