AWS Network Firewall endpoints and quotas - AWS General Reference

AWS Network Firewall endpoints and quotas

The following are the service endpoints and service quotas for this service. To connect programmatically to an AWS service, you use an endpoint. In addition to the standard AWS endpoints, some AWS services offer FIPS endpoints in selected Regions. For more information, see AWS service endpoints. Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account. For more information, see AWS service quotas.

Service endpoints

Region Name Region Endpoint Protocol
US East (Ohio) us-east-2 network-firewall.us-east-2.amazonaws.com HTTPS
US East (Ohio) us-east-2 network-firewall-fips.us-east-2.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 network-firewall.us-east-1.amazonaws.com HTTPS
US East (N. Virginia) us-east-1 network-firewall-fips.us-east-1.amazonaws.com HTTPS
US West (N. California) us-west-1 network-firewall.us-west-1.amazonaws.com HTTPS
US West (N. California) us-west-1 network-firewall-fips.us-west-1.amazonaws.com HTTPS
US West (Oregon) us-west-2 network-firewall.us-west-2.amazonaws.com HTTPS
US West (Oregon) us-west-2 network-firewall-fips.us-west-2.amazonaws.com HTTPS
Africa (Cape Town) af-south-1 network-firewall.af-south-1.amazonaws.com HTTPS
Asia Pacific (Hong Kong) ap-east-1 network-firewall.ap-east-1.amazonaws.com HTTPS
Asia Pacific (Hyderabad) ap-south-2 network-firewall.ap-south-2.amazonaws.com HTTPS
Asia Pacific (Jakarta) ap-southeast-3 network-firewall.ap-southeast-3.amazonaws.com HTTPS
Asia Pacific (Melbourne) ap-southeast-4 network-firewall.ap-southeast-4.amazonaws.com HTTPS
Asia Pacific (Mumbai) ap-south-1 network-firewall.ap-south-1.amazonaws.com HTTPS
Asia Pacific (Osaka) ap-northeast-3 network-firewall.ap-northeast-3.amazonaws.com HTTPS
Asia Pacific (Seoul) ap-northeast-2 network-firewall.ap-northeast-2.amazonaws.com HTTPS
Asia Pacific (Singapore) ap-southeast-1 network-firewall.ap-southeast-1.amazonaws.com HTTPS
Asia Pacific (Sydney) ap-southeast-2 network-firewall.ap-southeast-2.amazonaws.com HTTPS
Asia Pacific (Tokyo) ap-northeast-1 network-firewall.ap-northeast-1.amazonaws.com HTTPS
Canada (Central) ca-central-1 network-firewall.ca-central-1.amazonaws.com HTTPS
Canada (Central) ca-central-1 network-firewall-fips.ca-central-1.amazonaws.com HTTPS
Canada West (Calgary) ca-west-1 network-firewall.ca-west-1.amazonaws.com HTTPS
Europe (Frankfurt) eu-central-1 network-firewall.eu-central-1.amazonaws.com HTTPS
Europe (Ireland) eu-west-1 network-firewall.eu-west-1.amazonaws.com HTTPS
Europe (London) eu-west-2 network-firewall.eu-west-2.amazonaws.com HTTPS
Europe (Milan) eu-south-1 network-firewall.eu-south-1.amazonaws.com HTTPS
Europe (Paris) eu-west-3 network-firewall.eu-west-3.amazonaws.com HTTPS
Europe (Spain) eu-south-2 network-firewall.eu-south-2.amazonaws.com HTTPS
Europe (Stockholm) eu-north-1 network-firewall.eu-north-1.amazonaws.com HTTPS
Europe (Zurich) eu-central-2 network-firewall.eu-central-2.amazonaws.com HTTPS
Israel (Tel Aviv) il-central-1 network-firewall.il-central-1.amazonaws.com HTTPS
Middle East (Bahrain) me-south-1 network-firewall.me-south-1.amazonaws.com HTTPS
Middle East (UAE) me-central-1 network-firewall.me-central-1.amazonaws.com HTTPS
South America (São Paulo) sa-east-1 network-firewall.sa-east-1.amazonaws.com HTTPS
AWS GovCloud (US-East) us-gov-east-1 network-firewall.us-gov-east-1.amazonaws.com HTTPS
AWS GovCloud (US-East) us-gov-east-1 network-firewall-fips.us-gov-east-1.amazonaws.com HTTPS
AWS GovCloud (US-West) us-gov-west-1 network-firewall.us-gov-west-1.amazonaws.com HTTPS
AWS GovCloud (US-West) us-gov-west-1 network-firewall-fips.us-gov-west-1.amazonaws.com HTTPS

Service quotas

Name Default Adjustable Description
CA certificates per TLS configuration Each supported Region: 1 No The maximum number of certificate authority (CA) certificates for a TLS inspection configuration. CA certificates are used for outbound SSL/TLS inspection.
Firewall policies Each supported Region: 20 Yes The maximum number of firewall policies per account per Region.
Firewalls Each supported Region: 5 Yes The maximum number of firewalls per account per Region.
IP set references per Suricata compatible stateful rule group Each supported Region: 5 No The maximum number of IP set references per Suricata compatible stateful rule group.
Network traffic bandwidth per firewall endpoint Each supported Region: 100 No The maximum network traffic bandwidth, in Gbps, for any firewall endpoint. If you require more traffic bandwidth, you can split your resources into subnets and create a firewall in each subnet.
Number of firewalls that can use the same policy Each supported Region: 1,000 No The maximum number of firewalls that can use the same firewall policy.
Number of policies that can use the same rule group Each supported Region: 1,000 No The maximum number of firewall policies that can use the same rule group.
Number of policies using a TLS inspection configuration Each supported Region: 1,000 No The maximum number of firewall policies that can use the same TLS inspection configuration.
Required firewall policies per firewall Each supported Region: 1 No The required number of firewall policies per firewall.
Resource filters Each supported Region: 50 Yes The maximum number of resource filters per account per Region.
Server certificates per TLS configuration Each supported Region: 10 No The maximum number of server certificates for a TLS inspection configuration. Server certificates are used for inbound SSL/TLS inspection.
Stateful rule group capacity Each supported Region: 30,000 No The maximum stateful rule group capacity.
Stateful rule groups per policy Each supported Region: 20 No The maximum number of stateful rule groups per firewall policy.
Stateful rulegroups Each supported Region: 50 Yes The maximum number of stateful rule groups per account per Region.
Stateful rules per policy Each supported Region: 30,000 Yes The maximum number of stateful rules per firewall policy. This is the total across all rule groups that are referenced by the policy. You can increase this up to 50,000, but higher settings might impact firewall performance.
Stateless rule group capacity Each supported Region: 30,000 No The maximum stateless rule group capacity.
Stateless rule group custom actions Each supported Region: 10 No The maximum number of custom actions per stateless rule group.
Stateless rule groups per policy Each supported Region: 20 No The maximum number of stateless rule groups per firewall policy.
Stateless rulegroups Each supported Region: 50 Yes The maximum number of stateless rule groups per account per Region.
Stateless rules per policy Each supported Region: 30,000 No The maximum number of stateless rules per firewall policy. This is the total across all rule groups that are referenced by the policy.
Suricata rule character length Each supported Region: 8,192 No The maximum character length of a Suricata rule. Each variable value in the rule counts toward this limit.
Suricata rules string size Each supported Region: 2,000,000 No The maximum size of a Suricata-compatible rules string for a rule group, in bytes.
TLS configurations Each supported Region: 20 Yes The maximum number of TLS configurations per account per Region.
TLS inspection configurations per policy Each supported Region: 1 No The maximum number of TLS inspection configurations per policy.

For more information, see AWS Network Firewall quotas in the Network Firewall Developer Guide.