AWS Network Firewall endpoints and quotas
The following are the service endpoints and service quotas for this service. To connect programmatically to an AWS service, you use an endpoint. In addition to the standard AWS endpoints, some AWS services offer FIPS endpoints in selected Regions. For more information, see AWS service endpoints. Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account. For more information, see AWS service quotas.
Service endpoints
Region Name | Region | Endpoint | Protocol |
---|---|---|---|
US East (Ohio) | us-east-2 | network-firewall.us-east-2.amazonaws.com | HTTPS |
US East (Ohio) | us-east-2 | network-firewall-fips.us-east-2.amazonaws.com | HTTPS |
US East (N. Virginia) | us-east-1 | network-firewall.us-east-1.amazonaws.com | HTTPS |
US East (N. Virginia) | us-east-1 | network-firewall-fips.us-east-1.amazonaws.com | HTTPS |
US West (N. California) | us-west-1 | network-firewall.us-west-1.amazonaws.com | HTTPS |
US West (N. California) | us-west-1 | network-firewall-fips.us-west-1.amazonaws.com | HTTPS |
US West (Oregon) | us-west-2 | network-firewall.us-west-2.amazonaws.com | HTTPS |
US West (Oregon) | us-west-2 | network-firewall-fips.us-west-2.amazonaws.com | HTTPS |
Africa (Cape Town) | af-south-1 | network-firewall.af-south-1.amazonaws.com | HTTPS |
Asia Pacific (Hong Kong) | ap-east-1 | network-firewall.ap-east-1.amazonaws.com | HTTPS |
Asia Pacific (Hyderabad) | ap-south-2 | network-firewall.ap-south-2.amazonaws.com | HTTPS |
Asia Pacific (Jakarta) | ap-southeast-3 | network-firewall.ap-southeast-3.amazonaws.com | HTTPS |
Asia Pacific (Melbourne) | ap-southeast-4 | network-firewall.ap-southeast-4.amazonaws.com | HTTPS |
Asia Pacific (Mumbai) | ap-south-1 | network-firewall.ap-south-1.amazonaws.com | HTTPS |
Asia Pacific (Osaka) | ap-northeast-3 | network-firewall.ap-northeast-3.amazonaws.com | HTTPS |
Asia Pacific (Seoul) | ap-northeast-2 | network-firewall.ap-northeast-2.amazonaws.com | HTTPS |
Asia Pacific (Singapore) | ap-southeast-1 | network-firewall.ap-southeast-1.amazonaws.com | HTTPS |
Asia Pacific (Sydney) | ap-southeast-2 | network-firewall.ap-southeast-2.amazonaws.com | HTTPS |
Asia Pacific (Tokyo) | ap-northeast-1 | network-firewall.ap-northeast-1.amazonaws.com | HTTPS |
Canada (Central) | ca-central-1 | network-firewall.ca-central-1.amazonaws.com | HTTPS |
Canada (Central) | ca-central-1 | network-firewall-fips.ca-central-1.amazonaws.com | HTTPS |
Canada West (Calgary) | ca-west-1 | network-firewall.ca-west-1.amazonaws.com | HTTPS |
Europe (Frankfurt) | eu-central-1 | network-firewall.eu-central-1.amazonaws.com | HTTPS |
Europe (Ireland) | eu-west-1 | network-firewall.eu-west-1.amazonaws.com | HTTPS |
Europe (London) | eu-west-2 | network-firewall.eu-west-2.amazonaws.com | HTTPS |
Europe (Milan) | eu-south-1 | network-firewall.eu-south-1.amazonaws.com | HTTPS |
Europe (Paris) | eu-west-3 | network-firewall.eu-west-3.amazonaws.com | HTTPS |
Europe (Spain) | eu-south-2 | network-firewall.eu-south-2.amazonaws.com | HTTPS |
Europe (Stockholm) | eu-north-1 | network-firewall.eu-north-1.amazonaws.com | HTTPS |
Europe (Zurich) | eu-central-2 | network-firewall.eu-central-2.amazonaws.com | HTTPS |
Israel (Tel Aviv) | il-central-1 | network-firewall.il-central-1.amazonaws.com | HTTPS |
Middle East (Bahrain) | me-south-1 | network-firewall.me-south-1.amazonaws.com | HTTPS |
Middle East (UAE) | me-central-1 | network-firewall.me-central-1.amazonaws.com | HTTPS |
South America (São Paulo) | sa-east-1 | network-firewall.sa-east-1.amazonaws.com | HTTPS |
AWS GovCloud (US-East) | us-gov-east-1 | network-firewall.us-gov-east-1.amazonaws.com | HTTPS |
AWS GovCloud (US-East) | us-gov-east-1 | network-firewall-fips.us-gov-east-1.amazonaws.com | HTTPS |
AWS GovCloud (US-West) | us-gov-west-1 | network-firewall.us-gov-west-1.amazonaws.com | HTTPS |
AWS GovCloud (US-West) | us-gov-west-1 | network-firewall-fips.us-gov-west-1.amazonaws.com | HTTPS |
Service quotas
Name | Default | Adjustable | Description |
---|---|---|---|
CA certificates per TLS configuration | Each supported Region: 1 | No | The maximum number of certificate authority (CA) certificates for a TLS inspection configuration. CA certificates are used for outbound SSL/TLS inspection. |
Firewall policies | Each supported Region: 20 | Yes | The maximum number of firewall policies per account per Region. |
Firewalls | Each supported Region: 5 | Yes | The maximum number of firewalls per account per Region. |
IP set references per Suricata compatible stateful rule group | Each supported Region: 5 | No | The maximum number of IP set references per Suricata compatible stateful rule group. |
Network traffic bandwidth per firewall endpoint | Each supported Region: 100 | No | The maximum network traffic bandwidth, in Gbps, for any firewall endpoint. If you require more traffic bandwidth, you can split your resources into subnets and create a firewall in each subnet. |
Number of firewalls that can use the same policy | Each supported Region: 1,000 | No | The maximum number of firewalls that can use the same firewall policy. |
Number of policies that can use the same rule group | Each supported Region: 1,000 | No | The maximum number of firewall policies that can use the same rule group. |
Number of policies using a TLS inspection configuration | Each supported Region: 1,000 | No | The maximum number of firewall policies that can use the same TLS inspection configuration. |
Required firewall policies per firewall | Each supported Region: 1 | No | The required number of firewall policies per firewall. |
Resource filters | Each supported Region: 50 | Yes | The maximum number of resource filters per account per Region. |
Server certificates per TLS configuration | Each supported Region: 10 | No | The maximum number of server certificates for a TLS inspection configuration. Server certificates are used for inbound SSL/TLS inspection. |
Stateful rule group capacity | Each supported Region: 30,000 | No | The maximum stateful rule group capacity. |
Stateful rule groups per policy | Each supported Region: 20 | No | The maximum number of stateful rule groups per firewall policy. |
Stateful rulegroups | Each supported Region: 50 | Yes | The maximum number of stateful rule groups per account per Region. |
Stateful rules per policy | Each supported Region: 30,000 | Yes | The maximum number of stateful rules per firewall policy. This is the total across all rule groups that are referenced by the policy. You can increase this up to 50,000, but higher settings might impact firewall performance. |
Stateless rule group capacity | Each supported Region: 30,000 | No | The maximum stateless rule group capacity. |
Stateless rule group custom actions | Each supported Region: 10 | No | The maximum number of custom actions per stateless rule group. |
Stateless rule groups per policy | Each supported Region: 20 | No | The maximum number of stateless rule groups per firewall policy. |
Stateless rulegroups | Each supported Region: 50 | Yes | The maximum number of stateless rule groups per account per Region. |
Stateless rules per policy | Each supported Region: 30,000 | No | The maximum number of stateless rules per firewall policy. This is the total across all rule groups that are referenced by the policy. |
Suricata rule character length | Each supported Region: 8,192 | No | The maximum character length of a Suricata rule. Each variable value in the rule counts toward this limit. |
Suricata rules string size | Each supported Region: 2,000,000 | No | The maximum size of a Suricata-compatible rules string for a rule group, in bytes. |
TLS configurations | Each supported Region: 20 | Yes | The maximum number of TLS configurations per account per Region. |
TLS inspection configurations per policy | Each supported Region: 1 | No | The maximum number of TLS inspection configurations per policy. |
For more information, see AWS Network Firewall quotas in the Network Firewall Developer Guide.