Automate the process of provisioning a centralized AWS Network Firewall to inspect traffic between your Amazon VPCs

Publication date: February 2021 (last update: July 2024)

Centralized Network Inspection on AWS configures the Amazon Web Services (AWS) resources needed to filter network traffic. With this solution, you can inspect hundreds or thousands of Amazon Virtual Private Cloud (Amazon VPC) environments and accounts in one place. This solution saves you time by automating the process of provisioning a centralized AWS Network Firewall to inspect traffic between VPCs. You can also centrally configure and manage your firewall, firewall policies, and rule groups.

This solution uses Network Firewall to provide granular visibility and control of your network traffic. This allows you to accomplish network segmentation, egress domain filtering, and intrusion prevention through event-driven logging. You can use Network Firewall to filter network traffic at the perimeter of your VPCs. Network Firewall automatically scales with network traffic to provide high availability protections without the need to set up or maintain the underlying infrastructure. This solution also helps you collaborate and manage the changes to the Network Firewall configuration by using a GitOps workflow.

This implementation guide provides an overview of the Centralized Network Inspection on AWS solution, its reference architecture and components, considerations for planning the deployment, and configuration steps for deploying the solution to the AWS Cloud.

The intended audience for using this solution's features and capabilities in their environment includes solution architects, DevOps engineers, security engineers, and cloud professionals.

Use this navigation table to quickly find answers to these questions:

If you want to . . . Read . . .

Know the cost for running this solution. The estimated cost for running this solution in the US East (N. Virginia) Region is USD $620.55 per month for AWS resources. Cost
Understand the security considerations for this solution. Security
Know how to plan for quotas for this solution. Quotas
Know which AWS Regions support this solution. Supported AWS Regions
View or download the AWS CloudFormation template included in this solution to automatically deploy the infrastructure resources (the "stack") for this solution. AWS CloudFormation template
Access the source code and optionally use the AWS Cloud Development Kit (AWS CDK) to deploy the solution. GitHub repository