Configuring your VPC and other components for AWS Network Firewall - AWS Network Firewall

This section describes the changes that you must make in your VPC configuration and other components to use AWS Network Firewall. For information about managing your Amazon Virtual Private Cloud VPC, see the Amazon Virtual Private Cloud User Guide.

For examples of architectures that are supported by Network Firewall, see Architecture and routing examples.

Unsupported architectures

The following list shows the architectures and traffic types that Network Firewall doesn't support:

  • VPC peering.

  • Inspection of AWS Global Accelerator traffic.

  • Inspection of AmazonProvidedDNS traffic for Amazon EC2.

VPC subnet configuration for AWS Network Firewall

When you associate a firewall to your VPC, you must provide a subnet for each Availability Zone where you want to place a firewall endpoint to filter traffic. A common configuration is to have a firewall endpoint in each zone where you have customer subnets that you want to protect, but you can also have a firewall endpoint filter traffic from multiple zones. When you create the firewall, Network Firewall adds a firewall endpoint to each of the designated subnets. Each firewall endpoint uses the firewall's associated firewall policy configuration to filter traffic that you route through it.

To prepare your VPC for your Network Firewall firewall, in each Availability Zone where you want a firewall endpoint, create a subnet for the endpoint. Each subnet must have at least one IP address available. You can't change the IP address type after you create the subnet.

Network Firewall supports up to 100 Gbps of network traffic per firewall endpoint. If you require more traffic bandwidth, you can split your resources into subnets and create a Network Firewall firewall in each subnet.

Note

Reserve these firewall subnets for the exclusive use of Network Firewall. A firewall endpoint can't filter traffic coming into or going out of the subnet in which it resides, so don't place other applications in the firewall endpoint subnets.

For information about managing subnets in your VPC, see VPCs and subnets in the Amazon Virtual Private Cloud User Guide.

When you create your Network Firewall firewall, you must provide at least one zone and subnet for the firewall configuration. You can add and remove subnets after you create a firewall.

VPC route table configuration for AWS Network Firewall

After you create your firewall, you reroute your VPC network traffic through the firewall endpoints so they can start filtering traffic. Perform the following steps:

  1. Review the route table configurations in your VPC Availability Zones for the subnets that you want to protect and for any location that sends traffic to the subnets or receives traffic from them.

  2. Determine which traffic you want the firewall to filter and insert your firewall endpoints into the traffic flow. Network Firewall supports up to 100 Gbps of network traffic per firewall endpoint. If you want to filter both incoming and outgoing traffic, update the route tables for both directions of traffic flow.

For example, suppose you wanted to filter traffic that's currently routed between a customer subnet and an internet gateway. You would update your route table configuration as follows to insert a firewall endpoint into the traffic flow:

  1. Change the customer subnet route table so that it directs internet-bound traffic to the firewall endpoint.

  2. Change the internet gateway route table so that it directs traffic that's bound for the customer subnet to the firewall endpoint.

  3. Create a route table for the firewall endpoint so that it directs internet-bound traffic to the internet gateway and directs traffic that's bound for any destination inside the VPC to the destination specification local.

In this way, the firewall endpoint sits between the customer subnet and the internet gateway and can filter all incoming and outgoing traffic for the customer subnet.
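The following is an added example, not code from the AWS documentation: a small Python model of the three route tables described above, using longest-prefix matching as a VPC route table does, so you can check before deploying that both the outbound and the return path actually pass through the firewall endpoint. The CIDRs and the vpce-/igw- IDs are constructed placeholders.

```python
import ipaddress

# Constructed addressing and placeholder resource IDs (not from the page).
VPC_CIDR = "10.0.0.0/16"
CUSTOMER_SUBNET = "10.0.1.0/24"
FW_ENDPOINT = "vpce-fw-example"   # placeholder firewall endpoint ID
IGW = "igw-example"               # placeholder internet gateway ID

# Route tables after the three changes described above. Each table maps
# destination CIDR -> target; "local" means delivery inside the VPC.
ROUTE_TABLES = {
    "customer-rt": {VPC_CIDR: "local", "0.0.0.0/0": FW_ENDPOINT},
    "igw-rt":      {VPC_CIDR: "local", CUSTOMER_SUBNET: FW_ENDPOINT},  # edge association
    "firewall-rt": {VPC_CIDR: "local", "0.0.0.0/0": IGW},
}
# A packet handed to the firewall endpoint is routed next by the firewall subnet's table.
NEXT_TABLE = {FW_ENDPOINT: "firewall-rt"}

def lookup(table, dst):
    """Longest-prefix match over one route table, as a VPC route table does it."""
    addr, best = ipaddress.ip_address(dst), None
    for cidr, target in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(tables, start_table, dst, max_hops=8):
    """Follow a packet from a route table until it is delivered locally or leaves via the IGW."""
    hops, table = [], start_table
    while len(hops) < max_hops:
        target = lookup(tables[table], dst)
        hops.append(target)
        if target not in NEXT_TABLE:
            return hops
        table = NEXT_TABLE[target]
    raise RuntimeError("routing loop: " + " -> ".join(hops))

def inspected_both_ways(tables, internet_ip, customer_ip):
    """True only if egress and the matching ingress path both pass the firewall endpoint."""
    egress = trace(tables, "customer-rt", internet_ip)
    ingress = trace(tables, "igw-rt", customer_ip)
    return FW_ENDPOINT in egress and FW_ENDPOINT in ingress

# The same layout with step 2 skipped: inbound traffic bypasses the firewall.
MISSING_EDGE_ROUTE = dict(ROUTE_TABLES, **{"igw-rt": {VPC_CIDR: "local"}})

if __name__ == "__main__":
    print(trace(ROUTE_TABLES, "customer-rt", "203.0.113.10"))  # ['vpce-fw-example', 'igw-example']
    print(trace(ROUTE_TABLES, "igw-rt", "10.0.1.25"))          # ['vpce-fw-example', 'local']
    print(inspected_both_ways(ROUTE_TABLES, "203.0.113.10", "10.0.1.25"))       # True
    print(inspected_both_ways(MISSING_EDGE_ROUTE, "203.0.113.10", "10.0.1.25"))  # False
```

The MISSING_EDGE_ROUTE case shows why step 2 matters: without the internet gateway route table entry, the reply path is delivered straight to the customer subnet and only half the flow is inspected.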

For an overview of common Network Firewall architectures, with example route table configurations, see Architecture and routing examples.

For information about managing route tables for your VPC, see Route tables in the Amazon Virtual Private Cloud User Guide.

Transit gateway attachment configuration for AWS Network Firewall

This section applies to the use of Network Firewall with a transit gateway in multiple Availability Zones where the firewall endpoints might reside in different Availability Zones than the subnets whose traffic they're filtering.

Note

To use this configuration, you must enable appliance mode on the transit gateway VPC attachment for any VPC where Network Firewall endpoints reside.

A Network Firewall endpoint is a stateful network appliance. Enabling appliance mode ensures that the transit gateway continues to use the same Availability Zone for the VPC attachment over the lifetime of a flow of traffic between source and destination.
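As an added example (not AWS code), the following Python audit reports transit gateway VPC attachments for firewall VPCs where appliance mode is not enabled, and builds the parameters for the EC2 ModifyTransitGatewayVpcAttachment call that enables it. The response data is a constructed sample in the shape of DescribeTransitGatewayVpcAttachments output, and all resource IDs are placeholders.

```python
# Constructed sample in the shape of the EC2 DescribeTransitGatewayVpcAttachments
# response. Attachment and VPC IDs are placeholders, not real resources.
ATTACHMENTS = {
    "TransitGatewayVpcAttachments": [
        {"TransitGatewayAttachmentId": "tgw-attach-fw-example", "VpcId": "vpc-fw-example",
         "State": "available", "Options": {"ApplianceModeSupport": "disable"}},
        {"TransitGatewayAttachmentId": "tgw-attach-spoke-example", "VpcId": "vpc-spoke-example",
         "State": "available", "Options": {"ApplianceModeSupport": "disable"}},
        {"TransitGatewayAttachmentId": "tgw-attach-fw2-example", "VpcId": "vpc-fw2-example",
         "State": "available", "Options": {"ApplianceModeSupport": "enable"}},
    ]
}

def attachments_missing_appliance_mode(response, firewall_vpc_ids):
    """Return attachment IDs of firewall VPCs whose appliance mode is not 'enable'."""
    missing = []
    for att in response.get("TransitGatewayVpcAttachments", []):
        if att.get("VpcId") not in firewall_vpc_ids:
            continue  # appliance mode is only required where firewall endpoints reside
        if att.get("Options", {}).get("ApplianceModeSupport") != "enable":
            missing.append(att["TransitGatewayAttachmentId"])
    return missing

def enable_appliance_mode_params(attachment_id):
    """Parameters for ec2.modify_transit_gateway_vpc_attachment (boto3) to fix one attachment."""
    return {"TransitGatewayAttachmentId": attachment_id,
            "Options": {"ApplianceModeSupport": "enable"}}

if __name__ == "__main__":
    # Assumed: the set of VPCs where Network Firewall endpoints reside is known to the caller.
    for att_id in attachments_missing_appliance_mode(ATTACHMENTS, {"vpc-fw-example", "vpc-fw2-example"}):
        print("appliance mode disabled:", att_id, enable_appliance_mode_params(att_id))
```

Spoke VPCs without firewall endpoints are deliberately skipped; only the attachments the note above requires are reported.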

For information about VPC transit gateways, see the guide Amazon Virtual Private Cloud Transit Gateways.

For information about appliance mode and how to enable it in your attachments, see Availability Zones and Example: Appliance in a shared services VPC.