Skip to content

API for AWS Network Firewall

ABAP Package /AWS1/API_NWF_IMPL
ABAP SDK "TLA" NWF
ABAP Interface /AWS1/IF_NWF

The "TLA" is a Three Letter Abbreviation that appears in ABAP class names, data dictionary objects and other ABAP objects throughout the AWS SDK for SAP ABAP. The TLA for AWS Network Firewall is NWF. This TLA helps squeeze ABAP objects into the 30-character length limit of the ABAP data dictionary.

Installation

To install the AWS SDK for SAP ABAP, import the Core transport, along with the transport for the Network Firewall module and other API modules you are interested in. A few modules are included in the Core transport itself. For more information, see the Developer Guide guide.

About The Service

This is the API Reference for Network Firewall. This guide is for developers who need detailed information about the Network Firewall API actions, data types, and errors.

  • The REST API requires you to handle connection details, such as calculating signatures, handling request retries, and error handling. For general information about using the Amazon Web Services REST APIs, see Amazon Web Services APIs.

    To access Network Firewall using the REST API endpoint: https://network-firewall..amazonaws.com

  • Alternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see Amazon Web Services SDKs.

  • For descriptions of Network Firewall features, including and step-by-step instructions on how to use them through the Network Firewall console, see the Network Firewall Developer Guide.

Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source network analysis and threat detection engine. Network Firewall supports Suricata version 6.0.9. For information about Suricata, see the Suricata website.

You can use Network Firewall to monitor and protect your VPC traffic in a number of ways. The following are just a few examples:

  • Allow domains or IP addresses for known Amazon Web Services service endpoints, such as Amazon S3, and block all other forms of traffic.

  • Use custom lists of known bad domains to limit the types of domain names that your applications can access.

  • Perform deep packet inspection on traffic entering or leaving your VPC.

  • Use stateful protocol detection to filter protocols like HTTPS, regardless of the port used.

To enable Network Firewall for your VPCs, you perform steps in both Amazon VPC and in Network Firewall. For information about using Amazon VPC, see Amazon VPC User Guide.

To start using Network Firewall, do the following:

  1. (Optional) If you don't already have a VPC that you want to protect, create it in Amazon VPC.

  2. In Amazon VPC, in each Availability Zone where you want to have a firewall endpoint, create a subnet for the sole use of Network Firewall.

  3. In Network Firewall, create stateless and stateful rule groups, to define the components of the network traffic filtering behavior that you want your firewall to have.

  4. In Network Firewall, create a firewall policy that uses your rule groups and specifies additional default traffic filtering behavior.

  5. In Network Firewall, create a firewall and specify your new firewall policy and VPC subnets. Network Firewall creates a firewall endpoint in each subnet that you specify, with the behavior that's defined in the firewall policy.

  6. In Amazon VPC, use ingress routing enhancements to route traffic through the new firewall endpoints.

Using the SDK

In your code, create a client using the SDK module for AWS Network Firewall, which is created with factory method /AWS1/CL_NWF_FACTORY=>create(). In this example we will assume you have configured an SDK profile in transaction /AWS1/IMG called ZFINANCE.

DATA(go_session)   = /aws1/cl_rt_session_aws=>create( 'ZFINANCE' ).
DATA(go_nwf)       = /aws1/cl_nwf_factory=>create( go_session ).

Your variable go_nwf is an instance of /AWS1/IF_NWF, and all of the operations in the AWS Network Firewall service are accessed by calling methods in /AWS1/IF_NWF.

API Operations

For an overview of ABAP method calls corresponding to API operations in AWS Network Firewall, see the Operation List.

Factory Method

/AWS1/CL_NWF_FACTORY=>create( )

Creates an object of type /AWS1/IF_NWF.

IMPORTING

Optional arguments:

IV_PROTOCOL TYPE /AWS1/RT_PROTOCOL

IO_SESSION TYPE REF TO /AWS1/CL_RT_SESSION_BASE

IV_REGION TYPE /AWS1/RT_REGION_ID

IV_CUSTOM_ENDPOINT TYPE /AWS1/RT_ENDPOINT

RETURNING

OO_CLIENT TYPE REF TO /AWS1/IF_NWF

/AWS1/IF_NWF represents the ABAP client for the Network Firewall service, representing each operation as a method call. For more information see the API Page page.

Configuring Programmatically

DATA(lo_config) = DATA(go_nwf)->get_config( ).

lo_config is a variable of type /AWS1/CL_NWF_CONFIG. See the documentation for /AWS1/CL_NWF_CONFIG for details on the settings that can be configured.

Paginators

Paginators for AWS Network Firewall can be created via get_paginator() which returns a paginator object of type /AWS1/IF_NWF_PAGINATOR. The operation method that is being paginated is called using the paginator object, which accepts any necessary parameters to provide to the underlying API operation. This returns an iterator object which can be used to iterate over paginated results using has_next() and get_next() methods.

Details about the paginator methods available for service AWS Network Firewall can be found in interface /AWS1/IF_NWF_PAGINATOR.