/AWS1/IF_NWF=>CREATEFIREWALL()
About CreateFirewall
Creates a Network Firewall Firewall and an accompanying FirewallStatus for a VPC.
The firewall defines the configuration settings for a Network Firewall firewall. The settings that you can define at creation include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall Amazon Web Services resource.
After you create a firewall, you can provide additional settings, like the logging configuration.
To update the settings for a firewall, you use the operations that apply to the settings themselves, for example UpdateLoggingConfiguration, AssociateSubnets, and UpdateFirewallDeleteProtection.
To manage a firewall's tags, use the standard Amazon Web Services resource tagging operations, ListTagsForResource, TagResource, and UntagResource.
To retrieve information about firewalls, use ListFirewalls and DescribeFirewall.
To generate a report on the last 30 days of traffic monitored by a firewall, use StartAnalysisReport.
Method Signature
IMPORTING
Required arguments:
iv_firewallname TYPE /AWS1/NWFRESOURCENAME
The descriptive name of the firewall. You can't change the name of a firewall after you create it.
iv_firewallpolicyarn TYPE /AWS1/NWFRESOURCEARN
The Amazon Resource Name (ARN) of the FirewallPolicy that you want to use for the firewall.
Optional arguments:
iv_vpcid TYPE /AWS1/NWFVPCID
The unique identifier of the VPC where Network Firewall should create the firewall.
You can't change this setting after you create the firewall.
it_subnetmappings TYPE /AWS1/CL_NWFSUBNETMAPPING=>TT_SUBNETMAPPINGS
The public subnets to use for your Network Firewall firewalls. Each subnet must belong to a different Availability Zone in the VPC. Network Firewall creates a firewall endpoint in each subnet.
iv_deleteprotection TYPE /AWS1/NWFBOOLEAN
A flag indicating whether it is possible to delete the firewall. A setting of TRUE indicates that the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. When you create a firewall, the operation initializes this flag to TRUE.
iv_subnetchangeprotection TYPE /AWS1/NWFBOOLEAN
A setting indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.
iv_firewallplychangeprotec00 TYPE /AWS1/NWFBOOLEAN
A setting indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.
iv_description TYPE /AWS1/NWFDESCRIPTION
A description of the firewall.
it_tags TYPE /AWS1/CL_NWFTAG=>TT_TAGLIST
The key:value pairs to associate with the resource.
io_encryptionconfiguration TYPE REF TO /AWS1/CL_NWFENCRYPTIONCONF
A complex type that contains settings for encryption of your firewall resources.
it_enabledanalysistypes TYPE /AWS1/CL_NWFENABLEDALYTYPES_W=>TT_ENABLEDANALYSISTYPES
An optional setting indicating the specific traffic analysis types to enable on the firewall.
iv_transitgatewayid TYPE /AWS1/NWFTRANSITGATEWAYID
Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through Resource Access Manager.
After creating the firewall, you cannot change the transit gateway association. To use a different transit gateway, you must create a new firewall.
For information about creating firewalls, see CreateFirewall. For specific guidance about transit gateway-attached firewalls, see Considerations for transit gateway-attached firewalls in the Network Firewall Developer Guide.
it_availabilityzonemappings TYPE /AWS1/CL_NWFAZMAPPING=>TT_AVAILABILITYZONEMAPPINGS
Required for a transit gateway-attached firewall (not used for a VPC-subnet firewall, which takes it_subnetmappings instead). The Availability Zones where you want to create firewall endpoints for a transit gateway-attached firewall. You must specify at least one Availability Zone. Consider enabling the firewall in every Availability Zone where you have workloads to maintain Availability Zone isolation.
You can modify Availability Zones later using AssociateAvailabilityZones or DisassociateAvailabilityZones, but this may briefly disrupt traffic. The AvailabilityZoneChangeProtection setting controls whether you can make these modifications.
iv_azchangeprotection TYPE /AWS1/NWFBOOLEAN
Optional. A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to TRUE, you cannot add or remove Availability Zones without first disabling this protection using UpdateAvailabilityZoneChangeProtection. Default value: FALSE
RETURNING
oo_output TYPE REF TO /AWS1/CL_NWFCREATEFIREWALLRSP
Examples
Syntax Example
This is an example of the syntax for calling the method. It includes every possible argument and initializes every possible value. The data provided is not necessarily semantically accurate (for example the value "string" may be provided for something that is intended to be an instance ID, or in some cases two arguments may be mutually exclusive). The syntax shows the ABAP syntax for creating the various data structures.
DATA(lo_result) = lo_client->/aws1/if_nwf~createfirewall(
  io_encryptionconfiguration = new /aws1/cl_nwfencryptionconf(
    iv_keyid = |string|
    iv_type = |string|
  )
  it_availabilityzonemappings = VALUE /aws1/cl_nwfazmapping=>tt_availabilityzonemappings(
    ( new /aws1/cl_nwfazmapping( |string| ) )
  )
  it_enabledanalysistypes = VALUE /aws1/cl_nwfenabledalytypes_w=>tt_enabledanalysistypes(
    ( new /aws1/cl_nwfenabledalytypes_w( |string| ) )
  )
  it_subnetmappings = VALUE /aws1/cl_nwfsubnetmapping=>tt_subnetmappings(
    (
      new /aws1/cl_nwfsubnetmapping(
        iv_ipaddresstype = |string|
        iv_subnetid = |string|
      )
    )
  )
  it_tags = VALUE /aws1/cl_nwftag=>tt_taglist(
    (
      new /aws1/cl_nwftag(
        iv_key = |string|
        iv_value = |string|
      )
    )
  )
  iv_azchangeprotection = ABAP_TRUE
  iv_deleteprotection = ABAP_TRUE
  iv_description = |string|
  iv_firewallname = |string|
  iv_firewallplychangeprotec00 = ABAP_TRUE
  iv_firewallpolicyarn = |string|
  iv_subnetchangeprotection = ABAP_TRUE
  iv_transitgatewayid = |string|
  iv_vpcid = |string|
).
This is an example of reading all possible response values.
lo_result = lo_result.
IF lo_result IS NOT INITIAL.
  lo_firewall = lo_result->get_firewall( ).
  IF lo_firewall IS NOT INITIAL.
    lv_resourcename = lo_firewall->get_firewallname( ).
    lv_resourcearn = lo_firewall->get_firewallarn( ).
    lv_resourcearn = lo_firewall->get_firewallpolicyarn( ).
    lv_vpcid = lo_firewall->get_vpcid( ).
    LOOP AT lo_firewall->get_subnetmappings( ) into lo_row.
      lo_row_1 = lo_row.
      IF lo_row_1 IS NOT INITIAL.
        lv_collectionmember_string = lo_row_1->get_subnetid( ).
        lv_ipaddresstype = lo_row_1->get_ipaddresstype( ).
      ENDIF.
    ENDLOOP.
    lv_boolean = lo_firewall->get_deleteprotection( ).
    lv_boolean = lo_firewall->get_subnetchangeprotection( ).
    lv_boolean = lo_firewall->get_firewallplychangeprote00( ).
    lv_description = lo_firewall->get_description( ).
    lv_resourceid = lo_firewall->get_firewallid( ).
    LOOP AT lo_firewall->get_tags( ) into lo_row_2.
      lo_row_3 = lo_row_2.
      IF lo_row_3 IS NOT INITIAL.
        lv_tagkey = lo_row_3->get_key( ).
        lv_tagvalue = lo_row_3->get_value( ).
      ENDIF.
    ENDLOOP.
    lo_encryptionconfiguration = lo_firewall->get_encryptionconfiguration( ).
    IF lo_encryptionconfiguration IS NOT INITIAL.
      lv_keyid = lo_encryptionconfiguration->get_keyid( ).
      lv_encryptiontype = lo_encryptionconfiguration->get_type( ).
    ENDIF.
    lv_numberofassociations = lo_firewall->get_numberofassociations( ).
    LOOP AT lo_firewall->get_enabledanalysistypes( ) into lo_row_4.
      lo_row_5 = lo_row_4.
      IF lo_row_5 IS NOT INITIAL.
        lv_enabledanalysistype = lo_row_5->get_value( ).
      ENDIF.
    ENDLOOP.
    lv_transitgatewayid = lo_firewall->get_transitgatewayid( ).
    lv_awsaccountid = lo_firewall->get_tgwowneraccountid( ).
    LOOP AT lo_firewall->get_availabilityzonemappings( ) into lo_row_6.
      lo_row_7 = lo_row_6.
      IF lo_row_7 IS NOT INITIAL.
        lv_availabilityzonemapping = lo_row_7->get_availabilityzone( ).
      ENDIF.
    ENDLOOP.
    lv_boolean = lo_firewall->get_azchangeprotection( ).
  ENDIF.
  lo_firewallstatus = lo_result->get_firewallstatus( ).
  IF lo_firewallstatus IS NOT INITIAL.
    lv_firewallstatusvalue = lo_firewallstatus->get_status( ).
    lv_configurationsyncstate = lo_firewallstatus->get_confsyncstatesummary( ).
    LOOP AT lo_firewallstatus->get_syncstates( ) into ls_row_8.
      lv_key = ls_row_8-key.
      lo_value = ls_row_8-value.
      IF lo_value IS NOT INITIAL.
        lo_attachment = lo_value->get_attachment( ).
        IF lo_attachment IS NOT INITIAL.
          lv_azsubnet = lo_attachment->get_subnetid( ).
          lv_endpointid = lo_attachment->get_endpointid( ).
          lv_attachmentstatus = lo_attachment->get_status( ).
          lv_statusmessage = lo_attachment->get_statusmessage( ).
        ENDIF.
        LOOP AT lo_value->get_config( ) into ls_row_9.
          lv_key_1 = ls_row_9-key.
          lo_value_1 = ls_row_9-value.
          IF lo_value_1 IS NOT INITIAL.
            lv_perobjectsyncstatus = lo_value_1->get_syncstatus( ).
            lv_updatetoken = lo_value_1->get_updatetoken( ).
          ENDIF.
        ENDLOOP.
      ENDIF.
    ENDLOOP.
    lo_capacityusagesummary = lo_firewallstatus->get_capacityusagesummary( ).
    IF lo_capacityusagesummary IS NOT INITIAL.
      lo_cidrsummary = lo_capacityusagesummary->get_cidrs( ).
      IF lo_cidrsummary IS NOT INITIAL.
        lv_cidrcount = lo_cidrsummary->get_availablecidrcount( ).
        lv_cidrcount = lo_cidrsummary->get_utilizedcidrcount( ).
        LOOP AT lo_cidrsummary->get_ipsetreferences( ) into ls_row_10.
          lv_key_2 = ls_row_10-key.
          lo_value_2 = ls_row_10-value.
          IF lo_value_2 IS NOT INITIAL.
            lv_cidrcount = lo_value_2->get_resolvedcidrcount( ).
          ENDIF.
        ENDLOOP.
      ENDIF.
    ENDIF.
    lo_transitgatewayattachmen = lo_firewallstatus->get_tgwattachmentsyncstate( ).
    IF lo_transitgatewayattachmen IS NOT INITIAL.
      lv_attachmentid = lo_transitgatewayattachmen->get_attachmentid( ).
      lv_transitgatewayattachmen_1 = lo_transitgatewayattachmen->get_tgwattachmentstatus( ).
      lv_transitgatewayattachmen_2 = lo_transitgatewayattachmen->get_statusmessage( ).
    ENDIF.
  ENDIF.
ENDIF.
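Worked Example
The syntax example above fills every argument with placeholders; the program below is an added example, not part of the original page or of the AWS SDK for SAP ABAP, showing how the arguments fit together for a VPC-subnet firewall that a security engineer would actually deploy: one dedicated subnet per Availability Zone, all three change-protection flags set to TRUE at creation, encryption under a customer-managed KMS key (iv_type = CUSTOMER_KMS) rather than the AWS-owned key, and TLS_SNI and HTTP_HOST analysis enabled. It then polls DescribeFirewall and treats the firewall as usable only when FirewallStatus is READY and ConfigurationSyncStateSummary is IN_SYNC, bailing out early if any per-subnet attachment reports FAILED or ERROR, because CreateFirewall returns while the endpoints are still PROVISIONING and routing traffic to an endpoint that has not synced silently bypasses inspection. The profile ZDEMO, the VPC, subnet and KMS identifiers, the policy ARN and the tag are placeholders; the session and factory calls (/aws1/cl_rt_session_aws=>create, /aws1/cl_nwf_factory=>create) and the exception class /aws1/cx_rt_generic follow the SDK's usual naming and are assumed here rather than taken from this page.

```abap
" Added example; not from the original page or the AWS SDK for SAP ABAP.
" Assumptions: profile ZDEMO, all resource identifiers, the factory/session
" classes and /aws1/cx_rt_generic are placeholders following SDK conventions.
REPORT zdemo_nwf_protected_firewall.

CLASS lcl_nwf_provisioner DEFINITION.
  PUBLIC SECTION.
    METHODS constructor IMPORTING io_nwf TYPE REF TO /aws1/if_nwf.
    " Creates a firewall with every change-protection flag on, a
    " customer-managed KMS key and both traffic analysis types enabled.
    METHODS create_protected_firewall
      IMPORTING iv_name       TYPE /aws1/nwfresourcename
                iv_policyarn  TYPE /aws1/nwfresourcearn
                iv_vpcid      TYPE /aws1/nwfvpcid
                it_subnets    TYPE /aws1/cl_nwfsubnetmapping=>tt_subnetmappings
                iv_kmskeyid   TYPE string
      RETURNING VALUE(ro_rsp) TYPE REF TO /aws1/cl_nwfcreatefirewallrsp
      RAISING   /aws1/cx_rt_generic.
    " Polls DescribeFirewall until the firewall is READY and IN_SYNC in every
    " Availability Zone; returns abap_false on a failed attachment or timeout.
    METHODS wait_until_ready
      IMPORTING iv_name         TYPE /aws1/nwfresourcename
                iv_max_polls    TYPE i DEFAULT 60
      RETURNING VALUE(rv_ready) TYPE abap_bool
      RAISING   /aws1/cx_rt_generic.
  PRIVATE SECTION.
    DATA mo_nwf TYPE REF TO /aws1/if_nwf.
ENDCLASS.

CLASS lcl_nwf_provisioner IMPLEMENTATION.
  METHOD constructor.
    mo_nwf = io_nwf.
  ENDMETHOD.

  METHOD create_protected_firewall.
    ro_rsp = mo_nwf->createfirewall(
      iv_firewallname              = iv_name
      iv_firewallpolicyarn         = iv_policyarn
      iv_vpcid                     = iv_vpcid
      it_subnetmappings            = it_subnets
      " Explicitly TRUE: the firewall, its subnet associations and its policy
      " association can only be changed after the flag is cleared in a
      " separate, auditable call (UpdateFirewallDeleteProtection etc.).
      iv_deleteprotection          = abap_true
      iv_subnetchangeprotection    = abap_true
      iv_firewallplychangeprotec00 = abap_true
      " CUSTOMER_KMS: your key policy and CloudTrail govern access to the
      " firewall's encrypted resources instead of the AWS-owned key.
      io_encryptionconfiguration   = NEW /aws1/cl_nwfencryptionconf(
        iv_type  = 'CUSTOMER_KMS'
        iv_keyid = iv_kmskeyid )
      it_enabledanalysistypes      = VALUE /aws1/cl_nwfenabledalytypes_w=>tt_enabledanalysistypes(
        ( NEW /aws1/cl_nwfenabledalytypes_w( 'TLS_SNI' ) )
        ( NEW /aws1/cl_nwfenabledalytypes_w( 'HTTP_HOST' ) ) )
      it_tags                      = VALUE /aws1/cl_nwftag=>tt_taglist(
        ( NEW /aws1/cl_nwftag( iv_key = 'owner' iv_value = 'netsec' ) ) ) ).
  ENDMETHOD.

  METHOD wait_until_ready.
    rv_ready = abap_false.
    DO iv_max_polls TIMES.
      DATA(lo_status) = mo_nwf->describefirewall( iv_firewallname = iv_name )->get_firewallstatus( ).
      IF lo_status IS NOT INITIAL.
        " A FAILED or ERROR attachment will not recover by waiting longer.
        LOOP AT lo_status->get_syncstates( ) INTO DATA(ls_sync).
          DATA(lo_att) = ls_sync-value->get_attachment( ).
          IF lo_att IS NOT INITIAL AND
             ( lo_att->get_status( ) = 'FAILED' OR lo_att->get_status( ) = 'ERROR' ).
            RETURN.
          ENDIF.
        ENDLOOP.
        IF lo_status->get_status( ) = 'READY' AND
           lo_status->get_confsyncstatesummary( ) = 'IN_SYNC'.
          rv_ready = abap_true.
          RETURN.
        ENDIF.
      ENDIF.
      WAIT UP TO 5 SECONDS.
    ENDDO.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  TRY.
      DATA(lo_session) = /aws1/cl_rt_session_aws=>create( iv_profile_id = 'ZDEMO' ).
      DATA(lo_prov) = NEW lcl_nwf_provisioner( /aws1/cl_nwf_factory=>create( lo_session ) ).
      " One dedicated firewall subnet per Availability Zone (CreateFirewall requirement).
      DATA(lo_rsp) = lo_prov->create_protected_firewall(
        iv_name      = 'egress-inspection'
        iv_policyarn = 'arn:aws:network-firewall:us-east-1:111122223333:firewall-policy/egress-policy'
        iv_vpcid     = 'vpc-0123456789abcdef0'
        iv_kmskeyid  = 'arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555'
        it_subnets   = VALUE #(
          ( NEW /aws1/cl_nwfsubnetmapping( iv_subnetid = 'subnet-0aaaaaaaaaaaaaaaa' iv_ipaddresstype = 'IPV4' ) )
          ( NEW /aws1/cl_nwfsubnetmapping( iv_subnetid = 'subnet-0bbbbbbbbbbbbbbbb' iv_ipaddresstype = 'IPV4' ) ) ) ).
      WRITE: / |Created { lo_rsp->get_firewall( )->get_firewallarn( ) }|.
      IF lo_prov->wait_until_ready( iv_name = 'egress-inspection' ) = abap_true.
        WRITE: / 'READY and IN_SYNC in all zones: route tables may now target the endpoints.'.
      ELSE.
        WRITE: / 'Not ready: inspect FirewallStatus.SyncStates before routing any traffic.'.
      ENDIF.
    CATCH /aws1/cx_rt_generic INTO DATA(lx_aws).
      WRITE: / |CreateFirewall failed: { lx_aws->get_text( ) }|.
  ENDTRY.
```

The protection flags only guard against accidental changes by principals who are already allowed to call the Update* operations; they are not an access control, so the IAM policy that grants network-firewall:UpdateFirewallDeleteProtection and the other Update* actions still has to be scoped as tightly as the one that grants DeleteFirewall. The poll loop reads the same SyncStates map that the response example above walks, so the per-subnet attachment status and endpoint ID can be logged from the same place when a deployment fails.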