Overview - AWS Network Firewall Deployment Automations for AWS Transit Gateway


AWS Network Firewall Deployment Automations for AWS Transit Gateway configures the AWS resources needed to filter network traffic. With this solution, you can inspect hundreds or thousands of Amazon VPCs and accounts in one place. This solution saves you time by automating the process of provisioning a centralized AWS Network Firewall to inspect traffic between VPCs. You can also centrally configure and manage your AWS Network Firewall, firewall policies, and rule groups.

This solution uses AWS Network Firewall to provide granular visibility and control of your network traffic. This allows you to accomplish network segmentation, egress domain filtering, and intrusion prevention through event-driven logging. You can enable AWS Network Firewall in your Amazon VPC environments with just a few clicks in the AWS Management Console. AWS Network Firewall automatically scales with network traffic to provide high availability protections without the need to set up or maintain the underlying infrastructure. This solution also helps you collaborate on and manage changes to the AWS Network Firewall configuration by using a GitOps workflow.

This guide provides infrastructure and configuration information for planning and deploying the AWS Network Firewall Deployment Automations for AWS Transit Gateway in the AWS Cloud.


You are responsible for the cost of the AWS services used while running this solution. As of February 2021, the estimated cost for running this solution for two network firewall endpoints in two availability zones, 5 GB of traffic per day, with default settings in the US East (N. Virginia) Region is approximately $620.55 per month. This includes estimated charges for AWS CodePipeline, AWS CodeBuild, and Amazon Simple Storage Service (Amazon S3).

| AWS Service | Dimensions | Total Cost (per month) |
|---|---|---|
| AWS Network Firewall (endpoint) | 2 endpoints, 24 hours/day ($0.395/endpoint/hour) | $568.80 |
| AWS Network Firewall (data processed) | 5 GB/day ($0.065/GB) | $9.75 |
| AWS Transit Gateway (VPC attachment) | 24 hours/day ($0.05/hour) | $36.00 |
| AWS Transit Gateway (data processed) | 10 GB/day ($0.02/GB) | $6.00 |
| Amazon Code Services (CodePipeline, CodeBuild, CodeCommit) | Depends on number of AWS CodePipeline executions | |
| Amazon S3 | Depends on number of AWS CodePipeline executions and Network Firewall log activity | |
| Total | | $620.55 |

Prices are subject to change. For full details, refer to the pricing webpage for each AWS service you will be using in this solution.

Architecture overview

Deploying this solution with the default parameters builds the following environment in the AWS Cloud.

Figure 1: AWS Network Firewall Solution for AWS Transit Gateway architecture on AWS

The AWS CloudFormation template deploys an inspection VPC with a total of four subnets in randomly selected availability zones in the Region where the solution is deployed. Two of the subnets are used to create transit gateway VPC attachments if you provide an existing AWS Transit Gateway ID. The other two subnets are used to create AWS Network Firewall endpoints in two randomly selected availability zones. The template creates a new AWS CodeCommit repository and a default network firewall configuration that allows all traffic. The template also includes a set of examples to help you create new rule groups. You modify the configuration package in the CodeCommit repository; committing a change invokes the AWS CodePipeline pipeline, which runs the following stages:

Validation stage–The AWS Network Firewall configuration is validated using the AWS Network Firewall APIs with dry run mode enabled. This lets you find unexpected issues before attempting an actual change. This stage also checks the JSON file structure and verifies that every file referenced in the configuration exists in the package.
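The validation stage described above, as an added example that is not the solution's own code: an offline structural check of a configuration package (JSON parses, required keys present, every referenced rule group file exists) followed by a DryRun submission of each rule group and the policy to the Network Firewall API. The package layout (a firewall.json naming a policy and a list of rule group files), the required key names, the OfflineClient stand-in and the sample package contents are all assumptions made for this example; the DryRun parameter on create_rule_group and create_firewall_policy is the real boto3 API.

```python
"""Offline checks for a Network Firewall configuration package plus a DryRun step.
Added example; the package layout below is an assumption, not the solution's format."""
import json
import os
import tempfile
from typing import Any, Dict, List

REQUIRED_TOP_LEVEL = ("FirewallName", "FirewallPolicy", "RuleGroups")
REQUIRED_RULE_GROUP = ("RuleGroupName", "Type", "Capacity", "RuleGroup")


def load_package(package_dir: str) -> Dict[str, Any]:
    """Parse firewall.json and every rule group file it references.
    Returns the config, the parsed rule groups and a list of errors;
    an empty error list is the gate for moving on to the dry run."""
    errors: List[str] = []
    rule_groups: List[Dict[str, Any]] = []
    try:
        with open(os.path.join(package_dir, "firewall.json")) as fh:
            config = json.load(fh)
    except (FileNotFoundError, json.JSONDecodeError) as exc:
        return {"config": None, "rule_groups": [], "errors": [f"firewall.json: {exc}"]}
    errors += [f"firewall.json lacks {k!r}" for k in REQUIRED_TOP_LEVEL if k not in config]
    for ref in config.get("RuleGroups", []):
        path = os.path.join(package_dir, ref)
        if not os.path.isfile(path):  # the "referenced file exists" check
            errors.append(f"referenced rule group file missing: {ref}")
            continue
        try:
            with open(path) as fh:
                rg = json.load(fh)
        except json.JSONDecodeError as exc:
            errors.append(f"{ref}: {exc}")
            continue
        errors += [f"{ref} lacks {k!r}" for k in REQUIRED_RULE_GROUP if k not in rg]
        if rg.get("Type") not in ("STATEFUL", "STATELESS"):
            errors.append(f"{ref}: unsupported Type {rg.get('Type')!r}")
        rule_groups.append(rg)
    return {"config": config, "rule_groups": rule_groups, "errors": errors}


def dry_run(client, package: Dict[str, Any]) -> List[str]:
    """Submit each rule group and the policy with DryRun=True so the service
    validates them without creating anything. `client` is a boto3
    network-firewall client or any object exposing the same two methods."""
    problems: List[str] = []
    for rg in package["rule_groups"]:
        try:
            client.create_rule_group(RuleGroupName=rg["RuleGroupName"], Type=rg["Type"],
                                     Capacity=rg["Capacity"], RuleGroup=rg["RuleGroup"],
                                     DryRun=True)
        except Exception as exc:  # botocore raises ClientError; kept generic here
            problems.append(f"{rg['RuleGroupName']}: {exc}")
    try:
        client.create_firewall_policy(
            FirewallPolicyName=f"{package['config']['FirewallName']}-policy",
            FirewallPolicy=package["config"]["FirewallPolicy"], DryRun=True)
    except Exception as exc:
        problems.append(f"policy: {exc}")
    return problems


class OfflineClient:
    """Stand-in for the boto3 client so the example runs without AWS access;
    records calls and rejects a rule group whose Capacity is not positive."""
    def __init__(self) -> None:
        self.calls: List[str] = []

    def create_rule_group(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(f"rule_group:{kw['RuleGroupName']}")
        if kw["Capacity"] <= 0:
            raise ValueError("Capacity must be positive")
        return {"DryRun": kw["DryRun"]}

    def create_firewall_policy(self, **kw: Any) -> Dict[str, Any]:
        self.calls.append(f"policy:{kw['FirewallPolicyName']}")
        return {"DryRun": kw["DryRun"]}


def build_sample_package() -> str:
    """Write a constructed package (one valid stateless rule group plus one
    dangling reference) to a temp dir and return its path."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "rule-groups"))
    policy = {"StatelessDefaultActions": ["aws:forward_to_sfe"],
              "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"]}
    config = {"FirewallName": "inspection-fw", "FirewallPolicy": policy,
              "RuleGroups": ["rule-groups/drop-ssh.json", "rule-groups/missing.json"]}
    rule = {"Priority": 1, "RuleDefinition": {
        "MatchAttributes": {"Protocols": [6], "DestinationPorts": [{"FromPort": 22, "ToPort": 22}]},
        "Actions": ["aws:drop"]}}
    rg = {"RuleGroupName": "drop-ssh", "Type": "STATELESS", "Capacity": 10,
          "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": [rule]}}}}
    with open(os.path.join(root, "firewall.json"), "w") as fh:
        json.dump(config, fh)
    with open(os.path.join(root, "rule-groups", "drop-ssh.json"), "w") as fh:
        json.dump(rg, fh)
    return root
```

Usage: `pkg = load_package(build_sample_package())` reports the dangling `rule-groups/missing.json` reference; once the structural errors are empty, `dry_run(boto3.client("network-firewall"), pkg)` (or `dry_run(OfflineClient(), pkg)` offline) returns the problems the service would raise. Splitting the cheap local checks from the API dry run keeps pipeline runs fast and means a broken package never reaches the deployment stage.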

Deployment stage–A new Network Firewall, Network Firewall policy, and rule groups are created in this stage. If any of the resources already exist, they are updated. This stage also detects configuration drift and remediates it by applying the latest configuration from the AWS CodeCommit repository. If any rule group change fails, the rule group changes roll back to their original state. Appliance mode is enabled on the transit gateway VPC attachment to avoid asymmetric traffic. For more information, refer to Appliance in a shared services VPC.

This solution also creates an Amazon VPC route table for each availability zone, with a default route whose target is the Amazon VPC endpoint for AWS Network Firewall. A shared route table for the firewall subnets is also created, with a default route whose target is the transit gateway. This route is created only if the transit gateway ID is provided in the AWS CloudFormation input parameters.
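The routing design in the last paragraph and the appliance-mode requirement from the deployment stage are the properties a practitioner would want to verify after deployment. The following is an added example, not the solution's own code, that audits them over data shaped like the EC2 DescribeRouteTables and DescribeTransitGatewayVpcAttachments responses and the Network Firewall DescribeFirewall sync states. The function signature, the expectation that each availability zone's route table points at the firewall endpoint of that same zone, and all sample identifiers are assumptions constructed for this example.

```python
"""Audit the inspection VPC routing described on the page. Added example; the
inputs are constructed to mirror describe_* output and are not real resources."""
from typing import Any, Dict, List

DEFAULT_ROUTE = "0.0.0.0/0"


def default_route(table: Dict[str, Any]) -> Dict[str, Any]:
    """Return the active 0.0.0.0/0 route of an EC2 route table, or {} if absent
    (a blackhole default route is treated as absent)."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE and route.get("State", "active") == "active":
            return route
    return {}


def audit_inspection_vpc(route_tables: List[Dict[str, Any]], az_tables: Dict[str, str],
                         firewall_table_id: str, sync_states: Dict[str, Any],
                         attachment: Dict[str, Any], tgw_id: str) -> List[str]:
    """Check three properties; an empty list means the design is in place.
    1. each per-AZ route table (az_tables: az -> RouteTableId) defaults to the
       firewall endpoint of that AZ (sync_states: az -> {"Attachment": {"EndpointId"}}
       as returned by DescribeFirewall);
    2. the shared firewall-subnet route table defaults to the transit gateway;
    3. the transit gateway VPC attachment has appliance mode enabled."""
    findings: List[str] = []
    by_id = {t["RouteTableId"]: t for t in route_tables}
    for az, table_id in az_tables.items():
        route = default_route(by_id.get(table_id, {}))
        expected = sync_states.get(az, {}).get("Attachment", {}).get("EndpointId")
        # A route to a firewall endpoint is reported under GatewayId as a vpce- id;
        # VpcEndpointId is read as a fallback in case a caller built the route that way.
        target = route.get("GatewayId") or route.get("VpcEndpointId") or route.get("TransitGatewayId")
        if not route:
            findings.append(f"{table_id} ({az}): no active default route")
        elif target != expected:
            findings.append(f"{table_id} ({az}): default route targets {target}, expected {expected}")
    fw_route = default_route(by_id.get(firewall_table_id, {}))
    if fw_route.get("TransitGatewayId") != tgw_id:
        findings.append(f"{firewall_table_id}: default route should target {tgw_id}")
    if attachment.get("Options", {}).get("ApplianceModeSupport") != "enable":
        findings.append(f"{attachment.get('TransitGatewayAttachmentId')}: appliance mode not enabled")
    return findings


def sample_inputs(broken: bool = False) -> Dict[str, Any]:
    """Constructed inputs for two availability zones. With broken=True the second
    AZ's table points at the first AZ's endpoint and appliance mode is disabled."""
    az_a, az_b = "us-east-1a", "us-east-1b"
    sync_states = {az_a: {"Attachment": {"EndpointId": "vpce-0aaa", "SubnetId": "subnet-fw-a"}},
                   az_b: {"Attachment": {"EndpointId": "vpce-0bbb", "SubnetId": "subnet-fw-b"}}}
    route_tables = [
        {"RouteTableId": "rtb-az-a",
         "Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "vpce-0aaa", "State": "active"}]},
        {"RouteTableId": "rtb-az-b",
         "Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE,
                     "GatewayId": "vpce-0aaa" if broken else "vpce-0bbb", "State": "active"}]},
        {"RouteTableId": "rtb-firewall",
         "Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE, "TransitGatewayId": "tgw-0123", "State": "active"}]},
    ]
    attachment = {"TransitGatewayAttachmentId": "tgw-attach-0123",
                  "Options": {"ApplianceModeSupport": "disable" if broken else "enable"}}
    return dict(route_tables=route_tables, az_tables={az_a: "rtb-az-a", az_b: "rtb-az-b"},
                firewall_table_id="rtb-firewall", sync_states=sync_states,
                attachment=attachment, tgw_id="tgw-0123")
```

Usage: `audit_inspection_vpc(**sample_inputs())` returns no findings, while `audit_inspection_vpc(**sample_inputs(broken=True))` reports the mis-targeted AZ table and the disabled appliance mode. Against a live account the same function takes the `RouteTables` list from `ec2.describe_route_tables`, the attachment from `ec2.describe_transit_gateway_vpc_attachments`, and `FirewallStatus.SyncStates` from `network-firewall.describe_firewall`; the per-AZ endpoint check matters because a route that sends an AZ's traffic to another zone's endpoint still inspects it but defeats the per-AZ design and, with appliance mode off, risks the asymmetric flows the page warns about.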