AWS Network Firewall
AWS Network Firewall (ANF) provides deep packet inspection (DPI), application protocol detection, domain name filtering, and an intrusion prevention system (IPS). ANF provides both stateless and stateful rule engines for traffic at the customer's VPC level, with north-south and east-west traffic inspection supporting tens of thousands of rules. Customers route traffic to the ANF endpoint, which is placed in a dedicated subnet within the VPC. ANF is powered by AWS Gateway Load Balancer and uses VPC inbound routing for traffic inspection. The supported deployment models are:
- Distributed AWS Network Firewall deployment model: AWS Network Firewall is deployed into each individual VPC.
- Centralized AWS Network Firewall deployment model: AWS Network Firewall is deployed into a centralized VPC for East-West (VPC-to-VPC) and/or North-South (internet egress and ingress, on-premises) traffic. We refer to this VPC as the inspection VPC throughout this blog post.
- Combined AWS Network Firewall deployment model: AWS Network Firewall is deployed into a centralized inspection VPC for East-West (VPC-to-VPC) and a subset of North-South (on-premises/egress) traffic. Internet ingress is distributed to the VPCs that require dedicated inbound access from the internet, and AWS Network Firewall is deployed into those VPCs accordingly.
The architecture is a combined AWS Network Firewall deployment model: VPCs with an Internet Gateway (IGW) get a dedicated ANF endpoint for ingress inspection, a centralized inspection VPC inspects East-West traffic, and an egress VPC handles outbound traffic to the internet. The spoke VPC B has an ANF endpoint inspecting incoming traffic and relies on the dedicated inspection VPC for VPC-to-VPC traffic. The ANF policy can reference a set of rule groups that inspect traffic matching the configured source and destination prefixes.
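The following CloudFormation template is an added example, not part of the original post or of any AWS sample: it builds the pieces the text names for one spoke VPC, a dedicated firewall subnet holding the ANF endpoint, a stateless rule group, a stateful domain-filtering rule group, a firewall policy tying them together, alert logging, and a route that sends the protected subnet's internet-bound traffic through the endpoint. All resource names, parameter defaults, domains and the `10.0.0.0/16` CIDR are placeholders chosen for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not from the page). ANF in a dedicated firewall subnet with stateless and stateful rule groups, alert logging and endpoint routing. Names and defaults are placeholders.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id          # VPC that hosts the firewall subnet (assumed to exist)
  FirewallSubnetId:
    Type: AWS::EC2::Subnet::Id       # dedicated subnet for the ANF endpoint; nothing else lives here
  WorkloadRouteTableId:
    Type: String                     # route table of the subnet whose traffic is inspected
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16             # constructed sample value
Resources:
  # Stateless engine: 5-tuple checks evaluated first. This group drops TCP/22 aimed at
  # the VPC before the stateful engine sees it; everything else is forwarded to it.
  DropInboundSsh:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: drop-inbound-ssh
      Type: STATELESS
      Capacity: 10
      RuleGroup:
        RulesSource:
          StatelessRulesAndCustomActions:
            StatelessRules:
              - Priority: 1
                RuleDefinition:
                  Actions: ["aws:drop"]
                  MatchAttributes:
                    Protocols: [6]
                    Sources: [{ AddressDefinition: 0.0.0.0/0 }]
                    Destinations: [{ AddressDefinition: !Ref VpcCidr }]
                    DestinationPorts: [{ FromPort: 22, ToPort: 22 }]
  # Stateful engine: domain filtering on HTTP Host and TLS SNI. ALLOWLIST means HTTP/TLS
  # flows to any domain not listed are dropped, which is the egress-control use case.
  EgressDomainAllowlist:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: egress-domain-allowlist
      Type: STATEFUL
      Capacity: 100
      RuleGroup:
        RuleVariables:
          IPSets:
            HOME_NET:                      # must cover every CIDR the firewall protects
              Definition: [!Ref VpcCidr]
        RulesSource:
          RulesSourceList:
            GeneratedRulesType: ALLOWLIST
            TargetTypes: [HTTP_HOST, TLS_SNI]
            Targets: [".amazonaws.com", "example.com"]   # constructed sample domains
  InspectionPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: inspection-policy
      FirewallPolicy:
        StatelessRuleGroupReferences:
          - Priority: 10
            ResourceArn: !GetAtt DropInboundSsh.RuleGroupArn
        StatelessDefaultActions: ["aws:forward_to_sfe"]          # unmatched packets go to stateful engine
        StatelessFragmentDefaultActions: ["aws:forward_to_sfe"]
        StatefulRuleGroupReferences:
          - ResourceArn: !GetAtt EgressDomainAllowlist.RuleGroupArn
  InspectionFirewall:
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      FirewallName: inspection-firewall
      FirewallPolicyArn: !GetAtt InspectionPolicy.FirewallPolicyArn
      VpcId: !Ref VpcId
      SubnetMappings:
        - SubnetId: !Ref FirewallSubnetId   # one mapping per AZ in production
      DeleteProtection: true
  AlertLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 30
  # Without a logging configuration rule hits are invisible; ALERT records carry the
  # matched rule and the 5-tuple, which is what detection content keys on.
  FirewallLogging:
    Type: AWS::NetworkFirewall::LoggingConfiguration
    Properties:
      FirewallArn: !GetAtt InspectionFirewall.FirewallArn
      LoggingConfiguration:
        LogDestinationConfigs:
          - LogType: ALERT
            LogDestinationType: CloudWatchLogs
            LogDestination:
              logGroup: !Ref AlertLogGroup
  # Point the workload subnet's default route at the firewall endpoint. EndpointIds
  # entries look like "<az>:vpce-...", so take the part after the colon.
  WorkloadDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref WorkloadRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      VpcEndpointId: !Select [1, !Split [":", !Select [0, !GetAtt InspectionFirewall.EndpointIds]]]
```

Two things change when this is lifted into the centralized or combined models from the text. First, the firewall needs a subnet mapping in every Availability Zone, and each workload subnet must route to the endpoint in its own AZ, so the single `!Select [0, ...]` above becomes one route per AZ. Second, `HOME_NET` defaults to the CIDR of the VPC the firewall sits in; in an inspection VPC that is the wrong network, so the variable has to list the spoke CIDRs or the stateful rules will treat spoke traffic as external. For ingress inspection at an IGW, the VPC inbound routing the text mentions is an ingress route table attached to the gateway that points the workload subnet CIDR at the endpoint, so that inbound and return packets traverse the same firewall.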
For more information, see Deployment models for AWS Network Firewall.