This chapter covers AWS Network Firewall, a managed firewall service that provides network-level protection for your Amazon Virtual Private Cloud (VPC). It is part of the Security & Compliance domain (Objective 2.3: Security and Compliance) and carries approximately 10-15% weight on the CLF-C02 exam. You will learn what problem AWS Network Firewall solves, how it works, its key features, and how it compares to other AWS firewall options. This chapter is essential for understanding how to implement perimeter security in AWS.
Think of AWS Network Firewall as a dedicated, high-tech security screening system for your cloud network, similar to an airport's baggage and passenger screening. In an airport, you have a central checkpoint where all passengers and luggage must pass through before entering secure areas. The system scans bags, checks IDs, and applies rules like 'no liquids over 100ml' or 'no sharp objects'. This centralized screening is separate from the individual airline counters or gates. Similarly, AWS Network Firewall is a managed service that you deploy in a central location (your VPC) to inspect all traffic entering and leaving your cloud environment. It applies stateful rules (like checking the 'conversation' context, not just individual packets) and stateless rules (like simple allow/deny based on IP and port). Just as airport security can be upgraded with advanced scanners (e.g., CT scanners for explosives), Network Firewall offers intrusion prevention (IPS) and web filtering. The key mechanism is that all traffic must be routed through the firewall endpoint, much like all passengers must go through security before reaching gates. If you bypass security, you risk threats. Similarly, if traffic bypasses the firewall (e.g., via a direct internet gateway), it is not inspected. This analogy helps non-technical stakeholders understand the necessity of central inspection points and the difference between simple packet filtering (like a basic metal detector) and deep packet inspection (like a full-body scanner).
What is AWS Network Firewall and the Problem It Solves
AWS Network Firewall is a managed service that provides network filtering and threat prevention for your VPC. It inspects traffic at the network and application layers, allowing you to define rules that control inbound and outbound traffic. The primary problem it solves is the need for a scalable, high-availability firewall that integrates deeply with AWS networking. Without it, customers had to deploy third-party firewall appliances (e.g., from Palo Alto or Fortinet) using EC2 instances, which required manual scaling, patching, and failover management. Network Firewall is fully managed by AWS, meaning it automatically scales, is highly available (deployed across multiple Availability Zones), and requires no underlying infrastructure management.
How It Works — Walk Through the Mechanism
AWS Network Firewall operates by inspecting traffic that is routed through a firewall endpoint in your VPC. Here's the mechanism step by step:
1. Firewall Endpoint: You create a firewall endpoint in a VPC subnet. This endpoint is an elastic network interface (ENI) that acts as the inspection point.
2. Route Tables: You configure VPC route tables to direct traffic to the firewall endpoint. For example, all outbound traffic from private subnets to the internet can be routed to the firewall ENI before reaching the internet gateway. Similarly, inbound traffic from the internet can be routed through the firewall before reaching application instances.
3. Rule Groups: You define rule groups that contain firewall rules. Each rule can be either stateful or stateless:
- Stateless rules: Simple allow/deny based on the 5-tuple (source IP, destination IP, source port, destination port, protocol). These are processed first, in order, and can be used for fast filtering.
- Stateful rules: Inspect traffic in the context of a connection (e.g., a TCP session). They support advanced features like intrusion prevention (IPS), domain filtering, and protocol detection. Stateful rules are processed after stateless rules.
4. Traffic Evaluation: When a packet arrives, the firewall first checks stateless rules. If a stateless rule matches and allows or denies, the action is taken. If no stateless rule matches, the default stateless action (e.g., forward to stateful rules) is applied. Then, stateful rules are evaluated. Stateful rules can be configured with Suricata-compatible rules (an open-source IPS engine) for deep packet inspection.
5. Logging and Metrics: All traffic can be logged to Amazon S3, CloudWatch Logs, or Kinesis Data Firehose. Metrics are sent to CloudWatch for monitoring.
Key Features, Tiers, and Configuration
Managed Service: AWS handles scaling, patching, and availability. You pay only for what you use.
High Availability: The firewall is automatically deployed across multiple Availability Zones in the region.
Stateful and Stateless Rules: You can create custom rule groups or use managed rule groups provided by AWS (e.g., AWS Managed Threat Prevention, AWS Managed Domain Filtering).
Intrusion Prevention System (IPS): Using Suricata rules, you can inspect traffic for known vulnerabilities and exploits. You can choose between alert mode (log only) or drop mode (block traffic).
Web Filtering: Block traffic based on domain names (e.g., block social media sites).
Centralized Management: Using AWS Firewall Manager, you can centrally configure and apply Network Firewall policies across multiple accounts and VPCs.
Pricing: You pay per hour for each firewall endpoint (approximately $0.395/hour per endpoint) plus data processing charges ($0.065/GB for inspected traffic). There are no upfront costs.
Comparison to On-Premises or Competing Approaches
Traditional on-premises firewalls are physical appliances that sit at the network perimeter. They require manual configuration, hardware maintenance, and capacity planning. In the cloud, you can use:
Security Groups: Instance-level stateful firewalls that allow/deny traffic based on security group rules. They are free but operate at the instance level, not the network perimeter. They cannot do deep packet inspection or domain filtering.
Network ACLs: Stateless firewalls at the subnet level. They are free but stateless, meaning you must define both inbound and outbound rules. They do not support IPS or domain filtering.
Third-Party Firewall Appliances: EC2 instances running firewall software (e.g., Palo Alto VM-Series). You manage scaling, licensing, and patching. They are more flexible but require more operational overhead.
AWS WAF: Web application firewall that protects HTTP/HTTPS traffic at the application layer. It is not a network firewall; it focuses on web attacks like SQL injection and XSS.
AWS Network Firewall fills the gap between simple security groups/ACLs and full third-party appliances. It is ideal for customers who need network-layer filtering with IPS capabilities but want to avoid managing infrastructure.
When to Use AWS Network Firewall vs Alternatives
Use Network Firewall when: You need to inspect all traffic entering and leaving your VPC, require intrusion prevention, want to filter traffic based on domain names, or need to comply with regulations that mandate network-level firewalls.
Use Security Groups when: You need instance-level filtering, and you don't need deep packet inspection or network perimeter control.
Use Network ACLs when: You need a simple stateless firewall at the subnet level as an additional layer of defense.
Use AWS WAF when: You need to protect web applications from common web exploits.
Defaults and Limits
Default limit of 20 firewall policies per region (soft limit, can be increased).
Default limit of 50 rule groups per firewall policy.
Maximum stateful rule group capacity: 10,000 rules (Suricata rules).
Maximum stateless rule group capacity: 100,000 rules.
Firewall endpoint supports up to 100 Gbps throughput (varies by instance type).
CLI and CloudFormation Example
To create a Network Firewall using the AWS CLI (the policy ARN, VPC ID and subnet ID are placeholders):

```shell
aws network-firewall create-firewall \
  --firewall-name MyFirewall \
  --firewall-policy-arn arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/MyFirewallPolicy \
  --vpc-id vpc-12345678 \
  --subnet-mappings SubnetId=subnet-12345678
```

CloudFormation snippet for a firewall:

```yaml
Resources:
  MyFirewall:
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      FirewallName: MyFirewall
      FirewallPolicyArn: !Ref MyFirewallPolicy   # Ref of a FirewallPolicy resource returns its ARN
      VpcId: !Ref VPC
      SubnetMappings:                            # one entry per firewall subnet (one per AZ)
        - SubnetId: !Ref Subnet
```

Create a Firewall Policy
First, you define a firewall policy that contains the rule groups and default actions. In the AWS Management Console, navigate to the Network Firewall service and click 'Create firewall policy'. Provide a name and description. You then attach stateless and stateful rule groups. Stateless rule groups are evaluated first; you can specify a default stateless action (e.g., forward to stateful rules, drop, or pass). Stateful rule groups are evaluated after. You can also enable Suricata-compatible IPS rules. Behind the scenes, AWS creates a policy object that is referenced by the firewall. This policy can be shared across multiple firewalls using Firewall Manager.
Create Rule Groups
Next, create rule groups that define the actual filtering rules. For stateless rule groups, you specify a priority and rules based on 5-tuple. For stateful rule groups, you can either use Suricata rules (text-based IPS rules) or domain filter rules. In the console, you can upload a Suricata rule file or manually add domain lists. AWS also provides managed rule groups (e.g., 'AWS Managed Threat Prevention') that you can subscribe to. These rule groups are updated automatically by AWS. Each rule group has a capacity limit; for stateless rules, capacity is based on the number of rules; for stateful rules, capacity is based on the complexity of Suricata rules. You must ensure your total rule group capacity does not exceed the policy limit.
Attach Rule Groups to Policy
After creating rule groups, attach them to your firewall policy. You can order stateless rule groups by priority (lower number = higher priority). Stateful rule groups are evaluated in the order they are listed. In the console, you can add rule groups to the policy and set actions (allow, drop, or alert). For stateful rule groups, you can choose 'alert' (log only) or 'drop' (block). AWS recommends using alert mode initially to test rules before enforcing drops. The policy also defines a default stateful action (e.g., 'pass' or 'drop') for traffic that does not match any stateful rule.
Create the Firewall Endpoint
Now create the firewall itself. In the console, choose 'Create firewall'. Provide a name, select the VPC, and choose the subnets where the firewall endpoint will be deployed. You must select subnets in at least two Availability Zones for high availability. The firewall will create elastic network interfaces (ENIs) in those subnets. You then associate the firewall policy you created. Behind the scenes, AWS provisions the firewall endpoints and configures them to inspect traffic. This step takes a few minutes. Once created, you cannot change the VPC; you must delete and recreate the firewall.
Update Route Tables
The final step is to route traffic through the firewall. You must update the route tables of your subnets to send traffic to the firewall ENI. For example, to inspect outbound internet traffic from private subnets, add a route in the private subnet's route table with destination 0.0.0.0/0 and target the firewall ENI. Similarly, for inbound traffic, you might route from the internet gateway to the firewall. Important: do not route traffic from the firewall's own subnet through itself (it would cause a loop). AWS provides a 'Firewall subnet' route table that you should not modify. After updating routes, traffic begins flowing through the firewall. You can verify by checking CloudWatch metrics and logs.
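The steps above (rule groups, policy with stateless-first evaluation and forward-to-stateful default, firewall in two AZs, logging, and the workload route) as a single CloudFormation template. This is an added example that extends the page's own snippet; it is not from the page or from AWS. It assumes an existing VPC, two dedicated firewall subnets, the workload subnet's route table and an S3 log bucket, all passed in as parameters, and the resource names, the telnet rule and the denylisted domains are constructed for illustration.

```yaml
Parameters:
  VpcId: {Type: AWS::EC2::VPC::Id}
  FirewallSubnetIds: {Type: "List<AWS::EC2::Subnet::Id>"}   # dedicated firewall subnets, two AZs
  PrivateRouteTableId: {Type: String}                       # route table of the workload subnet
  LogBucketName: {Type: String}                             # existing S3 bucket for alert logs
Resources:
  # Stateless 5-tuple group, evaluated first by priority: drop TCP/23 (telnet).
  BlockTelnetStateless:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: block-telnet-stateless
      Type: STATELESS
      Capacity: 10
      RuleGroup:
        RulesSource:
          StatelessRulesAndCustomActions:
            StatelessRules:
              - Priority: 1
                RuleDefinition:
                  Actions: ["aws:drop"]
                  MatchAttributes: {Protocols: [6], DestinationPorts: [{FromPort: 23, ToPort: 23}]}
  # Stateful domain denylist on TLS SNI / HTTP Host: unaffected by changing IPs.
  DenySocialMediaStateful:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: deny-social-media
      Type: STATEFUL
      Capacity: 100
      RuleGroup:
        RulesSource:
          RulesSourceList:
            TargetTypes: [TLS_SNI, HTTP_HOST]
            GeneratedRulesType: DENYLIST
            Targets: [".facebook.com", "facebook.com", ".twitter.com", "twitter.com"]
  # Policy: stateless groups run by priority; unmatched packets go to the stateful engine.
  EgressPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: egress-inspection
      FirewallPolicy:
        StatelessDefaultActions: ["aws:forward_to_sfe"]
        StatelessFragmentDefaultActions: ["aws:forward_to_sfe"]
        StatelessRuleGroupReferences:
          - {ResourceArn: !Ref BlockTelnetStateless, Priority: 10}
        StatefulRuleGroupReferences:
          - {ResourceArn: !Ref DenySocialMediaStateful}
  EgressFirewall:
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      FirewallName: egress-firewall
      FirewallPolicyArn: !Ref EgressPolicy
      VpcId: !Ref VpcId
      SubnetMappings:                          # one endpoint per AZ = built-in HA
        - SubnetId: !Select [0, !Ref FirewallSubnetIds]
        - SubnetId: !Select [1, !Ref FirewallSubnetIds]
  # Alert logs to S3 from day one; without them an incident cannot be investigated.
  FirewallLogging:
    Type: AWS::NetworkFirewall::LoggingConfiguration
    Properties:
      FirewallArn: !Ref EgressFirewall
      LoggingConfiguration:
        LogDestinationConfigs:
          - {LogType: ALERT, LogDestinationType: S3, LogDestination: {bucketName: !Ref LogBucketName, prefix: nfw/alerts}}
  # Workload default route -> firewall endpoint. EndpointIds look like "us-east-1a:vpce-...", so split on ":".
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      VpcEndpointId: !Select [1, !Split [":", !Select [0, !GetAtt EgressFirewall.EndpointIds]]]
```

EndpointIds is unordered, so for a real deployment map each workload subnet's route table to the endpoint in its own AZ rather than index 0. The firewall subnets' own route table keeps its route to the internet gateway, which avoids the loop the text warns about.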
Scenario 1: E-commerce Company with PCI DSS Compliance
A mid-size e-commerce company hosts its web application on AWS and must comply with PCI DSS, which requires a firewall to protect cardholder data. They use AWS Network Firewall to inspect all inbound and outbound traffic. They deploy a firewall in a centralized inspection VPC (using VPC peering or Transit Gateway) to inspect traffic from multiple application VPCs. The firewall logs are sent to S3 for audit. They use managed threat prevention rules to block known malicious IPs and enable IPS to detect SQL injection attempts. Cost-wise, they pay for the firewall endpoint (approx $0.395/hour per AZ) and data processing ($0.065/GB). For high traffic (100 TB/month), data processing costs can be significant. They also use Firewall Manager to apply the same policy across all accounts. Misconfiguration: initially, they forgot to route traffic from the internet gateway to the firewall, allowing inbound traffic to bypass inspection. They fixed this by updating the internet gateway route table.
Scenario 2: Enterprise with Outbound Web Filtering
A large enterprise wants to block access to social media and malicious websites from their corporate VPC. They deploy AWS Network Firewall with a stateful domain filter rule group that blocks domains like 'facebook.com' and 'twitter.com'. They also enable Suricata rules to detect command-and-control traffic. The firewall is deployed in a shared services VPC, and all other VPCs route internet-bound traffic through it via Transit Gateway. They use CloudWatch alarms to monitor blocked traffic spikes. A common mistake: they initially used stateless rules to block IP ranges of social media sites, but IPs change frequently, so they switched to domain filtering. Cost: they pay for the firewall and data processing, but the cost is justified by reduced risk of data exfiltration.
Scenario 3: Startup with Limited Budget
A startup uses a single VPC with public and private subnets. They want basic network protection without managing a third-party appliance. They deploy Network Firewall with default settings and use AWS managed threat prevention rules. They route all outbound traffic from private subnets through the firewall. Because traffic is low (under 1 TB/month), costs are manageable (~$300/month for the firewall endpoint plus data processing). However, they made a mistake: they did not enable logging initially, so when an incident occurred, they had no logs to investigate. They quickly enabled S3 logging. They also learned that Network Firewall is not a web application firewall (WAF); for their web app, they added AWS WAF separately.
What CLF-C02 Tests on This Objective
The CLF-C02 exam tests your understanding of AWS Network Firewall as a managed network security service. Specifically, you need to know:
The purpose: network-level filtering and threat prevention for VPCs.
How it differs from Security Groups (instance-level, stateful) and Network ACLs (subnet-level, stateless).
That it supports both stateful and stateless rules, and uses Suricata for IPS.
That it is a managed service (no underlying infrastructure to manage).
That it integrates with Firewall Manager for centralized policy management.
Pricing: pay per hour per endpoint plus data processing.
Common Wrong Answers and Why Candidates Choose Them
"AWS Network Firewall replaces Security Groups." Candidates think because both are firewalls, one replaces the other. Reality: they are complementary. Security Groups are instance-level and free; Network Firewall is network-level and paid.
"It is a web application firewall (WAF)." Candidates confuse Network Firewall with AWS WAF. Both have 'firewall' in the name, but WAF protects web apps at layer 7, while Network Firewall protects networks at layers 3-4 (and some layer 7).
"It operates at the instance level." Candidates assume all firewalls work like Security Groups. Reality: Network Firewall operates at the VPC/subnet level via route table manipulation.
"It is stateless by default." Candidates misunderstand the default behavior. Reality: by default, stateless rules are evaluated first, then stateful rules. The default stateless action is 'forward to stateful rules'.
Specific Exam Terms
Suricata: The open-source IPS engine used by Network Firewall for stateful inspection.
Firewall endpoint: The ENI that traffic is routed to.
Firewall policy: A container for rule groups.
Stateless vs Stateful: Know the difference (stateless: simple 5-tuple; stateful: connection tracking, IPS).
Managed rule groups: Pre-built rule groups by AWS (e.g., 'AWS Managed Threat Prevention').
Tricky Distinctions
The exam may ask: "Which service provides network-level intrusion prevention?" Answer: AWS Network Firewall (not WAF, not Security Groups). Another tricky question: "Which service allows you to block traffic based on domain names?" Answer: Network Firewall (via stateful domain filter rules) or AWS WAF (via string match). But Network Firewall is for network traffic, WAF for HTTP.
Decision Rule for Multi-Choice
If a question asks about network-level filtering (IPs, ports, protocols) and mentions 'managed', 'scalable', 'IPS', or 'centralized', choose AWS Network Firewall. If it asks about web application attacks (SQL injection, XSS), choose AWS WAF. If it asks about instance-level filtering, choose Security Groups. If it asks about subnet-level stateless filtering, choose Network ACLs.
AWS Network Firewall is a managed service that provides network-level filtering and threat prevention for VPCs.
It supports both stateless (5-tuple) and stateful (connection tracking, Suricata IPS) rules.
It is deployed as a firewall endpoint in a VPC subnet; traffic is routed to it via route tables.
Pricing: hourly per firewall endpoint ($0.395/hour) plus data processing ($0.065/GB).
It integrates with AWS Firewall Manager for centralized policy management across accounts.
Common exam trap: confusing Network Firewall with AWS WAF or Security Groups.
For CLF-C02, know that it is used for network perimeter defense and IPS, not for web application protection.
These come up on the exam all the time. Here's how to tell them apart.
AWS Network Firewall
Managed network firewall service
Inspects traffic at VPC/subnet level
Supports stateful and stateless rules
Includes IPS and domain filtering
Paid per hour and per GB processed
Security Groups
Instance-level stateful firewall
Free to use
Only stateful (allow rules only)
No IPS or domain filtering
Automatic scaling (no configuration)
Mistake
AWS Network Firewall is the same as AWS WAF.
Correct
They are different services. Network Firewall is a network firewall (L3-L4, with some L7 for domain filtering) that inspects all traffic. AWS WAF is a web application firewall (L7) that protects HTTP/HTTPS endpoints from web exploits.
Mistake
Network Firewall replaces the need for Security Groups.
Correct
No, they are complementary. Security Groups provide instance-level stateful filtering and are free. Network Firewall provides network-level inspection and is paid. Best practice is to use both for defense in depth.
Mistake
Network Firewall is stateless only.
Correct
Network Firewall supports both stateless and stateful rules. Stateless rules are simple 5-tuple filters; stateful rules use connection tracking and can include Suricata-based intrusion prevention.
Mistake
You need to manage the underlying instances for Network Firewall.
Correct
Network Firewall is a fully managed service. AWS handles scaling, patching, and availability. You only configure rules and routing.
Mistake
Network Firewall can be used to protect on-premises networks directly.
Correct
Network Firewall inspects traffic within a VPC. To protect on-premises traffic, you would need to route traffic through a VPC (e.g., via VPN or Direct Connect) and then through the firewall.
AWS Network Firewall is a managed firewall service that inspects network traffic entering and leaving your VPC. It works by deploying a firewall endpoint (an ENI) in your VPC. You then configure route tables to send traffic to that endpoint. The firewall evaluates traffic against stateless and stateful rules you define. Stateful rules can use Suricata, an open-source IPS engine, for deep packet inspection. Logs can be sent to S3, CloudWatch, or Kinesis. For the exam, know that it is a network-level firewall, not a web application firewall.
Security Groups are instance-level stateful firewalls that are free and automatically scale. They only support allow rules and cannot perform deep packet inspection. AWS Network Firewall is a network-level firewall that inspects all traffic at the VPC perimeter. It supports both allow and deny rules, stateless and stateful inspection, and includes IPS and domain filtering. It is a paid service. For the exam, remember that they are complementary: use Security Groups for instance-level protection and Network Firewall for network-level protection.
Yes, but you must route traffic through the firewall. For example, if you have two VPCs peered, you can configure route tables in the sending VPC to send cross-VPC traffic to the firewall endpoint. Alternatively, you can use a centralized inspection VPC with Transit Gateway and route all inter-VPC traffic through that VPC's firewall. For the exam, understand that Network Firewall inspects any traffic that is routed to it, regardless of source or destination.
Suricata is an open-source intrusion detection and prevention system (IDS/IPS). In AWS Network Firewall, you can write stateful rules using Suricata syntax to inspect traffic for known threats. For example, a Suricata rule can detect SQL injection attempts or malware signatures. You can set the action to 'alert' (log) or 'drop' (block). The exam may ask about Suricata as the engine for IPS in Network Firewall.
Yes, AWS Network Firewall is designed for high availability. When you create a firewall, you must select subnets in at least two Availability Zones. AWS automatically provisions firewall endpoints in each selected subnet. If one AZ fails, traffic continues to be inspected in the other AZ. There is no manual failover configuration needed. For the exam, remember that high availability is built-in by deploying across multiple AZs.
You pay an hourly fee per firewall endpoint (currently $0.395/hour) and a data processing fee per GB of traffic inspected (currently $0.065/GB). There are no upfront costs or minimum commitments. If you deploy in two AZs, you pay for two endpoints. For the exam, know that pricing is based on endpoint hours and data volume, and that it is more expensive than security groups (which are free) but cheaper than managing third-party appliances.
Yes, AWS Firewall Manager supports AWS Network Firewall. You can create a Firewall Manager policy that defines a Network Firewall configuration and applies it across multiple accounts and VPCs in your organization. This centralizes management and ensures consistent security policies. For the exam, know that Firewall Manager is used for centrally managing firewall rules across accounts.