
AWS Network Firewall

This chapter covers AWS Network Firewall, a managed service that provides network-layer filtering and threat prevention for Amazon VPCs. For the SAA-C03 exam, this topic appears in roughly 5-8% of questions, primarily in the Secure Architectures domain (Objective 1.3). Understanding how Network Firewall differs from Security Groups and NACLs, its stateful inspection capabilities, and its integration with other AWS services is critical for designing secure network architectures.

Updated May 31, 2026

AWS Network Firewall as a Customs House

Imagine a customs house at a land border between two countries. All traffic entering or leaving the country must pass through this single checkpoint. The customs house has a set of rules: for example, no weapons, no unlicensed goods, and certain items must be inspected. When a truck arrives, a customs officer checks the truck's manifest (metadata) and decides based on the rules whether to wave it through, inspect it, or turn it away. The officer can also log every truck that passes, and can even inspect the cargo itself (not just the manifest) for malicious items. AWS Network Firewall works exactly like this: it is a stateful, managed firewall that you deploy in your VPC to inspect and filter traffic at the subnet or VPC level. It uses a rules engine that can examine packet headers (like the manifest) and even perform deep packet inspection (like opening cargo). It can log all traffic, and it can block, allow, or alert on traffic based on your policies. Just as a customs house can be bypassed if there are other roads, Network Firewall must be placed in the traffic path (via route tables) to be effective.

How It Actually Works

What is AWS Network Firewall?

AWS Network Firewall is a managed service that allows you to filter inbound and outbound traffic at the VPC or subnet level. Unlike Security Groups (stateful, host-level) and Network ACLs (stateless, subnet-level), Network Firewall provides centralized, stateful inspection with intrusion prevention capabilities (IPS). It can inspect both north-south traffic (internet-bound) and east-west traffic (between subnets) if properly placed.

Why It Exists

Traditional VPC security relies on Security Groups and NACLs. However, these have limitations: Security Groups are per-elastic network interface (ENI) and cannot inspect traffic between VPCs or provide intrusion detection. NACLs are stateless and require complex rules for bidirectional traffic. Network Firewall fills the gap for centralized, stateful, application-aware filtering that can block malicious payloads, not just based on IP/port but on content.

How It Works Internally

Network Firewall is deployed in a VPC as an endpoint (Firewall Endpoint) attached to a subnet. You create a Firewall policy that consists of rule groups. Each rule group contains ordered rules. The firewall evaluates traffic against these rules in order. It supports three rule types:

- Stateful rule groups: Use Suricata-compatible rules (open-source IPS engine). They can inspect packet payloads, perform protocol detection, and track connection state.

- Stateless rule groups: Simple allow/deny rules based on the 5-tuple (source IP, destination IP, source port, destination port, protocol). Evaluated in order, with a default action.

- Custom Suricata rules: For advanced use cases such as file type blocking and signature-based detection.

Traffic flow: When a packet arrives at the firewall endpoint, it first goes through stateless rule groups (if any). If allowed, it enters stateful inspection. The stateful engine tracks connections: for TCP, it monitors SYN, SYN-ACK, ACK, and FIN/RST. For UDP, it uses timeouts (default 60 seconds for short flows, 180 seconds for longer). Once a connection is established, return traffic is automatically allowed (stateful behavior). The firewall can also perform TLS inspection if configured (requires decryption).

Key Components

Firewall: Deployed in a VPC, associated with a Firewall Policy. Has a Firewall Endpoint (network interface) in a subnet.

Firewall Policy: Defines the behavior: default actions (allow or drop for stateful/stateless), rule groups, and ordering.

Rule Groups: Containers for rules. Can be stateful or stateless. You can reference AWS-managed rule groups (e.g., AWS Managed Threat Protection) or create custom.

Suricata Rules: Open-source rule format. Example: drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Potential malware"; content:"evil.exe"; sid:1000001;)

Logging: Can send logs to S3, CloudWatch Logs, or Kinesis Data Firehose. Supports alert logs (matching alert actions) and flow logs (all traffic).

Configuration and Verification

To configure:

1. Create a Firewall Policy with rule groups.

2. Create a Firewall in a VPC, specifying the VPC, the subnet for the endpoint, and the policy.

3. Update route tables: For traffic to pass through the firewall, you must add routes pointing to the firewall endpoint for the traffic you want to inspect. For example, to inspect internet-bound traffic, add a default route (0.0.0.0/0) pointing to the firewall endpoint instead of an Internet Gateway.

4. Verify: Use CloudWatch metrics (e.g., Packets, Bytes, Alerts) and logs. You can also use VPC Flow Logs for comparison.

Interactions with Other Technologies

Security Groups and NACLs: Network Firewall works in addition to these. You can still use SGs and NACLs for host-level and subnet-level filtering. The firewall inspects traffic after it passes the NACL (if in the same subnet) and before it reaches the SG (for inbound).

AWS WAF: For web application layer (HTTP/HTTPS) filtering, use WAF on ALB or CloudFront. Network Firewall handles network and transport layers, plus some application layer (e.g., blocking malware downloads).

AWS Shield Standard/Advanced: DDoS protection at network layer. Shield works with Network Firewall to filter volumetric attacks.

VPC Peering and Transit Gateway: Network Firewall can inspect traffic between VPCs if placed in a central inspection VPC and routes point to it.

Direct Connect and VPN: For on-premises traffic, Network Firewall can inspect traffic coming via VPN or DX if routed through the firewall.

Defaults and Timers

Stateful rule default action: Drop (unless specified otherwise).

Stateless rule default action: Drop.

Stateful connection tracking: TCP connections tracked until FIN or RST, or timeout (default 600 seconds for established TCP). For UDP, timeout 60 seconds (short flows) or 180 seconds (long flows). ICMP timeout 30 seconds.

Maximum rule groups per policy: 5 stateful (including AWS-managed) and 5 stateless.

Maximum rules per rule group: 10,000 for stateless, 10,000 for stateful (Suricata rules).

Throughput: Up to 100 Gbps per firewall (depending on instance type, but managed).

Exam-Relevant Details

Network Firewall is a stateful firewall (like Security Groups) but with intrusion prevention.

It uses Suricata rules engine.

It can inspect both inbound and outbound traffic.

It must be deployed in a dedicated subnet (firewall subnet) and route tables must direct traffic to it.

It supports TLS inspection (requires importing certificate).

Logging is optional but recommended for audit.

Pricing is based on per-hour usage and data processed.

Common Misconfigurations

Forgetting to update route tables: The firewall only sees traffic if routes point to it. Many candidates assume it automatically intercepts all traffic — it does not.

Not allowing return traffic in stateless rule groups: Stateful rules handle return traffic automatically, but if you also use stateless rules, you must explicitly allow return traffic or set the stateless default action to "forward to stateful", which is the recommended setting.

Overlapping rules: Rule order matters in stateless groups; stateful groups use first match.

Not considering that the firewall endpoint is a single point of failure: You can deploy multiple firewall endpoints in different AZs for high availability.

Step-by-Step Traffic Flow Example

1. EC2 instance in subnet A sends a packet to the internet (8.8.8.8:53).

2. The route table for subnet A has a default route (0.0.0.0/0) pointing to the Network Firewall endpoint.

3. The packet arrives at the firewall endpoint. First, stateless rule groups are evaluated: e.g., a rule allows all outbound DNS. If no stateless rule matches, the stateless default action (e.g., forward to stateful) is used.

4. Stateful inspection: The firewall sees a new UDP flow to 8.8.8.8:53. It checks stateful rules: e.g., a rule allows outbound DNS. The packet is allowed and the flow is tracked.

5. The firewall forwards the packet to the Internet Gateway (since it is not the final destination).

6. The response packet from 8.8.8.8:53 to EC2 arrives at the firewall. Because the flow is tracked, the packet is automatically allowed and forwarded to EC2.

7. If the response contained malicious content, a stateful rule with signature detection could drop it.
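The flow above, together with the stateless return-traffic pitfall listed under Common Misconfigurations, as an added Python model written for this page (not AWS code): stateless rules run first with first-match semantics and a default action, a stateless pass or drop ends evaluation, and only forwarded packets reach the stateful engine, which tracks flows with the page's default idle timeouts. The 5-tuple matching and the single idle timer per protocol are simplifications assumed for the model.

```python
from collections import namedtuple

# Simplified model of Network Firewall policy evaluation written for this page
# (assumption: a stand-in for the real engine, not AWS code).
TIMEOUTS = {"tcp": 600, "udp": 60, "icmp": 30}  # idle timeouts, the page's defaults
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")


def matches(rule, pkt):
    # A rule matches when every 5-tuple field it names equals the packet's field.
    return all(getattr(pkt, k) == v for k, v in rule.items())


class FirewallPolicyModel:
    def __init__(self, stateless_rules, stateless_default, stateful_rules, stateful_default="drop"):
        self.stateless_rules = stateless_rules      # [(match, "pass" | "drop" | "forward_to_sfe")]
        self.stateless_default = stateless_default  # used when no stateless rule matches
        self.stateful_rules = stateful_rules        # [(match, "pass" | "drop" | "alert")]
        self.stateful_default = stateful_default    # page default: drop
        self.flows = {}                             # flow key -> time of last packet seen

    @staticmethod
    def flow_key(pkt):
        # Direction-agnostic key, so the reply maps onto the flow the request opened.
        a, b = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
        return (pkt.proto, a, b)

    def process(self, pkt, now):
        # Step 1: stateless rule groups, first match wins; pass/drop end evaluation here.
        action = self.stateless_default
        for match, rule_action in self.stateless_rules:
            if matches(match, pkt):
                action = rule_action
                break
        if action != "forward_to_sfe":
            return "stateless:" + action
        # Step 2: stateful engine. A packet on a tracked, unexpired flow is return traffic.
        key = self.flow_key(pkt)
        last = self.flows.get(key)
        if last is not None and now - last <= TIMEOUTS[pkt.proto]:
            self.flows[key] = now
            return "stateful:pass(established)"
        self.flows.pop(key, None)  # new flow, or the old one idled out
        for match, rule_action in self.stateful_rules:
            if matches(match, pkt):
                if rule_action == "pass":
                    self.flows[key] = now  # start tracking so the reply needs no rule
                return "stateful:" + rule_action
        return "stateful:" + self.stateful_default


# Constructed traffic for the walk-through: an instance queries 8.8.8.8:53 over UDP.
QUERY = Packet("10.0.1.10", 40000, "8.8.8.8", 53, "udp")
REPLY = Packet("8.8.8.8", 53, "10.0.1.10", 40000, "udp")
ALLOW_DNS = [({"proto": "udp", "dst_ip": "8.8.8.8", "dst_port": 53}, "pass")]


def recommended_policy():
    # Stateless default "forward to stateful": the reply is allowed by flow state, and a
    # reply arriving after the 60 s UDP timeout falls through to the stateful default (drop).
    fw = FirewallPolicyModel([], "forward_to_sfe", ALLOW_DNS)
    return [fw.process(QUERY, 0.0), fw.process(REPLY, 0.5), fw.process(REPLY, 100.0)]


def misconfigured_policy():
    # Outbound DNS passed by a stateless rule while the stateless default is "drop": the
    # stateless pass skips the stateful engine, no flow is tracked, and the reply is dropped.
    fw = FirewallPolicyModel(ALLOW_DNS, "drop", ALLOW_DNS)
    return [fw.process(QUERY, 0.0), fw.process(REPLY, 0.5)]
```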

Walk-Through

1. Deploy Firewall Endpoint

Create a firewall in a VPC. You specify a subnet (called the firewall subnet) where the firewall endpoint will be placed. This subnet must have a route table that does not point back to itself (to avoid loops). The firewall endpoint is an elastic network interface (ENI) with an IP address from the subnet. You can deploy multiple endpoints across AZs for HA. The firewall is associated with a firewall policy.

2. Configure Firewall Policy

Define the firewall policy with rule groups. Start with stateless rule groups: these are evaluated first. Typically, you set the stateless default action to 'forward to stateful' so that all traffic not matched by stateless rules goes to stateful inspection. Then add stateful rule groups: these contain Suricata rules. You can also use AWS-managed rule groups for common threats. The policy also defines default actions for stateful (allow or drop) and stateless (allow, drop, forward to stateful).

3. Update Route Tables

For traffic to be inspected, you must add routes in the subnet route tables pointing to the firewall endpoint. For example, to inspect internet-bound traffic, add a route for 0.0.0.0/0 with the firewall endpoint ID as the target. For inbound traffic from the internet, you need to route traffic from the Internet Gateway to the firewall; the Internet Gateway itself has no route table of its own, so the typical pattern is to place the firewall in a dedicated subnet and have all other subnets route to it. For inbound, you can use a Network Load Balancer or Gateway Load Balancer to route traffic to the firewall. The exam focuses primarily on outbound inspection.

4. Traffic Flows Through Firewall

When an instance sends a packet, the route table directs it to the firewall endpoint. The firewall processes the packet: first stateless rules, then stateful. If allowed, the packet is forwarded to the next hop (e.g., Internet Gateway). The firewall maintains connection state. For TCP, it tracks SYN, SYN-ACK, ACK. For UDP, it uses timeouts. The firewall can also reassemble packets for deep inspection.

5. Logging and Monitoring

Enable logging to capture traffic metadata and alerts. You can send logs to S3, CloudWatch Logs, or Kinesis Firehose. Use CloudWatch metrics to monitor throughput and alerts. You can also enable VPC Flow Logs for additional visibility. Logs help in troubleshooting and compliance.
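As an added example written for this page (not AWS code), a small parser over constructed log records that separates alert logs from flow logs and produces the per-signature and per-source counts you would put behind a "high alert count" alarm. It assumes each delivered line is one JSON object with firewall_name, availability_zone, event_timestamp and a Suricata EVE event object; the sample lines, including a truncated one, are constructed.

```python
import json
from collections import Counter

# Added example, not AWS code. Assumption: each log line is one JSON object carrying
# firewall_name, availability_zone, event_timestamp and a Suricata EVE "event" object
# (event_type "alert" for alert logs, "netflow" for flow logs).


def _record(event_type, src_ip, dest_ip, dest_port, proto, body):
    # Build one constructed log line in the assumed shape.
    event = {"timestamp": "2023-11-14T22:13:20.000000+0000", "flow_id": 1,
             "event_type": event_type, "src_ip": src_ip, "src_port": 40001,
             "dest_ip": dest_ip, "dest_port": dest_port, "proto": proto, event_type: body}
    return json.dumps({"firewall_name": "egress-fw", "availability_zone": "us-east-1a",
                       "event_timestamp": "1700000000", "event": event})


def _alert(action, sid, signature):
    return {"action": action, "signature_id": sid, "rev": 1, "signature": signature,
            "category": "", "severity": 1}


# Constructed sample: one host retrying a blocked download, one allowed alert, one flow
# record, and a truncated line of the kind a broken export can deliver.
SAMPLE_LOG_LINES = [
    _record("alert", "10.0.1.10", "203.0.113.8", 443, "TCP", _alert("blocked", 1000001, "Potential malware")),
    _record("alert", "10.0.1.10", "203.0.113.8", 443, "TCP", _alert("blocked", 1000001, "Potential malware")),
    _record("alert", "10.0.1.10", "203.0.113.9", 80, "TCP", _alert("blocked", 1000002, "Unapproved domain")),
    _record("alert", "10.0.2.20", "8.8.8.8", 53, "UDP", _alert("allowed", 2000001, "Outbound DNS")),
    _record("netflow", "10.0.2.20", "8.8.8.8", 53, "UDP", {"pkts": 2, "bytes": 180, "age": 0}),
    '{"firewall_name":"egress-fw","event":{"event_type":"alert"',
]


def parse_events(lines):
    """Yield the inner EVE event of each well-formed line; skip truncated or foreign lines."""
    for line in lines:
        try:
            yield json.loads(line)["event"]
        except (json.JSONDecodeError, KeyError, TypeError):
            continue


def blocked_alerts(lines):
    # Alert-log records whose action was blocked, i.e. a drop rule fired.
    return [ev for ev in parse_events(lines)
            if ev.get("event_type") == "alert" and ev.get("alert", {}).get("action") == "blocked"]


def blocked_by_signature(lines):
    """Count blocked alerts per Suricata signature id, the per-rule view for a dashboard."""
    return dict(Counter(ev["alert"]["signature_id"] for ev in blocked_alerts(lines)))


def noisy_sources(lines, threshold):
    """Source IPs with at least `threshold` blocked alerts: the condition to alarm on."""
    per_src = Counter(ev["src_ip"] for ev in blocked_alerts(lines))
    return sorted(ip for ip, n in per_src.items() if n >= threshold)


def flow_bytes_by_dest_port(lines):
    """Bytes per destination port from flow-log records, to spot unexpected egress."""
    totals = Counter()
    for ev in parse_events(lines):
        if ev.get("event_type") == "netflow":
            totals[ev["dest_port"]] += ev["netflow"]["bytes"]
    return dict(totals)
```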

What This Looks Like on the Job

Scenario 1: Enterprise outbound internet filtering. A large company wants to restrict outbound traffic from its VPC to only allow HTTP/HTTPS to approved domains and block known malware. They deploy AWS Network Firewall with a stateful rule group containing domain-based rules (using Suricata's dns keyword) and signature-based rules for malware. They also use the AWS Managed Threat Protection rule group. The firewall is placed in a central inspection VPC, and all other VPCs route internet-bound traffic through it via Transit Gateway. They configure logging to S3 for compliance. Common issue: if the route table is not updated, traffic bypasses the firewall. They set up CloudWatch alarms for high alert counts.

Scenario 2: Inspection of traffic between VPCs. A company has multiple VPCs connected via Transit Gateway. They need to inspect east-west traffic for compliance. They deploy Network Firewall in a central inspection VPC and configure route tables in each VPC to send traffic to the firewall via Transit Gateway. They also need to ensure that return traffic is routed back through the firewall (asymmetric routing prevention). They use Gateway Load Balancer (GWLB) to distribute traffic across multiple firewall endpoints for high availability. Performance consideration: each firewall endpoint can handle up to 100 Gbps, but they deploy multiple endpoints per AZ. Misconfiguration: forgetting to add routes for return traffic can cause asymmetric routing and dropped packets.

Scenario 3: PCI DSS compliance. A financial services company must meet PCI DSS requirements for network segmentation and intrusion detection. They use Network Firewall to segment the cardholder data environment (CDE) from other VPCs. They deploy the firewall in a dedicated subnet and configure strict stateless rules to only allow necessary ports between the CDE and other environments. They also enable stateful inspection with Suricata rules to detect SQL injection attempts (though WAF is better for that). They log all traffic to CloudWatch Logs for audit. Common pitfall: not testing that the firewall does not break application traffic (e.g., FTP, SIP) that uses dynamic ports; they need to configure stateful rules to handle these protocols.

How SAA-C03 Actually Tests This

Objective 1.3: Secure Network Architectures – The exam tests your ability to choose the right network security service for a given scenario. For Network Firewall, expect questions that contrast it with Security Groups, NACLs, and AWS WAF.

Common Wrong Answers:

1. Choosing Security Groups instead of Network Firewall for centralized inspection: Candidates see 'stateful' and think SG is enough. But SG is per-ENI, not centralized. The exam will describe a need for centralized policy management across multiple VPCs – that's Network Firewall.

2. Choosing NACLs for stateful inspection: NACLs are stateless, so they require separate inbound and outbound rules. The exam might ask for a solution that automatically allows return traffic – that's Network Firewall or Security Groups.

3. Thinking Network Firewall replaces WAF: WAF is for HTTP/HTTPS (layer 7) while Network Firewall works at layers 3-7 but with less granularity for web attacks. The exam will ask for a solution to block SQL injection – that's WAF, not Network Firewall.

4. Assuming Network Firewall automatically intercepts all traffic: It only sees traffic that is routed to it via route tables. Many questions present a scenario where traffic is not inspected because the route table is missing.

Specific Numbers and Terms:

- Default stateless action: Drop
- Default stateful action: Drop
- Maximum rule groups per policy: 5 stateful + 5 stateless
- Maximum rules per rule group: 10,000
- Suricata rules format
- TLS inspection requires a certificate
- Logging destinations: S3, CloudWatch Logs, Kinesis Firehose
- Pricing: per hour + per GB processed

Edge Cases:

- Traffic that is not TCP/UDP/ICMP (e.g., GRE) – Network Firewall may not support all protocols.
- Fragmented packets: Stateful inspection may require reassembly; if reassembly fails, the packet may be dropped.
- High throughput: If you need >100 Gbps, you must deploy multiple firewalls and use GWLB.

How to Eliminate Wrong Answers:

- If the question mentions 'centralized' or 'policy across accounts/VPCs', eliminate SG and NACL.
- If the question mentions 'intrusion prevention' or 'malware', Network Firewall is the answer (or third-party, but AWS-managed is preferred).
- If the question mentions 'web application layer' or 'HTTP header inspection', choose WAF.
- If the question mentions 'DDoS protection', choose Shield.
- If the question mentions 'stateful filtering at subnet level', Network Firewall is correct (NACL is stateless).

Key Takeaways

AWS Network Firewall is a managed stateful firewall with intrusion prevention using Suricata rules.

It must be deployed in a dedicated subnet and traffic must be routed to it via route tables.

It supports both stateless (5-tuple) and stateful (Suricata) rule groups.

Default actions: stateless default is drop; stateful default is drop.

Maximum of 5 stateful and 5 stateless rule groups per policy.

Stateful inspection tracks TCP/UDP/ICMP flows with configurable timeouts (default TCP established 600s).

Supports TLS inspection (requires certificate import).

Logging can be sent to S3, CloudWatch Logs, or Kinesis Firehose.

Pricing based on hourly firewall usage and data processed (per GB).

For high availability, deploy firewall endpoints in multiple AZs and use Gateway Load Balancer.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Network Firewall

Stateful inspection with intrusion prevention (Suricata engine).

Centralized policy applied to VPC/subnet via route tables.

Supports deep packet inspection (payload).

Can inspect traffic between VPCs and to internet.

Priced per hour + per GB processed.

Security Groups

Stateful but only per ENI (host-level).

Distributed; each instance has its own SG rules.

No payload inspection; only IP/port/protocol.

Cannot inspect traffic between VPCs (unless using VPC peering with SG).

No additional cost; included with EC2.

AWS Network Firewall

Stateful (tracks connections).

Supports allow and drop rules (no deny).

Can inspect payload and use signatures.

Evaluates rules in order (first match).

Centralized but requires routing configuration.

Network ACLs

Stateless (must define both inbound and outbound rules).

Supports allow and deny rules.

No payload inspection.

Evaluates rules in number order (lowest to highest).

Applied at subnet level automatically (no routing changes).

Watch Out for These

Mistake

AWS Network Firewall automatically inspects all traffic in the VPC without any routing changes.

Correct

Network Firewall only inspects traffic that is explicitly routed to it via route tables. You must add routes in each subnet's route table pointing to the firewall endpoint. Without this, traffic bypasses the firewall.

Mistake

Network Firewall is the same as a Security Group but applied at the subnet level.

Correct

Security Groups are stateful but applied per ENI. Network Firewall is a centralized, stateful firewall with deep packet inspection and intrusion prevention. It also supports Suricata rules, which SGs do not.

Mistake

Network Firewall can replace AWS WAF for web application protection.

Correct

WAF is designed for HTTP/HTTPS traffic and can inspect headers, cookies, and body. Network Firewall can inspect payloads but is not as granular for web attacks. Use both together: Network Firewall for network-level threats, WAF for application-level.

Mistake

Network Firewall is stateless like a Network ACL.

Correct

Network Firewall supports both stateless and stateful rule groups. Its primary inspection is stateful, tracking connection state and allowing return traffic automatically. It is not stateless like NACLs.

Mistake

You can deploy Network Firewall without a dedicated subnet.

Correct

The firewall endpoint requires a dedicated subnet (firewall subnet) in the VPC. This subnet must have at least one IP address for the endpoint. You cannot deploy the firewall in an existing subnet with other resources.


Frequently Asked Questions

What is the difference between AWS Network Firewall and AWS WAF?

AWS Network Firewall operates at network layer (3) and transport layer (4), with some application layer (7) inspection via Suricata. It is designed for general network traffic filtering, intrusion prevention, and malware blocking. AWS WAF is specifically for HTTP/HTTPS traffic, inspecting web requests (headers, cookies, body) to block SQL injection, XSS, etc. For comprehensive security, use both: Network Firewall for network-level threats and WAF for web application attacks.

How do I make sure all traffic in my VPC goes through Network Firewall?

You must update route tables in each subnet to point to the firewall endpoint. For outbound internet traffic, add a default route (0.0.0.0/0) with target the firewall endpoint ID. For inbound internet traffic, you typically use a Gateway Load Balancer in front of the firewall. For east-west traffic between subnets, route from source subnet to firewall subnet, then to destination subnet. Ensure return traffic also routes through the firewall to avoid asymmetric routing.

Can AWS Network Firewall inspect encrypted traffic (TLS/SSL)?

Yes, if you configure TLS inspection. You must provide a certificate (e.g., from ACM or imported) that the firewall uses to decrypt traffic. The firewall then inspects the plaintext and re-encrypts it. This requires careful configuration and may impact performance. Without TLS inspection, the firewall can only inspect metadata (IP/port) and cannot see encrypted payloads.

What are the default actions for stateless and stateful rule groups?

For stateless rule groups, if no rule matches, the default action is taken. The default can be 'allow', 'drop', or 'forward to stateful'. The recommended default is 'forward to stateful' to allow stateful inspection. For stateful rule groups, the default action is 'drop' (unless overridden in the policy). This means if no stateful rule matches, the traffic is dropped.

How does AWS Network Firewall handle return traffic?

Because Network Firewall is stateful, it automatically allows return traffic for established connections. When the firewall sees a new connection (e.g., SYN for TCP), it tracks the flow. Return packets (e.g., SYN-ACK) are matched to the flow and allowed without needing explicit rules. For UDP, the firewall uses timeouts (default 60 seconds after last packet) to maintain state.

Can I use AWS Network Firewall with VPC Peering or Transit Gateway?

Yes. To inspect traffic between VPCs, you can deploy Network Firewall in a central inspection VPC and route traffic from other VPCs through it. For VPC Peering, you need to add routes in the peer VPCs pointing to the firewall. For Transit Gateway, you can use a transit gateway route table to direct traffic to the inspection VPC. This enables centralized inspection of east-west traffic.

What is the maximum throughput of a single AWS Network Firewall endpoint?

A single firewall endpoint can handle up to 100 Gbps of throughput. If you need more, you can deploy multiple endpoints in different AZs and use Gateway Load Balancer to distribute traffic. The actual throughput depends on the rule complexity and packet size. For most applications, 100 Gbps is sufficient, but large enterprises may need multiple endpoints.
