SOA-C02 | Chapter 103 of 104 | Objective 5.1

AWS Network Firewall

This chapter covers AWS Network Firewall, a managed firewall service that provides network-level filtering and intrusion prevention for Amazon VPCs. For the SOA-C02 exam, this topic appears in roughly 5-8% of questions, primarily testing your ability to configure, deploy, and troubleshoot stateful and stateless rules, understand the firewall's interaction with route tables and VPC endpoints, and interpret logs. Mastering this service is critical for securing network boundaries in AWS, and the exam expects you to know not just the concepts but also the specific configuration steps and common pitfalls.

25 min read
Intermediate
Updated May 31, 2026

AWS Network Firewall as a Container Ship's Security Gate

Imagine a massive container ship entering a port. The ship carries thousands of containers, each with a specific origin, destination, and content type. The port has a security gate that inspects every container. This gate is not just a simple guard; it's a sophisticated system with multiple inspection layers. First, the gate checks the container's manifest (stateful inspection) to see if it matches expected traffic patterns. Then, it performs deep content scanning (intrusion prevention) to look for prohibited items like explosives or contraband. The gate also applies rules based on the container's destination within the port (network segmentation). If a container is suspicious, the gate can quarantine it (alert) or destroy it (drop). The gate logs every inspection for audit. In AWS Network Firewall, the firewall is the security gate, and your VPC traffic consists of containers. The firewall inspects packets (containers) as they enter or leave your VPC, using stateful rules (manifest checks), intrusion prevention (content scanning), and domain filtering (destination checks). It can allow, drop, or alert on traffic, just like the gate. The firewall is deployed in a firewall subnet, analogous to the gate's dedicated inspection area, and uses a firewall policy (the gate's rulebook) to define behavior. This analogy highlights the multi-layer inspection and policy-driven control that AWS Network Firewall provides.

How It Actually Works

What is AWS Network Firewall and Why It Exists

AWS Network Firewall is a managed service that provides network-level filtering and intrusion prevention for Amazon Virtual Private Clouds (VPCs). It is designed to protect your VPC from malicious traffic, enforce network segmentation, and meet compliance requirements. Unlike security groups (stateful instance-level firewalls) or network ACLs (stateless subnet-level firewalls), AWS Network Firewall offers deep packet inspection (DPI), intrusion prevention system (IPS) capabilities, and domain filtering. It is a stateful firewall that can inspect traffic in all directions: ingress, egress, and between subnets.

The service exists because traditional security groups and network ACLs lack advanced threat detection. Security groups cannot inspect application-layer content, and network ACLs are stateless and limited to basic IP/port rules. AWS Network Firewall fills this gap by providing a centralized, scalable firewall that integrates with AWS services like AWS WAF, AWS Shield, and Amazon GuardDuty.

How It Works Internally: Step Through the Mechanism

AWS Network Firewall operates by intercepting traffic at the VPC level. It is deployed in a dedicated firewall subnet within your VPC. You create a firewall endpoint (a VPC endpoint) that serves as the entry and exit point for traffic. The firewall uses a firewall policy, which contains a set of rule groups that define how to handle traffic.

Traffic Flow: When a packet enters or leaves a subnet that is routed through the firewall, it is directed to the firewall endpoint via route tables. The firewall inspects the packet against the rule groups in the firewall policy. The inspection order is: stateless rule groups first, then stateful rule groups. Stateless rules are processed in priority order; if a packet matches a rule that allows or drops, the action is taken without further stateful inspection. If no stateless rule matches, the packet is forwarded to stateful rule groups. Stateful rules can track connection state and apply more complex inspection, such as DPI.

Stateful vs. Stateless: Stateless rules evaluate each packet individually without regard to connection state. They are fast but limited to 5-tuple (source IP, destination IP, source port, destination port, protocol). Stateful rules maintain state about connections, allowing them to inspect traffic flows and apply rules based on the application layer (e.g., HTTP, FTP). The stateful engine can reassemble TCP streams and inspect payloads.

Suricata Engine: AWS Network Firewall uses the open-source Suricata engine for stateful inspection. Suricata is a high-performance network IDS/IPS capable of protocol detection, file extraction, and signature matching. The firewall accepts rules written in Suricata-compatible signature format, which you can either import from an existing ruleset or write yourself.

Key Components, Values, Defaults, and Timers

Firewall: The resource that defines the VPC, subnets, and firewall policy. It has a status (PROVISIONING, READY, UPDATING, DELETING).

Firewall Policy: A container for rule groups. It has a default stateless action (allow, drop, forward to stateful) and default stateful action (pass, drop, alert).

Rule Groups: Collections of rules. Stateless rule groups have a priority (1-65535). Stateful rule groups have a capacity (number of Suricata rules).

Suricata Rules: Written in Suricata signature format. Example: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"HTTP traffic"; sid:1000001;)

Capacity: Each stateful rule group has a capacity (e.g., 100, 1000). The total capacity across all rule groups in a firewall policy cannot exceed the firewall's capacity (default 10,000, max 100,000).

Timeouts: TCP connection timeout is 5 minutes of inactivity. UDP timeout is 2 minutes. ICMP timeout is 30 seconds.

Logging: Supports logging to S3, CloudWatch Logs, and Kinesis Data Firehose. Log types: alert logs (for dropped or alerted traffic) and flow logs (for all traffic).

Configuration and Verification Commands

To create a firewall via AWS CLI:

aws network-firewall create-firewall \
    --firewall-name my-firewall \
    --firewall-policy-arn arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/my-policy \
    --vpc-id vpc-12345678 \
    --subnet-mappings SubnetId=subnet-12345678

To create a firewall policy:

aws network-firewall create-firewall-policy \
    --firewall-policy-name my-policy \
    --firewall-policy "StatelessDefaultActions=[\"aws:pass\"],StatelessFragmentDefaultActions=[\"aws:pass\"]"

To add a stateful rule group:

aws network-firewall create-rule-group \
    --rule-group-name my-suricata-rules \
    --type STATEFUL \
    --capacity 100 \
    --rules "alert tcp any any -> any any (msg:\"test\"; sid:1;)"

Verification commands:

aws network-firewall describe-firewall --firewall-name my-firewall
aws network-firewall list-firewalls
aws network-firewall describe-firewall-policy --firewall-policy-arn <arn>

How It Interacts with Related Technologies

Route Tables: To route traffic through the firewall, you must update route tables of the subnets you want to protect. The default route (0.0.0.0/0) for internet-bound traffic or inter-subnet traffic must point to the firewall endpoint (a VPC endpoint ID).

VPC Endpoints: The firewall endpoint is a VPC endpoint (interface type) that is automatically created when you deploy the firewall. It is placed in the firewall subnet and has an elastic network interface.

AWS WAF: Can be used together for web application layer protection. AWS Network Firewall handles network-level filtering, while WAF handles HTTP/HTTPS request filtering.

AWS Shield: Provides DDoS protection; Network Firewall can complement by filtering malicious traffic.

Amazon GuardDuty: Can send findings to Network Firewall via CloudWatch Events to trigger dynamic blocking (though not native; requires custom automation).

AWS Firewall Manager: Centrally manage firewall policies across accounts and VPCs.

Stateless Rule Groups Details

Stateless rule groups contain rules that define a 5-tuple match and an action: aws:pass, aws:drop, aws:forward_to_sfe. The aws:forward_to_sfe action sends the packet to the stateful rule engine. Stateless rules are evaluated in order of priority (lower number = higher priority). If no rule matches, the default stateless action is taken (set in the firewall policy). The default actions can be aws:pass or aws:drop or aws:forward_to_sfe. For fragmented packets, you can also set a default fragment action.

Stateful Rule Groups Details

Stateful rule groups use Suricata rules. Each rule specifies one of the following actions:
- Pass: Allow traffic.
- Drop: Block traffic.
- Alert: Log traffic but allow it.

Stateful rules are processed after stateless rules that forward to stateful. The stateful engine maintains connection state. For TCP, it tracks SYN, SYN-ACK, ACK, and FIN/RST. For UDP, it tracks source/destination. The engine can reassemble TCP streams for deep inspection.
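The evaluation order described in the stateless and stateful sections above, as an added simulation that is not AWS code: `Packet`, `StatelessRule`, `StatefulRule`, `Policy` and `example_policy` are simplified stand-ins for the real rule-group API, and the stateful engine is assumed to apply rules in strict order with a default of pass. Calling `example_policy(stateless_default=PASS)` shows why the stateless default action matters: the packet is passed before the stateful drop rule can see it.

```python
"""Simulate the evaluation order of an AWS Network Firewall policy (added
illustration, not AWS code). Stateless rule groups run first in priority order,
first match wins; the stateful engine only sees packets that a stateless rule or
the stateless default action forwards. Rule shapes are simplified stand-ins."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PASS, DROP, FORWARD = "aws:pass", "aws:drop", "aws:forward_to_sfe"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str                  # "tcp" or "udp"
    sni: Optional[str] = None   # TLS SNI visible to the stateful engine, if any

@dataclass
class StatelessRule:
    priority: int                   # lower number = evaluated earlier
    action: str                     # PASS, DROP or FORWARD
    dst: str = "0.0.0.0/0"
    dports: Tuple[int, ...] = ()    # empty = any destination port
    proto: Optional[str] = None     # None = any protocol

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.dst) in ip_network(self.dst)
                and (not self.dports or p.dport in self.dports)
                and self.proto in (None, p.proto))

@dataclass
class StatefulRule:
    action: str                 # Suricata action: "pass", "drop" or "alert"
    dport: Optional[int] = None
    sni: Optional[str] = None   # stand-in for a tls.sni; content:"..." match

    def matches(self, p: Packet) -> bool:
        return (self.dport in (None, p.dport)
                and (self.sni is None or (p.sni is not None and self.sni in p.sni)))

@dataclass
class Policy:
    stateless: List[StatelessRule]
    stateful: List[StatefulRule]
    stateless_default: str = FORWARD   # StatelessDefaultActions in the real policy

def evaluate(policy: Policy, pkt: Packet) -> Tuple[str, str, int]:
    """Return (verdict, stage that decided, number of alert-log entries)."""
    for rule in sorted(policy.stateless, key=lambda r: r.priority):
        if rule.matches(pkt):
            if rule.action in (PASS, DROP):
                return ("pass" if rule.action == PASS else "drop", "stateless", 0)
            break                               # FORWARD: on to the stateful engine
    else:                                       # no stateless rule matched
        if policy.stateless_default == PASS:
            return ("pass", "stateless-default", 0)   # stateful rules never run
        if policy.stateless_default == DROP:
            return ("drop", "stateless-default", 0)
    alerts = 0
    for rule in policy.stateful:                # assumption: strict rule order
        if rule.matches(pkt):
            if rule.action == "alert":
                alerts += 1                     # logged, traffic keeps flowing
                continue
            return (rule.action, "stateful", alerts + (1 if rule.action == "drop" else 0))
    return ("pass", "stateful-default", alerts)  # assumed stateful default: pass

def example_policy(stateless_default: str = FORWARD) -> Policy:
    """Constructed policy: drop telnet statelessly; stateful rules alert on HTTP
    and drop TLS whose SNI contains a constructed blocked domain."""
    return Policy(
        stateless=[StatelessRule(priority=10, action=DROP, dports=(23,), proto="tcp")],
        stateful=[StatefulRule(action="alert", dport=80),
                  StatefulRule(action="drop", dport=443, sni="blocked.example")],
        stateless_default=stateless_default)
```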

Domain Filtering

Stateful rule groups can include domain filtering rules. These rules match against fully qualified domain names (FQDNs) in TLS SNI or HTTP Host headers. They do not perform DNS resolution. Example Suricata rule:

pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"example.com"; msg:"Allowed domain"; sid:2;)
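A parser for the Suricata signature format used above and in the stateful rule group section, plus a lint pass over a rule group, as an added example that is not AWS or Suricata code: `parse_rule`, `lint_rule_group` and the four-rule `SAMPLE_RULES` group (the page's two examples plus two constructed rules) are this example's own, and the parser handles the rule header and simple keyword[:value]; options only.

```python
"""Parse Suricata signatures in the form Network Firewall stateful rule groups use
(action protocol src sport -> dst dport (options)) and lint a rule group against
its declared capacity. Added example, not AWS or Suricata code: the parser covers
the header and simple keyword[:value]; options only."""
import re
from typing import Dict, List

HEADER = re.compile(
    r"^\s*(?P<action>pass|drop|alert|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# one option: keyword, optional ":value" (value may be a quoted string), then ";"
OPTION = re.compile(r'\s*(?P<key>[\w.]+)(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;')
DOMAIN_BUFFERS = ("tls.sni", "http.host")   # sticky buffers used for domain filtering

# constructed rule group: the page's two example rules plus two more for the lint
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"HTTP traffic"; sid:1000001;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"example.com"; msg:"Allowed domain"; sid:2;)
drop http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"bad.example"; msg:"Blocked host"; sid:3;)
alert tcp any any -> any any (msg:"test"; sid:1000001;)
"""

def parse_rule(line: str) -> Dict:
    m = HEADER.match(line)
    if not m:
        raise ValueError(f"not a Suricata signature: {line!r}")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts, pos, text = [], 0, m.group("opts").strip()
    while pos < len(text):
        om = OPTION.match(text, pos)
        if not om:
            raise ValueError(f"bad option text near {text[pos:pos + 20]!r}")
        val = om.group("val")
        if val is not None and val.startswith('"'):
            val = val[1:-1]                      # strip the surrounding quotes
        opts.append((om.group("key"), val))
        pos = om.end()
    rule["options"] = opts
    rule["sid"] = next((int(v) for k, v in opts if k == "sid"), None)
    rule["msg"] = next((v for k, v in opts if k == "msg"), None)
    # a domain-filtering rule selects a sticky buffer, then matches content on it
    keys = [k for k, _ in opts]
    rule["domain"] = None
    for buf in DOMAIN_BUFFERS:
        if buf in keys:
            rule["domain"] = next((v for k, v in opts[keys.index(buf):] if k == "content"), None)
    return rule

def lint_rule_group(rules_text: str, capacity: int) -> List[str]:
    """Findings a reviewer wants before attaching the group to a firewall policy."""
    rules = [parse_rule(ln) for ln in rules_text.splitlines() if ln.strip() and not ln.startswith("#")]
    findings, seen = [], set()
    if len(rules) > capacity:
        findings.append(f"{len(rules)} rules exceed declared capacity {capacity}")
    for r in rules:
        if r["sid"] is None:
            findings.append(f"rule without sid: {r['msg']!r}")
        elif r["sid"] in seen:
            findings.append(f"duplicate sid {r['sid']}")
        seen.add(r["sid"])
        if r["action"] == "alert" and r["domain"]:
            findings.append(f"sid {r['sid']} only alerts on {r['domain']}; it does not block")
    return findings
```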

Logging and Monitoring

Alert logs: Generated when a rule with an alert or drop action matches; each entry contains details of the packet and the matching rule.

Flow logs: Records of all traffic handled by the firewall, regardless of action. Useful for auditing.

Metrics: CloudWatch metrics include PacketsIn, PacketsOut, BytesIn, BytesOut, PacketDropCount, AlertCount.

Troubleshooting: Use describe-firewall to check the firewall status and list-rule-groups to verify which rules are in place. For packet drops, check the alert logs in CloudWatch Logs or S3.
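Triage of the alert logs described above, as an added example that is not AWS tooling: the three records in `SAMPLE_ALERT_LOG` are constructed to follow the shape of a Network Firewall alert log record (one JSON object per line with an `event` block carrying the 5-tuple and an `alert` block with the action and signature id), and those field names are an assumption to verify against your own log destination.

```python
"""Summarise Network Firewall alert-log records per signature (added example,
not AWS tooling). The records below are constructed; their field names follow
the alert-log shape as assumed here and should be checked against real logs."""
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# constructed records: one blocked telnet attempt, two alert-only HTTP hits
SAMPLE_ALERT_LOG = """\
{"firewall_name":"my-firewall","availability_zone":"us-east-1a","event_timestamp":"1700000001","event":{"timestamp":"2023-11-14T22:13:21.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.1.10","src_port":50001,"dest_ip":"198.51.100.7","dest_port":23,"proto":"TCP","alert":{"action":"blocked","signature_id":3,"rev":1,"signature":"Blocked host","category":"","severity":3}}}
{"firewall_name":"my-firewall","availability_zone":"us-east-1a","event_timestamp":"1700000002","event":{"timestamp":"2023-11-14T22:13:22.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.1.11","src_port":50002,"dest_ip":"198.51.100.8","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"HTTP traffic","category":"","severity":3}}}
{"firewall_name":"my-firewall","availability_zone":"us-east-1b","event_timestamp":"1700000003","event":{"timestamp":"2023-11-14T22:13:23.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.1.12","src_port":50003,"dest_ip":"198.51.100.8","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"HTTP traffic","category":"","severity":3}}}
"""

def parse_alert_records(lines: Iterable[str]) -> List[Dict]:
    """Flatten alert records; skip blank lines and non-alert event types."""
    records = []
    for ln in lines:
        if not ln.strip():
            continue
        rec = json.loads(ln)
        ev = rec["event"]
        if ev.get("event_type") != "alert":
            continue                     # flow records are not rule matches
        records.append({
            "az": rec["availability_zone"],
            "src": f'{ev["src_ip"]}:{ev["src_port"]}',
            "dst": f'{ev["dest_ip"]}:{ev["dest_port"]}',
            "proto": ev["proto"],
            "action": ev["alert"]["action"],      # "blocked" (drop) or "allowed" (alert)
            "sid": ev["alert"]["signature_id"],
            "msg": ev["alert"]["signature"],
        })
    return records

def summarize(records: List[Dict]) -> Dict[int, Dict]:
    """Per signature id: action, hit count, distinct source hosts and destinations."""
    out = defaultdict(lambda: {"action": None, "msg": None, "hits": 0,
                               "sources": set(), "dests": set()})
    for r in records:
        s = out[r["sid"]]
        s.update(action=r["action"], msg=r["msg"])
        s["hits"] += 1
        s["sources"].add(r["src"].split(":")[0])
        s["dests"].add(r["dst"])
    return dict(out)

def alert_only_signatures(summary: Dict[int, Dict], min_hits: int = 2) -> List[int]:
    """Signatures that keep matching but only log: review whether they should drop."""
    return sorted(sid for sid, s in summary.items()
                  if s["action"] == "allowed" and s["hits"] >= min_hits)
```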

Performance and Scaling

AWS Network Firewall scales automatically based on traffic. It uses multiple Availability Zones for high availability. You can deploy one firewall per VPC, but you can have multiple firewalls across VPCs. The service supports up to 100,000 rules in a firewall policy (combined capacity). Throughput limits vary by instance type (not user-selectable; AWS manages). For high throughput, ensure you have sufficient capacity in your firewall policy (capacity is a soft limit that can be increased via support).

Walk-Through

1. Create Firewall Subnet

Create a dedicated subnet in your VPC for the firewall endpoint. This subnet must have a route table that does not point to the firewall itself (to avoid routing loops). The firewall subnet is where the firewall's elastic network interfaces are placed. It must have at least one subnet per Availability Zone you plan to use. The subnet must have a route to the internet via an Internet Gateway or NAT Gateway if needed. AWS recommends using a /28 subnet size to ensure enough IP addresses.

2. Define Firewall Policy

Create a firewall policy that contains rule groups. Define default stateless actions for non-matching traffic and for fragmented packets. You can also set default stateful actions (pass/drop/alert). The policy is a separate resource that can be shared across firewalls. You can attach up to 30 stateless rule groups and 20 stateful rule groups per policy. The order of evaluation is: stateless rule groups in priority order, then stateful rule groups (order within stateful is not guaranteed, so use distinct actions).

3. Create Rule Groups

Create stateless rule groups with rules that specify source/destination IP, port, protocol, and action (pass/drop/forward_to_sfe). Create stateful rule groups with Suricata rules for deep inspection. Each rule group has a capacity (number of rules). For stateless, the capacity is the number of rules; for stateful, it's the number of Suricata rules. The total capacity across all rule groups in a policy cannot exceed the firewall's capacity (default 10,000).

4. Create Firewall and Attach Policy

Create the firewall resource, specifying the VPC, firewall subnet mappings (subnet per AZ), and the firewall policy ARN. The firewall will automatically create VPC endpoints (one per subnet) in the firewall subnets. The firewall status will transition from PROVISIONING to READY. During creation, AWS creates elastic network interfaces in the firewall subnets. These endpoints have private IP addresses from the subnet CIDR.

5. Update Route Tables

To route traffic through the firewall, update the route tables of your subnets. For internet-bound traffic, add a route to the firewall endpoint (the VPC endpoint ID) for 0.0.0.0/0. For inter-subnet traffic, add routes to the firewall endpoint for the destination subnet CIDR. Important: Do not route traffic from the firewall subnet back to itself. Use a separate route table for the firewall subnet that does not have a route to the firewall endpoint.

6. Test and Monitor

After routing is configured, test connectivity. Use tools like telnet, curl, or AWS Systems Manager Session Manager to verify that allowed traffic passes and blocked traffic is dropped. Enable logging to S3 or CloudWatch Logs to capture alert and flow logs. Monitor CloudWatch metrics for packet drops and alerts. Check the firewall status via CLI or console. If traffic is not flowing, verify route tables and that the firewall policy is correctly attached.
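A check for the routing that steps 1 and 5 of this walk-through require, as an added example that is not AWS code: `check_firewall_routing`, `find_route`, the `GOOD` and `BAD` route-table sets and every identifier in them are constructed, and the dict layout only loosely follows the output of `aws ec2 describe-route-tables`.

```python
"""Check the routing that steps 1 and 5 require (added example, not AWS code):
each protected subnet's route table sends 0.0.0.0/0 to the firewall endpoint, the
firewall subnet's own route table never points back at that endpoint (loop) and
still reaches the internet. Route-table dicts are constructed and only loosely
follow the shape of `aws ec2 describe-route-tables` output."""
from typing import Dict, List

# constructed identifiers, not from any real account
FW_ENDPOINT = "vpce-0a1b2c3d4e5f67890"
NAT = "nat-0123456789abcdef0"
GOOD = [  # app subnet -> firewall endpoint; firewall subnet -> NAT gateway
    {"id": "rtb-app", "subnets": ["subnet-app-a"],
     "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", FW_ENDPOINT)]},
    {"id": "rtb-fw", "subnets": ["subnet-fw-a"],
     "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", NAT)]},
]
BAD = [   # app subnet bypasses the firewall; firewall subnet routes into itself
    {"id": "rtb-app", "subnets": ["subnet-app-a"],
     "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", NAT)]},
    {"id": "rtb-fw", "subnets": ["subnet-fw-a"],
     "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", FW_ENDPOINT)]},
]

def find_route(rtb: Dict, destination: str) -> str:
    """Target of the route for `destination` in this table, or '' if absent."""
    return next((t for d, t in rtb["routes"] if d == destination), "")

def check_firewall_routing(route_tables: List[Dict], protected_subnets: List[str],
                           firewall_subnet: str, firewall_endpoint: str) -> List[str]:
    findings = []
    by_subnet = {s: rtb for rtb in route_tables for s in rtb["subnets"]}
    for subnet in protected_subnets:             # step 5: send traffic to the firewall
        rtb = by_subnet.get(subnet)
        if rtb is None:
            findings.append(f"{subnet}: no route table association")
            continue
        target = find_route(rtb, "0.0.0.0/0")
        if target != firewall_endpoint:
            findings.append(f"{subnet} ({rtb['id']}): default route goes to {target or 'nothing'}, "
                            f"not {firewall_endpoint}; traffic bypasses the firewall")
    fw_rtb = by_subnet.get(firewall_subnet)      # step 1: the firewall subnet's own table
    if fw_rtb is None:
        findings.append(f"{firewall_subnet}: firewall subnet has no route table association")
        return findings
    if any(s in protected_subnets for s in fw_rtb["subnets"]):
        findings.append(f"{fw_rtb['id']}: firewall subnet shares a route table with a protected subnet")
    for dest, target in fw_rtb["routes"]:
        if target == firewall_endpoint:
            findings.append(f"{fw_rtb['id']}: route {dest} -> {target} creates a routing loop")
    if not find_route(fw_rtb, "0.0.0.0/0").startswith(("igw-", "nat-")):
        findings.append(f"{fw_rtb['id']}: firewall subnet needs a default route to an IGW or NAT gateway")
    return findings
```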

What This Looks Like on the Job

Enterprise Scenario 1: Egress Filtering for Compliance

A financial services company must restrict outbound traffic from a VPC containing sensitive customer data. They need to block known malicious domains and prevent data exfiltration. They deploy AWS Network Firewall in a dedicated firewall subnet. They create a stateful rule group with Suricata rules that drop traffic to domains listed on a threat intelligence feed (e.g., from Proofpoint or AWS Marketplace). They also create a stateless rule group that allows only specific ports (80, 443) to the internet. The firewall policy has a default stateless action of drop. In production, they monitor alert logs for attempted connections to malicious domains. A common misconfiguration is forgetting to update the route table for the private subnets to point to the firewall endpoint, causing traffic to bypass the firewall. They also need to ensure that the firewall subnet has a route to the internet via a NAT Gateway if they want to inspect traffic from private subnets.

Enterprise Scenario 2: Network Segmentation with Intrusion Prevention

A healthcare organization needs to isolate development, test, and production environments within a single VPC. They use AWS Network Firewall to inspect traffic between subnets. They create a firewall policy with stateless rules that allow traffic between specific subnet CIDRs only on required ports (e.g., SSH from admin subnet to all, HTTP from web to app). They also attach a stateful rule group with IPS signatures from an AWS Marketplace partner (e.g., Trend Micro). The firewall logs all inter-subnet traffic. A common issue is that the firewall's stateful engine can cause latency for high-throughput applications like database replication; they mitigate this by creating stateless allow rules for trusted traffic to bypass stateful inspection. They also ensure that the route tables for each subnet have a route to the firewall endpoint for the other subnets' CIDRs.

Enterprise Scenario 3: Centralized Security for Multi-Account Environment

A large enterprise uses AWS Organizations with hundreds of accounts. They deploy AWS Network Firewall in a central security account using AWS Firewall Manager. They create a common firewall policy with corporate-wide rules (e.g., block all traffic to known command-and-control IPs). They then apply this policy to all VPCs in member accounts. This ensures consistent security posture. Performance considerations: with many VPCs, the number of firewalls can grow. They use tagging to organize firewalls. A common pitfall is that Firewall Manager can only apply policies to VPCs that have a firewall already deployed; they must first create the firewall in each VPC via automation. They also need to ensure that the firewall subnets in each account have proper routing.

How SOA-C02 Actually Tests This

What SOA-C02 Tests on AWS Network Firewall

The SOA-C02 exam (Objective 5.1: Implement network security) tests your ability to configure and troubleshoot AWS Network Firewall. Specifically, you need to know:

The difference between stateless and stateful rules and when to use each.

How to route traffic through the firewall using route tables (VPC endpoint route).

How to create and attach firewall policies and rule groups.

How to interpret firewall logs (alert vs. flow logs) and CloudWatch metrics.

How to troubleshoot connectivity issues (common cause: missing route to firewall endpoint).

The integration with AWS Firewall Manager for central management.

Common Wrong Answers and Why Candidates Choose Them

1. Wrong: 'Security groups are sufficient for network-level filtering.' Candidates often think security groups can replace Network Firewall because they are stateful. Reality: Security groups cannot perform deep packet inspection, domain filtering, or intrusion prevention. They are instance-level, not network-level.

2. Wrong: 'Network ACLs provide stateful inspection.' This is a classic trap. Network ACLs are stateless and require separate inbound and outbound rules. AWS Network Firewall is stateful.

3. Wrong: 'You can attach Network Firewall directly to an internet gateway.' Candidates may assume it works like a traditional firewall. Reality: Network Firewall is deployed inside a VPC and traffic is routed to it via route tables. It does not attach to IGW or NATGW.

4. Wrong: 'Stateful rules are processed before stateless rules.' The order is: stateless first, then stateful (if forwarded). Many candidates reverse this.

Specific Numbers, Values, and Terms That Appear on the Exam

Default stateless actions: aws:pass, aws:drop, aws:forward_to_sfe.

Default stateful actions: PASS, DROP, ALERT.

Capacity: Default 10,000, max 100,000.

Timeouts: TCP 5 min, UDP 2 min, ICMP 30 sec.

Log type: Alert logs (dropped/alerted traffic) and flow logs (all traffic).

Rule group types: STATEFUL and STATELESS.

Suricata rule format: action protocol source_ip source_port -> dest_ip dest_port (msg; sid;).

Firewall status: PROVISIONING, READY, UPDATING, DELETING.

Edge Cases and Exceptions

Fragmented packets: Stateless rules can have a default fragment action separate from normal traffic.

IPv6: AWS Network Firewall supports IPv6 traffic (stateful inspection only; stateless rules can match IPv6).

TLS inspection: Network Firewall can inspect TLS traffic if you configure Suricata rules with tls.sni for domain filtering, but it does not decrypt traffic.

Cross-account: You can share firewall policies across accounts via AWS RAM (Resource Access Manager).

Limits: Maximum 2 firewalls per region per account (soft limit). Maximum 20 stateful rule groups per policy.

How to Eliminate Wrong Answers Using the Underlying Mechanism

When you see a question about filtering traffic between subnets, think: 'Does this need deep packet inspection?' If yes, Network Firewall is needed. If only IP/port, security groups or NACLs may suffice. For questions about routing, remember that traffic must be explicitly routed to the firewall endpoint. If a question mentions 'centralized management across accounts', think AWS Firewall Manager. For logging, differentiate between alert (only dropped/alerted) and flow (all). Use the Suricata rule format to identify stateful rules.

Key Takeaways

AWS Network Firewall is a managed stateful firewall with intrusion prevention, deployed in a dedicated subnet within a VPC.

Traffic must be routed to the firewall endpoint via route tables; the firewall subnet itself must not route back to the endpoint.

Stateless rules are evaluated first; stateful rules (Suricata) are only applied if a stateless rule forwards the traffic.

Default stateless actions: pass, drop, or forward to stateful engine. Default stateful actions: pass, drop, alert.

Capacity of a firewall policy is the sum of rule group capacities; default 10,000, max 100,000.

Stateful rule groups use Suricata rule syntax; domain filtering uses tls.sni or http.host.

Logging supports alert logs (dropped/alerted traffic) and flow logs (all traffic) to S3, CloudWatch, or Kinesis.

Firewall statuses: PROVISIONING, READY, UPDATING, DELETING.

AWS Firewall Manager can centrally apply firewall policies across accounts and VPCs.

Common exam trap: confusing stateful vs. stateless, or thinking Network Firewall attaches to IGW.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Network Firewall

Stateful inspection with connection tracking

Supports deep packet inspection and intrusion prevention (Suricata)

Can filter based on domain names (TLS SNI, HTTP Host)

Centralized management via Firewall Manager

Logs to S3, CloudWatch, Kinesis; includes alert and flow logs

Network ACLs

Stateless; each packet evaluated independently

No deep packet inspection; only 5-tuple rules

Cannot filter by domain name

Per-subnet configuration; no central management

Logs to CloudWatch only via VPC Flow Logs (separate service)

Watch Out for These

Mistake

AWS Network Firewall can be attached directly to an Internet Gateway.

Correct

AWS Network Firewall is deployed inside a VPC and traffic is routed to it via route tables. It does not attach to an Internet Gateway. The firewall endpoint is a VPC endpoint in a subnet.

Mistake

Network ACLs provide stateful inspection like Network Firewall.

Correct

Network ACLs are stateless. They require separate inbound and outbound rules. AWS Network Firewall is stateful and tracks connection state.

Mistake

Stateful rules are evaluated before stateless rules.

Correct

Stateless rules are evaluated first. Only if a packet is forwarded by a stateless rule (via 'aws:forward_to_sfe' or default action) does it go to stateful inspection.

Mistake

AWS Network Firewall can decrypt and inspect HTTPS traffic.

Correct

Network Firewall can inspect TLS handshake metadata (SNI) but does not decrypt payloads. For full HTTPS inspection, use AWS WAF or a third-party appliance.

Mistake

You can use security groups to block traffic between subnets in the same VPC.

Correct

Security groups are instance-level and cannot filter traffic between subnets. For subnet-level filtering, use Network ACLs or AWS Network Firewall.


Frequently Asked Questions

How do I route traffic through AWS Network Firewall?

You must update the route tables of the subnets you want to protect. Add a route for the destination traffic (e.g., 0.0.0.0/0 for internet) pointing to the firewall endpoint ID (e.g., vpce-xxxxxxxx). The firewall endpoint is automatically created when you deploy the firewall. Do not route traffic from the firewall subnet back to itself.

What is the difference between stateless and stateful rule groups?

Stateless rule groups evaluate each packet individually based on 5-tuple (source/destination IP, port, protocol) and do not track connection state. Stateful rule groups use Suricata engine to inspect traffic flows, track connection state (TCP, UDP, ICMP), and can perform deep packet inspection. Stateless rules are faster but less flexible. Stateful rules are more powerful but require more resources.

Can AWS Network Firewall inspect HTTPS traffic?

AWS Network Firewall can inspect the TLS handshake metadata, such as the Server Name Indication (SNI) field, to filter based on domain names. However, it cannot decrypt the encrypted payload. For full HTTPS inspection, you would need a third-party appliance that supports TLS termination.

How do I troubleshoot traffic not being inspected by Network Firewall?

First, verify that the route tables for the source subnets have a route to the firewall endpoint. Use 'aws network-firewall describe-firewall' to check the firewall status. Enable flow logs to see if traffic is reaching the firewall. Check the firewall policy's default actions and rule group priorities. Also, ensure the firewall subnet has proper routes (e.g., to NAT Gateway for internet) and that security groups allow traffic.

What logging options are available for AWS Network Firewall?

You can log to Amazon S3, CloudWatch Logs, or Amazon Kinesis Data Firehose. There are two log types: alert logs (capture traffic that matches alert or drop rules) and flow logs (capture all traffic handled by the firewall). You can enable both types simultaneously and send them to different destinations.

How does AWS Network Firewall scale?

AWS Network Firewall automatically scales based on traffic volume. It uses multiple Availability Zones for high availability. You can increase the capacity of your firewall policy (up to 100,000 rules) by requesting a limit increase. The service handles throughput scaling transparently.

Can I use AWS Network Firewall across multiple accounts?

Yes, you can use AWS Firewall Manager to centrally manage firewall policies across accounts in AWS Organizations. You can also share firewall policies via AWS Resource Access Manager (RAM). However, each VPC needs its own firewall deployment.
