Which AWS service acts as a centralized firewall for traffic inspection between VPCs, between VPCs and on-premises networks, and for internet traffic?
Network Firewall provides centralized, managed stateful packet inspection at the VPC level with domain-based filtering and integration with Firewall Manager for multi-account governance.
Why this answer
AWS Network Firewall is a managed service that provides a centralized firewall to inspect and filter traffic across VPCs, between VPCs and on-premises networks (via AWS Transit Gateway or VPN/Direct Connect), and for internet-bound traffic. It supports stateful and stateless rules, intrusion prevention (IPS), and domain filtering, making it the correct choice for a unified traffic inspection solution.
Exam trap
The trap here is that candidates often confuse AWS Network Firewall with Security Groups or NACLs, assuming those can provide centralized traffic inspection across VPCs and hybrid networks. They cannot: Security Groups and NACLs are limited to instance-level (ENI) or subnet-level filtering and lack the centralized, stateful inspection capabilities this use case requires.
How to eliminate wrong answers
Option A is wrong because Security Groups are stateful virtual firewalls that operate at the instance level (ENI) and cannot inspect traffic between VPCs or between VPCs and on-premises networks; they lack centralized management and do not support traffic inspection for internet-bound traffic across multiple VPCs.

Option B is wrong because Network Access Control Lists (NACLs) are stateless, operate at the subnet level, and cannot provide centralized firewall capabilities across VPCs or hybrid connections; they also do not support stateful inspection or advanced threat detection.

Option D is wrong because AWS WAF is a web application firewall that protects web applications from common exploits (e.g., SQL injection, XSS) at the application layer (HTTP/HTTPS), not a network-layer firewall for general traffic inspection between VPCs, on-premises networks, or the internet.