AWS Network Firewall
AWS Network Firewall is a managed, stateful network firewall and intrusion detection/prevention service designed to protect Amazon VPC environments. It is a critical component within Domain 3 (Infrastructure Security) of the AWS Certified Security – Specialty (SCS-C02) exam.

**Key Features:**

1. **Stateful and Stateless Inspection:** AWS Network Firewall supports both stateless rule groups (operating on individual packets based on source/destination IP, port, and protocol) and stateful rule groups (which track connection state and can inspect traffic at the application layer).
2. **Intrusion Prevention System (IPS):** It provides signature-based detection using Suricata-compatible IPS rules, enabling detection and blocking of known threats, malware, and exploits.
3. **Deep Packet Inspection:** The firewall can inspect traffic payloads, including TLS-encrypted traffic through its TLS inspection capability, giving visibility into encrypted communications.
4. **Domain Filtering:** You can create allow or deny lists based on domain names, enabling outbound traffic filtering to restrict access to specific websites or services.
5. **Integration with AWS Services:** Network Firewall integrates with AWS Firewall Manager for centralized policy management across multiple accounts and VPCs. It also sends logs to Amazon S3, CloudWatch Logs, and Kinesis Data Firehose for monitoring and analysis.

**Architecture:** Network Firewall is deployed within a dedicated firewall subnet in your VPC. Traffic is routed through the firewall endpoint using VPC route table modifications. It operates transparently and scales automatically to handle traffic demands.

**Deployment Patterns:**
- Centralized deployment using AWS Transit Gateway for inspecting traffic across multiple VPCs
- Distributed deployment within individual VPCs
- Combined ingress/egress filtering

**Security Exam Relevance:** For SCS-C02, understanding when to use Network Firewall versus Security Groups, NACLs, or AWS WAF is essential. Network Firewall fills the gap for advanced Layer 3-7 filtering, IPS capabilities, and protocol-level inspection that simpler controls cannot provide. It is ideal for compliance-driven environments requiring deep traffic inspection and centralized network security enforcement.
AWS Network Firewall: Complete Guide for AWS Security Specialty Exam
Why AWS Network Firewall is Important
AWS Network Firewall is a critical service in the AWS security ecosystem because it provides a managed, stateful network firewall and intrusion detection/prevention system (IDS/IPS) for your Amazon VPC. As organizations migrate workloads to the cloud, the need to inspect and filter network traffic at the perimeter becomes essential. Traditional security groups and NACLs offer basic packet filtering, but they lack deep packet inspection, protocol-level filtering, and the ability to detect sophisticated threats. AWS Network Firewall fills this gap by offering enterprise-grade network protection that scales automatically with your traffic.
For the AWS Security Specialty exam, understanding AWS Network Firewall is vital because it is a key component of infrastructure security. Questions may test your knowledge of when to use Network Firewall versus other services, how to architect solutions with it, and how to configure rule groups effectively.
What is AWS Network Firewall?
AWS Network Firewall is a managed service that deploys network protections for your Amazon VPCs. It provides:
• Stateful traffic inspection — Tracks the state of network connections and makes filtering decisions based on connection context.
• Stateless traffic inspection — Evaluates each packet in isolation using defined rules (similar to NACLs but more powerful).
• Intrusion Prevention System (IPS) — Detects and blocks known threat signatures using Suricata-compatible rules.
• Web filtering — Allows or denies traffic based on domain names (FQDN filtering) for both HTTP and HTTPS (via SNI inspection).
• Custom rule groups — Supports both stateless and stateful rule groups with flexible match conditions.
• Integration with AWS Firewall Manager — Enables centralized management across multiple accounts and VPCs in an AWS Organization.
How AWS Network Firewall Works
Understanding the architecture of AWS Network Firewall is essential for both real-world implementations and the exam:
1. Firewall Subnet:
AWS Network Firewall requires a dedicated subnet in each Availability Zone where you want protection. These are called firewall subnets. The firewall endpoint is deployed into these subnets. Important: Firewall subnets should contain ONLY the firewall endpoints — no other resources.
2. Firewall Policy:
A firewall policy defines the monitoring and protection behavior. It contains:
• Stateless rule groups — Evaluated first, processed in priority order. Actions include pass, drop, or forward to stateful rules.
• Stateful rule groups — Evaluated after stateless rules forward traffic. These support Suricata-compatible IPS rules, domain list rules, and 5-tuple rules.
• Default actions — Define what happens to packets that don't match any stateless rule (pass, drop, or forward to stateful engine).
3. Traffic Flow and Routing:
Traffic must be routed through the firewall endpoints using VPC route tables. A typical architecture involves:
• An Internet Gateway route table that sends ingress traffic to the firewall endpoint.
• A public subnet route table that sends egress traffic to the firewall endpoint.
• A firewall subnet route table that sends traffic to the Internet Gateway or other destinations.
• For east-west traffic (between subnets), route tables must direct traffic through the firewall endpoint.
4. Rule Evaluation Order:
• Stateless rules are evaluated first, in priority order (lowest number = highest priority).
• If the stateless default action is set to Forward to stateful rule groups, matching traffic is then evaluated by the stateful engine.
• Stateful rules can operate in strict order (evaluated by priority, with a default drop-all or pass-all for unmatched traffic) or action order (pass rules are evaluated first, then drop, then alert).
5. Stateful Rule Types:
• 5-tuple rules — Match on protocol, source IP, source port, destination IP, destination port, and direction.
• Domain list rules — Allow or deny traffic to specified domain names. Works with HTTP (Host header inspection) and HTTPS (SNI inspection). Note: Does NOT perform TLS decryption.
• Suricata-compatible IPS rules — Use the open-source Suricata rule syntax to detect and block threats based on packet content, patterns, and protocol anomalies.
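The evaluation order and the stateful rule types above are easier to reason about with a small model in hand. The following Python is an added teaching example, not AWS code or the real engine: it reproduces the documented ordering (stateless rules by priority number, then the stateless default action, then the stateful engine in STRICT_ORDER or ACTION_ORDER) for 5-tuple and domain-list rules only. The Packet and rule classes, the policy dictionary layout, and the sample rules and addresses are this example's own constructions; Suricata rule parsing, connection tracking and fragment handling are deliberately left out.

```python
"""Simplified model of AWS Network Firewall rule evaluation order (added example, not AWS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "TCP"
    sni: Optional[str] = None  # TLS SNI / HTTP Host: visible without any decryption


@dataclass
class FiveTupleRule:
    action: str          # stateless: aws:pass|aws:drop|aws:forward_to_sfe; stateful: pass|drop|alert
    priority: int        # lower number = evaluated earlier
    src_cidr: str = "0.0.0.0/0"
    dst_cidr: str = "0.0.0.0/0"
    dst_port: Optional[int] = None
    proto: str = "IP"    # "IP" matches any protocol

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src_ip) in ip_network(self.src_cidr)
                and ip_address(p.dst_ip) in ip_network(self.dst_cidr)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and self.proto in ("IP", p.proto))


@dataclass
class DomainListRule:
    action: str
    priority: int
    domains: Tuple[str, ...]  # ".example.com" also covers subdomains; "example.com" is exact

    def matches(self, p: Packet) -> bool:
        if p.sni is None:
            return False
        return any(p.sni == d or (d.startswith(".") and (p.sni == d[1:] or p.sni.endswith(d)))
                   for d in self.domains)


Rule = Union[FiveTupleRule, DomainListRule]


def stateless_stage(rules: List[FiveTupleRule], p: Packet, default: str) -> str:
    """First matching stateless rule wins, lowest priority number first."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.matches(p):
            return r.action
    return default  # aws:pass, aws:drop or aws:forward_to_sfe


def stateful_stage(rules: List[Rule], p: Packet, rule_order: str, default: str) -> str:
    """Return 'pass' or 'drop'; alert-only rules never terminate evaluation."""
    if rule_order == "STRICT_ORDER":
        for r in sorted(rules, key=lambda r: r.priority):
            if r.matches(p) and r.action in ("pass", "drop"):
                return r.action
        # Unmatched flows fall to the policy default: aws:drop_strict gives deny-by-default.
        return "drop" if default == "aws:drop_strict" else "pass"
    # ACTION_ORDER: every pass rule is considered before any drop rule, and an
    # unmatched flow is allowed, so there is no deny-by-default in this mode.
    if any(r.action == "pass" and r.matches(p) for r in rules):
        return "pass"
    if any(r.action == "drop" and r.matches(p) for r in rules):
        return "drop"
    return "pass"


def evaluate(policy: dict, p: Packet) -> str:
    verdict = stateless_stage(policy["stateless_rules"], p, policy["stateless_default"])
    if verdict != "aws:forward_to_sfe":
        return verdict[len("aws:"):]  # decided without reaching the stateful engine
    return stateful_stage(policy["stateful_rules"], p,
                          policy["rule_order"], policy["stateful_default"])


# Constructed policy: drop one documentation range statelessly, forward the rest,
# then (stateful) drop SSH into the VPC, allow AWS endpoints by domain, allow
# everything else inside 10.0.0.0/8, and drop whatever remains.
STATEFUL_RULES: List[Rule] = [
    FiveTupleRule("drop", 1, dst_cidr="10.0.0.0/8", dst_port=22),
    DomainListRule("pass", 2, (".amazonaws.com",)),
    FiveTupleRule("pass", 3, dst_cidr="10.0.0.0/8"),
]
STRICT_POLICY = {
    "stateless_rules": [FiveTupleRule("aws:drop", 1, src_cidr="198.51.100.0/24")],
    "stateless_default": "aws:forward_to_sfe",
    "rule_order": "STRICT_ORDER",
    "stateful_rules": STATEFUL_RULES,
    "stateful_default": "aws:drop_strict",
}
# Same rules, but evaluated in action order (no stateful default applies).
ACTION_ORDER_POLICY = dict(STRICT_POLICY, rule_order="ACTION_ORDER", stateful_default=None)

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "10.0.1.4", 443),
                Packet("10.1.0.5", "10.0.1.4", 22),
                Packet("10.1.0.5", "52.0.0.1", 443, sni="s3.amazonaws.com"),
                Packet("10.1.0.5", "203.0.113.9", 443, sni="example.org")):
        print(pkt, "strict:", evaluate(STRICT_POLICY, pkt),
              "action_order:", evaluate(ACTION_ORDER_POLICY, pkt))
```

Running the model shows the point the exam cares about: the SSH packet to 10.0.1.4 is dropped under STRICT_ORDER (the priority-1 drop rule is reached first) but passed under ACTION_ORDER (the priority-3 pass rule is considered before any drop rule), and the packet to example.org that matches no rule is dropped only because STRICT_ORDER carries an aws:drop_strict default.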
6. Logging:
AWS Network Firewall supports three types of logs:
• Alert logs — Generated by stateful rules with an alert or drop action.
• Flow logs — Generated for all traffic flowing through the stateful engine.
• TLS logs — Generated for TLS handshake metadata.
Logs can be sent to Amazon S3, CloudWatch Logs, or Amazon Kinesis Data Firehose.
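Once alert and flow logs are flowing to CloudWatch Logs, the useful next step is something that reads them and decides what is worth escalating. The Python below is an added example, not AWS code: it parses a batch of alert log records, ignores flow (netflow) records and malformed lines, and summarises blocked events per signature and per source. The record layout (firewall_name, availability_zone, event_timestamp, and a Suricata-style event object carrying event_type, src_ip/dest_ip, alert.action and alert.signature_id) follows the published alert-log format as this author understands it; the six sample lines, the firewall name, the signature IDs and the paging threshold are all constructed for the example.

```python
"""Triage AWS Network Firewall alert log records offline (added example, not AWS code)."""
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: three blocked alerts from one source, one allowed alert
# carrying a TLS SNI, one flow (netflow) record, and one truncated line.
SAMPLE_LOG_LINES = [
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700000001","event":{"timestamp":"2023-11-14T22:13:21.000000+0000","flow_id":1,"event_type":"alert","src_ip":"203.0.113.4","src_port":51000,"dest_ip":"10.0.1.10","dest_port":22,"proto":"TCP","alert":{"action":"blocked","signature_id":5,"rev":1,"signature":"","category":"","severity":1}}}',
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700000002","event":{"timestamp":"2023-11-14T22:13:22.000000+0000","flow_id":2,"event_type":"alert","src_ip":"203.0.113.4","src_port":51001,"dest_ip":"10.0.1.10","dest_port":22,"proto":"TCP","alert":{"action":"blocked","signature_id":5,"rev":1,"signature":"","category":"","severity":1}}}',
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1b","event_timestamp":"1700000003","event":{"timestamp":"2023-11-14T22:13:23.000000+0000","flow_id":3,"event_type":"alert","src_ip":"203.0.113.4","src_port":51002,"dest_ip":"10.0.2.10","dest_port":3389,"proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"rev":1,"signature":"Inbound RDP from internet","category":"Policy","severity":2}}}',
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700000004","event":{"timestamp":"2023-11-14T22:13:24.000000+0000","flow_id":4,"event_type":"alert","src_ip":"10.0.1.10","src_port":44000,"dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","app_proto":"tls","tls":{"sni":"updates.example.net","version":"UNDETERMINED"},"alert":{"action":"allowed","signature_id":1000002,"rev":1,"signature":"Egress to non-allowlisted domain","category":"Policy","severity":3}}}',
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700000005","event":{"timestamp":"2023-11-14T22:13:25.000000+0000","flow_id":5,"event_type":"netflow","src_ip":"10.0.1.10","src_port":44001,"dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","netflow":{"pkts":12,"bytes":4096}}}',
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700000006","event":{"event_type":"alert","src_ip":"203.0.113.4"',
]


def parse_alert_records(lines) -> Tuple[List[Dict], int]:
    """Keep well-formed alert events; count malformed lines instead of failing on them."""
    alerts, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            ev = rec["event"]
            if ev.get("event_type") != "alert":   # flow (netflow) and TLS records are not alerts
                continue
            alerts.append({
                "firewall": rec["firewall_name"],
                "az": rec["availability_zone"],
                "src_ip": ev["src_ip"],
                "dst": "%s:%s" % (ev["dest_ip"], ev["dest_port"]),
                "action": ev["alert"]["action"],          # "allowed" or "blocked"
                "sid": ev["alert"]["signature_id"],
                "signature": ev["alert"].get("signature", ""),
                "sni": ev.get("tls", {}).get("sni"),     # present only for TLS flows
            })
        except (ValueError, KeyError, TypeError):
            skipped += 1
    return alerts, skipped


def summarize(alerts: List[Dict]) -> Dict:
    """Aggregate blocked events by signature and by source; list SNIs seen on allowed alerts."""
    blocked = [a for a in alerts if a["action"] == "blocked"]
    return {
        "alerts": len(alerts),
        "blocked": len(blocked),
        "blocked_by_sid": dict(Counter(a["sid"] for a in blocked)),
        "blocked_by_src": Counter(a["src_ip"] for a in blocked).most_common(3),
        "allowed_snis": sorted({a["sni"] for a in alerts if a["action"] == "allowed" and a["sni"]}),
    }


def should_page(summary: Dict, threshold: int = 3) -> bool:
    """Escalate when a single source has tripped `threshold` or more blocking rules (constructed rule)."""
    return any(count >= threshold for _, count in summary["blocked_by_src"])


if __name__ == "__main__":
    found, bad = parse_alert_records(SAMPLE_LOG_LINES)
    report = summarize(found)
    print(report, "skipped:", bad, "page:", should_page(report))
```

The same functions fit inside a Lambda invoked by a CloudWatch Logs subscription filter, with `parse_alert_records` fed the decoded log events; the tolerant parsing matters there, because one truncated or non-alert record must not stop the batch.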
7. Encryption and TLS Inspection:
AWS Network Firewall supports TLS inspection (inbound and outbound) to decrypt, inspect, and re-encrypt HTTPS traffic. This requires integration with AWS Certificate Manager (ACM) for certificates. For outbound TLS inspection, the firewall acts as a forward proxy and generates certificates signed by a CA you configure in ACM.
8. Integration with Other AWS Services:
• AWS Firewall Manager — Deploy and manage Network Firewall policies across multiple accounts centrally.
• AWS Transit Gateway — Place the Network Firewall in a centralized inspection VPC to inspect traffic between VPCs (hub-and-spoke model).
• AWS CloudFormation — Automate deployment of firewall resources.
• Amazon Route 53 Resolver DNS Firewall — Complements Network Firewall by filtering DNS queries.
Key Architecture Patterns
Distributed deployment: Deploy Network Firewall in each individual VPC. Best for independent workloads with unique security requirements.
Centralized deployment: Deploy Network Firewall in a dedicated inspection VPC attached to AWS Transit Gateway. All inter-VPC and internet-bound traffic is routed through the inspection VPC. This is the most common pattern for enterprise environments and is a frequent exam scenario.
Combined deployment: Use both distributed firewalls for specific VPCs and a centralized firewall for shared inspection.
AWS Network Firewall vs. Other Services
• Security Groups — Instance-level, stateful, no deep packet inspection, no deny rules. Use for basic instance protection.
• NACLs — Subnet-level, stateless, numbered rules with allow/deny. Use for basic subnet-level filtering.
• AWS WAF — Layer 7 (HTTP/HTTPS) web application protection. Works with CloudFront, ALB, API Gateway, and AppSync. Use for web application attacks (SQLi, XSS).
• AWS Shield — DDoS protection. Standard is automatic; Advanced provides enhanced detection and response.
• AWS Network Firewall — VPC-level, Layer 3-7 inspection, IPS/IDS, domain filtering, Suricata rules. Use when you need deep packet inspection, IPS, or sophisticated network-level filtering.
• Gateway Load Balancer — Use when deploying third-party virtual appliances (e.g., Palo Alto, Fortinet) for network inspection.
Exam Tips: Answering Questions on AWS Network Firewall
Tip 1: Know When to Choose Network Firewall
If a question mentions the need for IDS/IPS, deep packet inspection, Suricata rules, domain name filtering for non-HTTP protocols, or stateful inspection beyond what Security Groups provide, AWS Network Firewall is likely the answer.
Tip 2: Understand the Centralized Inspection VPC Pattern
Questions often describe a multi-VPC architecture using Transit Gateway and ask how to inspect all traffic centrally. The answer is to deploy Network Firewall in a dedicated inspection VPC with Transit Gateway routing all traffic through it.
Tip 3: Firewall Subnets Are Dedicated
Remember that firewall subnets should contain only the firewall endpoints. Do not place other resources (EC2, ALB, etc.) in these subnets.
Tip 4: Routing Is Critical
AWS Network Firewall does NOT work without proper routing. If the question asks about traffic not being inspected, check whether route tables are correctly configured to direct traffic through the firewall endpoints. Remember that with the introduction of VPC Ingress Routing, you can route incoming IGW traffic to the firewall endpoint.
Tip 5: Domain Filtering vs. WAF
If the question asks about filtering outbound traffic to specific domains, Network Firewall's domain list rules are the answer. If the question asks about protecting a web application from attacks like SQL injection or XSS, AWS WAF is the answer.
Tip 6: Stateless vs. Stateful Rules
Stateless rules are evaluated first and are good for high-volume, simple filtering (like blocking known bad IPs). Stateful rules provide context-aware inspection. For the exam, know that the default stateless action determines whether traffic is forwarded to the stateful engine.
Tip 7: TLS Inspection
If a question requires inspecting encrypted HTTPS traffic content at the network level, Network Firewall's TLS inspection feature is needed. Without TLS inspection, Network Firewall can only inspect the SNI field (domain name) in HTTPS traffic, not the payload.
Tip 8: Logging Destinations
Know that Network Firewall logs can go to S3, CloudWatch Logs, or Kinesis Data Firehose. If a question asks about real-time alerting on firewall findings, think CloudWatch Logs with a subscription filter or metric filter to trigger alarms or Lambda functions.
Tip 9: AWS Firewall Manager for Multi-Account
When a question involves managing Network Firewall policies across multiple AWS accounts in an Organization, AWS Firewall Manager is the answer for centralized policy management.
Tip 10: Distinguish from Gateway Load Balancer
If the scenario requires using a third-party firewall appliance (e.g., Palo Alto, Check Point, Fortinet), the answer is Gateway Load Balancer, not AWS Network Firewall. AWS Network Firewall is a native AWS managed service.
Tip 11: Strict vs. Action Order for Stateful Rules
In strict order mode, rules are evaluated by priority number, and you define a default action (drop all or pass all) for unmatched traffic — this gives you the ability to create a deny-by-default posture. In action order mode, pass rules are evaluated before drop rules. For exam questions about implementing a deny-by-default network firewall policy, strict order evaluation is the correct choice.
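A practitioner's version of this tip is a check that a deployed policy really is deny-by-default. The Python below is an added example, not AWS code: it audits a FirewallPolicy object in the shape that describe_firewall_policy returns and create_firewall_policy accepts (StatelessDefaultActions, StatelessFragmentDefaultActions, StatefulEngineOptions.RuleOrder, StatefulDefaultActions and the rule group reference lists), to the best of this author's knowledge of that API. The two sample policies are constructed, the rule group ARN is a placeholder, and the finding texts are this example's own.

```python
"""Audit an AWS Network Firewall policy for a deny-by-default posture (added example, not AWS code)."""
from typing import Dict, List


def audit_policy(policy: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the deny-by-default checks all pass."""
    findings = []
    if "aws:forward_to_sfe" not in policy.get("StatelessDefaultActions", []):
        findings.append("stateless default action does not forward unmatched packets "
                        "to the stateful engine, so stateful rules never see them")
    frag = policy.get("StatelessFragmentDefaultActions", [])
    if "aws:forward_to_sfe" not in frag and "aws:drop" not in frag:
        findings.append("fragment default action neither forwards nor drops fragments")
    options = policy.get("StatefulEngineOptions", {})
    if options.get("RuleOrder") != "STRICT_ORDER":
        findings.append("stateful engine is in ACTION_ORDER: unmatched flows are allowed, "
                        "so there is no deny-by-default")
    elif "aws:drop_strict" not in policy.get("StatefulDefaultActions", []):
        findings.append("STRICT_ORDER without aws:drop_strict: unmatched flows are not dropped")
    if not policy.get("StatefulRuleGroupReferences"):
        findings.append("no stateful rule groups attached: every forwarded flow "
                        "hits the default action only")
    return findings


# Constructed: the shape of a deny-by-default policy (ARN is a placeholder).
DENY_BY_DEFAULT = {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:drop"],
    "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
    "StatefulDefaultActions": ["aws:drop_strict"],
    "StatefulRuleGroupReferences": [
        {"ResourceArn": "arn:aws:network-firewall:REGION:ACCOUNT_ID:stateful-rulegroup/PLACEHOLDER",
         "Priority": 10},
    ],
}

# Constructed: a permissive configuration (action order, unmatched traffic passes).
PERMISSIVE = {
    "StatelessDefaultActions": ["aws:pass"],
    "StatelessFragmentDefaultActions": ["aws:pass"],
    "StatefulEngineOptions": {"RuleOrder": "ACTION_ORDER"},
    "StatefulRuleGroupReferences": [],
}

if __name__ == "__main__":
    for name, pol in (("deny-by-default", DENY_BY_DEFAULT), ("permissive", PERMISSIVE)):
        print(name, audit_policy(pol) or ["OK"])
```

Feeding the function the FirewallPolicy member of a describe_firewall_policy response turns the exam rule of thumb (strict order plus aws:drop_strict) into a repeatable check across every policy in an account.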
Tip 12: Availability and Scaling
AWS Network Firewall automatically scales with traffic and provides multi-AZ redundancy when deployed across multiple AZs. You do not need to manage instances or scaling policies. If a question asks about a highly available firewall solution that doesn't require managing appliances, Network Firewall is the answer.
Summary
AWS Network Firewall is a powerful, managed network security service that provides stateful inspection, IDS/IPS, domain filtering, and deep packet inspection for VPC traffic. For the AWS Security Specialty exam, focus on understanding when to use it versus other services, how to architect centralized and distributed deployments, the importance of proper routing, and how to configure stateless and stateful rule groups. Mastering these concepts will prepare you to confidently answer any exam question related to AWS Network Firewall.