AWS Network Firewall is a managed, stateful firewall and intrusion prevention service for your Amazon Virtual Private Cloud (VPC). You deploy it into dedicated firewall subnets, route traffic through its endpoints, and control what passes with rules that match on IP addresses, ports and protocols or, in stateful rules, on application-layer content using Suricata-compatible signatures.
Let’s see it in action. Imagine you want to block all incoming SSH traffic (port 22) from a known malicious IP address, 192.0.2.10.
First, look at the Network Firewall policy. A policy is a collection of rule group references plus the default actions for traffic that no rule matches. The policy refers to the rule group by ARN, so in practice the rule group from the next step has to exist before this call succeeds. This is the request body for aws network-firewall create-firewall-policy (the region, account ID and names are placeholders):
{
  "FirewallPolicyName": "MyFirewallPolicy",
  "FirewallPolicy": {
    "StatelessRuleGroupReferences": [],
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
    "StatefulEngineOptions": { "RuleOrder": "STRICT_ORDER" },
    "StatefulRuleGroupReferences": [
      {
        "ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/MyMaliciousIPBlocker",
        "Priority": 10
      }
    ]
  }
}
Two things here are easy to get wrong. StatelessDefaultActions and StatelessFragmentDefaultActions are required: aws:forward_to_sfe hands everything the stateless stage did not decide on to the stateful engine, which is what you want when your rules live in stateful groups. And Priority on a stateful rule group reference is only honoured when StatefulEngineOptions sets RuleOrder to STRICT_ORDER; without that, the stateful engine ignores group priorities and orders rules by action instead.
Next, the stateful rule group itself. Stateful rules are the more powerful kind because the engine tracks connection state and can inspect payload; Network Firewall writes them in Suricata-compatible syntax. The request body for aws network-firewall create-rule-group:
{
  "RuleGroupName": "MyMaliciousIPBlocker",
  "Type": "STATEFUL",
  "Capacity": 100,
  "RuleGroup": {
    "RulesSource": {
      "RulesString": "drop tcp 192.0.2.10 any -> any 22 (msg:\"Block known malicious IP to SSH\"; sid:1000001; rev:1;)"
    }
  }
}
In this RulesString, the header follows the fixed Suricata layout of action, protocol, source address, source port, direction, destination address, destination port, and then the options in parentheses:
drop: the action taken when the rule matches. The packet is discarded and, if alert logging is enabled, an alert entry is written.
tcp: the protocol.
192.0.2.10: the source address to block. A list would be written in brackets, for example [192.0.2.10,192.0.2.11].
any: any source port.
->: the direction of the match, from source to destination.
any: any destination address. You could narrow this to your VPC ranges.
22: the destination port (SSH).
msg:"Block known malicious IP to SSH": the description recorded in the alert log.
sid:1000001: the rule's unique identifier. Network Firewall requires a sid on every rule, and it must be unique within the rule group.
rev:1: the revision number of the rule.
A frequent mistake is to write the ports in the address slots, as in "-> [22] any". The engine then reads [22] as a destination address and "any" as the port, so the rule silently never matches SSH.
Finally, you create the firewall: a firewall resource binds this policy to your VPC and to one dedicated subnet per Availability Zone, and Network Firewall places an endpoint in each of those subnets. The policy does nothing on its own; traffic is inspected only after you update your route tables (the workload subnets' routes and, for inbound traffic, the internet gateway's ingress route table) so that it passes through those endpoints.
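The three steps above, as an added example (not code from the original page or from AWS): a small Python module that assembles the request bodies in the order the API needs them, and checks the Suricata rule header before anything is sent, so it runs offline. The names MyPolicy and MyFirewall, the account ID 123456789012, the region and the VPC/subnet IDs are placeholders; the deploy function expects a boto3 "network-firewall" client and is the only part that needs credentials.

```python
"""Build the AWS Network Firewall requests for the SSH-block example.

Added example, not from the page or AWS. Pure Python: it assembles the
request bodies and validates the Suricata rule header, so it runs offline.
Placeholders: MyPolicy, MyFirewall, account 123456789012, vpc/subnet IDs.
"""
import json
import re

# Suricata header: action proto src_ip src_port direction dst_ip dst_port (options)
# Address lists are assumed to be written without spaces, e.g. [192.0.2.10,192.0.2.11].
HEADER_RE = re.compile(
    r"^(?P<action>pass|drop|reject|alert)\s+(?P<proto>[a-z0-9]+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)
IPV4 = re.compile(r"!?\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?")  # IPv4 only, for brevity
PORT = re.compile(r"!?(\d+(:\d*)?|:\d+)")                 # 22, 1024:, :1023, 1000:2000


def _is_spec(token: str, pattern: re.Pattern) -> bool:
    """'any', a $VARIABLE, a single value or a [bracketed,list] of values matching pattern."""
    if token == "any" or token.startswith("$"):
        return True
    body = token.lstrip("!")
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    return all(pattern.fullmatch(part) for part in body.split(","))


def parse_rule(rule: str) -> dict:
    """Split a Suricata rule into header fields and an options dict, or raise ValueError."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a Suricata rule: {rule!r}")
    fields = m.groupdict()
    # The classic slip is swapping address and port slots ("-> [22] any"): the engine
    # reads [22] as a destination *address*, so the rule never matches SSH. Catch it here.
    for slot in ("src_ip", "dst_ip"):
        if not _is_spec(fields[slot], IPV4):
            raise ValueError(f"{slot} {fields[slot]!r} is not an address specification")
    for slot in ("src_port", "dst_port"):
        if not _is_spec(fields[slot], PORT):
            raise ValueError(f"{slot} {fields[slot]!r} is not a port specification")
    options = {}
    for item in fields.pop("options").split(";"):
        key, _, value = item.strip().partition(":")
        if key:
            options[key] = value.strip().strip('"')
    if not options.get("sid", "").isdigit():
        raise ValueError("every Network Firewall rule needs a numeric sid")
    fields["options"] = options
    return fields


def rejects(rule: str) -> bool:
    """True when parse_rule refuses the rule."""
    try:
        parse_rule(rule)
        return False
    except ValueError:
        return True


def ssh_block_rule(src_ip: str, sid: int) -> str:
    """The page's drop rule; flow:to_server pins it to the client-to-server direction."""
    rule = (f"drop tcp {src_ip} any -> any 22 "
            f'(msg:"Block known malicious IP to SSH"; flow:to_server; sid:{sid}; rev:1;)')
    parse_rule(rule)  # fail here, not after the API call
    return rule


def rule_group_request(name: str, rules: str, capacity: int = 100) -> dict:
    """Body for create_rule_group."""
    return {"RuleGroupName": name, "Type": "STATEFUL", "Capacity": capacity,
            "RuleGroup": {"RulesSource": {"RulesString": rules}}}


def firewall_policy_request(name: str, rule_group_arn: str, priority: int = 10) -> dict:
    """Body for create_firewall_policy. Priority only counts under STRICT_ORDER, so set it.
    StatefulDefaultActions is left unset: this is a block-list, unmatched traffic is allowed."""
    return {"FirewallPolicyName": name, "FirewallPolicy": {
        "StatelessRuleGroupReferences": [],
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulRuleGroupReferences": [{"ResourceArn": rule_group_arn, "Priority": priority}],
    }}


def firewall_request(name: str, policy_arn: str, vpc_id: str, subnet_ids: list) -> dict:
    """Body for create_firewall: one endpoint per listed (dedicated) firewall subnet."""
    return {"FirewallName": name, "FirewallPolicyArn": policy_arn, "VpcId": vpc_id,
            "SubnetMappings": [{"SubnetId": s} for s in subnet_ids]}


def deploy(client, vpc_id: str, subnet_ids: list, bad_ip: str = "192.0.2.10") -> dict:
    """Create rule group, policy and firewall in dependency order with a boto3 client.
    Needs credentials, so it is not called below. Route tables still have to point at
    the resulting endpoints before a single packet is inspected."""
    rg = client.create_rule_group(**rule_group_request(
        "MyMaliciousIPBlocker", ssh_block_rule(bad_ip, 1000001)))
    pol = client.create_firewall_policy(**firewall_policy_request(
        "MyPolicy", rg["RuleGroupResponse"]["RuleGroupArn"]))
    fw = client.create_firewall(**firewall_request(
        "MyFirewall", pol["FirewallPolicyResponse"]["FirewallPolicyArn"], vpc_id, subnet_ids))
    return fw["FirewallStatus"]


if __name__ == "__main__":
    rule = ssh_block_rule("192.0.2.10", 1000001)
    print(json.dumps(rule_group_request("MyMaliciousIPBlocker", rule), indent=2))
    arn = "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/MyMaliciousIPBlocker"
    print(json.dumps(firewall_policy_request("MyPolicy", arn), indent=2))
    print("swapped-slot header rejected:",
          rejects('drop tcp [192.0.2.10] any -> [22] any (msg:"x"; sid:1; rev:1;)'))
```

The validator is deliberately stricter than Suricata (IPv4 only, no spaces inside lists) because its job is to fail fast on the slot-swap mistake before a CreateRuleGroup call; run the real rule string through the AWS console's rule editor or a local Suricata if you need full syntax coverage.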
The mental model is that Network Firewall is a hop you insert into the path: it sits in its own subnets inside the VPC and sees only the traffic your route tables steer through its endpoints. Stateful rules understand the context of a connection. Once a flow from the malicious IP is identified, the rule applies to the whole conversation, not just the packet that first matched. Stateless rules filter on packet headers alone, which is faster and suits broad allow/deny lists, but each packet is judged on its own, so the two directions of a connection have to be covered by separate rules.
You control the system through Firewall Policies, which reference Rule Groups. Rule Groups are either Stateful or Stateless: stateful groups hold Suricata-style rules whose evaluation uses connection state, while stateless groups hold simple header-match rules evaluated per packet. Within a group each rule has an action (pass, drop, reject or alert for stateful rules; pass, drop or forward to the stateful engine for stateless rules) and its match criteria. The Priority on a stateful rule group reference orders the stateful groups only when the policy's StatefulEngineOptions set RuleOrder to STRICT_ORDER; under the default action-order mode, all pass rules are evaluated first, then drop, then reject, then alert, regardless of which group they sit in.
A common point of confusion is the difference between stateless and stateful rule groups. Stateless rule groups run first, in the order of their Priority in the policy, and within a group rules are tried in their own priority order; the first matching rule decides (pass, drop, or forward the packet to the stateful engine), and a packet that matches nothing gets the policy's stateless default action, usually aws:forward_to_sfe. Because they see each packet on its own, stateless rules cannot read payload and cannot tell a reply from a new connection. Stateful rules run on whatever the stateless stage forwards to them: they can inspect the payload and track connection state, and their order of evaluation is governed by the policy's RuleOrder setting rather than by the order in which they appear in the rules string.
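To make the stateless/stateful distinction concrete, here is an added toy model (not from the original page, and not how AWS implements either engine) run over constructed packets. It keeps exactly the two behaviours described above: a stateless rule sees one packet at a time and matches only the header it names, so an allow-list must spell out the return direction; a stateful engine keys its verdict to the connection, so the reply of an allowed flow is allowed without a second rule. All addresses, ports and rules are made up for the example.

```python
"""Toy stateless vs stateful evaluation over constructed packets.

Added example, not from the page and not AWS's engine. Flow tracking is
reduced to "the first packet of a connection picks the verdict for both
directions"; that is enough to show why stateless allow-lists need (and
are weakened by) return-direction rules.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "drop"
    src_ip: str = "any"
    src_port: str = "any"
    dst_ip: str = "any"
    dst_port: str = "any"

    def matches(self, p: Packet) -> bool:
        return (self.src_ip in ("any", p.src_ip)
                and self.dst_ip in ("any", p.dst_ip)
                and self.src_port in ("any", str(p.src_port))
                and self.dst_port in ("any", str(p.dst_port)))


def first_match(rules, p: Packet, default: str) -> str:
    return next((r.action for r in rules if r.matches(p)), default)


def stateless(rules, packets, default: str = "drop") -> list:
    """Each packet judged alone; first matching rule wins; otherwise the default action."""
    return [first_match(rules, p, default) for p in packets]


def stateful(rules, packets, default: str = "drop") -> list:
    """First packet of a flow picks the verdict; later packets in either direction inherit it."""
    flows, verdicts = {}, []
    for p in packets:
        key = frozenset([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])  # direction-independent
        if key not in flows:
            flows[key] = first_match(rules, p, default)
        verdicts.append(flows[key])
    return verdicts


# Constructed traffic: an outbound HTTPS request and its reply, the page's malicious
# address trying SSH (and the reply it would get), and that same host probing port 22
# while *sourcing* from 443 to slip past a return-traffic rule.
HTTPS_OUT = Packet("10.0.1.5", 51000, "203.0.113.7", 443)
HTTPS_BACK = Packet("203.0.113.7", 443, "10.0.1.5", 51000)
SSH_IN = Packet("192.0.2.10", 40000, "10.0.1.5", 22)
SSH_BACK = Packet("10.0.1.5", 22, "192.0.2.10", 40000)
PROBE = Packet("192.0.2.10", 443, "10.0.1.5", 22)
PACKETS = [HTTPS_OUT, HTTPS_BACK, SSH_IN, SSH_BACK, PROBE]

ALLOW_443 = Rule("pass", dst_port="443")
# The return-leg rule a stateless allow-list needs, and what it costs: any peer that
# sources from port 443 now passes, whatever it is really doing.
ALLOW_443_REPLIES = Rule("pass", src_port="443")
BLOCK_SSH_FROM_BAD_IP = Rule("drop", src_ip="192.0.2.10", dst_port="22")


def demo() -> dict:
    return {
        "stateless_one_way": stateless([ALLOW_443, BLOCK_SSH_FROM_BAD_IP], PACKETS),
        "stateless_both_ways": stateless([ALLOW_443, ALLOW_443_REPLIES, BLOCK_SSH_FROM_BAD_IP], PACKETS),
        "stateful": stateful([ALLOW_443, BLOCK_SSH_FROM_BAD_IP], PACKETS),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:20} {verdicts}")
```

Reading the three rows side by side: the one-way stateless list drops the legitimate HTTPS reply; adding the return rule fixes that but lets the port-443-sourced probe through, because stateless first-match has no notion of who opened the connection; the stateful list passes the reply and drops the probe with the same two rules, which is why the page's block rule is a stateful rule and why the real service's stateless default is normally aws:forward_to_sfe rather than a pass.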
You’ll next want to explore how to configure Network Firewall logging to analyze the traffic that’s being dropped or allowed.