AWS Network Firewall & Traffic Inspection – IDS/IPS, TLS & GWLB

AWS Network Firewall & Traffic Inspection — Overview

Network Firewall covers the “infrastructure security” domain of SCS-C03 (18% of exam). Questions test deep packet inspection, North-South vs East-West traffic patterns, centralized firewall deployment with Transit Gateway, and integration with third-party IDS/IPS tools via Traffic Mirroring.

Centralized Inspection Architecture (Transit Gateway)
Spoke VPC A
(Workload)
Spoke VPC B
(Workload)
Spoke VPC C
(Workload)
↕ ↕ ↕
Transit Gateway
Route tables route ALL traffic through Inspection VPC before reaching destination
Inspection VPC (Network Firewall)
Stateful Rules
IDS/IPS signatures
Domain filtering
Protocol detection
Stateless Rules
IP allow/deny
Port filtering
Protocol matching
TLS Inspection
Decrypt → inspect → re-encrypt
ACM certificate
Exempt trusted domains
Internet Gateway
(North-South)
On-Premises
(VPN/DX)

AWS Network Firewall — Features

Feature Details
Stateless rules Evaluated first. Match on IP, port, protocol. Actions: pass, drop, forward to stateful engine. Like NACLs but more powerful.
Stateful rules Deep packet inspection. Suricata-compatible IDS/IPS signatures. Domain list filtering. Protocol detection (HTTP, TLS, DNS).
TLS inspection Decrypt HTTPS traffic, inspect, re-encrypt. Uses ACM certificate. Can exempt specific domains (banking, healthcare).
Domain filtering Allow/deny traffic to specific domains (e.g., allow only *.amazonaws.com). Works with HTTP Host header or TLS SNI.
Managed rule groups AWS-managed threat intelligence feeds. Block known malicious IPs/domains automatically.
Logging Flow logs + alert logs → S3, CloudWatch, Kinesis Firehose. See which rules matched.

North-South vs East-West Traffic

Direction Definition Inspection Options
North-South Traffic entering/leaving VPC (internet, on-premises) Network Firewall in Inspection VPC, WAF on ALB/CloudFront, Security Groups
East-West Traffic between VPCs, between subnets, between services Network Firewall via TGW routing, Security Groups, VPC Lattice service policies

Deployment Patterns

Pattern 1: Centralized Inspection (TGW)

  • Single Inspection VPC with Network Firewall
  • TGW route tables force ALL inter-VPC and internet-bound traffic through the Inspection VPC
  • Best for: Multi-account environments needing consistent inspection
  • Managed by: Central security team via Firewall Manager

Pattern 2: Distributed (Per-VPC)

  • Network Firewall endpoints in each VPC
  • VPC route tables direct traffic through firewall endpoints
  • Best for: Single-account or when latency-sensitive (avoids TGW hop)

Pattern 3: Gateway Load Balancer (Third-Party)

  • GWLB distributes traffic to third-party firewall appliances (Palo Alto, Fortinet, Check Point)
  • Transparent inspection — traffic flows through appliance without source IP change
  • Best for: Organizations with existing third-party IDS/IPS investments

VPC Traffic Mirroring

  • What: Copy network traffic from ENIs to monitoring targets (out-of-band inspection)
  • Use case: IDS/IPS that needs to see raw packets but shouldn’t be inline (passive monitoring)
  • Targets: NLB (distributes mirrored traffic to monitoring fleet) or another ENI
  • Filters: Mirror only specific traffic (source/dest IPs, ports, protocols)
  • Limitation: Not supported on all instance types (requires Nitro). Additional network bandwidth cost.
  • Exam note: “Passive inspection without affecting traffic flow” → Traffic Mirroring. “Inline inspection” → Network Firewall or GWLB.

Network Firewall vs Security Groups vs NACLs vs WAF

Control Layer Inspection Depth Use
Security Groups Instance (ENI) IP/Port only (stateful) Per-instance access control
NACLs Subnet IP/Port only (stateless) Subnet-level deny rules
Network Firewall VPC Deep packet (L3-L7, IDS/IPS, domain, TLS) Centralized inspection, compliance
WAF Application (L7) HTTP request inspection (headers, body, URI) Web application protection (SQLi, XSS)

Exam Tips

Exam Key Points
SCS-C03 “Deep packet inspection” → Network Firewall (stateful rules). “Domain filtering” → Network Firewall (allow list). “IDS/IPS signatures” → Network Firewall (Suricata rules). “Third-party firewall appliance” → Gateway Load Balancer. “Passive monitoring without inline” → VPC Traffic Mirroring. “Inspect encrypted traffic” → Network Firewall TLS inspection. “Centralized inspection across VPCs” → TGW + Inspection VPC pattern.

AWS Certification Exam Practice Questions

Question 1:

A company needs to inspect all traffic between VPCs (East-West) for malicious patterns using IDS/IPS signatures. They have 20 spoke VPCs connected via Transit Gateway. Which architecture provides centralized inspection?

  1. Deploy Network Firewall in each spoke VPC
  2. Create a dedicated Inspection VPC with Network Firewall, configure TGW route tables to route all inter-VPC traffic through it
  3. Use Security Groups with deny rules between VPCs
  4. Enable VPC Flow Logs and analyze with GuardDuty
Show Answer

Answer: B — The centralized inspection pattern: Inspection VPC hosts Network Firewall with IDS/IPS rules. TGW route tables direct all inter-VPC traffic through the Inspection VPC before reaching the destination. This provides single-pane management and consistent policy. Per-VPC deployment (A) is costly and hard to manage at 20 VPCs. Security Groups (C) can’t do deep packet inspection. GuardDuty (D) detects threats but doesn’t inspect inline traffic.

Question 2:

A security team needs to allow EC2 instances to access only specific approved domains (e.g., *.github.com, *.amazonaws.com) and block all other outbound internet traffic. Which service provides this domain-based filtering?

  1. Security Groups with domain names in rules
  2. AWS Network Firewall with stateful domain list rules
  3. Route 53 Resolver DNS Firewall with block rules
  4. NACLs with domain-based rules
Show Answer

Answer: B — Network Firewall stateful rules can filter by domain (using HTTP Host header for HTTP or TLS SNI for HTTPS). You create an allow list of approved domains and set default action to drop. Security Groups (A) and NACLs (D) only work with IPs, not domains. DNS Firewall (C) blocks DNS resolution but doesn’t prevent direct IP access — the instance could bypass it by using IP addresses directly.

Question 3:

A company uses third-party Palo Alto firewall appliances for deep inspection. They want to route VPC traffic through these appliances transparently without changing source/destination IPs. Which AWS service enables this?

  1. Network Load Balancer in front of firewall instances
  2. Gateway Load Balancer (GWLB) with GENEVE encapsulation
  3. ALB with forwarding rules to firewall targets
  4. Transit Gateway with static routes to firewall instances
Show Answer

Answer: B — Gateway Load Balancer uses GENEVE encapsulation to transparently insert third-party appliances into the traffic path. Traffic flows through the appliance with original source/destination IPs preserved (bumps-in-the-wire). GWLB handles scaling, HA, and load distribution across appliance fleet. NLB (A) would change the destination IP. TGW (D) requires complex routing and doesn’t provide appliance load balancing.

Question 4:

A security team needs to passively monitor network traffic on specific EC2 instances for forensic analysis without affecting application performance or traffic flow. Which approach achieves this?

  1. Deploy Network Firewall inline with alerting-only mode
  2. Configure VPC Traffic Mirroring from the instance ENIs to a monitoring NLB target
  3. Enable enhanced VPC Flow Logs with packet capture
  4. Install tcpdump on each instance and send to S3
Show Answer

Answer: B — VPC Traffic Mirroring copies network packets (out-of-band) to a monitoring target without affecting the original traffic flow or adding latency. NLB distributes mirrored traffic to a fleet of monitoring/IDS tools. VPC Flow Logs (C) capture metadata only (IPs, ports), not packet content. Network Firewall (A) is inline (adds latency). tcpdump (D) consumes instance resources and doesn’t scale.

Question 5:

A company’s compliance requires inspecting HTTPS traffic for data exfiltration. They need to decrypt outbound TLS, inspect the content, then re-encrypt before forwarding. Certain financial and healthcare domains must be exempted from inspection. Which solution provides this?

  1. CloudFront with Lambda@Edge inspecting request bodies
  2. AWS Network Firewall with TLS inspection policy and domain exception list
  3. WAF with body inspection rules on all outbound traffic
  4. Install proxy servers (Squid) on EC2 instances with SSL bump
Show Answer

Answer: B — Network Firewall TLS inspection decrypts outbound HTTPS traffic using an ACM certificate, inspects the decrypted content with stateful rules, then re-encrypts before forwarding. You can configure exception domains (bypass inspection for banking/healthcare). This is the managed AWS solution for TLS inspection. WAF (C) only works on inbound HTTP at ALB/CloudFront, not outbound. Squid (D) works but is self-managed overhead.

Related Posts

References

Frequently Asked Questions

Network Firewall vs WAF — when to use which?

Network Firewall: Inspects all network traffic (any protocol, any direction). Works at VPC level. Use for IDS/IPS, domain filtering, TLS inspection, East-West traffic. WAF: Inspects HTTP/HTTPS requests only. Works at ALB/CloudFront/API Gateway. Use for web application attacks (SQLi, XSS, bot control). Most architectures need both: WAF for web-layer protection, Network Firewall for network-layer inspection.

What is Gateway Load Balancer used for?

GWLB transparently inserts third-party network appliances (Palo Alto, Fortinet, Check Point) into your traffic path. It handles scaling, HA, and traffic distribution across appliance fleet. Traffic passes through appliances with original source/destination IPs preserved (GENEVE encapsulation). Use when you have existing third-party security tools or need features not available in AWS Network Firewall.

Can Network Firewall inspect encrypted (HTTPS) traffic?

Yes — Network Firewall supports TLS inspection. It decrypts traffic using an ACM certificate, inspects the decrypted content with your stateful rules, then re-encrypts before forwarding. You can exempt specific domains from inspection (compliance requirement for financial/healthcare traffic). Without TLS inspection, Network Firewall can still filter by TLS SNI (domain name) but cannot inspect the encrypted payload.

Posted in Uncategorised

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.