AWS Network Firewall

• AWS Network Firewall is stateful, fully managed, network firewall and intrusion detection and prevention service (IDS/IPS) for VPCs.
• Network Firewall scales automatically with the network traffic, without the need for deploying and managing any infrastructure.
• AWS Network Firewall
  • can filter traffic at the perimeter of the VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect.
  • protects the subnets within the VPC by filtering traffic going between the subnets and locations outside of the VPC
  • flexible rules engine allows defining firewall rules that give fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity.
  • supports importing rules already written in common open source rule formats as well as enables integrations with managed intelligence feeds sourced by AWS partners.
  • works together with AWS Firewall Manager to build policies based on AWS Network Firewall rules and then centrally apply those policies across the VPCs and accounts.
  • helps provide protection from common network threats.
  • can incorporate context from traffic flows, like tracking connections and protocol identification, to enforce policies such as preventing the VPCs from accessing domains using an unauthorized protocol.
  • supports intrusion prevention system (IPS) to provide active traffic flow inspection to help identify and block vulnerability exploits using signature-based detection.
  • uses the open source intrusion prevention system (IPS), Suricata, for stateful inspection and supports Suricata compatible rules.
  • supports web filtering that can stop traffic to known bad URLs and monitor fully qualified domain names.

AWS Network Firewall Latest Features (2024-2026)

Transit Gateway Native Attachment (May 2026)

• AWS Network Firewall now supports native attachment to AWS Transit Gateway, eliminating the need for a dedicated inspection VPC.
• Instead of creating an inspection VPC with firewall subnets and managing routing, the firewall attaches directly to Transit Gateway. AWS deploys firewall endpoints into an AWS-managed VPC on your behalf.
• Benefits include:
  • Flexible cost allocation — Use Transit Gateway metering policies to charge back account owners for traffic sent through the centralized firewall.
  • Reduced architectural complexity — Eliminates the inspection VPC and its associated routing tables and subnets.
  • Simplified centralized deployment — Firewall appears as a Transit Gateway network function attachment for traffic routing.
• Note: Transit Gateway encryption is not currently supported with native attachment.

TLS Inspection (Advanced Inspection)

• AWS Network Firewall supports TLS inspection capabilities through the Advanced Inspection feature.
• Enables decryption and re-encryption of HTTPS traffic for deep packet inspection of encrypted data.
• Helps mitigate filter bypass attempts and identify security risks in encrypted traffic.
• Supports both inbound and outbound TLS inspection configurations.
• Requires ACM certificates for inbound traffic and ACM Private CA for outbound traffic.
• Pricing Update (February 2026): AWS removed additional data processing charges for Advanced Inspection, making TLS inspection more cost-effective.

Web Category-Based Filtering (January 2026)

• New capability for URL and Domain Category filtering using predefined content categories.
• Enables identification and control of access to:
  • Generative AI (GenAI) services
  • Social media platforms
  • Streaming sites
  • Other web categories
• Simplifies governance and compliance by allowing category-based rules instead of maintaining extensive URL lists.
• Works with Suricata compatible rule strings and standard Network Firewall stateful rule groups.
• When combined with TLS inspection, provides granular control over full URL path inspection.

Amazon EventBridge Integration (February 2026)

• AWS Network Firewall integrates with Amazon EventBridge for real-time notifications on firewall state changes and configuration updates.
• Monitors critical firewall operations including configuration updates and endpoint status modifications.
• Provides visibility into changes affecting AWS Managed Rules, Partner Managed Rules, and firewall configurations.
• Enables automated workflows such as:
  • Notifications through Amazon SNS
  • Ticket creation in ITSM systems
  • Integration with third-party SIEM solutions

Enhanced Managed Rules from AWS Marketplace Partners (April-June 2026)

• Expanded managed rule group capabilities supporting up to 10 million domain name indicators and up to 1 million IP addresses per rule group.
• Available from partners including Check Point, Fortinet, Infoblox, Lumen, Rapid7, ThreatSTOP, Trend Micro, and VisionHeight.
• New rule groups (June 2026):
  • VisionHeight Zero-Day Threat Protection — Proactively blocks malicious IP infrastructure before it appears on public blocklists.
  • VisionHeight Tor and Scanner Protection — Blocks Tor exit nodes and high-volume scanners, reducing SOC alert volume and SIEM ingestion costs.
• Partner enhancements (April 2026):
  • Infoblox — Expanded domain name indicators for critical/high-risk domains.
  • Lumen — New rule groups to stop command and control attacks.
  • ThreatSTOP — OFAC sanctions compliance plus EU, Japan, and UN sanction coverage.
• Managed rules now available in 9 additional regions including Jakarta, Hyderabad, Melbourne, Malaysia, Calgary, Zurich, Spain, Tel Aviv, and Mexico Central.

Default Drop Action Update (June 2026)

• New default stateful action for newly created firewall policies changed to “Application drop established (server-directed only)”.
• Replaces previous default of “Application drop established (bidirectional)” which could silently drop legitimate server-to-client TCP packets (window updates, keep-alives, resets).
• Resolves intermittent connection failures that were difficult to diagnose.
• Existing firewalls are not affected — change applies only to newly created policies.
• Note: If using post-quantum cryptography (PQC) fragmented TLS handshakes, consult documentation before switching existing policies.

Enhanced Integration with VPC Lattice

• AWS Network Firewall works in combination with Amazon VPC Lattice for comprehensive security architecture.
• VPC Lattice provides identity-based access controls for HTTP/HTTPS service-to-service communication.
• Combined approach allows:
  • Deep packet inspection via Network Firewall for traffic requiring malware detection and IPS/IDS
  • Identity-based routing via VPC Lattice for HTTP/HTTPS communications
  • Cost optimization by reducing Network Firewall processing for non-critical traffic

Pricing Improvements (February 2026)

• NAT Gateway Discounts Extended: Hourly and data processing discounts now apply to both primary and secondary Network Firewall endpoints when service-chained with NAT Gateways.
• Advanced Inspection Cost Reduction: Removed additional data processing charges ($0.001/GB to $0.009/GB) for TLS inspection in 13 AWS regions.
• Multiple VPC Endpoint Support: Connect up to 50 VPCs per Availability Zone to a single Network Firewall, reducing operational complexity and costs.

Regional Expansion

• AWS European Sovereign Cloud (March 2026): Network Firewall now available for customers with strict EU data sovereignty requirements.
• Ensures all data and operations remain within EU borders under EU-based control.

AWS Network Firewall Components

AWS Network Firewall vs Gateway Load Balancer

AWS Certification Exam Practice Questions

• Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
• AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
• AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
• Open to further feedback, discussion and correction.

1. A company needs to inspect encrypted HTTPS traffic for malware detection in their VPC. Which AWS Network Firewall feature should they implement?
   • A. Stateful rule groups with domain filtering
   • B. Advanced Inspection with TLS inspection
   • C. Stateless rules with 5-tuple matching
   • D. URL category filtering

   Answer: B
   Advanced Inspection with TLS inspection enables decryption and re-encryption of HTTPS traffic for deep packet inspection of encrypted data, allowing malware detection in encrypted traffic.

2. An organization wants to block access to social media and streaming platforms across their AWS environment. Which Network Firewall feature provides the most efficient solution?
   • A. Creating individual domain-based stateful rules for each platform
   • B. Using URL category-based filtering with predefined categories
   • C. Implementing custom Suricata rules for each service
   • D. Configuring stateless rules with IP address ranges

   Answer: B
   URL category-based filtering allows blocking entire categories like social media and streaming platforms using predefined categories, which is more efficient than maintaining individual rules.
3. A company has 40 VPCs that need firewall protection. What is the most cost-effective approach using AWS Network Firewall?
   • A. Deploy a separate Network Firewall in each VPC
   • B. Use a single Network Firewall with multiple VPC endpoints (up to 50 per AZ)
   • C. Implement AWS WAF for all VPCs
   • D. Use VPC security groups only

   Answer: B
   Network Firewall supports connecting up to 50 VPCs per Availability Zone to a single firewall instance, reducing operational complexity and costs compared to individual firewalls.
4. Which combination provides the most comprehensive and cost-effective security architecture for service-to-service communication?
   • A. AWS Network Firewall only for all traffic
   • B. Amazon VPC Lattice only for all communications
   • C. AWS Network Firewall for deep packet inspection and VPC Lattice for HTTP/HTTPS identity-based controls
   • D. AWS WAF and Application Load Balancer

   Answer: C
   The combined approach uses Network Firewall for traffic requiring deep packet inspection and VPC Lattice for HTTP/HTTPS service communications with identity-based controls, optimizing both security and cost.
5. A financial institution needs to control access to GenAI services while maintaining compliance. Which AWS Network Firewall feature is most appropriate?
   • A. Stateless rules with port-based filtering
   • B. Traditional domain-based stateful rules
   • C. URL category filtering with GenAI category controls
   • D. IPS/IDS signature-based detection only

   Answer: C
   URL category filtering includes predefined GenAI categories, allowing institutions to easily control access to AI services while meeting compliance requirements.

6. A company wants to simplify their centralized inspection architecture and enable cost allocation to individual teams. Which Network Firewall deployment option should they choose?
   • A. Deploy Network Firewall in a dedicated inspection VPC with Transit Gateway routing
   • B. Use Transit Gateway native attachment for Network Firewall
   • C. Deploy Network Firewall endpoints in each spoke VPC
   • D. Use AWS WAF with Transit Gateway

   Answer: B
   Transit Gateway native attachment eliminates the need for a dedicated inspection VPC and enables flexible cost allocation through Transit Gateway metering policies, allowing charge-back to account owners.

7. A security team needs to be notified immediately when their Network Firewall configuration changes or endpoints go down. Which integration should they configure?
   • A. Amazon CloudWatch alarms on firewall metrics
   • B. Amazon EventBridge rules for Network Firewall state changes
   • C. AWS CloudTrail event monitoring
   • D. VPC Flow Logs analysis

   Answer: B
   Network Firewall integrates with Amazon EventBridge to provide real-time notifications for firewall state changes and configuration updates, enabling automated notification workflows.

8. An organization experiences intermittent connection failures after deploying Network Firewall. Investigation shows legitimate TCP keep-alive and window update packets are being dropped. What is the most likely cause and solution?
   • A. Stateless rules are blocking TCP traffic — add pass rules for TCP control packets
   • B. The firewall policy uses “Application drop established (bidirectional)” — switch to “Application drop established (server-directed only)”
   • C. TLS inspection is dropping non-HTTPS traffic — disable Advanced Inspection
   • D. Suricata rules have incorrect protocol matching — update rule signatures

   Answer: B
   The bidirectional drop action can silently drop legitimate server-to-client TCP packets such as window updates, keep-alives, and resets. Switching to server-directed only (now the default for new policies since June 2026) resolves this issue.

References

• AWS Network Firewall
• AWS Network Firewall Deployment Models
• URL and Domain Category Filtering Documentation
• AWS Network Firewall Price Reductions (February 2026)
• Web Category-Based Filtering (January 2026)
• Transit Gateway Native Attachment (May 2026)
• EventBridge Integration (February 2026)
• Default Drop Action Update (June 2026)
• VisionHeight Managed Rules (June 2026)
• Combining VPC Lattice with Network Firewall