What is AWS Network Firewall?
AWS Network Firewall is a managed, stateful network firewall and intrusion detection and prevention service (IDS/IPS) for your Virtual Private Cloud (VPC). It enables you to inspect traffic at scale.
Key Concepts
1. Stateful Inspection
- Tracks the state of network connections (unlike stateless NACLs, which evaluate each packet on its own).
- Can block traffic based on protocols, IP addresses, and domain names.
2. Intrusion Prevention (IPS)
- Active traffic inspection to identify and block vulnerability exploits.
3. Domain Filtering
- Allow or deny traffic to specific web domains (e.g., deny *.example.com).
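The domain-filtering and IPS concepts above map onto two kinds of stateful rule group. The following is an added example, not part of the original notes, that builds the request bodies for both: a domain-list rule group that denies `*.example.com` (the API spells the "match this domain and all subdomains" target as `.example.com`, which the helper normalizes) and a Suricata-compatible rule-string group for IPS-style blocking. The rule group names, the sample domains and the sample Suricata signatures are constructed for illustration; the actual `CreateRuleGroup` call is left behind a main guard so the builders run offline.

```python
"""Build AWS Network Firewall stateful rule groups (domain list + Suricata rules).

Added example, not code from the original notes or from AWS. The builder
functions are pure; boto3 is only imported if you run the file directly
and choose to deploy (assumed helper names, constructed sample values).
"""
from __future__ import annotations

# Documented domain-list target semantics:
#   "example.com"  -> matches exactly example.com
#   ".example.com" -> matches example.com and every subdomain
# The "*.example.com" wildcard form used in the notes is written as
# ".example.com" in the API; normalize_target does that conversion.


def normalize_target(domain: str) -> str:
    """Turn a human-written domain (optionally '*.'-prefixed) into an API target."""
    d = domain.strip().lower().rstrip(".")
    if d.startswith("*."):
        d = d[1:]  # "*.example.com" -> ".example.com"
    if not d or d in (".", "*"):
        raise ValueError(f"invalid domain target: {domain!r}")
    return d


def target_matches(target: str, hostname: str) -> bool:
    """Mirror the documented match rule for a single domain-list target."""
    t = normalize_target(target)
    h = hostname.strip().lower().rstrip(".")
    if t.startswith("."):
        return h == t[1:] or h.endswith(t)
    return h == t


def domain_denylist_rule_group(name: str, domains: list[str], capacity: int = 100) -> dict:
    """Request body for network-firewall:CreateRuleGroup (domain list, DENYLIST).

    Matching is done on the TLS SNI and the HTTP Host header, so only
    HTTP/HTTPS egress that carries a hostname can be filtered this way.
    """
    targets = sorted({normalize_target(d) for d in domains})
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {
            "RulesSource": {
                "RulesSourceList": {
                    "Targets": targets,
                    "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                    "GeneratedRulesType": "DENYLIST",
                }
            }
        },
    }


# Constructed Suricata-compatible signatures for the IPS concept: drop
# inbound SSH from outside the VPC and alert on a plaintext HTTP request
# for a well-known sensitive path. sid values are placeholders.
SAMPLE_IPS_RULES = "\n".join([
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 22 '
    '(msg:"Block inbound SSH from outside the VPC"; sid:1000001; rev:1;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"Request for /etc/passwd"; http.uri; content:"/etc/passwd"; '
    'sid:1000002; rev:1;)',
])


def suricata_rule_group(name: str, rules: str, capacity: int = 100) -> dict:
    """Request body for CreateRuleGroup using a raw Suricata rule string."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {"RulesSource": {"RulesString": rules}},
    }


if __name__ == "__main__":
    import json
    import sys

    deny = domain_denylist_rule_group("deny-example-com", ["*.example.com"])
    ips = suricata_rule_group("sample-ips", SAMPLE_IPS_RULES)
    print(json.dumps(deny, indent=2))
    print(json.dumps(ips, indent=2))
    if "--deploy" in sys.argv:  # assumed flag; requires boto3 and AWS credentials
        import boto3
        nfw = boto3.client("network-firewall")
        for body in (deny, ips):
            print(nfw.create_rule_group(**body)["RuleGroupResponse"]["RuleGroupArn"])
```

Run it without arguments to print the two request bodies; `--deploy` (an assumed flag for this example) creates them with boto3. Two caveats a practitioner should keep in mind: the rule groups only take effect once they are attached to a firewall policy and the VPC route tables actually send the traffic through the firewall endpoints, and domain filtering depends on a visible SNI or Host header, so TLS connections that present no SNI cannot be matched by hostname.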
Exam Tips
> [!IMPORTANT]
> "Filter traffic entering/leaving the VPC" or "Block specific domains": the answer is AWS Network Firewall.

> [!TIP]
> Network Firewall vs. WAF vs. Security Groups:
> - Security Groups: Instance-level firewall (Port/IP).
> - WAF: Layer 7 (Web App) protection (SQLi, XSS).
> - Network Firewall: VPC-level Layer 3-7 protection (Deep Packet Inspection, IPS, centralized egress filtering).
Common Use Cases
- Egress Filtering: Preventing servers from downloading malware from unknown domains.
- Compliance: Meeting PCI/HIPAA requirements for network boundary protection.