AWS Network Firewall – Architecture and Traffic Inspection Flow
AWS Network Firewall is a fully managed service that provides centralized network protection for Amazon Virtual Private Clouds (VPCs). It enables you to inspect, monitor, and log network traffic at scale, helping you enforce consistent security controls across your workloads.
How AWS Network Firewall Inspects Traffic
When a packet enters AWS Network Firewall, inspection occurs in two stages:
- Stateless rule inspection
- Stateful rule inspection (only if the stateless engine forwards the packet)
Packets are always evaluated by the stateless rules engine first. A packet that matches a stateless rule gets that rule's action (pass, drop, or forward to the stateful engine); a packet that matches no stateless rule gets the firewall policy's stateless default action, which is one of the same three. Only packets that are forwarded reach the stateful rules engine for deeper, flow-aware inspection.
VPC Route Table Design for Network Firewall
AWS Network Firewall places a firewall endpoint in a dedicated firewall subnet in each Availability Zone where the firewall runs.
No other resources should be deployed in these subnets, and their route tables should carry only the routes the firewall needs (the local VPC route plus a default route to the internet gateway in this design).
Public Subnet Route Table
Traffic from public subnets is routed through the firewall endpoint to ensure inspection before reaching the internet or internal destinations.
Private Subnet Route Table
Outbound traffic from private subnets is routed to a NAT Gateway (default route 0.0.0.0/0 to the NAT Gateway). The NAT Gateway's own subnet then forwards the traffic to the firewall endpoint for inspection, so the private route tables never point at the firewall directly.
NAT Gateway Subnet Route Table
The NAT Gateway sits in its own subnet, separate from both the private subnets and the firewall subnet.
Its route table sends 0.0.0.0/0 to the Network Firewall endpoint (shown as a vpce- target in the VPC console) rather than to the internet gateway, so NATed traffic is inspected before it leaves the VPC.
Firewall Ingress Route Table
This is the internet gateway's ingress route table. It steers return traffic (and any inbound traffic) arriving from the internet back through the firewall endpoint instead of delivering it straight to the NAT Gateway subnet.
- Requires an edge association with the internet gateway
- No subnet association is required
- Its routes point the NAT Gateway subnet CIDR at the firewall endpoint
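To make the four route tables above concrete, here is an added example (not code from the original article) that models them as plain dictionaries and walks a packet through them with longest-prefix matching, checking that both the outbound path and the reply path cross the firewall endpoint. Every CIDR, the target IDs (nat-0abc, vpce-0fw, igw-0xyz) and the trace/inspected helpers are hypothetical; the "private-uninspected" table is a deliberate misconfiguration included for comparison.

```python
"""Walk the route tables of the NAT Gateway + Network Firewall layout and
check that internet-bound and returning packets both cross the firewall
endpoint.  Added example, not code from the original article: every CIDR
and target ID (nat-..., vpce-..., igw-...) below is hypothetical."""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
NAT_SUBNET = "10.0.2.0/24"       # hypothetical NAT Gateway subnet
FW_ENDPOINT = "vpce-0fw"         # hypothetical firewall endpoint ID
NAT_GW = "nat-0abc"              # hypothetical NAT Gateway ID
IGW = "igw-0xyz"                 # hypothetical internet gateway ID

# Each route table maps a destination CIDR to a target, as in the VPC console.
ROUTE_TABLES = {
    # Private subnets: everything non-local goes to the NAT Gateway.
    "private": {VPC_CIDR: "local", "0.0.0.0/0": NAT_GW},
    # NAT Gateway subnet: default route points at the firewall endpoint.
    "nat": {VPC_CIDR: "local", "0.0.0.0/0": FW_ENDPOINT},
    # Dedicated firewall subnet: inspected traffic leaves via the IGW.
    "firewall": {VPC_CIDR: "local", "0.0.0.0/0": IGW},
    # Ingress route table with an edge association to the IGW (no subnet
    # association): replies for the NAT subnet re-enter via the firewall.
    "igw-ingress": {NAT_SUBNET: FW_ENDPOINT},
    # Misconfiguration for comparison: the private subnet sends traffic
    # straight to the IGW, bypassing inspection.
    "private-uninspected": {VPC_CIDR: "local", "0.0.0.0/0": IGW},
}

# Which route table a packet is evaluated against after reaching a target.
NEXT_TABLE = {NAT_GW: "nat", FW_ENDPOINT: "firewall"}


def lookup(table_name, dst):
    """Longest-prefix match over one route table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in ROUTE_TABLES[table_name].items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(start_table, dst):
    """Ordered list of targets a packet to dst traverses from start_table.
    'local' means delivered inside the VPC; an igw- target means it left."""
    hops, table = [], start_table
    while True:
        target = lookup(table, dst)
        if target is None:
            return hops + ["blackhole"]
        hops.append(target)
        if target == "local" or target.startswith("igw-"):
            return hops
        table = NEXT_TABLE[target]


def inspected(hops):
    """True when the path crosses the firewall endpoint before the packet
    leaves the VPC (or before it is delivered, for the return direction)."""
    return FW_ENDPOINT in hops and hops.index(FW_ENDPOINT) < len(hops) - 1


if __name__ == "__main__":
    egress = trace("private", "198.51.100.20")        # constructed external IP
    reply = trace("igw-ingress", "10.0.2.10")         # NAT Gateway's private IP
    bypass = trace("private-uninspected", "198.51.100.20")
    print("egress :", " -> ".join(egress), "| inspected:", inspected(egress))
    print("reply  :", " -> ".join(reply), "| inspected:", inspected(reply))
    print("bypass :", " -> ".join(bypass), "| inspected:", inspected(bypass))
```

The reply trace starts in the igw-ingress table because that is what the edge association does: a packet arriving from the internet is looked up there first, and the NAT subnet route sends it to the firewall endpoint before the firewall subnet's local route delivers it. The same walk against a real account's route tables (pulled with describe-route-tables) is a cheap pre-deployment check that no subnet has a default route that skips the vpce- hop.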
Stateless Rule Inspection
During stateless inspection, each individual packet is evaluated against all stateless rules in the firewall policy.
Key Characteristics
- Rules are evaluated strictly by priority
- Lower numbers have higher precedence (for example, 10 is evaluated before 100)
Each rule must define exactly one of the following actions:
Pass (aws:pass) – Allow the packet and stop stateless evaluation; the packet is not sent to the stateful engine
Drop (aws:drop) – Block the packet and stop further inspection
Forward to stateful rules (aws:forward_to_sfe) – Hand the packet to the stateful rule engine
The same three actions are available as the firewall policy's stateless default action, which applies to packets that match no stateless rule.
Priority Example
In this example:
- A rule with priority 1 allows (passes) traffic from a specific IP address
- A rule with priority 10 drops all traffic
Because the allow rule has the lower number it is evaluated first, so traffic from that IP is passed and everything else is dropped. If the allow rule's priority is changed from 1 to 11, the drop rule at priority 10 is evaluated first, matches every packet, and all traffic is dropped, including traffic from the trusted IP. Renumbering stateless priorities is therefore a policy change, not a cosmetic one.
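The following is an added example (not the article's code and not an AWS library) that simulates the stateless engine's priority-ordered evaluation. The dictionaries mirror the StatelessRule, MatchAttributes and Actions fields of the Network Firewall API and use the real action names aws:pass, aws:drop and aws:forward_to_sfe, but the addresses, priorities, the TRUSTED_IP constant and the make_rule/evaluate_stateless helpers are constructed here for illustration. priority_example() reproduces the scenario above, and default_example() shows the policy default action applying when no rule matches.

```python
"""Simulate the stateless engine: rules evaluated lowest Priority number
first, first match wins, and the policy's default action applies when
nothing matches.  Added example, not the article's or AWS's code: the
dict layout mirrors the StatelessRule / MatchAttributes / Actions fields
of the Network Firewall API, but the addresses, priorities and helper
functions are constructed for illustration."""
import ipaddress

TCP = 6  # protocol number as used in MatchAttributes.Protocols


def make_rule(priority, action, sources=None, dest_ports=None, protocols=None):
    """Build a StatelessRule-shaped dict; omitted attributes match anything."""
    attrs = {}
    if sources:
        attrs["Sources"] = [{"AddressDefinition": s} for s in sources]
    if dest_ports:
        attrs["DestinationPorts"] = [{"FromPort": lo, "ToPort": hi} for lo, hi in dest_ports]
    if protocols:
        attrs["Protocols"] = list(protocols)
    return {"Priority": priority,
            "RuleDefinition": {"MatchAttributes": attrs, "Actions": [action]}}


def matches(rule, pkt):
    """Every attribute present in the rule must match the packet."""
    a = rule["RuleDefinition"]["MatchAttributes"]
    if "Sources" in a and not any(
            ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(s["AddressDefinition"])
            for s in a["Sources"]):
        return False
    if "DestinationPorts" in a and not any(
            p["FromPort"] <= pkt["dport"] <= p["ToPort"] for p in a["DestinationPorts"]):
        return False
    if "Protocols" in a and pkt["proto"] not in a["Protocols"]:
        return False
    return True


def evaluate_stateless(rules, pkt, default_actions):
    """Return the action for pkt: rules sorted by Priority (lower number
    first), first match decides; otherwise the StatelessDefaultActions."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if matches(rule, pkt):
            return rule["RuleDefinition"]["Actions"][0]
    return default_actions[0]


TRUSTED_IP = "203.0.113.10"   # constructed stand-in for the article's "specific IP"
PKT_FROM_TRUSTED = {"src": TRUSTED_IP, "dport": 443, "proto": TCP}
PKT_FROM_OTHER = {"src": "198.51.100.7", "dport": 443, "proto": TCP}
DEFAULTS = ["aws:forward_to_sfe"]   # policy default: hand to the stateful engine


def priority_example():
    """Reproduce the article's scenario. Returns the action for the trusted
    packet with the allow rule at priority 1, then again after it is
    renumbered to 11 (behind the priority-10 drop-all rule).  The rules are
    passed in listing order drop-first to show that only Priority matters."""
    allow_trusted = make_rule(1, "aws:pass", sources=[TRUSTED_IP + "/32"])
    drop_all = make_rule(10, "aws:drop")
    before = evaluate_stateless([drop_all, allow_trusted], PKT_FROM_TRUSTED, DEFAULTS)
    allow_trusted["Priority"] = 11
    after = evaluate_stateless([drop_all, allow_trusted], PKT_FROM_TRUSTED, DEFAULTS)
    return before, after


def default_example():
    """A packet that matches no stateless rule gets the policy default."""
    only_rule = make_rule(10, "aws:drop", sources=["192.0.2.0/24"])
    return evaluate_stateless([only_rule], PKT_FROM_OTHER, DEFAULTS)


if __name__ == "__main__":
    print(priority_example())   # ('aws:pass', 'aws:drop')
    print(default_example())    # aws:forward_to_sfe
```

Two things worth noticing: the rules are handed to the evaluator drop-first, and the result is unchanged, because listing order plays no role in the stateless engine; and a stateless pass never reaches the stateful engine, so a broad aws:pass placed at a low priority number silently exempts traffic from every stateful rule you have written.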
Stateful Rule Inspection
Stateful inspection follows a different evaluation logic. With the default rule order, called action order, the stateful rules engine does not simply walk the rules top to bottom; it groups them by action and processes the groups in this order:
- Pass
- Drop
- Alert
The engine stops processing as soon as the first match is found. (A stateful rule group can instead be created with strict order, in which rules are evaluated exactly in the order they are listed; the rest of this section describes action order.)
Typical use cases include:
- Allowing access only to approved domain lists
- Restricting access to unauthorized third-party repositories
- Enforcing strict outbound (egress) traffic controls
The firewall also considers:
- The order of rules within the rule group
- The priority assigned to rules (if configured)
Stateful Rule Priority Behavior
- A pass rule with priority 1 is evaluated before a pass rule with priority 2
- All pass rules are evaluated before any drop rules, regardless of priority
For example, a drop rule with priority 1 is still evaluated after all pass rules, so in action order a pass rule can never be shadowed by a drop rule, regardless of how the rules are numbered or listed.
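The following added example (not the article's code and not AWS's rule engine) models the action-order behaviour described in this section and in the rule-order bullets above: pass rules before drop rules before alert rules, the Suricata priority keyword ordering rules within an action group, listing position breaking ties, and evaluation stopping at the first match. The four Suricata-style rules, the flows, the parser, the NO_PRIORITY default for rules without a priority keyword, and the assumption that a flow matching no rule is allowed are all constructed for illustration.

```python
"""Model the stateful engine's action order: every pass rule is evaluated
before any drop rule, every drop before any alert, with the Suricata
priority keyword ordering rules inside an action group and listing order
breaking ties; the first match stops evaluation.  Added example, not the
article's or AWS's code: the rules, flows, parser and evaluate helper
are constructed here to illustrate the ordering described above."""
import ipaddress
import re

ACTION_ORDER = ["pass", "drop", "alert"]
NO_PRIORITY = 256  # assumption of this model: rules without a priority keyword sort last

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")

# Constructed egress policy: deny HTTPS by default, allow approved hosts,
# alert on outbound SSH.  The drop rule is listed first and carries
# priority 1, yet both pass rules are still evaluated before it.
RULES_TEXT = """
drop tcp 10.0.0.0/16 any -> any 443 (msg:"drop all outbound https"; sid:100; rev:1; priority:1;)
pass tcp 10.0.0.0/16 any -> 203.0.113.0/24 443 (msg:"approved repo mirror"; sid:200; rev:1; priority:2;)
pass tcp 10.0.0.0/16 any -> 198.51.100.5/32 443 (msg:"approved package registry"; sid:201; rev:1; priority:1;)
alert tcp 10.0.0.0/16 any -> any 22 (msg:"outbound ssh"; sid:300; rev:1;)
"""


def parse_rules(text):
    """Parse 5-tuple rules; keeps action, tuple, sid, priority and position."""
    rules = []
    for position, line in enumerate(l for l in text.splitlines() if l.strip()):
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        opts = dict(o.strip().split(":", 1) for o in m["opts"].split(";") if ":" in o)
        rules.append({**m.groupdict(), "position": position,
                      "sid": int(opts["sid"]),
                      "priority": int(opts.get("priority", NO_PRIORITY))})
    return rules


def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    if spec == "any":
        return True
    lo, _, hi = spec.partition(":")          # "443" or a "1024:65535" range
    return int(lo) <= port <= int(hi or lo)


def matches(rule, flow):
    return (rule["proto"] in ("ip", flow["proto"])
            and _addr_ok(rule["src"], flow["src"]) and _port_ok(rule["sport"], flow["sport"])
            and _addr_ok(rule["dst"], flow["dst"]) and _port_ok(rule["dport"], flow["dport"]))


def evaluation_order(rules):
    """Rules in the order the engine tries them under action order."""
    return sorted(rules, key=lambda r: (ACTION_ORDER.index(r["action"]),
                                        r["priority"], r["position"]))


def evaluate_stateful(rules, flow):
    """(action, sid) of the first matching rule; ('pass', None) when no rule
    matches, since an unmatched flow is allowed in this model."""
    for rule in evaluation_order(rules):
        if matches(rule, flow):
            return rule["action"], rule["sid"]
    return "pass", None


def flow(dst, dport, proto="tcp"):
    """Constructed egress flow from a private-subnet host."""
    return {"src": "10.0.1.5", "sport": 51234, "dst": dst, "dport": dport, "proto": proto}


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    print([r["sid"] for r in evaluation_order(rules)])            # [201, 200, 100, 300]
    print(evaluate_stateful(rules, flow("203.0.113.7", 443)))      # ('pass', 200)
    print(evaluate_stateful(rules, flow("192.0.2.9", 443)))        # ('drop', 100)
    print(evaluate_stateful(rules, flow("192.0.2.9", 22)))         # ('alert', 300)
```

evaluation_order() is the part to study: sid 201 (pass, priority 1) runs before sid 200 (pass, priority 2) even though it is listed later, and both run before sid 100 even though that drop rule is listed first with priority 1. The practical consequence for an egress allow-list is that you cannot "block first, then carve out exceptions" by ordering alone in action order; the pass rules are the exceptions, and the drop rule only ever sees what no pass rule claimed.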
Logging and Visibility
AWS Network Firewall produces two log types from the stateful engine: alert logs (one record per flow that matched a rule with an alert or drop action) and flow logs (one record per tracked flow). Either can be delivered to Amazon CloudWatch Logs, Amazon S3 or Amazon Kinesis Data Firehose; traffic dropped by the stateless engine is not logged. With CloudWatch Logs this provides:
- Visibility into allowed and blocked traffic
- Alert event tracking
- Audit and troubleshooting capabilities
Below is an example of blocked traffic captured as alert events (the screenshot is not reproduced here).
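As an added example (not the article's code), the script below parses alert log records of the kind the screenshot would show, one JSON object per line as delivered to CloudWatch Logs, and summarises what the stateful engine blocked. The five records in SAMPLE_LOG are constructed in the shape of the firewall's alert and flow log events (the firewall name, timestamps, addresses and signature IDs are made up), the last one deliberately truncated to show that a cut-off record is skipped rather than aborting the run; the parse_events, alerts, blocked_summary and blocked_sources helpers are hypothetical.

```python
"""Parse Network Firewall alert log records (one JSON object per line, as
delivered to CloudWatch Logs) and summarise what the stateful engine
blocked.  Added example, not the article's code: the records below are
constructed in the shape of the firewall's alert and flow log events;
field values, the firewall name and the helper functions are hypothetical."""
import json
from collections import Counter

SAMPLE_LOG = "\n".join([
    # alert event for a blocked flow (drop rule sid 100)
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700000000",'
    '"event":{"timestamp":"2023-11-14T22:13:20.000000+0000","flow_id":11,"event_type":"alert",'
    '"src_ip":"10.0.1.5","src_port":41234,"dest_ip":"192.0.2.9","dest_port":443,"proto":"TCP",'
    '"alert":{"action":"blocked","signature_id":100,"rev":1,"signature":"drop all outbound https",'
    '"category":"","severity":3}}}',
    # same destination blocked again from another host
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700000005",'
    '"event":{"timestamp":"2023-11-14T22:13:25.000000+0000","flow_id":12,"event_type":"alert",'
    '"src_ip":"10.0.1.6","src_port":41240,"dest_ip":"192.0.2.9","dest_port":443,"proto":"TCP",'
    '"alert":{"action":"blocked","signature_id":100,"rev":1,"signature":"drop all outbound https",'
    '"category":"","severity":3}}}',
    # alert-only rule (sid 300): traffic was allowed but logged
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700000009",'
    '"event":{"timestamp":"2023-11-14T22:13:29.000000+0000","flow_id":13,"event_type":"alert",'
    '"src_ip":"10.0.1.5","src_port":41250,"dest_ip":"198.51.100.22","dest_port":22,"proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":300,"rev":1,"signature":"outbound ssh",'
    '"category":"","severity":3}}}',
    # flow log record: not an alert, must be ignored by the alert summary
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700000010",'
    '"event":{"timestamp":"2023-11-14T22:13:30.000000+0000","flow_id":14,"event_type":"netflow",'
    '"src_ip":"10.0.1.5","src_port":41260,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP",'
    '"netflow":{"pkts":12,"bytes":2048,"start":"2023-11-14T22:13:20.000000+0000",'
    '"end":"2023-11-14T22:13:30.000000+0000","age":10}}}',
    # truncated record, as seen when a log stream is cut mid-line
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_tim',
])


def parse_events(text):
    """Yield (record, event) pairs, skipping lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue                      # truncated or garbled record
        yield record, record.get("event", {})


def alerts(text, action=None):
    """Alert events, optionally filtered by alert.action ('blocked'/'allowed')."""
    for _, ev in parse_events(text):
        if ev.get("event_type") != "alert":
            continue
        if action is None or ev.get("alert", {}).get("action") == action:
            yield ev


def blocked_summary(text):
    """Count blocked flows per (dest_ip, dest_port, signature_id)."""
    return Counter((ev["dest_ip"], ev["dest_port"], ev["alert"]["signature_id"])
                   for ev in alerts(text, "blocked"))


def blocked_sources(text):
    """Distinct private hosts that hit a drop rule, sorted."""
    return sorted({ev["src_ip"] for ev in alerts(text, "blocked")})


if __name__ == "__main__":
    for key, n in blocked_summary(SAMPLE_LOG).most_common():
        print(f"blocked {n}x -> {key[0]}:{key[1]} (sid {key[2]})")
    print("blocked sources:", blocked_sources(SAMPLE_LOG))
    print("alert-only (allowed) events:", sum(1 for _ in alerts(SAMPLE_LOG, "allowed")))
```

The alert.action field is what distinguishes a drop rule firing ("blocked") from an alert rule firing ("allowed"), so a dashboard that counts alert records without filtering on it will overstate what the firewall actually stopped. The signature_id ties each record back to the sid of the rule that matched, which is the fastest way to find out which rule is responsible when a workload loses connectivity after a rule group change.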
Summary
- AWS Network Firewall provides centralized and scalable traffic inspection
- Stateless rules are evaluated first and strictly by priority
- Stateful rules are evaluated by action order (Pass → Drop → Alert)
- Proper route table design is essential for correct traffic flow
- CloudWatch Logs provide deep visibility into firewall activity