AWS::NetworkFirewall::RuleGroup RulesSourceList - Amazon CloudFormation

AWS::NetworkFirewall::RuleGroup RulesSourceList

Stateful inspection criteria for a domain list rule group.

For HTTPS traffic, domain filtering is SNI-based. It uses the Server Name Indication (SNI) extension of the TLS handshake.

By default, Network Firewall domain list inspection only includes traffic coming from the VPC where you deploy the firewall. To inspect traffic from IP addresses outside of the deployment VPC, set the HOME_NET rule variable to include the CIDR range of the deployment VPC plus the other CIDR ranges. For more information, see AWS::NetworkFirewall::RuleGroup RuleVariables in this guide and Stateful domain list rule groups in Amazon Network Firewall in the Network Firewall Developer Guide.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


JSON

{
  "GeneratedRulesType" : String,
  "Targets" : [ String, ... ],
  "TargetTypes" : [ String, ... ]
}

YAML

GeneratedRulesType: String
Targets:
  - String
TargetTypes:
  - String



GeneratedRulesType

Whether you want to allow or deny access to the domains in your target list.

Required: Yes

Type: String

Allowed values: ALLOWLIST | DENYLIST

Update requires: No interruption


Targets

The domains that you want to inspect for in your traffic flows. Valid domain specifications are the following:

  • Explicit names. For example, matches only the domain

  • Names that use a domain wildcard, which you indicate with an initial '.'. For example, matches and matches all subdomains of, such as and

Required: Yes

Type: Array of String

Update requires: No interruption


TargetTypes

The types of targets to inspect for. Valid values are TLS_SNI and HTTP_HOST.

Required: Yes

Type: Array of String

Update requires: No interruption
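
The following template is an added example, not taken from the AWS documentation. It shows a complete stateful rule group that uses RulesSourceList as an allow list and sets HOME_NET so that traffic from a second CIDR range outside the deployment VPC is also inspected. The logical ID, rule group name, capacity, CIDR ranges and domains are constructed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example domain allow list rule group (constructed values throughout)

Resources:
  EgressDomainAllowList:                 # hypothetical logical ID
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: egress-domain-allowlist   # constructed name
      Type: STATEFUL                     # domain lists are stateful rule groups
      Capacity: 100                      # constructed value; size it for your list
      RuleGroup:
        RuleVariables:
          IPSets:
            # Without this override, domain list inspection only covers
            # traffic that originates in the deployment VPC.
            HOME_NET:
              Definition:
                - 10.0.0.0/16            # deployment VPC (constructed CIDR)
                - 10.1.0.0/16            # additional source range (constructed CIDR)
        RulesSource:
          RulesSourceList:
            # ALLOWLIST permits only the listed domains; DENYLIST blocks them.
            GeneratedRulesType: ALLOWLIST
            # Inspect both the TLS SNI value and the HTTP Host header so that
            # plain HTTP requests are filtered as well as HTTPS ones.
            TargetTypes:
              - TLS_SNI
              - HTTP_HOST
            Targets:
              - abc.example.com          # explicit name: this domain only
              - .example.org             # initial '.': the domain and its subdomains
```

Because HTTPS filtering is SNI-based, the TLS_SNI target type matches on the name the client sends in the handshake rather than on the certificate or the decrypted request.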