Creating a firewall - Amazon Network Firewall

Creating a firewall

To follow this procedure, the VPC that you want to protect must have at least one subnet available to host a firewall endpoint. For information, see VPC subnets.

To create a firewall through the console
  1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at

  2. In the navigation pane, under Network Firewall, choose Firewalls.

  3. Choose Create firewall.

  4. Enter a Name to identify this firewall.


    You can't change the name after you create the firewall.

  5. (Optional) Enter a Description for the firewall to help you identify it among your other resources.

  6. Choose Next.

  7. Choose your VPC from the dropdown list.


    You can't change the VPC after you create the firewall.

  8. For Firewall subnets, choose the Availability Zones and subnets that you want to use for your firewall endpoints. You can choose up to one subnet for each Availability Zone that your VPC spans. The subnets should be dedicated to Network Firewall use. For more information, see VPC subnets.

  9. Choose Next.

  10. (Optional) Under Protection against changes, enable Deletion protection and Subnet change protection to protect your firewall against accidental changes.

  11. (Optional) Under Customer managed key, toggle Customize encryption settings to use an Amazon Key Management Service customer managed key to encrypt your resources. For more information about this option, see Encryption at rest with Amazon Key Management Service.

  12. Choose Next.

  13. For the Associate firewall policy section, choose the firewall policy that you want to associate with the firewall. If you already have a firewall policy defined, you can select it. Otherwise, you can associate an empty policy, which you must name here; you can't change that name afterward. If you associate an empty policy, Network Firewall creates the policy and you can define its rules and other settings using the procedure at Creating a firewall policy.

  14. Choose Next.

  15. (Optional) For the Add tags - optional section, assign key-value tags to your firewall. For information about tagging your Amazon resources, see Tagging Amazon Network Firewall resources.

  16. Choose Create firewall.

Your new firewall is added to the list in the Firewalls page.
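The same choices can be made through the API. The following is an added example, not part of the original documentation: it builds a CreateFirewall request with boto3 parameter names, rejects more than one subnet per Availability Zone before any call is made, and turns on both change protections. The helper names, the Region, and all resource IDs and ARNs are constructed placeholders, and the firewall policy is assumed to exist already.

```python
from collections import Counter


def build_create_firewall_request(name, vpc_id, policy_arn, subnets_by_az,
                                  kms_key_id=None, description=None, tags=None):
    """Build CreateFirewall parameters (hypothetical helper).

    subnets_by_az: list of (availability_zone, subnet_id) pairs for the endpoints.
    """
    if not subnets_by_az:
        raise ValueError("at least one firewall subnet is required")
    # Step 8: up to one subnet for each Availability Zone.
    counts = Counter(az for az, _ in subnets_by_az)
    crowded = sorted(az for az, n in counts.items() if n > 1)
    if crowded:
        raise ValueError(f"more than one subnet chosen in: {crowded}")
    request = {
        "FirewallName": name,              # step 4: cannot be changed later
        "VpcId": vpc_id,                   # step 7: cannot be changed later
        "FirewallPolicyArn": policy_arn,   # step 13: assumed to exist already
        "SubnetMappings": [{"SubnetId": s} for _, s in subnets_by_az],
        "DeleteProtection": True,          # step 10
        "SubnetChangeProtection": True,    # step 10
    }
    if description:
        request["Description"] = description
    if kms_key_id:                         # step 11: customer managed key
        request["EncryptionConfiguration"] = {"Type": "CUSTOMER_KMS",
                                              "KeyId": kms_key_id}
    if tags:                               # step 15
        request["Tags"] = [{"Key": k, "Value": v} for k, v in sorted(tags.items())]
    return request


def create_firewall(request, region):
    """Send the request; needs boto3 and credentials, so it is not run here."""
    import boto3
    client = boto3.client("network-firewall", region_name=region)
    return client.create_firewall(**request)["Firewall"]["FirewallArn"]


if __name__ == "__main__":
    # Constructed sample values, not real resources.
    print(build_create_firewall_request(
        "example-firewall", "vpc-0example",
        "arn:aws-cn:network-firewall:cn-north-1:111122223333:firewall-policy/example",
        [("cn-north-1a", "subnet-0aaa"), ("cn-north-1b", "subnet-0bbb")],
        kms_key_id="alias/example-key", tags={"env": "test"}))
```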

Perform the following additional steps to finish configuring your new firewall and start using it to filter your network traffic.