Access Amazon Network Firewall using an interface endpoint
You can create a private connection between your VPC and Amazon Network Firewall. You can access Amazon Network Firewall as if it were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to access Amazon Network Firewall.
For more information, see Access an Amazon service using an interface VPC endpoint.
Considerations for Amazon Network Firewall
Before you set up an interface endpoint for Amazon Network Firewall, review Interface endpoint properties and limitations in the Amazon PrivateLink Guide.
Amazon Network Firewall supports making calls to all of its API actions through the interface endpoint.
Before you set up interface VPC endpoints for Network Firewall, be aware of the following considerations:
- VPC endpoints currently don't support cross-Region requests. Ensure that you create your endpoint in the same Region where you plan to issue your API calls to Network Firewall.
- VPC endpoints only support Amazon-provided DNS through Amazon Route 53. If you want to use your own DNS, you can use conditional DNS forwarding. For more information, see DHCP Options Sets in the Amazon VPC User Guide.
- The security group attached to the VPC endpoint must allow inbound TCP connections on port 443 (HTTPS) from the clients that will call the API, for example from the private subnets of the VPC.
- VPC interface endpoints are supported in all Amazon Web Services Regions supported by Network Firewall.
Create an interface VPC endpoint for Amazon Network Firewall
You can create an interface VPC endpoint using the Amazon VPC Console. For more information, see Create an interface endpoint in the Amazon PrivateLink Guide.
When you create an interface VPC endpoint, use the following service name, where region is the Region in which you will call the API:
com.amazonaws.region.network-firewall
For example:
com.amazonaws.us-west-2.network-firewall
Create a VPC endpoint policy for Amazon Network Firewall
An endpoint policy is an IAM resource that you can attach to an interface endpoint. The default endpoint policy allows full access to Amazon Network Firewall through the interface endpoint. To control the access allowed to Amazon Network Firewall from your VPC, attach a custom endpoint policy to the interface endpoint.
An endpoint policy specifies the following information:
-
The principals that can perform actions (Amazon Web Services accounts, users, and IAM roles).
-
The actions that can be performed.
-
The resources on which the actions can be performed.
Example: VPC endpoint policy for Amazon Network Firewall
The following is an example of a custom endpoint policy. When you attach this policy to your interface VPC endpoint, it allows any principal (Principal "*") to call only the two listed actions, network-firewall:ListFirewalls and network-firewall:DescribeFirewall, on all resources. Other Network Firewall actions are not permitted through this endpoint, and the calling principal's own IAM policies still apply in addition to the endpoint policy.
{
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": [
        "network-firewall:ListFirewalls",
        "network-firewall:DescribeFirewall"
      ],
      "Resource": "*"
    }
  ]
}
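The following Python is an added example, not code from the Amazon documentation or the Network Firewall service. It ties the two steps above together: it derives the endpoint service name from a Region code (with a loose format check that is this example's own assumption, not an authoritative Region list), builds a least-privilege endpoint policy that scopes access to one account and, optionally, one organization via aws:PrincipalOrgID, and audits any endpoint policy for the over-broad grants a reviewer would flag, including the Principal "*" in the page's own example. The account ID, organization ID and firewall ARN are constructed placeholders.

```python
"""Build, audit and emit a VPC endpoint policy for Network Firewall (added example)."""
import json
import re

SERVICE = "network-firewall"
# Loose sanity check on Region codes (us-west-2, eu-central-1, us-gov-west-1, ...).
# This is an assumption of the example, not an authoritative Region list.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")

# Actions that only read state; anything else is treated as mutating below.
READ_PREFIXES = ("List", "Describe")


def endpoint_service_name(region):
    """Return the PrivateLink service name for Network Firewall in one Region.

    Interface endpoints do not serve cross-Region requests, so `region` must be
    the Region the API calls will target."""
    if not REGION_RE.match(region):
        raise ValueError(f"not a Region code: {region!r}")
    return f"com.amazonaws.{region}.{SERVICE}"


def scoped_endpoint_policy(account_id, actions, resource_arns, org_id=None):
    """Build a least-privilege endpoint policy.

    Only principals from `account_id` may call the listed actions on the listed
    resources; with `org_id`, an aws:PrincipalOrgID condition additionally
    rejects credentials from outside that organization."""
    statement = {
        "Sid": "NetworkFirewallViaEndpoint",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": [f"{SERVICE}:{action}" for action in actions],
        "Resource": list(resource_arns),
    }
    if org_id:
        statement["Condition"] = {"StringEquals": {"aws:PrincipalOrgID": org_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_endpoint_policy(policy):
    """Return human-readable findings for over-broad Allow statements."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Principal "*" on an endpoint policy means any AWS principal that can
        # reach the endpoint, including credentials from other accounts used
        # from inside the VPC (a classic data-exfiltration path).
        if principal in ("*", {"AWS": "*"}) and "Condition" not in stmt:
            findings.append(f"statement {index}: Principal * with no Condition")
        wildcard_actions = [a for a in actions if a in ("*", f"{SERVICE}:*")]
        if wildcard_actions:
            findings.append(f"statement {index}: wildcard Action {wildcard_actions}")
        mutating = [a for a in actions
                    if ":" in a and not a.split(":", 1)[1].startswith(READ_PREFIXES)]
        if mutating and "*" in resources:
            findings.append(f"statement {index}: mutating actions {mutating} on Resource *")
    return findings


# The page's own example policy, reproduced here as audit input.
PAGE_EXAMPLE_POLICY = {
    "Statement": [{
        "Principal": "*",
        "Effect": "Allow",
        "Action": ["network-firewall:ListFirewalls", "network-firewall:DescribeFirewall"],
        "Resource": "*",
    }]
}

if __name__ == "__main__":
    # Account ID, organization ID and firewall ARN are constructed placeholders.
    policy = scoped_endpoint_policy(
        "123456789012",
        ["ListFirewalls", "DescribeFirewall", "UpdateFirewallPolicy"],
        ["arn:aws:network-firewall:us-west-2:123456789012:firewall/edge-fw"],
        org_id="o-exampleorgid",
    )
    print(endpoint_service_name("us-west-2"))
    print(json.dumps(policy, indent=2))  # save to a file for --policy-document
    print(audit_endpoint_policy(PAGE_EXAMPLE_POLICY))
    print(audit_endpoint_policy(policy))
```

Save the printed JSON to a file and pass it when you create the endpoint (aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface --service-name com.amazonaws.us-west-2.network-firewall --vpc-id ... --subnet-ids ... --security-group-ids ... --private-dns-enabled --policy-document file://policy.json) or later with aws ec2 modify-vpc-endpoint --policy-document. To confirm that traffic really stays private, run aws network-firewall list-firewalls --region us-west-2 from an instance that has no route to an internet gateway or NAT device; with private DNS enabled, the service hostname resolves to private IP addresses in the endpoint's subnets rather than public ones. Keep in mind that an endpoint policy is an additional gate, not a replacement for the caller's IAM identity policies: both must allow a request for it to succeed.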