Filter network traffic using Amazon Network Firewall - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Filter network traffic using Amazon Network Firewall

You can filter network traffic at the perimeter of your VPC using Amazon Network Firewall. Network Firewall is a stateful, managed network firewall and intrusion detection and prevention service. For more information, see the Amazon Network Firewall Developer Guide.

You implement Network Firewall with the following Amazon resources.

Network Firewall resource: Description

Firewall
A firewall connects a firewall policy's network traffic filtering behavior to the VPC that you want to protect. The firewall configuration includes specifications for the Availability Zones and subnets where the firewall endpoints are placed. It also defines high-level settings like the firewall logging configuration and tagging on the Amazon firewall resource.

For more information, see Firewalls in Amazon Network Firewall.

Firewall policy
A firewall policy defines the monitoring and protection behavior for a firewall. The details of the behavior are defined in the rule groups that you add to your policy, and in some policy default settings. To use a firewall policy, you associate it with one or more firewalls.

For more information, see Firewall policies in Amazon Network Firewall.

Rule group
A rule group is a reusable set of criteria for inspecting and handling network traffic. You add one or more rule groups to a firewall policy as part of your policy configuration. You can define stateless rule groups to inspect each network packet in isolation. Stateless rule groups are similar in behavior and use to Amazon VPC network access control lists (ACLs). You can also define stateful rule groups to inspect packets in the context of their traffic flow. Stateful rule groups are similar in behavior and use to Amazon VPC security groups.

For more information, see Rule groups in Amazon Network Firewall.
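The three resource types above wired together, as an added CloudFormation example that is not from this page or from Amazon: a stateless rule group that drops inbound SSH, a stateful domain allow-list rule group, the policy that orders them and hands unmatched packets to the stateful engine, and the firewall that attaches the policy to a VPC. The VPC ID, subnet ID and domain names are placeholders.

```yaml
# Constructed example (not from the page); vpc-PLACEHOLDER and subnet-PLACEHOLDER
# stand in for a real VPC and a subnet dedicated to the firewall endpoint.
Resources:
  # Stateless rule group (per-packet, network-ACL-like): drop inbound TCP/22 from anywhere.
  BlockSshStateless:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: block-inbound-ssh
      Type: STATELESS
      Capacity: 10
      RuleGroup:
        RulesSource:
          StatelessRulesAndCustomActions:
            StatelessRules:
              - Priority: 1
                RuleDefinition:
                  Actions: ["aws:drop"]
                  MatchAttributes: {Protocols: [6], Sources: [{AddressDefinition: 0.0.0.0/0}], DestinationPorts: [{FromPort: 22, ToPort: 22}]}
  # Stateful rule group (flow-aware, security-group-like): allow HTTP/TLS only to listed domains.
  AllowedDomainsStateful:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: allowed-egress-domains
      Type: STATEFUL
      Capacity: 100
      RuleGroup:
        RulesSource:
          RulesSourceList: {GeneratedRulesType: ALLOWLIST, TargetTypes: [TLS_SNI, HTTP_HOST], Targets: [".example.com", "example.net"]}  # placeholder names
  # Firewall policy: orders the rule groups and sets the stateless default actions.
  InspectionPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: vpc-perimeter-policy
      FirewallPolicy:
        StatelessRuleGroupReferences:
          - Priority: 10
            ResourceArn: !GetAtt BlockSshStateless.RuleGroupArn
        StatelessDefaultActions: ["aws:forward_to_sfe"]          # unmatched packets go to the stateful engine
        StatelessFragmentDefaultActions: ["aws:forward_to_sfe"]
        StatefulRuleGroupReferences:
          - ResourceArn: !GetAtt AllowedDomainsStateful.RuleGroupArn
  # Firewall: binds the policy to the VPC and places an endpoint in the firewall subnet.
  PerimeterFirewall:
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      FirewallName: vpc-perimeter-firewall
      FirewallPolicyArn: !GetAtt InspectionPolicy.FirewallPolicyArn
      VpcId: vpc-PLACEHOLDER
      SubnetMappings: [{SubnetId: subnet-PLACEHOLDER}]
      DeleteProtection: true
```

Route tables for the protected subnets must send traffic through the firewall endpoint for any of these rules to see it; the template only creates the inspection resources.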

You can also use Amazon Firewall Manager to centrally configure and manage Network Firewall resources across your accounts and applications in Amazon Organizations. You can manage firewalls for multiple accounts using a single account in Firewall Manager. For more information, see Amazon Firewall Manager in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.