Using Amazon Network Firewall policies in Firewall Manager
This section explains how to use Amazon Network Firewall policies with Firewall Manager.
You can use Amazon Firewall Manager Network Firewall policies to manage Amazon Network Firewall firewalls for your Amazon Virtual Private Cloud VPCs across your organization in Amazon Organizations. You can apply centrally controlled firewalls to your entire organization or to a select subset of your accounts and VPCs.
Network Firewall provides network traffic filtering protections for the public subnets in your VPCs. Firewall Manager creates and manages your firewalls based on the firewall management type defined by your policy. Firewall Manager provides the following firewall management models:
Distributed - For each account and VPC that's within policy scope, Firewall Manager creates a Network Firewall firewall and deploys firewall endpoints into that VPC's subnets to filter network traffic.
Centralized - Firewall Manager creates a single Network Firewall firewall in a single Amazon VPC.
Import existing firewalls - Firewall Manager imports existing firewalls for management in a single Firewall Manager policy. You can apply additional rules to the imported firewalls managed by your policy to ensure that your firewalls meet your security standards.
Note
Firewall Manager Network Firewall policies are Firewall Manager policies that you use to manage Network Firewall protections for your VPCs across your organization.
The protections themselves are specified in Network Firewall resources called firewall policies. The two are different resource types: a Firewall Manager Network Firewall policy defines the Network Firewall firewall policy and controls where the resulting firewalls are deployed.
For information about using Network Firewall, see the Amazon Network Firewall Developer Guide.
The following sections cover requirements for using Firewall Manager Network Firewall policies and describe how the policies work. For the procedure for creating the policy, see Creating an Amazon Firewall Manager policy for Amazon Network Firewall.
Important
You must enable resource sharing. A Network Firewall policy shares Network Firewall rule groups across the accounts in your organization. For this to work, you must have resource sharing enabled for Amazon Organizations. For information about how to enable resource sharing, see Resource sharing for Network Firewall and DNS Firewall policies.
Important
You must have your Network Firewall rule groups defined. When you specify a new Network Firewall policy, you define the firewall policy the same as you do when you're using Amazon Network Firewall directly. You specify the stateless rule groups to add, default stateless actions, and stateful rule groups. Your rule groups must already exist in the Firewall Manager administrator account for you to include them in the policy. For information about creating Network Firewall rule groups, see Amazon Network Firewall rule groups.
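As an added example (not code from the Firewall Manager documentation), the following Python builds the request body for `aws fms put-policy` and checks, before anything is sent to AWS, the requirements stated above: that every referenced rule group ARN belongs to the Firewall Manager administrator account, that stateless rule group priorities are unique, and that each stateless default-action list names exactly one standard action plus only custom actions declared in the same policy. It covers the distributed and centralized models; the import-existing model is not shown. The field names follow the ManagedServiceData format for type NETWORK_FIREWALL in the Firewall Manager PutPolicy API as I know it and should be verified against the current API reference; the account IDs, rule group names, and CIDRs are constructed sample values.

```python
"""Build the body for `aws fms put-policy --cli-input-json` for a Firewall
Manager Network Firewall policy, checking prerequisites offline first.
Nothing here calls AWS. Field names follow the PutPolicy ManagedServiceData
format for type NETWORK_FIREWALL (verify against the current API reference)."""
import json
import re

# Standard stateless actions defined by Network Firewall. A default-action
# list must contain exactly one of these; every other entry must name a
# custom action declared in networkFirewallStatelessCustomActions.
AWS_STATELESS_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}

ARN_RE = re.compile(
    r"^arn:aws[\w-]*:network-firewall:[a-z0-9-]+:(?P<account>\d{12})"
    r":(?P<kind>stateless-rulegroup|stateful-rulegroup)/[\w-]+$"
)


def check_rule_group_arn(arn, admin_account, expected_kind):
    """Rule groups must exist in the Firewall Manager administrator account
    and be of the kind the policy field expects (stateless vs stateful)."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a Network Firewall rule group ARN: {arn}")
    if m.group("account") != admin_account:
        raise ValueError(f"{arn} is not in administrator account {admin_account}")
    if m.group("kind") != expected_kind:
        raise ValueError(f"{arn} is a {m.group('kind')}, expected {expected_kind}")
    return arn


def check_default_actions(actions, custom_action_names):
    """Exactly one standard action, plus only declared custom actions."""
    standard = [a for a in actions if a in AWS_STATELESS_ACTIONS]
    if len(standard) != 1:
        raise ValueError(f"need exactly one standard action in {actions}")
    unknown = [a for a in actions
               if a not in AWS_STATELESS_ACTIONS and a not in custom_action_names]
    if unknown:
        raise ValueError(f"undeclared custom actions: {unknown}")
    return list(actions)


def build_managed_service_data(admin_account, stateless_refs, stateful_arns,
                               default_actions, fragment_default_actions,
                               custom_actions=(), deployment_model="DISTRIBUTED",
                               endpoint_cidrs=("10.0.0.0/28",), centralized_azs=None):
    """ManagedServiceData for a NETWORK_FIREWALL policy.
    stateless_refs: [(arn, priority)]; stateful_arns: [arn].
    DISTRIBUTED: one firewall per in-scope VPC, endpoints placed in subnets that
    Firewall Manager creates from endpoint_cidrs. CENTRALIZED: one firewall in
    one VPC, with endpoints in the AZs given by centralized_azs {az: [cidr]}."""
    if deployment_model not in ("DISTRIBUTED", "CENTRALIZED"):
        raise ValueError(f"unsupported deployment model {deployment_model}")
    priorities = [p for _, p in stateless_refs]
    if len(set(priorities)) != len(priorities):
        raise ValueError("stateless rule group priorities must be unique")
    custom_names = {c["actionName"] for c in custom_actions}

    if deployment_model == "DISTRIBUTED":
        orchestration = {
            "singleFirewallEndpointPerVPC": False,  # one endpoint per AZ in the VPC
            "allowedIPV4CidrList": list(endpoint_cidrs),
            "routeManagementAction": "OFF",
        }
    else:
        if not centralized_azs:
            raise ValueError("CENTRALIZED needs a mapping of AZ name -> endpoint CIDRs")
        orchestration = {
            "firewallCreationConfig": {"endpointLocation": {"availabilityZoneConfigList": [
                {"availabilityZoneName": az, "allowedIPV4CidrList": list(cidrs)}
                for az, cidrs in sorted(centralized_azs.items())]}},
            "allowedIPV4CidrList": [],
        }

    return {
        "type": "NETWORK_FIREWALL",
        "networkFirewallStatelessRuleGroupReferences": [
            {"resourceARN": check_rule_group_arn(arn, admin_account, "stateless-rulegroup"),
             "priority": prio} for arn, prio in stateless_refs],
        "networkFirewallStatelessDefaultActions":
            check_default_actions(default_actions, custom_names),
        "networkFirewallStatelessFragmentDefaultActions":
            check_default_actions(fragment_default_actions, custom_names),
        "networkFirewallStatelessCustomActions": list(custom_actions),
        "networkFirewallStatefulRuleGroupReferences": [
            {"resourceARN": check_rule_group_arn(arn, admin_account, "stateful-rulegroup")}
            for arn in stateful_arns],
        "networkFirewallOrchestrationConfig": orchestration,
        "firewallDeploymentModel": deployment_model,
    }


def build_put_policy_input(name, managed_service_data, include_accounts):
    """Wrap ManagedServiceData (sent as a JSON *string*) in the put-policy body.
    Network Firewall policies scope to VPCs, hence ResourceType AWS::EC2::VPC."""
    return {"Policy": {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": "NETWORK_FIREWALL",
            "ManagedServiceData": json.dumps(managed_service_data, separators=(",", ":")),
        },
        "ResourceType": "AWS::EC2::VPC",
        "IncludeMap": {"ACCOUNT": list(include_accounts)},
        "ExcludeResourceTags": False,
        "RemediationEnabled": True,
    }}


# Constructed sample values: hypothetical administrator account and rule groups.
ADMIN = "111111111111"
SAMPLE = build_managed_service_data(
    ADMIN,
    stateless_refs=[(f"arn:aws:network-firewall:us-east-1:{ADMIN}:stateless-rulegroup/org-stateless", 10)],
    stateful_arns=[f"arn:aws:network-firewall:us-east-1:{ADMIN}:stateful-rulegroup/org-stateful"],
    default_actions=["aws:forward_to_sfe", "count-default"],
    fragment_default_actions=["aws:forward_to_sfe"],
    custom_actions=[{"actionName": "count-default", "actionDefinition": {
        "publishMetricAction": {"dimensions": [{"value": "StatelessDefault"}]}}}],
)

if __name__ == "__main__":
    print(json.dumps(build_put_policy_input("org-nfw", SAMPLE, ["222222222222"]), indent=2))
```

Save the printed JSON and, using the Firewall Manager administrator account's credentials, apply it with `aws fms put-policy --cli-input-json file://nfw-policy.json`. The checks catch the common mistake of referencing a rule group created in a member account rather than the administrator account; they do not replace the first requirement above, since resource sharing with Amazon Organizations must be enabled before Firewall Manager can share the rule groups to member accounts.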