Sharing Amazon Network Firewall resources - Amazon Network Firewall
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Sharing Amazon Network Firewall resources

You can share Network Firewall firewalls, firewall policies, and rule groups with other Amazon accounts. When you share a firewall, other accounts can use your firewall's protections in their VPCs through VPC endpoint associations. When you share firewall policies or rule groups, other accounts can use these resources in their own firewalls.

The owner of a firewall, firewall policy, or rule group can share a resource with:

  • Specific Amazon Web Services accounts inside or outside of its organization in Amazon Organizations

  • An organizational unit inside its organization in Amazon Organizations

  • Its entire organization in Amazon Organizations

Considerations

Consider the following when sharing Amazon Network Firewall resources:

  • Sharing a firewall enables other Amazon accounts to create VPC endpoint associations in their VPCs. Each VPC endpoint association creates a new firewall endpoint that processes traffic according to the shared firewall's policy.

  • You can't share a firewall policy that's configured to use TLS inspection. TLS inspection only works with primary VPC endpoints and same-account secondary endpoints.

  • The owner of a rule group can share a rule group that refers to a resource group, but can't share the resource group itself.

For additional details on shareable Network Firewall resources, see Shareable resources in the Amazon RAM User Guide.


Prerequisites for sharing Amazon Network Firewall resources

  • To share a firewall, firewall policy, or rule group, you must own it in your Amazon Web Services account. You cannot share a firewall, firewall policy, or rule group that has been shared with you.

  • To share a firewall, firewall policy, or rule group with your organization or an organizational unit in Amazon Organizations, you must enable sharing with Amazon Organizations. For more information, see Enable Sharing with Amazon Organizations in the Amazon RAM User Guide.

Firewall, firewall policy, and rule group sharing integrates with Amazon Resource Access Manager (Amazon RAM). Amazon RAM is a service that enables you to share your Amazon resources with any Amazon Web Services account or through Amazon Organizations. With Amazon RAM, you share resources that you own by creating a resource share. A resource share specifies the resources to share, and the consumers with whom to share them. Consumers can be individual Amazon Web Services accounts, organizational units, or an entire organization in Amazon Organizations.

For more information about Amazon RAM, see the Amazon RAM User Guide.

Sharing across Availability Zones

To ensure that resources are distributed across the Availability Zones for a Region, we independently map Availability Zones to names for each account. This could lead to Availability Zone naming differences across accounts. For example, the Availability Zone us-east-1a for your Amazon Web Services account might not have the same location as us-east-1a for another Amazon Web Services account.

To identify the location of your firewall, firewall policy, or rule group relative to your accounts, you must use the Availability Zone ID (AZ ID). The AZ ID is a unique and consistent identifier for an Availability Zone across all Amazon Web Services accounts. For example, use1-az1 is an AZ ID for the us-east-1 Region and it is the same location in every Amazon Web Services account.

To view the AZ IDs for the Availability Zones in your account
  1. Open the Amazon RAM console at https://console.amazonaws.cn/ram/home.

  2. The AZ IDs for the current Region are displayed in the Your AZ ID panel on the right-hand side of the screen.

Sharing an Amazon Network Firewall resource

To share a firewall, firewall policy, or rule group, you must add it to a resource share. A resource share is an Amazon RAM resource that lets you share your resources across Amazon Web Services accounts. A resource share specifies the resources to share, and the consumers with whom they are shared. When you share a firewall, firewall policy, or rule group using Amazon Network Firewall, you add it to an existing resource share. To add the firewall, firewall policy, or rule group to a new resource share, you must first create the resource share using the Amazon RAM console.

If you are part of an organization in Amazon Organizations and sharing within your organization is enabled, consumers in your organization are automatically granted access to the shared firewalls, firewall policies, and rule groups. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared firewalls, firewall policies, and rule groups after accepting the invitation.

You can share any shareable Network Firewall resource that you own (a firewall, firewall policy, or rule group) using the Amazon RAM console, the Amazon Network Firewall API, or the Amazon CLI.

To share a firewall, firewall policy, or rule group that you own using the Amazon RAM console

See Creating a Resource Share in the Amazon RAM User Guide.

To share a firewall, firewall policy, or rule group that you own using the Amazon CLI

Use the create-resource-share command, passing the ARNs of the resources to share and the principals (account IDs, organizational unit ARNs, or the organization ARN) to share them with.

To share a firewall, firewall policy, or rule group that you own using the Network Firewall API

Use the PutResourcePolicy action. For information about how to use this, see PutResourcePolicy in the Amazon Network Firewall API Reference.

You can see the sharing status of the firewalls that you own in the Network Firewall console on the firewall details page.
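The PutResourcePolicy route above takes a resource-based IAM policy document, and the security-relevant choices are all inside that document: which accounts are named as principals, which actions they get, and whether the statement is scoped to the one resource being shared. The following Python is an added example, not code from the Network Firewall documentation or the service; it builds a least-privilege sharing policy for a given resource ARN and checks an existing policy for the mistakes that turn "share with account X" into "share with everyone". The account IDs, resource names, and sample policies are constructed, and the per-resource action sets are assumed from the PutResourcePolicy API reference, so confirm them there before relying on the check.

```python
"""Build and check the resource-based policy that PutResourcePolicy takes when
sharing a Network Firewall firewall, firewall policy, or rule group.

Added example, not code from the Network Firewall documentation. Account IDs,
resource names and sample policies are constructed. The per-resource action
sets are assumed from the PutResourcePolicy API reference.
"""
import json
import re

# Sharing actions PutResourcePolicy accepts per resource type (assumption: taken
# from the API reference). Anything else, such as a Delete* action on the shared
# resource, does not belong in a sharing policy and is flagged below.
SHAREABLE_ACTIONS = {
    "rule-group": {
        "network-firewall:CreateFirewallPolicy",
        "network-firewall:UpdateFirewallPolicy",
        "network-firewall:ListRuleGroups",
    },
    "firewall-policy": {
        "network-firewall:AssociateFirewallPolicy",
        "network-firewall:ListFirewallPolicies",
    },
    "firewall": {
        "network-firewall:CreateVpcEndpointAssociation",
        "network-firewall:ListFirewalls",
    },
}

# Network Firewall ARN shape; the partition is aws-cn in the China Regions.
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):network-firewall:"
    r"(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<rtype>stateful-rulegroup|stateless-rulegroup|firewall-policy|firewall)"
    r"/(?P<name>[A-Za-z0-9-]+)$"
)


def parse_arn(arn):
    """Split a Network Firewall ARN into its parts and classify the resource."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a Network Firewall resource ARN: {arn}")
    parts = m.groupdict()
    parts["kind"] = "rule-group" if parts["rtype"].endswith("rulegroup") else parts["rtype"]
    return parts


def owned_by(arn, caller_account):
    """Prerequisite check: only the owning account can share a resource. A
    resource that was shared *with* you carries the owner's account ID."""
    return parse_arn(arn)["account"] == caller_account


def build_sharing_policy(arn, caller_account, consumer_accounts):
    """Return a least-privilege sharing policy: explicitly named account
    principals only, the documented sharing actions only, scoped to this ARN."""
    if not owned_by(arn, caller_account):
        raise PermissionError(f"{arn} is not owned by {caller_account}; "
                              "a resource shared with you cannot be re-shared")
    info = parse_arn(arn)
    bad = [a for a in consumer_accounts if not re.fullmatch(r"\d{12}", a)]
    if bad:
        raise ValueError(f"not 12-digit account IDs: {bad}")
    principals = [f"arn:{info['partition']}:iam::{a}:root" for a in consumer_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ShareWithNamedAccounts",
            "Effect": "Allow",
            "Principal": {"AWS": principals},
            "Action": sorted(SHAREABLE_ACTIONS[info["kind"]]),
            "Resource": arn,
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def validate_sharing_policy(policy, arn):
    """Return the problems found; an empty list means the policy grants only
    the sharing actions for this ARN, only to explicitly named principals."""
    allowed = SHAREABLE_ACTIONS[parse_arn(arn)["kind"]]
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    problems = []
    for st in statements:
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            problems.append(f"{sid}: wildcard principal shares the resource with every account")
        for action in _as_list(st.get("Action")):
            if action not in allowed:
                problems.append(f"{sid}: {action} is not a sharing action for this resource")
        for res in _as_list(st.get("Resource")):
            if res != arn:
                problems.append(f"{sid}: resource {res} is not the ARN being shared")
    return problems


if __name__ == "__main__":
    # Constructed sample: a firewall policy owned by 111122223333 in cn-north-1,
    # shared with two other accounts.
    owner = "111122223333"
    arn = "arn:aws-cn:network-firewall:cn-north-1:111122223333:firewall-policy/shared-egress-policy"
    policy = build_sharing_policy(arn, owner, ["444455556666", "777788889999"])
    print(json.dumps(policy, indent=2))
    print("problems:", validate_sharing_policy(policy, arn))
```

Write the JSON that build_sharing_policy returns to a file and pass it to the CLI with aws network-firewall put-resource-policy --resource-arn <arn> --policy file://policy.json. The validator is the check to run before that call, or over a policy you retrieve later: a "*" principal or an action outside the sharing set is the difference between sharing a rule group with a named account and letting any account attach or modify it.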

Unsharing a shared Amazon Network Firewall resource

When a firewall owner unshares a firewall, the following rules apply:

  • Existing VPC endpoint associations remain functional

  • The account the firewall was shared with (the owner of the VPC endpoint association) can no longer access or view the firewall's metadata

  • VPC endpoint association owners can still delete their associations

  • The firewall owner cannot delete their firewall until all VPC endpoint associations are deleted

To unshare a shared firewall, firewall policy, or rule group that you own, you must remove it from the resource share. You can do this using the Amazon RAM console or the Amazon CLI.

For more information about the impacts of unsharing a firewall, see Considerations for working with firewalls and firewall endpoints.

To unshare a shared firewall, firewall policy, or rule group that you own using the Amazon RAM console

See Updating a Resource Share in the Amazon RAM User Guide.

To unshare a shared firewall, firewall policy, or rule group that you own using the Amazon CLI

Use the disassociate-resource-share command, passing the resource share ARN and the ARNs of the resources to remove from it.