AWS, Cloud Computing

8 Mins Read

Introducing AWS Network Firewall: Step-By-Step Guide To Provisioning AWS Network Firewall– Part 1


1. Overview
2. Prerequisites
3. AWS Services Used
4. Resources in AWS providing similar Security Services
5. Deployment Architecture
7. Overview of steps involved
8. Step by Step Guide to Provisioning AWS Network Firewall
9. Conclusion
10. About CloudThat
11. FAQs

1. Overview:

AWS Network Firewall is the recently launched, fully managed, highly available, and scalable managed network by AWS, providing security for the VPC’s workloads.

2. Prerequisites:

3. AWS Services Used:

4. Resources in AWS providing similar Security Services:

Before going deep inside the AWS network firewall. Let us see the capabilities we have in terms of security for the VPC.

There is no easier way to scale network security across all your resources in your workloads regardless of which AWS service you use.

So far, how the traffic is routed to the subnet is:

There was no middleman or service to inspect the Internet gateway and subnet traffic

There was no capability to restrict the traffic to the specific URL

AWS Network Firewall is a highly available and scalable managed network by AWS, providing security for the VPC’s workloads

How Traffic Flow inspection is Achieved:

The way Traffic Flow inspection is Achieved here is:

In this blog, we are going to deploy the Network Firewall according to the architecture below.

5. Deployment Architecture:

AWS Network Firewall Architecture

6. Overview of steps involved:

Please follow the values of Ip addresses given in the Architecture diagram to avoid confusion.

7. Step by Step Guide to Provisioning AWS Network Firewall:

Step 1: Go to the AWS console and go to the VPC page. Select the Network Firewall Rule policy

AWS Network Firewall

Step 2: Select Create Network Rule policy

AWS Network Firewall

Here, you can see there are two Rule Groups

AWS Network Firewall

You can see there are three types of rules in the stateful rule group.

We have three options:

1: 5-tupple

2: Domain list

3: Suricata computable IPS rules

AWS Network Firewall

In 5-tupple you need to provide the below options:

1: protocol:

2: source Ip

3: Source port:

4: Destination:

5: Destination Port:

Traffic Direction

1: Any

2: Forward


1: Pass (the traffic will be allowed)

2: Drop (the traffic will be denied)

3: Alert (alert will be initiated in log groups or in CloudWatch)

In DOMAINLIST you need to provide details for the below option

AWS Network Firewall


AWS Network Firewall

Need to provide details for:

In ADD Rule

AWS Network Firewall

You will get the Same options in stateless rules like stateful rule.

NOTE:  If any rule is evaluated and matched, then it won’t evaluate any further rules.

Choose according to the above-mentioned rules what Action you want to. take.

1: pass

2: Drop

3: forward

Step 3: Select Stateful Rules Option. There Select Domain list option.

Step 4: Here provide the name “Stateful-Rule”. Provide “” in the domain name source.

AWS Network Firewall

Step 5: Create Firewall Policies. Give any name, Click Next.

AWS Network Firewall

Step 6: In Add rule Groups, scroll down to the stateful group section, and add the Stateful group created in step 4. Add Rule Groups. Select the Stateful-Rule And click Add Rule Groups.

AWS Network Firewall

AWS Network Firewall

AWS Network Firewall

Step 7: Select Next, Again Next. Finally, create the Network policy.

Step 8: Create Network Firewall. Select The Network policy we created in the above steps. Give A name to Firewall.

Select VPC main. Provide the availability zone as us-east

-2a. Select Firewall subnet.

Select the Associate an Existing Firewall policy radio button and select your Network policy created in step 7. Click Create Firewall.

AWS Network Firewall

AWS Network Firewall

AWS Network Firewall

Step 9: Make sure You have done the subnet associated with the respective route table.

Step 10: Create on windows instance in the main subnet and browse for

Step 11: Now, edit the routes in the routing table. Attach the IGW route to the firewall subnet and attach a copy network interface from the endpoint to the Main subnet.

Add internet gateway in edge association of the “internet-gateway-route-table” route table created before.

Add Main subnet CIDR value in Destination and VPC network interface in the target in the “internet-gateway-route-table.”

Routes of IGW route table.

AWS Network Firewall

Routes of Firewall route table

AWS Network Firewall

Route of the main route table

AWS Network Firewall

Edge association of IGW route table.

AWS Network Firewall

Thus, we have configured the routes in such a way that, any traffic that comes to the main subnet from the internet gateway should pass through the Firewall subnet and vice versa.

Now check the in windows instance.

AWS Network Firewall

Successfully we blocked the traffic from that site.

8. Conclusion:

AWS Network Firewall decreases the risk to the internal network and workloads, providing better security for the services to keep it private. I hope that this post helped clarify the Concepts of the AWS Network Firewall.

9. About CloudThat:

CloudThat is AWS (Amazon Web Services) Advanced Consulting Partner, AWS authorized Training Partner, Microsoft Gold Partner, and Winner of the Microsoft Asia Superstar Campaign for India: 2021.

We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere to advance in their businesses.

To get started, go through our Expert Advisory page and Managed Services Package that is CloudThat’s offerings. Then, you can quickly get in touch with our highly accomplished team of experts to carry out your migration needs. Feel free to drop a comment or any queries that you have about AWS Network Firewall, provisioning Network Firewall, or security, we will get back to you quickly.

10. FAQs:

Q1. What is an important advantage of AWS Network Firewall?

Ans: AWS Network Firewall is an intrusion protection service where Inspection of the Inbound traffic will be going to achieve at the entrance, that is before the traffic reach the subnet.

Q2. What are the capabilities, in terms of security for the services and workloads in AWS?

Ans: We have a few services like Security Groups, which provide security for the instance level. Network Control List, which provides the security for the Subnet level. AWS WAF provides the security for the workload or applications that are running on the CloudFront, load balancers, and API. AWS shield provides security against DDoS attacks.

Voiced by Amazon Polly

WRITTEN BY Karthik Kumar P V

Karthik Kumar Patro Voona is a Research Associate (Kubernetes) at CloudThat Technologies. He Holds Bachelor's degree in Information and Technology and has good programming knowledge of Python. He has experience in both AWS and Azure. He has a passion for Cloud-computing and DevOps. He has good working experience in Kubernetes and DevOps Tools like Terraform, Ansible, and Jenkins. He is a very good Team player, Adaptive and interested in exploring new technologies.



  1. Saritha Nagaraju

    May 27, 2022


    Good Job Karthik!! Look forward to more informative blogs like the above ones.

  2. Shivani Gandhi

    May 16, 2022


    Very informative & helpful.

  3. Click to Comment