1: With recent enhancements to VPC routing primitives and how they unlock additional deployment models for AWS Network Firewall, along with the ones listed below, read part 2 of this blog post here.

AWS services and features are built with security as a top priority. With Amazon Virtual Private Cloud (VPC), customers are able to control network security using Network Access Control Lists (NACL) and Security Groups (SG). At scale, customers require many more rules compared to what is supported in SGs and NACLs today. Many customers have requirements beyond the scope of these network security controls, such as deep packet inspection (DPI), application protocol detection, domain name filtering, and intrusion prevention system (IPS). For these customers, we built AWS Network Firewall – a stateful, managed network firewall and intrusion prevention service for your VPC. It is designed for scale and supports tens of thousands of rules.

In AWS Network Firewall – New Managed Firewall Service in VPC (blog post) we explain the features and use cases for AWS Network Firewall. Start there if AWS Network Firewall is new to you. Keep reading this post if you’re familiar with AWS Network Firewall, as we focus on deployment models for common use cases where AWS Network Firewall could be added into the traffic path. Before we look at deployment models, let’s first understand how AWS Network Firewall works.

To apply the traffic-filtering logic provided by AWS Network Firewall, you must route traffic symmetrically to the AWS Network Firewall endpoint. This firewall endpoint is similar to a PrivateLink VPC interface endpoint. The key difference is that it can be a route table target. The AWS Network Firewall endpoint is deployed into a dedicated subnet of a VPC. We call this subnet an AWS Network Firewall subnet or simply firewall subnet. Depending on the use case and deployment model, the firewall subnet could be either public or private. As a best practice, do not use the AWS Network Firewall subnet to deploy any other services, since AWS Network Firewall is not able to inspect traffic from sources or destinations within the firewall subnet. For high availability (HA) and Multi-AZ deployments, allocate a subnet per Availability Zone (AZ). Once AWS Network Firewall is deployed, you will see a firewall endpoint in each firewall subnet. As mentioned earlier, the firewall endpoint is similar to an interface endpoint and it shows up as a vpce-id in your VPC route table target selection. The firewall endpoint capability is powered by AWS Gateway Load Balancer, and therefore the elastic network interface (ENI) of the endpoint is of type “gateway_load_balancer_endpoint”. To have your network traffic inspected by AWS Network Firewall, you must direct traffic to the firewall endpoint using VPC route tables. In figure 1, we insert the firewall endpoint in the path between a workload subnet and the internet gateway (IGW) using the VPC Ingress Routing feature. If you are not familiar with this feature, see the documentation for more details in addition to the VPC Ingress Routing blog post. We call this workload subnet a protected subnet, as all traffic to the internet is now inspected and protected by AWS Network Firewall.

Figure 1: AWS Network Firewall deployed in a single AZ and traffic flow for a workload in a public subnet

AWS Network Firewall is completely transparent to the traffic flow and does not perform network address translation (NAT). It preserves source and destination IP addresses. When a network packet arrives at AWS Network Firewall, it enters the rules engine and gets inspected.

We refer to this VPC as inspection VPC throughout this blog post.
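The symmetric-routing requirement and the VPC Ingress Routing edge route table from the figure 1 deployment, modelled as an added example (this is not code from the AWS post): the route tables, VPC CIDRs and the vpce-/igw- IDs are constructed placeholders, and the model also covers the two failure modes the post warns about, a missing edge route table and a source placed inside the firewall subnet.

```python
import ipaddress

FW_ENDPOINT = "vpce-0123456789abcdef0"   # placeholder firewall endpoint id (constructed)
IGW = "igw-0123456789abcdef0"            # placeholder internet gateway id (constructed)
VPC_CIDR = "10.0.0.0/16"                 # constructed sample VPC
PROTECTED_CIDR = "10.0.1.0/24"           # workload (protected) subnet, constructed

# Route tables keyed by whoever consults them; each route is (prefix, target).
FIGURE_1_ROUTES = {
    "protected-subnet": [(VPC_CIDR, "local"), ("0.0.0.0/0", FW_ENDPOINT)],
    "firewall-subnet":  [(VPC_CIDR, "local"), ("0.0.0.0/0", IGW)],
    # Edge route table associated with the IGW (VPC Ingress Routing): traffic
    # returning to the protected subnet is steered to the firewall endpoint first.
    IGW:                [(VPC_CIDR, "local"), (PROTECTED_CIDR, FW_ENDPOINT)],
}
# Same VPC without the edge route table: return traffic bypasses the firewall.
NO_INGRESS_ROUTING = {**FIGURE_1_ROUTES, IGW: [(VPC_CIDR, "local")]}


def lookup(routes, table, dst):
    """Longest-prefix match over one route table, as a VPC route table does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, target in routes[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(routes, start_table, dst, max_hops=8):
    """List the targets a packet hits starting from start_table. The firewall
    endpoint is transparent (no NAT), so after inspection the packet is routed
    again using the firewall subnet's route table."""
    hops, table = [], start_table
    for _ in range(max_hops):
        target = lookup(routes, table, dst)
        hops.append(target)
        if target != FW_ENDPOINT:
            return hops  # delivered locally or handed to the IGW
        table = "firewall-subnet"
    raise RuntimeError("routing loop: %r" % hops)


def inspected_both_ways(routes, workload_ip, remote_ip):
    """True only if outbound and return traffic both traverse the firewall
    endpoint, i.e. routing is symmetric as the post requires."""
    outbound = trace(routes, "protected-subnet", remote_ip)
    inbound = trace(routes, IGW, workload_ip)
    return FW_ENDPOINT in outbound and FW_ENDPOINT in inbound
```

A packet sourced from the firewall subnet itself (`trace(FIGURE_1_ROUTES, "firewall-subnet", ...)`) goes straight to the IGW and never touches the endpoint, which is why the post says not to deploy other services there.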