Introduction
AWS Network Firewall is a managed service that provides network protection for your Amazon Virtual Private Clouds (VPCs). It allows you to deploy network security across your VPCs with just a few clicks. This powerful tool combines stateful and stateless firewall capabilities, intrusion prevention features, and the ability to filter network traffic at the application layer.
Key Features and Characteristics
AWS Network Firewall offers several important features:
- Stateful Inspection: Tracks the state of network connections and applies rules based on the context of the traffic.
- Stateless Packet Filtering: Allows or blocks traffic based on individual packets without considering the connection state.
- Intrusion Prevention System (IPS): Actively monitors network traffic for suspicious activity and can take immediate action to prevent threats.
- Domain Name Filtering: Enables blocking or allowing outbound requests based on domain names.
- Protocol Detection: Identifies applications regardless of ports and protocols used.
- Centralized Management: Provides a single point of control for multiple VPCs and accounts.
Deployment Models
AWS Network Firewall supports two primary deployment models:
1. Centralized Deployment Model
In this model, a central VPC acts as a hub for inspection of all traffic:
- Traffic from multiple VPCs is routed through a central VPC where the Network Firewall is deployed.
- Pros:
  - Simplified management
  - Cost-effective for large deployments
- Cons:
  - Potential single point of failure
  - May require significant changes to existing network architecture

[VPC1] --\
[VPC2] ----[Central VPC with Network Firewall]----[Internet]
[VPC3] --/
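As an added example that is not part of the article (and not AWS or Terraform sample code), the Terraform below wires up the hub of the centralized model: a stateful rule group using the domain name filtering feature as an allowlist, a policy that hands all traffic to the stateful engine, the firewall in the central VPC, and the route that sends spoke traffic arriving at the hub into the firewall endpoint. The VPC, subnet and route table ids are placeholders and the listed domains are constructed.

```hcl
# Added example, not the article's code; ids below are placeholders, not real resources.
variable "inspection_vpc_id"  { default = "vpc-INSPECTION-PLACEHOLDER" }
variable "firewall_subnet_id" { default = "subnet-FIREWALL-PLACEHOLDER" }
variable "tgw_subnet_rtb_id"  { default = "rtb-TGW-ATTACHMENT-PLACEHOLDER" }

# Stateful rule group: HTTP Host / TLS SNI domain allowlist; non-matching HTTP/TLS flows are dropped.
resource "aws_networkfirewall_rule_group" "egress_domains" {
  name     = "central-egress-allowlist"
  type     = "STATEFUL"
  capacity = 100
  rule_group {
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        target_types         = ["HTTP_HOST", "TLS_SNI"]
        targets              = [".amazonaws.com", "updates.example.com"] # constructed sample list
      }
    }
  }
}

# Policy: the stateless layer forwards every packet (fragments included) to the stateful engine.
resource "aws_networkfirewall_firewall_policy" "central" {
  name = "central-inspection-policy"
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.egress_domains.arn
    }
  }
}

# The firewall lives in a dedicated subnet of the central (hub) VPC.
resource "aws_networkfirewall_firewall" "central" {
  name                = "central-inspection-firewall"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.central.arn
  vpc_id              = var.inspection_vpc_id
  subnet_mapping {
    subnet_id = var.firewall_subnet_id
  }
}

# The route that makes the hub an inspection point: the subnet that receives the spokes'
# traffic sends its default route into the firewall endpoint, not straight to a NAT/Internet gateway.
resource "aws_route" "tgw_subnet_to_firewall" {
  route_table_id         = var.tgw_subnet_rtb_id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = tolist(aws_networkfirewall_firewall.central.firewall_status[0].sync_states)[0].attachment[0].endpoint_id
}
```

Firewall endpoints are zonal, so a production hub adds one subnet_mapping per Availability Zone and a per-AZ route to the matching endpoint, which addresses the single point of failure listed under Cons.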
2. Distributed Deployment Model