

Update 1: For recent enhancements to VPC routing primitives and the additional deployment models they unlock beyond those listed below, read part 2 of this blog post.

AWS services and features are built with security as a top priority. With Amazon Virtual Private Cloud (VPC), customers can control network security using Network Access Control Lists (NACLs) and Security Groups (SGs). Many customers have requirements beyond the scope of these controls, such as deep packet inspection (DPI), application protocol detection, domain name filtering, and an intrusion prevention system (IPS). At scale, customers also need many more rules than SGs and NACLs support today. For these customers, we built AWS Network Firewall, a stateful, managed network firewall and intrusion prevention service for your VPC. It is designed for scale and supports tens of thousands of rules. In AWS Network Firewall – New Managed Firewall Service in VPC (blog post) we explain the features and use cases for AWS Network Firewall. Start there if AWS Network Firewall is new to you. Keep reading this post if you are already familiar with it, as we focus on deployment models for common use cases where AWS Network Firewall can be inserted into the traffic path. Before we look at deployment models, let's first understand how AWS Network Firewall works.

An AWS Network Firewall endpoint is deployed into a dedicated subnet of a VPC. We call this subnet an AWS Network Firewall subnet, or simply the firewall subnet. Depending on the use case and deployment model, the firewall subnet can be either public or private. The firewall endpoint is similar to a PrivateLink VPC interface endpoint; the key difference is that it can be a route table target. To apply the traffic-filtering logic provided by AWS Network Firewall, you must route traffic symmetrically through the firewall endpoint: both directions of a flow have to traverse the same endpoint, otherwise the stateful engine sees only half of the conversation and cannot inspect it correctly.
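The symmetric-routing requirement is easy to get wrong when the Internet gateway has no ingress (edge) route table pointing the protected subnet's CIDR back at the firewall endpoint: egress goes through the firewall, replies bypass it. The following Python is an added example, not code from the AWS post, that models a single-zone Internet-egress layout as route tables in the shape of `describe-route-tables` output and checks that both directions of a flow land on the same `vpce-` target. All identifiers (`vpce-0fw0000000000001`, `igw-0123456789abcdef0`, the 10.0.0.0/16 CIDRs) are hypothetical and the route tables are constructed for the example.

```python
"""Check that a VPC routing layout sends both directions of a flow through
the same AWS Network Firewall endpoint (a vpce-... route target).

Added example with constructed data; the route tables mirror the single-zone
Internet-egress layout and are not real account data.
"""
import ipaddress

# Hypothetical identifiers.
FW_ENDPOINT = "vpce-0fw0000000000001"   # firewall endpoint in the firewall subnet
IGW = "igw-0123456789abcdef0"
PROTECTED_CIDR = "10.0.1.0/24"          # workload subnet behind the firewall
VPC_CIDR = "10.0.0.0/16"

# Route tables (subset of describe-route-tables fields). Three tables matter:
#   protected   - associated with the workload subnet
#   firewall    - associated with the firewall subnet (hosts the endpoint)
#   igw_ingress - edge association on the Internet gateway (ingress routing)
GOOD = {
    "protected": [
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": FW_ENDPOINT},
    ],
    "firewall": [
        {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW},
    ],
    "igw_ingress": [
        {"DestinationCidrBlock": PROTECTED_CIDR, "VpcEndpointId": FW_ENDPOINT},
    ],
}

# Same layout, but the IGW ingress table only has the implicit local route,
# which is what you get with no edge association at all: replies from the
# Internet are delivered straight into the protected subnet.
BAD = {
    "protected": GOOD["protected"],
    "firewall": GOOD["firewall"],
    "igw_ingress": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"}],
}


def lookup(table, dst):
    """Longest-prefix match over one route table, as VPC routing does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in table:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None


def target(route):
    """Route target: a firewall endpoint is referenced by VpcEndpointId."""
    return route.get("VpcEndpointId") or route.get("GatewayId")


def walk(tables, start, dst):
    """Return the route targets a packet to `dst` traverses, starting from
    route table `start`, until it is delivered locally or leaves via the IGW.
    A packet handed to the firewall endpoint is forwarded according to the
    firewall subnet's route table after inspection."""
    hops = []
    table = start
    for _ in range(4):  # bounded: these layouts are at most a few hops
        route = lookup(tables[table], dst)
        if route is None:
            hops.append("blackhole")
            break
        hop = target(route)
        hops.append(hop)
        if hop == FW_ENDPOINT:
            table = "firewall"
            continue
        break  # local delivery or IGW: end of the VPC path
    return hops


def symmetric_through_firewall(tables, inside_host, outside_host):
    """True when the egress path from the protected subnet and the ingress
    path from the IGW both pass through the firewall endpoint."""
    egress = walk(tables, "protected", outside_host)
    ingress = walk(tables, "igw_ingress", inside_host)
    return FW_ENDPOINT in egress and FW_ENDPOINT in ingress


if __name__ == "__main__":
    for name, tables in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "egress:", walk(tables, "protected", "8.8.8.8"),
              "ingress:", walk(tables, "igw_ingress", "10.0.1.10"),
              "symmetric:", symmetric_through_firewall(tables, "10.0.1.10", "8.8.8.8"))
```

Running it shows the good layout routing `vpce -> igw` outbound and `vpce -> local` inbound, while the layout without the edge route delivers inbound traffic as `local` only, so the firewall never sees the return half of the flow. The same walk can be fed real `describe-route-tables` output once you map each table to its subnet or gateway association.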
