AWS Network Firewall

Understand Network Firewall for managed VPC traffic inspection, including firewall endpoints, stateless and stateful rules, deployment models, routing, logging, and SAA-C03 signals.

Level: foundation. 6 min read. Updated 2026-06-02.
Topics: Cloud, Certification, Networking, Security, Operations.
Tags: Network Firewall, Firewall Endpoint, Firewall Policy, Stateless Rule, Stateful Rule, Suricata Rules, Inspection VPC, Firewall Logging.

After this, you will understand

Network Firewall helps learners move beyond security groups and NACLs into centralized, managed traffic inspection for VPC architectures.

Plain version

AWS Network Firewall deploys managed firewall endpoints into VPC subnets and inspects network traffic using stateless and stateful rules.

Decision pressure

Learners try to use security groups or NACLs for deep traffic inspection, domain-aware rules, intrusion prevention, or centralized egress filtering.

Exam-ready model

Route selected VPC traffic through Network Firewall endpoints, then use firewall policies, logging, and centralized deployment patterns to inspect and control traffic.

Think before reading: Why is Network Firewall different from a security group?

A security group is stateful allow-listing at the resource ENI level; Network Firewall is a managed inspection service that can apply stateless and stateful firewall rules to routed traffic.



Concepts Covered

  • AWS Network Firewall
  • Firewall endpoints
  • Firewall policies
  • Stateless rules
  • Stateful rules
  • Domain list and Suricata-compatible rules
  • Inspection VPC patterns
  • Route table design
  • Logging and monitoring
  • Network Firewall versus security groups, NACLs, WAF, and DNS Firewall

1. Plain-English Mental Model

AWS Network Firewall is managed network traffic inspection for VPCs.

The simple model is:

VPC traffic -> route table -> firewall endpoint -> firewall policy -> next hop

You deploy firewall endpoints into subnets, then route selected traffic through those endpoints. Network Firewall evaluates the traffic using a firewall policy made of stateless and stateful rules.

Security groups and NACLs are basic network controls. Network Firewall provides deeper inspection. It supports patterns such as centralized egress filtering, intrusion-prevention-style signature rules, domain filtering, and network-layer policy enforcement.

It is not the same as AWS WAF. WAF inspects HTTP and HTTPS requests at supported application entry points. Network Firewall inspects routed VPC network traffic.

2. Why This Service Exists

VPC networking often starts simple:

public subnet -> load balancer
private subnet -> application
database subnet -> database

Security groups and NACLs may be enough for early workloads. But larger environments need stronger network policy: inspect outbound traffic, block known bad destinations, enforce domain allow lists, detect suspicious protocols, segment VPCs, and centralize inspection across many accounts.

Building this yourself with EC2 firewall appliances adds patching, scaling, high availability, routing, and operations work.

Network Firewall exists to provide managed, scalable firewall inspection inside AWS networking.

For SAA-C03, it appears in questions about VPC traffic inspection, centralized egress filtering, managed network firewalling, stateless and stateful rules, logging firewall activity, and inspecting traffic before it reaches or leaves workloads.

3. The Naive Approach And Where It Breaks

The naive design uses only security groups:

application security group -> allow HTTPS outbound to 0.0.0.0/0

That may be acceptable for simple workloads, but it does not inspect payloads, domains, protocol behavior, or suspicious traffic patterns.

Another naive design uses NACLs for deep inspection. NACLs are stateless subnet boundary rules. They are not intrusion prevention systems and do not understand application protocols deeply.

Another mistake is deploying Network Firewall but forgetting route tables. The firewall sees only traffic that routing sends through it. If a subnet still routes directly to an internet gateway, NAT gateway, transit gateway, or peering attachment, the traffic may bypass inspection.

Network Firewall is a routing design as much as a firewall policy.
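The bypass problem above is easy to check mechanically. Here is an added example (not AWS code) that audits workload route tables in the shape returned by ec2 describe-route-tables and flags default routes that skip the firewall endpoint or hairpin into an endpoint in another Availability Zone; all IDs, CIDRs and AZs are constructed.

```python
"""Audit workload route tables for paths that bypass Network Firewall endpoints.
Added example, not AWS code. Input mirrors ec2 describe-route-tables output;
every ID, CIDR and AZ below is constructed. Firewall endpoints appear in routes
as VpcEndpointId targets (vpce-...)."""
from typing import Dict, List

# Constructed sample: three workload subnets in one VPC, two firewall endpoints.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-app-a", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-fw-a"}]},
    {"RouteTableId": "rtb-app-b", "Associations": [{"SubnetId": "subnet-app-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-b"}]},
    {"RouteTableId": "rtb-db", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-fw-b"}]},
]
SUBNET_AZ = {"subnet-app-a": "us-east-1a", "subnet-app-b": "us-east-1b",
             "subnet-db": "us-east-1a"}
ENDPOINT_AZ = {"vpce-fw-a": "us-east-1a", "vpce-fw-b": "us-east-1b"}

# Route targets that leave the VPC without passing a firewall endpoint. In a
# Transit Gateway inspection-VPC design the TGW attachment is the intended next
# hop from workload VPCs, so remove TransitGatewayId from this tuple there.
BYPASS_TARGETS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
                  "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId")

def audit(route_tables: List[dict], subnet_az: Dict[str, str],
          endpoint_az: Dict[str, str]) -> List[str]:
    """Findings for workload subnets whose default route skips the firewall or
    hairpins into a firewall endpoint in a different Availability Zone."""
    findings = []
    for rt in route_tables:
        subnets = [a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a]
        default = [r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        if not default:
            continue  # isolated subnet with no egress route: nothing to inspect
        route = default[0]
        for subnet in subnets:
            if "VpcEndpointId" in route:
                fw_az = endpoint_az.get(route["VpcEndpointId"])
                if fw_az != subnet_az[subnet]:
                    findings.append(f"{subnet}: default route crosses AZ to "
                                    f"{route['VpcEndpointId']} in {fw_az}")
                continue
            target = next((route[k] for k in BYPASS_TARGETS if k in route), "unknown")
            findings.append(f"{subnet}: default route via {target} bypasses the firewall")
    return findings
```

Run it only against workload subnets: the firewall subnets themselves legitimately route to the NAT gateway or internet gateway.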

4. Core Primitives

A firewall is the Network Firewall resource deployed in a VPC.

A firewall endpoint is created in each subnet you select, one per Availability Zone where traffic needs inspection. Route tables send traffic to these endpoints.

A firewall policy defines how traffic is evaluated.

Stateless rule groups inspect packets independently. They are useful for fast packet-level decisions.

Stateful rule groups inspect traffic in connection context. They can support Suricata-compatible rules and domain list rules.

Rule actions depend on the rule type: stateless rules can pass, drop, or forward a packet to the stateful engine; stateful rules can pass, drop, or alert. An alert action logs the match but does not stop the flow.

Logging can send flow logs and alert logs to supported destinations such as CloudWatch Logs, S3, or Kinesis Data Firehose.

Firewall Manager can centrally deploy and manage Network Firewall policies across accounts.
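To make the primitives above concrete, here is an added example (not AWS code) that lays out a stateless rule group, a domain-list rule group, a Suricata-compatible rule group and a firewall policy as boto3-style request dicts, then checks for the common misconfiguration in which the stateless default action never forwards traffic to the stateful engine. The ARNs and domains are placeholders and nothing is sent to AWS.

```python
"""Network Firewall rule groups and a policy as boto3-style request dicts.
Added example: the dicts mirror the RuleGroup / FirewallPolicy structures of
create_rule_group / create_firewall_policy. ARNs and domains are placeholders."""

# Stateless rule group: packet-level match that hands outbound TCP/443 to the
# stateful engine ("aws:forward_to_sfe") instead of passing it unchecked.
STATELESS_RULE_GROUP = {"RulesSource": {"StatelessRulesAndCustomActions": {
    "StatelessRules": [{"Priority": 10, "RuleDefinition": {
        "MatchAttributes": {
            "Sources": [{"AddressDefinition": "10.0.0.0/8"}],
            "Destinations": [{"AddressDefinition": "0.0.0.0/0"}],
            "Protocols": [6],  # TCP
            "DestinationPorts": [{"FromPort": 443, "ToPort": 443}]},
        "Actions": ["aws:forward_to_sfe"]}}]}}}

# Stateful domain-list rule group: TLS SNI or HTTP Host must be on the list.
DOMAIN_ALLOWLIST_RULE_GROUP = {"RulesSource": {"RulesSourceList": {
    "Targets": [".amazonaws.com", "updates.example.test"],  # placeholders
    "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
    "GeneratedRulesType": "ALLOWLIST"}}}

# Stateful Suricata-compatible rule: "alert" shows in logs but does not block;
# change the action to "drop" once the signature is trusted.
SURICATA_RULE_GROUP = {"RulesSource": {"RulesString":
    'alert tcp 10.0.0.0/8 any -> any 23 (msg:"outbound telnet"; sid:1000001; rev:1;)'}}
ARN = "arn:aws:network-firewall:REGION:ACCOUNT:{}/{}"  # placeholder pattern
FIREWALL_POLICY = {
    "StatelessRuleGroupReferences": [
        {"ResourceArn": ARN.format("stateless-rulegroup", "egress-443"), "Priority": 10}],
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:drop"],
    "StatefulRuleGroupReferences": [
        {"ResourceArn": ARN.format("stateful-rulegroup", "domain-allowlist"), "Priority": 1},
        {"ResourceArn": ARN.format("stateful-rulegroup", "ids-signatures"), "Priority": 2}],
    "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
    # Strict order: flows matching no stateful rule are dropped and logged.
    "StatefulDefaultActions": ["aws:drop_strict", "aws:alert_strict"],
}

def policy_findings(policy: dict) -> list:
    """Flag policy settings that let traffic skip the stateful rule groups."""
    findings = []
    if not policy.get("StatefulRuleGroupReferences"):
        return findings  # nothing stateful to bypass
    if "aws:forward_to_sfe" not in policy.get("StatelessDefaultActions", []):
        findings.append("stateless default never forwards to the stateful engine: unmatched packets skip it")
    strict = policy.get("StatefulEngineOptions", {}).get("RuleOrder") == "STRICT_ORDER"
    if strict and not policy.get("StatefulDefaultActions"):
        findings.append("STRICT_ORDER without StatefulDefaultActions: unmatched flows pass")
    return findings
```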

5. Architecture Use Cases

Use Network Firewall for centralized egress inspection from private subnets before traffic reaches NAT gateways or internet egress.

Use it in an inspection VPC with Transit Gateway when many workload VPCs need centralized network inspection:

workload VPC -> Transit Gateway -> inspection VPC -> Network Firewall -> egress

Use stateful domain list rules when outbound traffic should be limited to approved domains.

Use Suricata-compatible rules when the security team needs intrusion detection or prevention style signatures.

Use logging to investigate blocked traffic, rule matches, and suspicious flows.

Use Network Firewall together with WAF and Shield. WAF handles application-layer HTTP rules. Shield handles DDoS. Network Firewall handles routed network inspection.

7. Security Model

Network Firewall security depends on routing, rule design, IAM access, and logging.

Only trusted network or security teams should edit production firewall policies. A bad rule can block critical traffic or allow risky paths.

Route tables must force intended traffic through firewall endpoints. Bypass routes weaken the control.

Keep firewall endpoints highly available by deploying in multiple Availability Zones and routing same-AZ traffic where possible.

Logs can contain sensitive network metadata, domains, source and destination IPs, and threat indicators. Protect log destinations.

Use change control for firewall policy updates and test rules before broad rollout.

8. Reliability And Resilience

Network Firewall is managed and scales, but your routing architecture affects reliability.

Deploy firewall endpoints in every Availability Zone where traffic needs inspection. Avoid forcing all traffic through one AZ endpoint if the workload spans multiple AZs.

Route table mistakes can create black holes. If the firewall subnet, workload subnet, NAT path, or transit gateway route is wrong, traffic can fail even though the firewall is healthy.

Firewall policies can also create outages through false positives or overly broad drops.

Use logs, metrics, and staged rule deployment. Start with alerting where appropriate before enforcing disruptive rules.

9. Performance And Scaling

Network Firewall is designed for high-scale managed inspection, but architecture still matters.

Traffic hairpinning through centralized inspection can add latency and data transfer cost.

Same-AZ routing patterns can reduce cross-AZ dependencies.

Stateful rules may be more expensive operationally than simple packet filtering because they inspect connection context.

Centralized inspection simplifies policy but can concentrate traffic paths. Distributed firewalls place inspection closer to workloads but require more deployment management.

Choose based on traffic volume, account strategy, security ownership, and routing complexity.

10. Cost Model

Network Firewall costs include firewall endpoint hours and traffic processing, with log storage and analysis costs separate.

Centralized inspection can add Transit Gateway, cross-AZ, NAT, and data processing charges.

The cost should be compared with EC2 firewall appliances, unmanaged inspection gaps, and security incident risk.

Do not route every byte through inspection if only specific flows need it, unless policy requires universal inspection.

Use Firewall Manager when organization-wide deployment would otherwise create high manual operations cost.

12. SAA-C03 Exam Signals

"Managed network firewall for VPC traffic" points to Network Firewall.

"Inspect outbound traffic from private subnets" points to Network Firewall.

"Stateful and stateless rule groups" points to Network Firewall.

"Suricata-compatible rules" points to Network Firewall.

"HTTP SQL injection or XSS filtering" points to WAF, not Network Firewall.

"DNS domain block lists for resolver queries" points to Route 53 Resolver DNS Firewall.

"Centrally deploy firewall policies across accounts" points to Firewall Manager.

13. Common Exam Traps

Do not confuse Network Firewall with security groups.

Do not confuse Network Firewall with AWS WAF.

Do not forget that routing determines whether traffic reaches the firewall.

Do not deploy only one firewall endpoint for multi-AZ critical traffic.

Do not assume alerting rules block traffic.

Do not ignore firewall logs when troubleshooting reachability.
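The last two traps (alert rules do not block; read the logs when troubleshooting) can be checked from the alert log itself. The following added example, not AWS code, parses constructed lines in the JSON alert-log shape the firewall emits and separates signatures that merely logged a flow from those that blocked it; it also serves the staged-rollout advice in the Reliability section.

```python
"""Summarise Network Firewall alert logs: which signatures only alert vs block.
Added example, not AWS code. The log lines below are constructed but follow the
JSON alert-log shape the firewall emits (Suricata EVE "alert" events wrapped
with firewall_name and availability_zone)."""
import json
from collections import Counter

SAMPLE_ALERT_LOG = """
{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1717300000","event":{"timestamp":"2024-06-02T03:46:40.000000+0000","event_type":"alert","src_ip":"10.0.1.5","src_port":51222,"dest_ip":"203.0.113.7","dest_port":23,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"outbound telnet","severity":3}}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1b","event_timestamp":"1717300010","event":{"timestamp":"2024-06-02T03:46:50.000000+0000","event_type":"alert","src_ip":"10.0.2.9","src_port":40112,"dest_ip":"198.51.100.4","dest_port":443,"proto":"TCP","tls":{"sni":"cdn.example.test"},"alert":{"action":"blocked","signature_id":1000002,"rev":1,"signature":"domain not on allowlist","severity":1}}}
{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1717300020","event":{"timestamp":"2024-06-02T03:47:00.000000+0000","event_type":"alert","src_ip":"10.0.1.5","src_port":51230,"dest_ip":"203.0.113.7","dest_port":23,"proto":"TCP","alert":{"action":"allowed","signature_id":1000001,"rev":1,"signature":"outbound telnet","severity":3}}}
"""

def parse_alerts(text: str) -> list:
    """One flat record per alert event; blank and non-alert lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        ev = entry["event"]
        if ev.get("event_type") != "alert":
            continue
        records.append({
            "az": entry["availability_zone"],
            "src": f"{ev['src_ip']}:{ev['src_port']}",
            "dst": f"{ev['dest_ip']}:{ev['dest_port']}",
            "sni": ev.get("tls", {}).get("sni"),
            "action": ev["alert"]["action"],      # "allowed" or "blocked"
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
        })
    return records

def action_counts(records: list) -> Counter:
    """How much matched traffic was actually stopped versus merely logged."""
    return Counter(r["action"] for r in records)

def alert_only_signatures(records: list) -> dict:
    """{sid: (signature, hits)} for rules that fired with action 'allowed': the
    flow went through, so these are candidates to promote from alert to drop."""
    hits = Counter((r["sid"], r["signature"]) for r in records if r["action"] == "allowed")
    return {sid: (sig, n) for (sid, sig), n in hits.items()}
```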

Review VPC Networking Model, Security Groups vs NACLs, AWS Transit Gateway, AWS Firewall Manager, and AWS WAF.
