By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
(For AWS Solutions Architect – Associate & Real-World Deployments)
AWS Network Firewall (ANFW) is a managed, stateful, Layer 3–7 firewall that inspects and filters traffic at the VPC level—not just at the instance (like Security Groups) or subnet (like NACLs). Think of it as a corporate security guard for your entire VPC, not just a bouncer at the door of a single bar.
prod-db
app-tier
You’re migrating a legacy on-prem app to AWS. The app has strict compliance requirements: all traffic must be inspected for SQL injection, malware, and unauthorized access. Your security team demands logs for every dropped packet. Security Groups and NACLs can’t do this—you need AWS Network Firewall.
app.example.com
✅ AWS account with admin IAM permissions (or at least NetworkFirewall:*).✅ A VPC with at least 2 subnets (one for workloads, one for the firewall).✅ AWS CLI installed and configured (aws configure).
NetworkFirewall:*
aws configure
Goal: Define what traffic is allowed/blocked.
# Create a stateless rule group (allow TCP 443, deny everything else) aws network-firewall create-rule-group \ --rule-group-name "allow-https-stateless" \ --type STATELESS \ --capacity 100 \ --rule-group '{ "RulesSource": { "StatelessRulesAndCustomActions": { "StatelessRules": [ { "RuleDefinition": { "MatchAttributes": { "Sources": [{"AddressDefinition": "0.0.0.0/0"}], "Destinations": [{"AddressDefinition": "0.0.0.0/0"}], "Protocols": [6], # TCP "DestinationPorts": [{"FromPort": 443, "ToPort": 443}] }, "Actions": ["aws:pass"] }, "Priority": 1 } ] } } }' # Create a stateful rule group (block known malicious IPs) aws network-firewall create-rule-group \ --rule-group-name "block-malicious-ips" \ --type STATEFUL \ --capacity 100 \ --rule-group '{ "RulesSource": { "RulesString": "drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:\"Block known malicious IP\"; sid:1000001; rev:1;)" } }' # Create a firewall policy (combine rule groups) aws network-firewall create-firewall-policy \ --firewall-policy-name "prod-firewall-policy" \ --firewall-policy '{ "StatelessRuleGroupReferences": [ {"ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:stateless-rulegroup/allow-https-stateless"} ], "StatefulRuleGroupReferences": [ {"ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/block-malicious-ips"} ], "StatelessDefaultActions": ["aws:drop"], "StatelessFragmentDefaultActions": ["aws:drop"] }'
Verification:
aws network-firewall describe-firewall-policy --firewall-policy-name "prod-firewall-policy"
(Should return your policy with both rule groups attached.)
Goal: Attach the firewall to your VPC.
# Create the firewall (replace subnet IDs with your own) aws network-firewall create-firewall \ --firewall-name "prod-firewall" \ --firewall-policy-arn "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/prod-firewall-policy" \ --vpc-id "vpc-12345678" \ --subnet-mappings "SubnetId=subnet-12345678" "SubnetId=subnet-87654321" # One per AZ
aws network-firewall describe-firewall --firewall-name "prod-firewall"
(Wait for FirewallStatus.Status to become READY—takes ~5 mins.)
FirewallStatus.Status
READY
Goal: Force all traffic to pass through the firewall.
Identify the firewall endpoint ENIs: bash aws ec2 describe-network-interfaces \ --filters "Name=description,Values=AWS Network Firewall Endpoint" \ --query "NetworkInterfaces[*].NetworkInterfaceId" \ --output text (Example output: eni-12345678 eni-87654321)
bash aws ec2 describe-network-interfaces \ --filters "Name=description,Values=AWS Network Firewall Endpoint" \ --query "NetworkInterfaces[*].NetworkInterfaceId" \ --output text
eni-12345678 eni-87654321
Update route tables:
0.0.0.0/0
bash # Example: Update private subnet route table aws ec2 create-route \ --route-table-id "rtb-12345678" \ --destination-cidr-block "0.0.0.0/0" \ --network-interface-id "eni-12345678"
Verification:- Launch an EC2 instance in the private subnet.- Try to curl google.com—it should fail (because we blocked everything except HTTPS).- Try curl https://google.com—it should work.
curl google.com
curl https://google.com
Goal: Send firewall logs to CloudWatch for auditing.
# Create a CloudWatch Logs group aws logs create-log-group --log-group-name "/aws/network-firewall/prod-firewall" # Update the firewall to enable logging aws network-firewall update-logging-configuration \ --firewall-arn "arn:aws:network-firewall:us-east-1:123456789012:firewall/prod-firewall" \ --logging-configuration '{ "LogDestinationConfigs": [ { "LogType": "ALERT", "LogDestinationType": "CloudWatchLogs", "LogDestination": {"logGroup": "/aws/network-firewall/prod-firewall"} }, { "LogType": "FLOW", "LogDestinationType": "CloudWatchLogs", "LogDestination": {"logGroup": "/aws/network-firewall/prod-firewall"} } ] }'
aws logs get-log-events --log-group-name "/aws/network-firewall/prod-firewall" --log-stream-name "alerts"
(Should show blocked/allowed traffic.)
network-firewall:*
logs:*
bash aws network-firewall describe-rule-group --rule-group-arn "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/block-malicious-ips"
Environment=prod
Owner=security-team
NetworkFirewall > Firewall > DroppedPackets
NetworkFirewall > Firewall > PassedPackets
StatelessDefaultActions: ["aws:drop"]
❌ NACLs (stateless, subnet-level)
"You need to block SQL injection attacks at the VPC level. Which service?"
❌ WAF (only for ALB/CloudFront/API Gateway)
"How do you ensure all traffic passes through the firewall?"
Challenge:Deploy a Network Firewall that blocks all outbound traffic except HTTPS (TCP 443) to google.com. Test it by launching an EC2 instance and trying to curl different domains.
google.com
curl
Solution:1. Create a stateful rule group with: json { "RulesSource": { "RulesString": "pass tcp any any -> 142.250.190.46 443 (msg:\"Allow HTTPS to Google\"; sid:1000002; rev:1;)" } } (Replace 142.250.190.46 with Google’s IP—find it via dig google.com.)
json { "RulesSource": { "RulesString": "pass tcp any any -> 142.250.190.46 443 (msg:\"Allow HTTPS to Google\"; sid:1000002; rev:1;)" } }
142.250.190.46
dig google.com
Attach it to your firewall policy.
Test: bash curl https://google.com # Should work curl http://example.com # Should fail
bash curl https://google.com # Should work curl http://example.com # Should fail
Why It Works:- The rule explicitly allows HTTPS to Google’s IP.- The default action is "deny-all", so everything else is blocked.
aws network-firewall create-firewall
aws network-firewall create-rule-group
STATELESS
STATEFUL
ALERT
FLOW
AWS-AWSManagedRulesCommonRuleSet
"AWS Network Firewall is like a bouncer at a nightclub—it doesn’t just check IDs (ports/protocols), it also scans for weapons (malware, SQLi). But if you don’t route traffic through it, it’s just an expensive decoration."
Now go deploy one! ?
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.