Fatskills
Practice. Master. Repeat.
Study Guide: TECH **AWS Network Firewall: Zero-Fluff, Hands-On Study Guide**
Source: https://www.fatskills.com/aws-certified-solutions-architect-associate/chapter/tech-aws-network-firewall-zero-fluff-hands-on-study-guide

TECH **AWS Network Firewall: Zero-Fluff, Hands-On Study Guide**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~8 min read

AWS Network Firewall: Zero-Fluff, Hands-On Study Guide

(For AWS Solutions Architect – Associate & Real-World Deployments)


1. What This Is & Why It Matters

AWS Network Firewall (ANFW) is a managed, stateful, Layer 3–7 firewall that inspects and filters traffic at the VPC level—not just at the instance (like Security Groups) or subnet (like NACLs). Think of it as a corporate security guard for your entire VPC, not just a bouncer at the door of a single bar.

Why It Matters in Production

  • Compliance & Security: If you’re handling PCI-DSS, HIPAA, or SOC2, you must inspect and log all traffic entering/exiting your VPC. Security Groups and NACLs alone won’t cut it—they lack deep packet inspection (DPI) and stateful filtering.
  • Zero Trust: You can enforce micro-segmentation (e.g., "Only allow prod-db to talk to app-tier on port 3306, and block everything else").
  • Threat Protection: ANFW can block known malicious IPs, domains, and signatures (via AWS Managed Rules) before traffic hits your workloads.
  • Cost Efficiency: Unlike third-party firewalls (Palo Alto, Fortinet), ANFW is pay-as-you-go and scales automatically.

Real-World Scenario

You’re migrating a legacy on-prem app to AWS. The app has strict compliance requirements: all traffic must be inspected for SQL injection, malware, and unauthorized access. Your security team demands logs for every dropped packet. Security Groups and NACLs can’t do this—you need AWS Network Firewall.


2. Core Concepts & Components

Component Definition Production Insight
Firewall The main resource that defines the firewall’s behavior (rules, logging, etc.). ⚠️ One firewall per VPC (but can span multiple AZs).
Firewall Policy A collection of rule groups (stateful/stateless) that define filtering logic. Always start with a "deny-all" default action—then whitelist what’s allowed.
Rule Group (Stateful) Rules that inspect traffic bidirectionally (e.g., "Allow HTTP to app.example.com"). Use for application-layer filtering (e.g., block SQLi, malware).
Rule Group (Stateless) Rules that inspect traffic packet-by-packet (like NACLs). Use for simple port/protocol filtering (e.g., "Allow TCP 443").
Firewall Endpoint The actual ENI (Elastic Network Interface) that inspects traffic in a subnet. Deploy in a dedicated subnet (not shared with workloads).
Suricata Rules Open-source threat detection rules (e.g., "Block known C2 servers"). AWS provides managed rule groups—start with these before writing custom rules.
Logging CloudWatch Logs or S3 for storing firewall events (allowed/blocked traffic). Enable logging before deploying—otherwise, you’re flying blind.
TLS Inspection Decrypts and inspects HTTPS traffic (requires importing a CA certificate). Only use if compliance requires it—adds latency and complexity.


3. Step-by-Step: Deploy a Network Firewall in 15 Minutes


Prerequisites

✅ AWS account with admin IAM permissions (or at least NetworkFirewall:*).
✅ A VPC with at least 2 subnets (one for workloads, one for the firewall).
AWS CLI installed and configured (aws configure).


Step 1: Create a Firewall Policy

Goal: Define what traffic is allowed/blocked.


# Create a stateless rule group (allow TCP 443, deny everything else)
aws network-firewall create-rule-group \
  --rule-group-name "allow-https-stateless" \
  --type STATELESS \
  --capacity 100 \
  --rule-group '{
"RulesSource": {
"StatelessRulesAndCustomActions": {
"StatelessRules": [
{
"RuleDefinition": {
"MatchAttributes": {
"Sources": [{"AddressDefinition": "0.0.0.0/0"}],
"Destinations": [{"AddressDefinition": "0.0.0.0/0"}],
"Protocols": [6], # TCP
"DestinationPorts": [{"FromPort": 443, "ToPort": 443}]
},
"Actions": ["aws:pass"]
},
"Priority": 1
}
]
}
} }' # Create a stateful rule group (block known malicious IPs) aws network-firewall create-rule-group \ --rule-group-name "block-malicious-ips" \ --type STATEFUL \ --capacity 100 \ --rule-group '{
"RulesSource": {
"RulesString": "drop ip $EXTERNAL_NET any -> $HOME_NET any (msg:\"Block known malicious IP\"; sid:1000001; rev:1;)"
} }' # Create a firewall policy (combine rule groups) aws network-firewall create-firewall-policy \ --firewall-policy-name "prod-firewall-policy" \ --firewall-policy '{
"StatelessRuleGroupReferences": [
{"ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:stateless-rulegroup/allow-https-stateless"}
],
"StatefulRuleGroupReferences": [
{"ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/block-malicious-ips"}
],
"StatelessDefaultActions": ["aws:drop"],
"StatelessFragmentDefaultActions": ["aws:drop"] }'

Verification:


aws network-firewall describe-firewall-policy --firewall-policy-name "prod-firewall-policy"

(Should return your policy with both rule groups attached.)


Step 2: Deploy the Firewall

Goal: Attach the firewall to your VPC.


# Create the firewall (replace subnet IDs with your own)
aws network-firewall create-firewall \
  --firewall-name "prod-firewall" \
  --firewall-policy-arn "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/prod-firewall-policy" \
  --vpc-id "vpc-12345678" \
  --subnet-mappings "SubnetId=subnet-12345678" "SubnetId=subnet-87654321"  # One per AZ

Verification:


aws network-firewall describe-firewall --firewall-name "prod-firewall"

(Wait for FirewallStatus.Status to become READY—takes ~5 mins.)


Step 3: Route Traffic Through the Firewall

Goal: Force all traffic to pass through the firewall.


  1. Identify the firewall endpoint ENIs:
    bash
    aws ec2 describe-network-interfaces \
    --filters "Name=description,Values=AWS Network Firewall Endpoint" \
    --query "NetworkInterfaces[*].NetworkInterfaceId" \
    --output text

    (Example output: eni-12345678 eni-87654321)

  2. Update route tables:

  3. Public subnet (NAT Gateway): Route 0.0.0.0/0 to the firewall endpoint ENI (not the IGW).
  4. Private subnet (workloads): Route 0.0.0.0/0 to the firewall endpoint ENI (not the NAT Gateway).

bash
# Example: Update private subnet route table
aws ec2 create-route \
--route-table-id "rtb-12345678" \
--destination-cidr-block "0.0.0.0/0" \
--network-interface-id "eni-12345678"

Verification:
- Launch an EC2 instance in the private subnet.
- Try to curl google.com—it should fail (because we blocked everything except HTTPS).
- Try curl https://google.com—it should work.


Step 4: Enable Logging

Goal: Send firewall logs to CloudWatch for auditing.


# Create a CloudWatch Logs group
aws logs create-log-group --log-group-name "/aws/network-firewall/prod-firewall"

# Update the firewall to enable logging
aws network-firewall update-logging-configuration \
  --firewall-arn "arn:aws:network-firewall:us-east-1:123456789012:firewall/prod-firewall" \
  --logging-configuration '{
"LogDestinationConfigs": [
{
"LogType": "ALERT",
"LogDestinationType": "CloudWatchLogs",
"LogDestination": {"logGroup": "/aws/network-firewall/prod-firewall"}
},
{
"LogType": "FLOW",
"LogDestinationType": "CloudWatchLogs",
"LogDestination": {"logGroup": "/aws/network-firewall/prod-firewall"}
}
] }'

Verification:


aws logs get-log-events --log-group-name "/aws/network-firewall/prod-firewall" --log-stream-name "alerts"

(Should show blocked/allowed traffic.)


4. ? Production-Ready Best Practices


Security

  • Least Privilege: Restrict IAM roles to only network-firewall:* and logs:*.
  • TLS Inspection: Only enable if required by compliance—it adds latency and complexity.
  • Rule Order Matters: Stateful rules are evaluated before stateless rules.
  • Managed Rule Groups: Start with AWS’s pre-built rules (e.g., "AWS-AWSManagedRulesCommonRuleSet").

Cost Optimization

  • Rule Group Capacity: Each rule group has a capacity limit (default: 100). Monitor usage with: bash aws network-firewall describe-rule-group --rule-group-arn "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/block-malicious-ips"
  • Logging Costs: CloudWatch Logs can get expensive. Archive old logs to S3 with a lifecycle policy.

Reliability & Maintainability

  • Tag Everything: Use tags like Environment=prod, Owner=security-team.
  • Multi-AZ Deployment: Always deploy one firewall endpoint per AZ for HA.
  • Idempotency: Use CloudFormation/Terraform to avoid manual misconfigurations.

Observability

  • CloudWatch Alarms: Set up alerts for:
  • NetworkFirewall > Firewall > DroppedPackets (spikes = attacks).
  • NetworkFirewall > Firewall > PassedPackets (unexpected traffic).
  • VPC Flow Logs: Enable alongside ANFW for double-layer visibility.


5. ⚠️ Common Mistakes & Traps

Mistake Symptom Fix/Prevention
Not routing traffic through firewall Instances can bypass firewall rules. Double-check route tables—all traffic must go through the firewall ENI.
Default "allow-all" policy Firewall doesn’t block anything. Always set StatelessDefaultActions: ["aws:drop"].
Forgetting logging No visibility into blocked traffic. Enable logging before deploying (CloudWatch or S3).
Single-AZ deployment Firewall fails if AZ goes down. Deploy one endpoint per AZ (even if it costs more).
Overly permissive rules Firewall allows too much traffic. Start with "deny-all", then whitelist (not the other way around).


6. ? Exam/Certification Focus


Typical Question Patterns

  1. "Which service provides stateful, VPC-level traffic inspection?"
  2. AWS Network Firewall
  3. ❌ Security Groups (instance-level)
  4. ❌ NACLs (stateless, subnet-level)

  5. "You need to block SQL injection attacks at the VPC level. Which service?"

  6. AWS Network Firewall (stateful rule groups)
  7. ❌ WAF (only for ALB/CloudFront/API Gateway)

  8. "How do you ensure all traffic passes through the firewall?"

  9. Update route tables to send 0.0.0.0/0 to the firewall ENI.
  10. ❌ "Just deploy the firewall" (traffic won’t flow through it automatically).

Key ⚠️ Trap Distinctions

Concept AWS Network Firewall Security Groups NACLs
Layer 3–7 (stateful) 3–4 (stateful) 3–4 (stateless)
Scope VPC-wide Instance-level Subnet-level
Default Action Configurable (usually "deny-all") "Deny-all" "Allow-all"
Deep Packet Inspection ✅ Yes (Suricata rules) ❌ No ❌ No


7. ? Hands-On Challenge

Challenge:
Deploy a Network Firewall that blocks all outbound traffic except HTTPS (TCP 443) to google.com. Test it by launching an EC2 instance and trying to curl different domains.

Solution:
1. Create a stateful rule group with:
json
{
"RulesSource": {
"RulesString": "pass tcp any any -> 142.250.190.46 443 (msg:\"Allow HTTPS to Google\"; sid:1000002; rev:1;)"
}
}

(Replace 142.250.190.46 with Google’s IP—find it via dig google.com.)


  1. Attach it to your firewall policy.

  2. Test:
    bash
    curl https://google.com # Should work
    curl http://example.com # Should fail

Why It Works:
- The rule explicitly allows HTTPS to Google’s IP.
- The default action is "deny-all", so everything else is blocked.


8. ? Rapid-Reference Crib Sheet

Command/Concept Key Details
aws network-firewall create-firewall Deploys the firewall in a VPC. ⚠️ Takes ~5 mins to become READY.
aws network-firewall create-rule-group Define stateless (STATELESS) or stateful (STATEFUL) rules.
Default Action ⚠️ Always set StatelessDefaultActions: ["aws:drop"] (deny-all by default).
Logging CloudWatch Logs (ALERT = blocked traffic, FLOW = all traffic).
TLS Inspection Requires importing a CA certificate (adds latency).
Managed Rule Groups Start with AWS-AWSManagedRulesCommonRuleSet (blocks SQLi, XSS, etc.).
Capacity Each rule group has a capacity limit (default: 100). Monitor usage!
Multi-AZ ⚠️ Deploy one endpoint per AZ (or risk downtime).


9. ? Where to Go Next

  1. AWS Network Firewall Docs – Official guide.
  2. AWS Managed Rule Groups – Pre-built threat protection.
  3. Suricata Rules Guide – Write custom rules.
  4. AWS Network Firewall Workshop – Hands-on lab.

Final Pro Tip

"AWS Network Firewall is like a bouncer at a nightclub—it doesn’t just check IDs (ports/protocols), it also scans for weapons (malware, SQLi). But if you don’t route traffic through it, it’s just an expensive decoration."

Now go deploy one! ?



ADVERTISEMENT