AWS Network Firewall: What It Is and When to Use It

Definition

AWS Network Firewall is a stateful, managed network firewall and intrusion detection and prevention service (IDS/IPS) for your Amazon Virtual Private Clouds (VPCs). It provides fine-grained control to filter traffic at the perimeter of your VPC, covering layers 3 through 7 of the OSI model, to protect against common network threats.

How It Works

AWS Network Firewall operates by deploying highly available, auto-scaling firewall endpoints into dedicated subnets within your VPC. To inspect traffic, you modify your VPC route tables to direct traffic—from sources like an Internet Gateway, NAT Gateway, AWS Direct Connect, or VPN—through these firewall endpoints.

The architecture consists of three main components:

  • Firewall: The core resource that connects the inspection logic to a specific VPC. You create a firewall and specify a dedicated subnet in each Availability Zone (AZ) you want to protect. The firewall automatically creates and manages endpoints in these subnets.
  • Firewall Policy: A container for the rules and settings that define how the firewall inspects traffic. It specifies the rule groups to use and the default actions for packets that don't match any rules.
  • Rule Groups: These are collections of criteria for inspecting and handling network traffic. They come in two types:
    • Stateless: These rules inspect individual packets in isolation, similar to Network Access Control Lists (NACLs). They are best for high-speed, straightforward filtering, like blocking known malicious IP addresses.
    • Stateful: These rules inspect packets in the context of their traffic flow. The service uses the open-source Suricata engine, allowing for deep packet inspection (DPI), intrusion prevention (IPS), and filtering by domain name (FQDN). You can write your own Suricata-compatible rules or use managed rule sets from AWS and its partners.

Traffic flows from a source subnet to the firewall endpoint, where it is inspected first by the stateless engine and then by the stateful engine. Based on the rules, traffic is either dropped, alerted on, or forwarded to its destination.
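The three components above map directly onto API request bodies. As an added example (not code from the article or from AWS), the following Python assembles a stateless rule group that drops a constructed list of "known malicious" sources, a firewall policy that hands everything else to the stateful engine, and a small offline simulation of the stateless-first evaluation order just described. The CIDRs are documentation ranges, the ARNs are placeholders, and nothing here calls AWS.

```python
# Added example (not from the article): assemble the Network Firewall
# building blocks in the shape the CreateRuleGroup / CreateFirewallPolicy
# APIs accept, then simulate the stateless-first evaluation order.
# Offline only: nothing here calls AWS. The blocked CIDRs and the ARNs are
# constructed placeholders.
import ipaddress
import json

# Constructed sample of "known malicious" sources (documentation ranges).
BLOCKED_SOURCES = ["198.51.100.0/24", "203.0.113.7/32"]

# Placeholder ARNs; real ones come back from CreateRuleGroup.
STATELESS_RG_ARN = "arn:aws:network-firewall:REGION:ACCOUNT_ID:stateless-rulegroup/block-known-bad"
STATEFUL_RG_ARN = "arn:aws:network-firewall:REGION:ACCOUNT_ID:stateful-rulegroup/egress-allowlist"


def build_stateless_rule_group(blocked_cidrs):
    """One 5-tuple stateless rule per CIDR, each dropping the packet.

    Sources is the only match attribute set: a MatchAttributes field that is
    omitted matches anything, so these rules drop every protocol and port.
    """
    rules = []
    for priority, cidr in enumerate(blocked_cidrs, start=1):
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed CIDR
        rules.append({
            "Priority": priority,  # lower number is evaluated first
            "RuleDefinition": {
                "MatchAttributes": {"Sources": [{"AddressDefinition": cidr}]},
                "Actions": ["aws:drop"],
            },
        })
    return {
        "RulesSource": {
            "StatelessRulesAndCustomActions": {"StatelessRules": rules}
        }
    }


def build_firewall_policy(stateless_rg_arn, stateful_rg_arn):
    """Policy that runs the stateless group first and hands everything it did
    not decide to the stateful engine (aws:forward_to_sfe), where strict-order
    Suricata rules decide and unmatched flows are dropped."""
    return {
        "StatelessRuleGroupReferences": [{"ResourceArn": stateless_rg_arn, "Priority": 1}],
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulRuleGroupReferences": [{"ResourceArn": stateful_rg_arn, "Priority": 1}],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulDefaultActions": ["aws:drop_strict", "aws:alert_strict"],
    }


def stateless_verdict(rule_group, policy, src_ip):
    """Evaluate a single packet the way the stateless engine does: rules in
    priority order, first match wins, otherwise the policy default applies.
    Returns the action string."""
    rules = rule_group["RulesSource"]["StatelessRulesAndCustomActions"]["StatelessRules"]
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        sources = rule["RuleDefinition"]["MatchAttributes"].get("Sources", [])
        if any(addr in ipaddress.ip_network(s["AddressDefinition"]) for s in sources):
            return rule["RuleDefinition"]["Actions"][0]
    return policy["StatelessDefaultActions"][0]


if __name__ == "__main__":
    rg = build_stateless_rule_group(BLOCKED_SOURCES)
    policy = build_firewall_policy(STATELESS_RG_ARN, STATEFUL_RG_ARN)
    print(json.dumps(policy, indent=2))
    for ip in ("203.0.113.7", "198.51.100.42", "192.0.2.10"):
        print(ip, "->", stateless_verdict(rg, policy, ip))
```

The point to notice is the pair of defaults: `aws:forward_to_sfe` is what makes the stateless stage a pre-filter rather than the final word, and `aws:drop_strict` turns the stateful stage into a default-deny so that a flow is only forwarded if some Suricata `pass` rule explicitly allows it.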

Key Features and Limits

Key Features

  • Stateful and Stateless Inspection: Combines the speed of stateless rules with the contextual awareness of stateful deep packet inspection.
  • Intrusion Prevention System (IPS): Utilizes the Suricata rule engine to provide active threat detection and prevention against vulnerabilities, exploits, and other malicious traffic.
  • Web and Domain Filtering: Filter outbound traffic based on Fully Qualified Domain Names (FQDN) and block access to known malicious domains.
  • TLS Inspection: Network Firewall can decrypt, inspect, and re-encrypt TLS traffic for both ingress and egress connections, providing visibility into encrypted communications.
  • Centralized Management: Integrates with AWS Firewall Manager to centrally configure and enforce firewall policies across multiple accounts and VPCs within an AWS Organization.
  • Managed Service: AWS handles the underlying infrastructure, including scaling, patching, and high availability, with a 99.99% SLA.
  • Transit Gateway Integration: Natively integrates with AWS Transit Gateway, simplifying the architecture for centralized inspection of traffic between VPCs and on-premises networks.

Service Limits (as of 2026)

  • Firewalls per Region: 5 (Adjustable)
  • Firewall Policies per Region: 20 (Adjustable)
  • Stateful Rules per Policy: Default is 30,000, but this is adjustable up to 50,000.
  • Stateful Rule Groups per Policy: 20 (Fixed)
  • Throughput: Scales automatically up to 100 Gbps per firewall endpoint.

Users can request increases for adjustable quotas via the AWS Service Quotas console.

Common Use Cases

  • Centralized Egress Filtering: Use a central "inspection VPC" with Network Firewall and Transit Gateway to filter all outbound internet traffic from multiple spoke VPCs, enforcing policies like allowing access only to specific domains.
  • Inbound Traffic Inspection: Protect public-facing applications by filtering all inbound internet traffic from an Internet Gateway before it reaches your application subnets.
  • East-West (VPC-to-VPC) Traffic Inspection: Inspect traffic flowing between different VPCs (e.g., between development and production environments) that are connected via a Transit Gateway.
  • On-Premises Traffic Filtering: Inspect traffic coming into or going out of your AWS environment from on-premises data centers via AWS Direct Connect or a VPN connection.
  • Compliance and Threat Prevention: Meet regulatory compliance requirements (like PCI-DSS) for an IDS/IPS and use managed threat signatures to automatically block known malware, botnets, and other threats.
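The centralized egress use case above (allow outbound traffic only to specific domains) is the stateful engine's FQDN filtering from the architecture section in practice. As an added example that is not code from the article or from AWS, the Python below generates the Suricata rules such a rule group would contain, wraps them in the `CreateRuleGroup` body for a strict-order stateful group, and mirrors the `dotprefix; endswith` match in plain Python so the allow-list boundary can be checked offline. The domain list, the HOME_NET range and the sid numbers are constructed for the example.

```python
# Added example (not from the article): a stateful rule group that allows
# egress only to listed domains, written as Suricata rules of the kind the
# stateful engine runs, plus a pure-Python mirror of the
# "dotprefix; endswith" match so the allow-list boundary can be checked
# offline. The domain list, HOME_NET range and sid numbers are constructed.
from itertools import count

ALLOWED_DOMAINS = ["example.com", "amazonaws.com"]  # constructed allow list
HOME_NET_CIDRS = ["10.0.0.0/8"]  # constructed: spoke VPC ranges behind the firewall


def suricata_allowlist_rules(domains, sid_start=100001):
    """Build a strict-order rule set: one pass rule per domain for TLS (SNI)
    and HTTP (Host), then a drop per protocol that catches everything the
    pass rules did not. 'dotprefix' prepends '.' to the inspected name, so
    'content:".example.com"; endswith' matches example.com and
    api.example.com but not notexample.com."""
    sids = count(sid_start)
    rules = []
    for domain in domains:
        for proto, buffer in (("tls", "tls.sni"), ("http", "http.host")):
            rules.append(
                f'pass {proto} $HOME_NET any -> $EXTERNAL_NET any '
                f'({buffer}; dotprefix; content:".{domain}"; endswith; nocase; '
                f'msg:"Allowed egress to {domain}"; sid:{next(sids)}; rev:1;)'
            )
    for proto in ("tls", "http"):
        rules.append(
            f'drop {proto} $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Blocked egress {proto} to non-allow-listed domain"; '
            f'flow:to_server,established; sid:{next(sids)}; rev:1;)'
        )
    return "\n".join(rules)


def build_stateful_rule_group(domains, home_net_cidrs):
    """RuleGroup body for CreateRuleGroup with Type=STATEFUL. HOME_NET is set
    explicitly: in a central inspection VPC the default (the firewall's own
    VPC CIDR) would not cover the spoke VPCs whose traffic is inspected."""
    return {
        "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": list(home_net_cidrs)}}},
        "RulesSource": {"RulesString": suricata_allowlist_rules(domains)},
        "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
    }


def domain_allowed(hostname, domains):
    """Mirror of the dotprefix + endswith + nocase test on a server name."""
    name = "." + hostname.lower().rstrip(".")
    return any(name.endswith("." + d.lower()) for d in domains)


if __name__ == "__main__":
    print(suricata_allowlist_rules(ALLOWED_DOMAINS))
    for host in ("example.com", "api.example.com", "notexample.com", "example.com.evil.test"):
        print(f"{host:24} allowed={domain_allowed(host, ALLOWED_DOMAINS)}")
```

Two design points matter here. The pass-then-drop layout only works with `STRICT_ORDER`, which evaluates rules in the order written; under the default action-order mode the drops would be evaluated relative to the passes differently. And HOME_NET is set explicitly because, in the Transit Gateway inspection-VPC pattern, the traffic being inspected originates in spoke VPCs, not in the firewall's own VPC, so the default HOME_NET would leave the `$HOME_NET any -> $EXTERNAL_NET` rules matching nothing.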

Pricing Model

AWS Network Firewall pricing is based on a pay-as-you-go model with two primary components:

  1. Hourly Charge: You are billed for each hour that a firewall endpoint is provisioned, per Availability Zone.
  2. Data Processing Charge: You are billed per gigabyte of traffic processed by the firewall, regardless of the source or destination.

Recent pricing updates in early 2026 removed additional data processing charges for TLS inspection. Additionally, when a NAT Gateway is placed in the same path as a Network Firewall endpoint, the standard NAT Gateway hourly and data processing charges are waived on a one-to-one basis, which can lead to significant cost savings.

For detailed pricing, always consult the official AWS Network Firewall Pricing page and the AWS Pricing Calculator.

Pros and Cons

Pros

  • Fully Managed: No infrastructure to manage, patch, or scale. AWS handles high availability and scaling automatically.
  • Powerful Inspection: Supports industry-standard Suricata rules for advanced IDS/IPS capabilities and deep packet inspection.
  • Centralized Enforcement: Easily apply consistent security policies across hundreds of VPCs and accounts using AWS Firewall Manager and Transit Gateway.
  • Deep Integration: Works seamlessly with other AWS services like VPC Flow Logs, CloudWatch, and Amazon S3 for logging and monitoring.

Cons

  • Cost: The per-hour and per-GB pricing can become significant for high-throughput workloads compared to the free, basic filtering of Security Groups and NACLs.
  • Complexity: Initial setup requires careful planning of VPC routing. Misconfigured routes can lead to asymmetric routing and dropped packets.
  • Latency: As an inline inspection service, it adds a network hop, which can introduce minor latency compared to services that are not in the direct traffic path.

Comparison with Alternatives

| Service | OSI Layer | Scope | Key Feature | Use Case |
| :--- | :--- | :--- | :--- | :--- |
| AWS Network Firewall | Layers 3-7 | VPC Perimeter | Managed IDS/IPS, domain filtering, TLS inspection. | VPC-wide network protection, centralized egress/ingress filtering, threat prevention. |
| Security Groups | Layers 3-4 | Elastic Network Interface (ENI) | Stateful, allow-only rules for instances. | Primary firewall for controlling access to individual EC2 instances. |
| Network ACLs (NACLs) | Layers 3-4 | Subnet | Stateless, allow and deny rules for subnets. | A secondary, stateless defense layer for subnets; blocking specific IP addresses. |
| AWS WAF | Layer 7 (HTTP/S) | ALB, API Gateway, CloudFront | Protects against web exploits like SQL injection, XSS. | Protecting web applications and APIs from common application-layer attacks. |
| Marketplace Appliances | Layers 3-7 | EC2 Instance | Features from third-party vendors (Palo Alto, Fortinet, etc.). | Lift-and-shift of existing on-premises firewall solutions; specific vendor features. |

In short, use all of them for defense-in-depth. Security Groups and NACLs are fundamental. Use Network Firewall for VPC-level IDS/IPS and advanced network filtering, and use AWS WAF specifically for protecting web applications.

Exam Relevance

AWS Network Firewall is a critical topic for several AWS certifications, particularly those focused on security and networking.

  • AWS Certified Security - Specialty (SCS-C02): Expect in-depth questions on its architecture, rule configuration (stateful vs. stateless), integration with Firewall Manager, and its role in a defense-in-depth strategy.
  • AWS Certified Advanced Networking - Specialty (ANS-C01): Questions will likely focus on complex routing scenarios, integration with Transit Gateway for centralized inspection, performance, and high-availability designs.
  • AWS Certified Solutions Architect - Professional (SAP-C02): You may see questions requiring you to design secure, multi-VPC architectures where Network Firewall is the appropriate choice for centralized traffic filtering and threat prevention.

For exams, you must know how Network Firewall differs from Security Groups, NACLs, and WAF, and understand the common architectural patterns for its deployment.

Frequently Asked Questions

Q: What is the difference between AWS Network Firewall and AWS WAF?

A: AWS Network Firewall operates from the network layer up through the application layer (Layers 3-7) to protect your entire VPC from threats like malware and botnets by inspecting all traffic types. AWS WAF is a web application firewall that operates only at the application layer (Layer 7) to protect your web applications from common exploits like SQL injection and cross-site scripting (XSS), inspecting HTTP/S traffic alone.

Q: Do I still need Security Groups and NACLs if I use AWS Network Firewall?

A: Yes. AWS recommends a defense-in-depth strategy. Network Firewall provides VPC-level perimeter defense, while Security Groups act as a stateful host-level firewall for your instances, and NACLs provide a stateless firewall at the subnet level. They work together to provide layered security.

Q: How do I centralize traffic inspection for many VPCs with AWS Network Firewall?

A: The recommended pattern is to use AWS Transit Gateway. You create a central "inspection VPC" where the Network Firewall endpoints are deployed. You then configure the Transit Gateway route tables to send all traffic from your "spoke" VPCs through the inspection VPC for filtering before it goes to the internet or to another VPC. Recent enhancements allow for a native Transit Gateway attachment, simplifying this architecture.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/17/2026 / Updated: 5/28/2026

