Architecture details - Guidance for Cross Network Traffic Inspection with AWS Network Firewall

Architecture details

This section describes the components and AWS services that make up this guidance and the architecture details on how these components work together.

AWS Network Firewall configuration

This guidance deploys with a default network firewall policy that doesn't disrupt your existing network. This lets you design and deploy custom network firewall policies and stateful and stateless rule groups, including existing Suricata stateful rules. For more information about Suricata, refer to Working with stateful rule groups in AWS Network Firewall in the AWS Network Firewall Developer Guide.

Note

You can also use Firewall Manager to centrally configure and manage firewall rules for this guidance.

Using this guidance with AWS Transit Gateway

Note

To create transit gateways and manage VPCs and peering attachments, we recommend using the Network Orchestration for AWS Transit Gateway guidance. You can use both guidances with the same transit gateway resource.

With an existing transit gateway

This guidance works with your existing transit gateway to create a VPC transit gateway attachment if you provide the transit gateway ID. The guidance also creates association and propagation to the existing transit gateway route tables if you provide the route table ID and transit gateway ID. For details, refer to Step 2: Launch the stack.

Without an existing transit gateway

You can deploy this guidance without a transit gateway to test it before making any network changes. If you don't provide a transit gateway ID, this guidance won't create the transit gateway to VPC attachment. This ensures that your network engineers can customize the Network Firewall configuration and update the firewall policies before making network changes.

Amazon CloudWatch

If you select CloudWatchLogs for the Select the type of log destination for the Network Firewall parameter when you launch the stack, this guidance creates a log group for your logs. Network Firewall writes its alert and flow log records to this log group. For more information, refer to the AWS Network Firewall Developer Guide.

Amazon Simple Storage Service

The guidance creates the following Amazon Simple Storage Service (Amazon S3) buckets:

  • Source code bucket – This bucket hosts versions of the source code used by the AWS CodeBuild stage to validate and deploy Network Firewall resources and update related resources.

  • CodePipeline artifacts bucket – This bucket stores input and output artifacts created by the CodePipeline stages. CodePipeline zips and transfers the files for input or output artifacts as appropriate for the action type in the stage.

  • (Optional) Network Firewall log destination bucket – This bucket stores the guidance's logs. This S3 bucket is only created if you select Amazon S3 for the Select the type of log destination for the Network Firewall parameter when you launch the stack.
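The alert and flow logs delivered to the CloudWatch log group or the optional S3 bucket are newline-delimited JSON records. The following added example (not part of this guidance's code) parses constructed sample records, summarizes alerts per rule and flow bytes per destination port, and lists rules that matched but were not dropped, which is what you want to review while the non-disruptive default policy is still in place. The record layout (firewall metadata wrapping a Suricata EVE event under "event") is assumed from the AWS Network Firewall Developer Guide; the firewall name, addresses and signature IDs are constructed.

```python
import json
from collections import Counter

# Constructed sample records, one JSON object per line, in the layout Network Firewall
# writes to a CloudWatch Logs group or an S3 bucket: firewall metadata wrapping a
# Suricata EVE event under "event" (layout assumed from the Developer Guide, not this page).
SAMPLE_LOG_LINES = [
    '{"firewall_name":"inspection-fw","availability_zone":"us-east-1a","event_timestamp":"1700000000",'
    '"event":{"event_type":"alert","src_ip":"10.0.1.10","src_port":49152,"dest_ip":"10.1.2.20","dest_port":23,'
    '"proto":"TCP","alert":{"action":"allowed","signature_id":100001,"signature":"Telnet to app subnet","severity":2}}}',
    '{"firewall_name":"inspection-fw","availability_zone":"us-east-1b","event_timestamp":"1700000005",'
    '"event":{"event_type":"alert","src_ip":"10.0.1.11","src_port":49153,"dest_ip":"10.1.2.20","dest_port":23,'
    '"proto":"TCP","alert":{"action":"blocked","signature_id":100002,"signature":"Known bad user-agent","severity":1}}}',
    '{"firewall_name":"inspection-fw","availability_zone":"us-east-1a","event_timestamp":"1700000010",'
    '"event":{"event_type":"netflow","src_ip":"10.0.1.10","src_port":49154,"dest_ip":"10.1.2.21","dest_port":443,'
    '"proto":"TCP","netflow":{"pkts":12,"bytes":4096,"age":9}}}',
    'not json at all',  # a corrupt line, to show that parsing skips it
]


def parse_records(lines):
    """Parse newline-delimited records, skipping lines that are not JSON objects with an event."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and isinstance(rec.get("event"), dict):
            records.append(rec)
    return records


def summarize(records):
    """Count alerts per (signature_id, action) and sum flow-log bytes per destination port."""
    alerts, flow_bytes = Counter(), Counter()
    for rec in records:
        ev = rec["event"]
        if ev.get("event_type") == "alert":
            alerts[(ev["alert"]["signature_id"], ev["alert"]["action"])] += 1
        elif ev.get("event_type") == "netflow":
            flow_bytes[ev["dest_port"]] += ev["netflow"].get("bytes", 0)
    return alerts, flow_bytes


def alert_only_hits(records):
    """Signature IDs that matched but were not dropped (action "allowed"): under the
    non-disruptive default policy these show what a later drop rule would affect."""
    return sorted({r["event"]["alert"]["signature_id"] for r in records
                   if r["event"].get("event_type") == "alert"
                   and r["event"]["alert"].get("action") == "allowed"})
```

Point `parse_records` at the lines of a CloudWatch Logs export or an S3 log object to run the same summary on real records.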