

This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html).

# AWS::NetworkFirewall::Firewall
<a name="aws-resource-networkfirewall-firewall"></a>

Use the firewall to provide stateful, managed network firewall and intrusion detection and prevention filtering for your VPCs in Amazon VPC. 

The firewall defines the configuration settings for an AWS Network Firewall firewall. The settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall AWS resource. 

## Syntax
<a name="aws-resource-networkfirewall-firewall-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-networkfirewall-firewall-syntax.json"></a>

```
{
  "Type" : "AWS::NetworkFirewall::Firewall",
  "Properties" : {
      "[AvailabilityZoneChangeProtection](#cfn-networkfirewall-firewall-availabilityzonechangeprotection)" : Boolean,
      "[AvailabilityZoneMappings](#cfn-networkfirewall-firewall-availabilityzonemappings)" : [ AvailabilityZoneMapping, ... ],
      "[DeleteProtection](#cfn-networkfirewall-firewall-deleteprotection)" : Boolean,
      "[Description](#cfn-networkfirewall-firewall-description)" : String,
      "[EnabledAnalysisTypes](#cfn-networkfirewall-firewall-enabledanalysistypes)" : [ String, ... ],
      "[FirewallName](#cfn-networkfirewall-firewall-firewallname)" : String,
      "[FirewallPolicyArn](#cfn-networkfirewall-firewall-firewallpolicyarn)" : String,
      "[FirewallPolicyChangeProtection](#cfn-networkfirewall-firewall-firewallpolicychangeprotection)" : Boolean,
      "[SubnetChangeProtection](#cfn-networkfirewall-firewall-subnetchangeprotection)" : Boolean,
      "[SubnetMappings](#cfn-networkfirewall-firewall-subnetmappings)" : [ SubnetMapping, ... ],
      "[Tags](#cfn-networkfirewall-firewall-tags)" : [ Tag, ... ],
      "[TransitGatewayId](#cfn-networkfirewall-firewall-transitgatewayid)" : String,
      "[VpcId](#cfn-networkfirewall-firewall-vpcid)" : String
    }
}
```

### YAML
<a name="aws-resource-networkfirewall-firewall-syntax.yaml"></a>

```
Type: AWS::NetworkFirewall::Firewall
Properties:
  [AvailabilityZoneChangeProtection](#cfn-networkfirewall-firewall-availabilityzonechangeprotection): Boolean
  [AvailabilityZoneMappings](#cfn-networkfirewall-firewall-availabilityzonemappings): 
    - AvailabilityZoneMapping
  [DeleteProtection](#cfn-networkfirewall-firewall-deleteprotection): Boolean
  [Description](#cfn-networkfirewall-firewall-description): String
  [EnabledAnalysisTypes](#cfn-networkfirewall-firewall-enabledanalysistypes): 
    - String
  [FirewallName](#cfn-networkfirewall-firewall-firewallname): String
  [FirewallPolicyArn](#cfn-networkfirewall-firewall-firewallpolicyarn): String
  [FirewallPolicyChangeProtection](#cfn-networkfirewall-firewall-firewallpolicychangeprotection): Boolean
  [SubnetChangeProtection](#cfn-networkfirewall-firewall-subnetchangeprotection): Boolean
  [SubnetMappings](#cfn-networkfirewall-firewall-subnetmappings): 
    - SubnetMapping
  [Tags](#cfn-networkfirewall-firewall-tags): 
    - Tag
  [TransitGatewayId](#cfn-networkfirewall-firewall-transitgatewayid): String
  [VpcId](#cfn-networkfirewall-firewall-vpcid): String
```

## Properties
<a name="aws-resource-networkfirewall-firewall-properties"></a>

`AvailabilityZoneChangeProtection`  <a name="cfn-networkfirewall-firewall-availabilityzonechangeprotection"></a>
A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to `TRUE`, you must first disable this protection before adding or removing Availability Zones.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`AvailabilityZoneMappings`  <a name="cfn-networkfirewall-firewall-availabilityzonemappings"></a>
The Availability Zones where the firewall endpoints are created for a transit gateway-attached firewall. Each mapping specifies an Availability Zone where the firewall processes traffic.  
*Required*: No  
*Type*: Array of [AvailabilityZoneMapping](aws-properties-networkfirewall-firewall-availabilityzonemapping.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`DeleteProtection`  <a name="cfn-networkfirewall-firewall-deleteprotection"></a>
A flag indicating whether it is possible to delete the firewall. A setting of `TRUE` indicates that the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. When you create a firewall, the operation initializes this flag to `TRUE`.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Description`  <a name="cfn-networkfirewall-firewall-description"></a>
A description of the firewall.  
*Required*: No  
*Type*: String  
*Pattern*: `^.*$`  
*Maximum*: `512`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EnabledAnalysisTypes`  <a name="cfn-networkfirewall-firewall-enabledanalysistypes"></a>
An optional setting indicating the specific traffic analysis types to enable on the firewall.   
*Required*: No  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`FirewallName`  <a name="cfn-networkfirewall-firewall-firewallname"></a>
The descriptive name of the firewall. You can't change the name of a firewall after you create it.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[a-zA-Z0-9-]+$`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`FirewallPolicyArn`  <a name="cfn-networkfirewall-firewall-firewallpolicyarn"></a>
The Amazon Resource Name (ARN) of the firewall policy.  
The relationship of firewall to firewall policy is many to one. Each firewall requires one firewall policy association, and you can use the same firewall policy for multiple firewalls.   
*Required*: Yes  
*Type*: String  
*Pattern*: `^arn:aws.*$`  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`FirewallPolicyChangeProtection`  <a name="cfn-networkfirewall-firewall-firewallpolicychangeprotection"></a>
A setting indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. When you create a firewall, the operation initializes this setting to `TRUE`.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SubnetChangeProtection`  <a name="cfn-networkfirewall-firewall-subnetchangeprotection"></a>
A setting indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. When you create a firewall, the operation initializes this setting to `TRUE`.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SubnetMappings`  <a name="cfn-networkfirewall-firewall-subnetmappings"></a>
The primary public subnets that Network Firewall is using for the firewall. Network Firewall creates a firewall endpoint in each subnet. Create a subnet mapping for each Availability Zone where you want to use the firewall.  
These subnets are all defined for a single, primary VPC, and each must belong to a different Availability Zone. Each of these subnets establishes the availability of the firewall in its Availability Zone.   
In addition to these subnets, you can define other endpoints for the firewall in `VpcEndpointAssociation` resources. You can define these additional endpoints for any VPC, and for any of the Availability Zones where the firewall resource already has a subnet mapping. VPC endpoint associations give you the ability to protect multiple VPCs using a single firewall, and to define multiple firewall endpoints for a VPC in a single Availability Zone.   
*Required*: No  
*Type*: Array of [SubnetMapping](aws-properties-networkfirewall-firewall-subnetmapping.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-networkfirewall-firewall-tags"></a>
An array of key-value pairs to apply to this resource.  
For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html).  
*Required*: No  
*Type*: Array of [Tag](aws-properties-networkfirewall-firewall-tag.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`TransitGatewayId`  <a name="cfn-networkfirewall-firewall-transitgatewayid"></a>
The unique identifier of the transit gateway associated with this firewall. This field is only present for transit gateway-attached firewalls.  
*Required*: No  
*Type*: String  
*Pattern*: `^tgw-[0-9a-z]+$`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`VpcId`  <a name="cfn-networkfirewall-firewall-vpcid"></a>
The unique identifier of the VPC where the firewall is in use. You can't change the VPC of a firewall after you create the firewall.   
*Required*: No  
*Type*: String  
*Pattern*: `^vpc-[0-9a-f]+$`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)
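The rules above (the required properties, the name and ID patterns, one primary subnet per Availability Zone, and the protection flags) can all be checked on the template before a stack is deployed, which is cheaper than discovering them as a failed `CREATE` or, worse, as a firewall whose deletion or policy protection was silently left off. The following is an added example, not AWS code and not part of this reference: a small linter that runs over a parsed template. The sample template and the subnet-to-zone map are constructed for the illustration; intrinsic functions such as `Ref` are left for CloudFormation to resolve, so only literal values are pattern-checked. Treating an omitted protection flag as a finding is a house rule assumed here, not a rule from this page: the page documents the default the create operation applies, and stating the flag in the template makes its removal visible in a diff.

```python
"""Added example (not AWS code): pre-deployment checks for
AWS::NetworkFirewall::Firewall resources, written to the property rules on
this page. Operates on the template as a parsed dict (json.load or a YAML
loader output)."""
import re

FIREWALL_TYPE = "AWS::NetworkFirewall::Firewall"

# Patterns and limits as listed under Properties.
PATTERNS = {
    "FirewallName": re.compile(r"^[a-zA-Z0-9-]+$"),
    "FirewallPolicyArn": re.compile(r"^arn:aws.*$"),
    "VpcId": re.compile(r"^vpc-[0-9a-f]+$"),
    "TransitGatewayId": re.compile(r"^tgw-[0-9a-z]+$"),
}
MAX_LEN = {"FirewallName": 128, "FirewallPolicyArn": 256, "Description": 512}

# House rule (an assumption of this example, not a rule on the page): every
# protection flag must be stated, so disabling one shows up in a template diff.
PROTECTION_FLAGS = (
    "DeleteProtection",
    "FirewallPolicyChangeProtection",
    "SubnetChangeProtection",
)


def _literal(value):
    """Plain strings are checked; intrinsic functions such as {"Ref": "X"} are
    dicts that CloudFormation resolves at deploy time, so they are skipped."""
    return value if isinstance(value, str) else None


def _is_false(value):
    # Booleans may appear as JSON/YAML booleans or as the strings "false"/"FALSE".
    return value is False or (isinstance(value, str) and value.lower() == "false")


def lint_firewall(logical_id, props, subnet_az=None):
    """Return the findings for one firewall. subnet_az maps subnet ID to
    Availability Zone and is used to check that the primary subnets sit in
    distinct zones, as SubnetMappings requires."""
    findings = []
    for field in ("FirewallName", "FirewallPolicyArn"):
        if field not in props:
            findings.append(f"{logical_id}: {field} is required")
    for field, pattern in PATTERNS.items():
        lit = _literal(props.get(field))
        if lit is not None and not pattern.match(lit):
            findings.append(f"{logical_id}: {field} {lit!r} does not match {pattern.pattern}")
    for field, limit in MAX_LEN.items():
        lit = _literal(props.get(field))
        if lit is not None and len(lit) > limit:
            findings.append(f"{logical_id}: {field} longer than {limit} characters")
    if "VpcId" not in props and "TransitGatewayId" not in props:
        findings.append(f"{logical_id}: neither VpcId nor TransitGatewayId is set")
    for flag in PROTECTION_FLAGS:
        if flag not in props:
            findings.append(f"{logical_id}: {flag} not stated explicitly")
        elif _is_false(props[flag]):
            findings.append(f"{logical_id}: {flag} is false")
    seen_az = {}
    for mapping in props.get("SubnetMappings", []):
        if mapping.get("SubnetId") is None:
            findings.append(f"{logical_id}: SubnetMapping without SubnetId")
            continue
        subnet = _literal(mapping["SubnetId"])
        az = subnet_az.get(subnet) if (subnet_az and subnet) else None
        if az in seen_az:
            findings.append(f"{logical_id}: {seen_az[az]} and {subnet} are both in {az}; "
                            "primary subnets must be in different Availability Zones")
        elif az:
            seen_az[az] = subnet
    return findings


def lint_template(template, subnet_az=None):
    """Map each AWS::NetworkFirewall::Firewall logical ID to its findings."""
    return {
        lid: lint_firewall(lid, res.get("Properties", {}), subnet_az)
        for lid, res in template.get("Resources", {}).items()
        if res.get("Type") == FIREWALL_TYPE
    }


# Constructed sample template: one compliant firewall and one with several defects.
SAMPLE_TEMPLATE = {"Resources": {
    "GoodFirewall": {"Type": FIREWALL_TYPE, "Properties": {
        "FirewallName": "egress-fw",
        "FirewallPolicyArn": {"Ref": "EgressPolicy"},
        "VpcId": "vpc-0abc123def456789a",
        "DeleteProtection": True,
        "FirewallPolicyChangeProtection": True,
        "SubnetChangeProtection": True,
        "SubnetMappings": [{"SubnetId": "subnet-aaa"}, {"SubnetId": "subnet-bbb"}]}},
    "BadFirewall": {"Type": FIREWALL_TYPE, "Properties": {
        "FirewallName": "bad name!",
        "FirewallPolicyArn": "EgressPolicy",
        "DeleteProtection": "false",
        "SubnetMappings": [{"SubnetId": "subnet-aaa"}, {"SubnetId": "subnet-ccc"}]}},
}}
# Constructed subnet-to-zone map, as describe-subnets would report it.
SUBNET_AZ = {"subnet-aaa": "us-east-1a", "subnet-bbb": "us-east-1b", "subnet-ccc": "us-east-1a"}

if __name__ == "__main__":
    for lid, found in lint_template(SAMPLE_TEMPLATE, SUBNET_AZ).items():
        print(lid, "OK" if not found else "")
        for line in found:
            print("  -", line)
```

Run against the constructed template, `GoodFirewall` produces no findings and `BadFirewall` produces seven: the invalid name, the non-ARN policy reference, the missing VPC or transit gateway, the disabled delete protection, the two unstated protection flags, and the two primary subnets that share a zone.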

## Return values
<a name="aws-resource-networkfirewall-firewall-return-values"></a>

### Ref
<a name="aws-resource-networkfirewall-firewall-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the Amazon Resource Name (ARN) of the firewall. For example, `{ "Ref": "SampleFirewall" }` returns a value of the form: 

 `arn:aws:network-firewall:us-east-1:012345678901:firewall/myFirewallName` 

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-networkfirewall-firewall-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-networkfirewall-firewall-return-values-fn--getatt-fn--getatt"></a>

`EndpointIds`  <a name="EndpointIds-fn::getatt"></a>
The unique IDs of the firewall endpoints for all of the subnets that you attached to the firewall. The subnets are not listed in any particular order. For example: `["us-west-2c:vpce-111122223333", "us-west-2a:vpce-987654321098", "us-west-2b:vpce-012345678901"]`. 

`FirewallArn`  <a name="FirewallArn-fn::getatt"></a>
The Amazon Resource Name (ARN) of the firewall. 

`FirewallId`  <a name="FirewallId-fn::getatt"></a>
The unique identifier of the firewall resource. 

`TransitGatewayAttachmentId`  <a name="TransitGatewayAttachmentId-fn::getatt"></a>
The unique identifier of the transit gateway attachment associated with this firewall. This field is only present for transit gateway-attached firewalls.
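Because `EndpointIds` is returned in no particular order, a template that selects an endpoint by position (for example `!Select [0, !GetAtt SampleFirewall.EndpointIds]`) can attach a workload subnet's route to an endpoint in a different Availability Zone, sending that subnet's traffic across zones and tying it to another zone's health. The following is an added example, not AWS code and not part of this reference, of the resolution step that a Lambda-backed custom resource or a deployment script would perform instead: parse the `az:vpce-id` entries into a per-zone map and build one route per protected subnet against the endpoint in that subnet's own zone. The endpoint list is the one shown for `EndpointIds` above; the protected-subnet map is constructed for the illustration.

```python
"""Added example (not AWS code): resolve the EndpointIds attribute of an
AWS::NetworkFirewall::Firewall into per-Availability-Zone routes."""

# Shape of Fn::GetAtt Firewall.EndpointIds as documented above; the list is
# taken from the page's example and its order is not guaranteed.
SAMPLE_ENDPOINT_IDS = [
    "us-west-2c:vpce-111122223333",
    "us-west-2a:vpce-987654321098",
    "us-west-2b:vpce-012345678901",
]

# Constructed for this example: workload subnets whose default route should go
# through the firewall, keyed by subnet ID with the zone each one lives in.
PROTECTED_SUBNET_AZ = {
    "subnet-0aaa": "us-west-2a",
    "subnet-0bbb": "us-west-2b",
}


def parse_endpoint_ids(endpoint_ids):
    """Turn ["<az>:<vpce-id>", ...] into {az: vpce_id}, rejecting malformed
    entries and duplicate zones rather than guessing."""
    by_az = {}
    for entry in endpoint_ids:
        az, sep, vpce = entry.partition(":")
        if not sep or not az or not vpce.startswith("vpce-"):
            raise ValueError(f"malformed EndpointIds entry: {entry!r}")
        if az in by_az:
            raise ValueError(f"two endpoints listed for {az}: {by_az[az]}, {vpce}")
        by_az[az] = vpce
    return by_az


def routes_via_firewall(endpoint_ids, protected_subnet_az, destination="0.0.0.0/0"):
    """One route per protected subnet, pointing `destination` at the firewall
    endpoint in that subnet's own zone. DestinationCidrBlock and VpcEndpointId
    are the AWS::EC2::Route properties used to target a firewall endpoint;
    SubnetId tells the caller which subnet's route table the entry belongs in."""
    by_az = parse_endpoint_ids(endpoint_ids)
    routes = []
    for subnet, az in sorted(protected_subnet_az.items()):
        if az not in by_az:
            # No fallback to another zone's endpoint: that would move the
            # subnet's traffic cross-zone and make it depend on that zone.
            raise LookupError(f"firewall has no endpoint in {az} for {subnet}")
        routes.append({"SubnetId": subnet,
                       "DestinationCidrBlock": destination,
                       "VpcEndpointId": by_az[az]})
    return routes


if __name__ == "__main__":
    for route in routes_via_firewall(SAMPLE_ENDPOINT_IDS, PROTECTED_SUBNET_AZ):
        print(route)
```

With the constructed inputs, `subnet-0aaa` in `us-west-2a` is routed to `vpce-987654321098` and `subnet-0bbb` in `us-west-2b` to `vpce-012345678901`, regardless of where those entries appear in the list; a subnet in a zone with no firewall endpoint is reported as an error instead of being routed elsewhere.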

## Examples
<a name="aws-resource-networkfirewall-firewall--examples"></a>



### Create a firewall
<a name="aws-resource-networkfirewall-firewall--examples--Create_a_firewall"></a>

The following shows example firewall specifications. 

#### JSON
<a name="aws-resource-networkfirewall-firewall--examples--Create_a_firewall--json"></a>

```
"SampleFirewall": {
    "Type": "AWS::NetworkFirewall::Firewall",
    "Properties": {
        "FirewallName": "SampleFirewallName",
        "FirewallPolicyArn": {
            "Ref": "SampleFirewallPolicy"
        },
        "VpcId": {
            "Ref": "SampleVPC"
        },
        "SubnetMappings": [
            {
                "SubnetId": {
                    "Ref": "SampleSubnet1"
                }
            },
            {
                "SubnetId": {
                    "Ref": "SampleSubnet2"
                }
            }
        ],
        "Description": "Firewall description goes here",
        "Tags": [
            {
                "Key": "Foo",
                "Value": "Bar"
            }
        ]
    }
}
```

#### YAML
<a name="aws-resource-networkfirewall-firewall--examples--Create_a_firewall--yaml"></a>

```
SampleFirewall:
  Type: AWS::NetworkFirewall::Firewall
  Properties:
    FirewallName: SampleFirewallName
    FirewallPolicyArn: !Ref SampleFirewallPolicy
    VpcId: !Ref SampleVPC
    SubnetMappings:
      - SubnetId: !Ref SampleSubnet1
      - SubnetId: !Ref SampleSubnet2
    Description: Firewall description goes here
    Tags:
      - Key: Foo
        Value: Bar
```

# AWS::NetworkFirewall::Firewall AvailabilityZoneMapping
<a name="aws-properties-networkfirewall-firewall-availabilityzonemapping"></a>

Defines the mapping between an Availability Zone and a firewall endpoint for a transit gateway-attached firewall. Each mapping represents where the firewall can process traffic. You use these mappings when calling `CreateFirewall`, `AssociateAvailabilityZones`, and `DisassociateAvailabilityZones`.

To retrieve the current Availability Zone mappings for a firewall, use `DescribeFirewall`.

## Syntax
<a name="aws-properties-networkfirewall-firewall-availabilityzonemapping-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-networkfirewall-firewall-availabilityzonemapping-syntax.json"></a>

```
{
  "[AvailabilityZone](#cfn-networkfirewall-firewall-availabilityzonemapping-availabilityzone)" : String
}
```

### YAML
<a name="aws-properties-networkfirewall-firewall-availabilityzonemapping-syntax.yaml"></a>

```
  [AvailabilityZone](#cfn-networkfirewall-firewall-availabilityzonemapping-availabilityzone): String
```

## Properties
<a name="aws-properties-networkfirewall-firewall-availabilityzonemapping-properties"></a>

`AvailabilityZone`  <a name="cfn-networkfirewall-firewall-availabilityzonemapping-availabilityzone"></a>
The ID of the Availability Zone where the firewall endpoint is located. For example, `us-east-2a`. The Availability Zone must be in the same Region as the transit gateway.  
*Required*: Yes  
*Type*: String  
*Pattern*: `\S+`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::NetworkFirewall::Firewall SubnetMapping
<a name="aws-properties-networkfirewall-firewall-subnetmapping"></a>

The ID for a subnet that you want to associate with the firewall. AWS Network Firewall creates an instance of the associated firewall in each subnet that you specify, to filter traffic in the subnet's Availability Zone.

## Syntax
<a name="aws-properties-networkfirewall-firewall-subnetmapping-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-networkfirewall-firewall-subnetmapping-syntax.json"></a>

```
{
  "[IPAddressType](#cfn-networkfirewall-firewall-subnetmapping-ipaddresstype)" : String,
  "[SubnetId](#cfn-networkfirewall-firewall-subnetmapping-subnetid)" : String
}
```

### YAML
<a name="aws-properties-networkfirewall-firewall-subnetmapping-syntax.yaml"></a>

```
  [IPAddressType](#cfn-networkfirewall-firewall-subnetmapping-ipaddresstype): String
  [SubnetId](#cfn-networkfirewall-firewall-subnetmapping-subnetid): String
```

## Properties
<a name="aws-properties-networkfirewall-firewall-subnetmapping-properties"></a>

`IPAddressType`  <a name="cfn-networkfirewall-firewall-subnetmapping-ipaddresstype"></a>
The subnet's IP address type. You can't change the IP address type after you create the subnet.  
*Required*: No  
*Type*: String  
*Allowed values*: `DUALSTACK | IPV4 | IPV6`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SubnetId`  <a name="cfn-networkfirewall-firewall-subnetmapping-subnetid"></a>
The unique identifier for the subnet.   
*Required*: Yes  
*Type*: String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::NetworkFirewall::Firewall Tag
<a name="aws-properties-networkfirewall-firewall-tag"></a>

A key:value pair associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource. 

## Syntax
<a name="aws-properties-networkfirewall-firewall-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-networkfirewall-firewall-tag-syntax.json"></a>

```
{
  "[Key](#cfn-networkfirewall-firewall-tag-key)" : String,
  "[Value](#cfn-networkfirewall-firewall-tag-value)" : String
}
```

### YAML
<a name="aws-properties-networkfirewall-firewall-tag-syntax.yaml"></a>

```
  [Key](#cfn-networkfirewall-firewall-tag-key): String
  [Value](#cfn-networkfirewall-firewall-tag-value): String
```

## Properties
<a name="aws-properties-networkfirewall-firewall-tag-properties"></a>

`Key`  <a name="cfn-networkfirewall-firewall-tag-key"></a>
The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as "customer." Tag keys are case-sensitive.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-networkfirewall-firewall-tag-value"></a>
The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as "companyA" or "companyB." Tag values are case-sensitive.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `255`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)