Creating a firewall in AWS Network Firewall

You can create a firewall in Network Firewall to start using the protections you've defined in a firewall policy to protect a VPC.

There are two ways you can create a firewall:

  • Create a VPC-attached firewall to protect a VPC

  • Create a transit gateway-attached firewall to enable centralized network inspection

Note

To create a transit gateway-attached firewall, you can accept a transit gateway that has been shared with you through AWS RAM or a transit gateway that you own.

Important

Before you begin, make sure your VPC has at least one subnet that can host a firewall endpoint. The subnet must be dedicated to Network Firewall use and cannot be used for other resources. For information about subnet requirements and configuration, see VPC subnets.

To create a firewall through the console

  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, under Network Firewall, choose Firewalls.

  3. Choose Create firewall.

  4. Enter a Name to identify this firewall.

    Note

    You can't change the name after you create the firewall.

  5. (Optional) Enter a Description for the firewall to help you identify it among your other resources.

  6. Choose Next.

  7. Choose your VPC from the dropdown list.

    Note

    You can't change the VPC after you create the firewall.

  8. For Firewall subnets, choose the Availability Zones and subnets that you want to use for your primary firewall endpoints. You can choose up to one subnet for each Availability Zone that your VPC spans, and you must specify a subnet in any Availability Zone where you want to create endpoints using VPC endpoint associations.

    The subnets that you specify should be dedicated to Network Firewall use. For more information, see VPC subnets.

  9. Choose Next.

  10. For Attachment type, choose either:

    • VPC - Create a firewall in subnets in a VPC

    • Transit Gateway - Create a firewall that automatically provisions networking components

  11. Based on your attachment type selection:

    1. If you selected VPC:

      1. Choose your VPC from the dropdown list.

        Note

        You can't change the VPC after you create the firewall.

      2. For Firewall subnets, choose the Availability Zones and subnets that you want to use for your firewall endpoints.

    2. If you selected Transit Gateway:

      1. For Transit Gateway, choose an existing transit gateway from the dropdown list. The list includes:

        • Any transit gateway attachment in your account (marked as "this account")

        • AWS Transit Gateways shared with you from other accounts (showing the owner account ID)

        Note

        If you need to create a new transit gateway, open the Transit Gateway console in a new tab. After creating the transit gateway, return to this page and refresh the Transit Gateway selector.

      2. For Availability Zones, select the Availability Zones for your firewall. Consider:

        • To maintain Availability Zone isolation, enable the firewall in every Availability Zone where you have workloads

        • You must select at least one Availability Zone

        • You can modify Availability Zones later, but this may briefly disrupt traffic

  12. (Optional) Under Protection against changes, enable Deletion protection and Subnet change protection to guard the firewall against accidental deletion and accidental subnet changes.

  13. (Optional) Under Customer managed key, toggle Customize encryption settings to use an AWS Key Management Service customer managed key to encrypt your resources. For more information about this option, see Encryption at rest with AWS Key Management Service.

  14. Choose Next.

    (Optional) Under Traffic analysis mode, select Enable traffic analysis mode to enable HTTP and HTTPS traffic reporting.

    Note

    Enabling traffic analysis mode does not automatically generate a report when you finish creating your firewall. See Reporting on network traffic in Network Firewall for more information on report generation.

    Important

    Network Firewall only starts collecting traffic analysis metrics when you enable Traffic analysis mode on your firewall. Traffic observed before you enable Traffic analysis mode is not included in reporting.

  15. For the Associate firewall policy section, choose the firewall policy that you want to associate with the firewall.

  16. Choose Create firewall.
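The following script is an added example; it is not part of the AWS documentation or of the service's own tooling. It builds the `aws network-firewall create-firewall` call that corresponds to the console steps above, for both a VPC-attached and a transit gateway-attached firewall, and first checks the constraints the steps state: at least one firewall subnet (or Availability Zone), and no more than one subnet per Availability Zone. The Availability Zone-to-subnet pairs, VPC ID, policy ARN, KMS key ARN and transit gateway ID are constructed placeholders, and the function names are the script's own. The `--transit-gateway-id` and `--availability-zone-mappings` parameter names are assumed to match those introduced with transit gateway attachment support; confirm them against `aws network-firewall create-firewall help` for your CLI version. Setting `AWS_CLI=echo` prints the command instead of calling AWS, which is a useful review step before creating anything.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: build the
# `aws network-firewall create-firewall` call that mirrors the console steps,
# after validating the subnet/AZ constraints the console enforces.
# Set AWS_CLI=echo to print the command instead of running it.

AWS_CLI=${AWS_CLI:-aws}

# Constructed sample input: "az:subnet-id" pairs, one dedicated firewall subnet per AZ.
SAMPLE_SUBNETS="us-east-1a:subnet-0aaa0000000000001 us-east-1b:subnet-0bbb0000000000002"

# Reject an empty list or two subnets in the same AZ ("up to one subnet for
# each Availability Zone"). Returns 0 when the list is valid.
validate_subnet_mappings() {
  pairs=$1
  [ -n "$pairs" ] || { echo "at least one firewall subnet is required" >&2; return 1; }
  seen=""
  for p in $pairs; do
    az=${p%%:*}
    case " $seen " in
      *" $az "*) echo "more than one subnet in $az" >&2; return 1 ;;
    esac
    seen="$seen $az"
  done
  return 0
}

# Turn "az:subnet" pairs into the SubnetId=... words expected by --subnet-mappings.
subnet_mapping_args() {
  out=""
  for p in $1; do
    out="$out SubnetId=${p#*:}"
  done
  printf '%s' "${out# }"
}

# VPC-attached firewall (attachment type "VPC"): subnets, both change
# protections, a customer managed KMS key, and traffic analysis mode.
# The unquoted $(...) is intentional: it word-splits into one argument per subnet.
create_vpc_firewall() {
  name=$1; vpc_id=$2; policy_arn=$3; pairs=$4; kms_key_arn=$5
  validate_subnet_mappings "$pairs" || return 1
  "$AWS_CLI" network-firewall create-firewall \
    --firewall-name "$name" \
    --vpc-id "$vpc_id" \
    --firewall-policy-arn "$policy_arn" \
    --subnet-mappings $(subnet_mapping_args "$pairs") \
    --delete-protection \
    --subnet-change-protection \
    --encryption-configuration "Type=CUSTOMER_KMS,KeyId=$kms_key_arn" \
    --enabled-analysis-types TLS_SNI HTTP_HOST
}

# Transit gateway-attached firewall (attachment type "Transit Gateway"):
# at least one AZ is required. Parameter names are assumed to match the
# transit gateway attachment API; verify with `create-firewall help`.
create_tgw_firewall() {
  name=$1; tgw_id=$2; policy_arn=$3; azs=$4
  [ -n "$azs" ] || { echo "at least one Availability Zone is required" >&2; return 1; }
  az_args=""
  for az in $azs; do az_args="$az_args AvailabilityZone=$az"; done
  "$AWS_CLI" network-firewall create-firewall \
    --firewall-name "$name" \
    --transit-gateway-id "$tgw_id" \
    --firewall-policy-arn "$policy_arn" \
    --availability-zone-mappings $az_args \
    --delete-protection
}

# Usage: `sh create-firewall.sh --demo` prints the VPC-attached command with
# placeholder IDs; drop AWS_CLI=echo in your own invocation to create the firewall.
if [ "${1:-}" = "--demo" ]; then
  AWS_CLI=echo
  create_vpc_firewall "fw-inspection-example" "vpc-0123456789abcdef0" \
    "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/example-policy" \
    "$SAMPLE_SUBNETS" "arn:aws:kms:us-east-1:123456789012:key/example-key-id"
fi
```

Run the script with `AWS_CLI=echo` first and read the printed command: the subnet list should contain exactly the dedicated firewall subnets, and both `--delete-protection` and `--subnet-change-protection` should be present before you run it for real, since the console's "Protection against changes" defaults are easy to miss when scripting.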

Next steps

After you create your firewall, it appears in the Firewalls page. As the firewall owner, you have full control over its configuration and management.

Complete these tasks to start using your firewall:

  1. Required: Configure your firewall policy to define how traffic is filtered. For information, see Firewall policies in AWS Network Firewall.

  2. Required: Configure your VPC route tables to direct traffic through your firewall endpoints. For information, see VPC route table configuration for AWS Network Firewall.

You can also enhance your firewall's capabilities with these optional tasks: