Quick Take — AWS Network Firewall

Ryan St. Germain
2 min read · Dec 8, 2020

Amazon recently announced the release of a network firewall service. This gives organizations a cheap and easy stateful firewall that sits in front of a VPC, with high availability and auto scaling built in.

This service offering ties into the AWS Firewall Manager, allowing for centralized rule management and oversight.

Some of the features of the network firewall offering include stateful packet filtering, URL filtering (by SNI for HTTPS), IPS/IDS, built-in alerting, and integrations with other vendors.
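As an added example (not from the original post), this CloudFormation fragment shows what the SNI-based HTTPS filtering looks like in practice: a stateful rule group that passes TLS flows whose ClientHello SNI is an approved domain and drops the rest. The resource name, rule group name and the domain are assumptions; the firewall only reads the cleartext SNI field and does not decrypt the session.

```yaml
# Added example, not code from the original post. Resource name, rule group
# name and the allowed domain are assumptions; replace them for real use.
Resources:
  SniAllowListRuleGroup:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: sni-allowlist          # assumed name
      Type: STATEFUL
      Capacity: 10                          # rule-count budget for this group
      RuleGroup:
        RulesSource:
          # Suricata-compatible rules. With the default action order the
          # firewall evaluates pass rules before drop rules, so the drop
          # rule is the catch-all for every other TLS flow on 443.
          # "dotprefix" + "endswith" matches example.com and its subdomains
          # without also matching notexample.com.
          # A ClientHello with no SNI (or with the SNI encrypted) never matches
          # the pass rule and is dropped; the drop shows up in the firewall's
          # alert logs when alert logging is enabled.
          RulesString: |
            pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".example.com"; endswith; nocase; msg:"allow approved SNI"; flow:to_server, established; sid:1000001; rev:1;)
            drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"drop TLS to non-approved SNI"; flow:to_server, established; sid:1000002; rev:1;)
```

Attach the rule group to a firewall policy to put it in the path; $HOME_NET defaults to the VPC CIDR the firewall is deployed in.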

What this solves

For a long time, if you needed some form of firewall in a VPC, you either had to bring in a third-party vendor or make do with security groups. This added complication to an otherwise simple deployment. In addition, many could argue that because of the added complication and cost, many organizations skipped properly securing their infrastructure.

The AWS Network Firewall solves these problems. The biggest point here is that it is native. I could go through a list of problems that I encountered while integrating a third-party firewall solution into an AWS environment. The AWS Network Firewall offering removes that added administration and licensing cost while adding built-in high availability and other cool features.

The most typical reason an organization purchases third-party solutions for AWS is to satisfy compliance requirements. The AWS Network Firewall would most likely check a majority of these compliance boxes.

What this does not solve

While this is a great solution, there are a few limitations. I have listed the most notable below and explain why each may be a potential barrier.

  1. TLS inspection
  2. Application control
  3. File type blocking
  4. Remote access VPN

While you may look at this list and argue that these do not necessarily fall under a “Network Firewall” solution, the items listed are common features of third-party products on the market today. If any of these were a requirement, an organization may choose to just pay a vendor for one complete solution rather than having to manage the AWS Network Firewall on top of an inline solution that provides these 4 feature sets.
