Sample CloudFormation templates demonstrating AWS Network Firewall routing architectures and deployment models.
Looking for Terraform? These same architectures are available as Terraform templates: aws-network-firewall-terraform
The centralized models use AWS Transit Gateway to steer East-West (VPC-to-VPC) and egress (internet-bound) traffic through a single inspection point.
The Transit Gateway-attached firewall model attaches AWS Network Firewall directly to the Transit Gateway as a native attachment. AWS creates and manages the inspection VPC for you, so there is no inspection VPC to build or maintain.
Note: the Transit Gateway-attached firewall is required in order to use Transit Gateway Flexible Cost Allocation for chargebacks. The other centralized deployment models in this repository do not support this feature.
| Template | Use Case |
|---|---|
| Manual Deployment | Learning and hands-on configuration |
| Pre-Deployed | Automated provisioning |
The inspection VPC model routes traffic through a dedicated inspection VPC that you create and that contains the firewall endpoints.
| Template | Use Case |
|---|---|
| Single AZ | Single availability zone |
| Two AZ | High availability across two AZs |
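The routing that makes the inspection VPC model work is easy to get subtly wrong, so here is an added CloudFormation example (not one of this repository's templates) showing only the Transit Gateway and inspection VPC routes for a single AZ. The spoke VPC, the inspection VPC with its TGW, firewall and NAT subnets and route tables, the firewall endpoint (taken from the firewall's `EndpointIds` attribute) and the NAT gateway are assumed to already exist and are passed in as parameters; the `10.0.0.0/8` summary CIDR, the ASN and all logical names are assumptions. The NAT subnet's own `0.0.0.0/0` route to the internet gateway is assumed to be in place already.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example, not a template from this repository. TGW + inspection VPC routing, one AZ.

Parameters:
  SpokeVpcId:                     { Type: AWS::EC2::VPC::Id }
  SpokeTgwSubnetIds:              { Type: List<AWS::EC2::Subnet::Id> }
  InspectionVpcId:                { Type: AWS::EC2::VPC::Id }
  InspectionTgwSubnetIds:         { Type: List<AWS::EC2::Subnet::Id> }
  InspectionTgwSubnetRouteTableId: { Type: String }   # route table of the inspection VPC's TGW subnet
  FirewallSubnetRouteTableId:     { Type: String }   # route table of the firewall endpoint subnet
  NatSubnetRouteTableId:          { Type: String }   # route table of the NAT gateway subnet
  FirewallEndpointId:             { Type: String }   # vpce-... from the firewall's EndpointIds
  NatGatewayId:                   { Type: String }
  PrivateCidr:                    { Type: String, Default: 10.0.0.0/8 }   # summary of all spoke CIDRs (assumed)

Resources:
  TransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      AmazonSideAsn: 64512
      DefaultRouteTableAssociation: disable   # explicit route tables only: no accidental spoke-to-spoke path
      DefaultRouteTablePropagation: disable

  SpokeAttachment:
    Type: AWS::EC2::TransitGatewayVpcAttachment
    Properties: { TransitGatewayId: !Ref TransitGateway, VpcId: !Ref SpokeVpcId, SubnetIds: !Ref SpokeTgwSubnetIds }
  InspectionAttachment:
    Type: AWS::EC2::TransitGatewayVpcAttachment
    Properties:
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref InspectionVpcId
      SubnetIds: !Ref InspectionTgwSubnetIds
      Options:
        ApplianceModeSupport: enable   # pin both directions of a flow to one AZ so the same endpoint sees them

  # Spoke route table: everything, including VPC-to-VPC, is forced through the inspection attachment.
  SpokeRouteTable:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties: { TransitGatewayId: !Ref TransitGateway }
  SpokeAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties: { TransitGatewayRouteTableId: !Ref SpokeRouteTable, TransitGatewayAttachmentId: !Ref SpokeAttachment }
  SpokeDefaultToInspection:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      TransitGatewayRouteTableId: !Ref SpokeRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayAttachmentId: !Ref InspectionAttachment

  # Inspection route table: learns spoke CIDRs by propagation so inspected traffic can return.
  InspectionRouteTable:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties: { TransitGatewayId: !Ref TransitGateway }
  InspectionAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties: { TransitGatewayRouteTableId: !Ref InspectionRouteTable, TransitGatewayAttachmentId: !Ref InspectionAttachment }
  SpokePropagation:
    Type: AWS::EC2::TransitGatewayRouteTablePropagation
    Properties: { TransitGatewayRouteTableId: !Ref InspectionRouteTable, TransitGatewayAttachmentId: !Ref SpokeAttachment }

  # Inside the inspection VPC: TGW subnet -> firewall endpoint -> NAT -> internet, and back the same way.
  TgwSubnetToFirewall:
    Type: AWS::EC2::Route
    Properties: { RouteTableId: !Ref InspectionTgwSubnetRouteTableId, DestinationCidrBlock: 0.0.0.0/0, VpcEndpointId: !Ref FirewallEndpointId }
  FirewallSubnetToNat:
    Type: AWS::EC2::Route
    Properties: { RouteTableId: !Ref FirewallSubnetRouteTableId, DestinationCidrBlock: 0.0.0.0/0, NatGatewayId: !Ref NatGatewayId }
  FirewallSubnetToTgw:          # inspected East-West and return traffic goes back to the TGW
    Type: AWS::EC2::Route
    DependsOn: InspectionAttachment
    Properties: { RouteTableId: !Ref FirewallSubnetRouteTableId, DestinationCidrBlock: !Ref PrivateCidr, TransitGatewayId: !Ref TransitGateway }
  NatSubnetToFirewall:          # internet replies re-enter the firewall before reaching the TGW
    Type: AWS::EC2::Route
    Properties: { RouteTableId: !Ref NatSubnetRouteTableId, DestinationCidrBlock: !Ref PrivateCidr, VpcEndpointId: !Ref FirewallEndpointId }
```

Two checks worth making after deploying something like this: confirm the spoke route table has no route (static or propagated) to another spoke attachment, otherwise East-West traffic bypasses the firewall; and confirm appliance mode is enabled on the inspection attachment, otherwise return traffic for a cross-AZ flow can land on a different firewall endpoint and be dropped as an unknown connection. For two AZs, the three VPC route tables and the endpoint ID are repeated per AZ.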
The distributed model deploys AWS Network Firewall into each VPC individually. No Transit Gateway is required; each VPC is protected independently.
The multiple-endpoints-per-AZ variant uses the VPC endpoint association feature to deploy more than one firewall endpoint per Availability Zone, so that source IP visibility is maintained when the same firewall inspects both ingress and egress traffic.
The single-endpoint-per-AZ variant uses one firewall endpoint per Availability Zone, with options for combined or separate ingress/egress inspection, as listed in the table below.
| Configuration | Single AZ | Two AZ |
|---|---|---|
| Combined Ingress/Egress Firewall | Template | Template |
| Separate Ingress/Egress Firewalls | Template | Template |
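To make the distributed, single-AZ, combined ingress/egress variant concrete, here is an added CloudFormation template (not one of this repository's templates) that builds a VPC, a firewall with a strict-order default-deny policy, and the three route tables that force both directions through the single endpoint. CIDRs, names and the one example rule are assumptions; the `EndpointIds` parsing is the pattern needed because the attribute returns `az:vpce-id` strings.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example, not a template from this repository. Distributed model, single AZ, one endpoint for ingress and egress.

Parameters:
  AvailabilityZone: { Type: AWS::EC2::AvailabilityZone::Name }

Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties: { CidrBlock: 10.10.0.0/16, EnableDnsSupport: true, EnableDnsHostnames: true }   # assumed CIDR
  InternetGateway: { Type: AWS::EC2::InternetGateway }
  AttachIgw:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties: { VpcId: !Ref Vpc, InternetGatewayId: !Ref InternetGateway }
  # Network Firewall needs a dedicated subnet for its endpoint; a /28 is enough.
  FirewallSubnet:
    Type: AWS::EC2::Subnet
    Properties: { VpcId: !Ref Vpc, CidrBlock: 10.10.0.0/28, AvailabilityZone: !Ref AvailabilityZone }
  WorkloadSubnet:
    Type: AWS::EC2::Subnet
    Properties: { VpcId: !Ref Vpc, CidrBlock: 10.10.1.0/24, AvailabilityZone: !Ref AvailabilityZone }

  # Strict-order stateful policy: pass TLS whose SNI ends in .amazonaws.com, drop everything else
  # once established. drop_established (not drop_strict) lets the TCP handshake complete so the
  # ClientHello is seen and the SNI rule can match; alert_established logs what gets dropped.
  EgressRules:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: allow-aws-tls
      Type: STATEFUL
      Capacity: 50
      RuleGroup:
        StatefulRuleOptions: { RuleOrder: STRICT_ORDER }
        RulesSource:
          RulesString: |
            pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazonaws.com"; endswith; msg:"allow AWS API endpoints"; sid:100; rev:1;)
  FirewallPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: distributed-default-deny
      FirewallPolicy:
        StatelessDefaultActions: ["aws:forward_to_sfe"]
        StatelessFragmentDefaultActions: ["aws:forward_to_sfe"]
        StatefulEngineOptions: { RuleOrder: STRICT_ORDER }
        StatefulDefaultActions: ["aws:drop_established", "aws:alert_established"]
        StatefulRuleGroupReferences:
          - { ResourceArn: !Ref EgressRules, Priority: 1 }
  NetworkFirewall:
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      FirewallName: distributed-single-az
      FirewallPolicyArn: !Ref FirewallPolicy
      VpcId: !Ref Vpc
      SubnetMappings: [{ SubnetId: !Ref FirewallSubnet }]

  # EndpointIds is a list of "az:vpce-..." strings, one per subnet mapping; with one AZ the first
  # element is the only endpoint and the vpce id is the part after the colon.
  # Ingress: an edge association on the IGW sends inbound traffic for the workload subnet to the
  # endpoint before it can reach an instance.
  IgwRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: { VpcId: !Ref Vpc }
  IgwToFirewall:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref IgwRouteTable
      DestinationCidrBlock: 10.10.1.0/24
      VpcEndpointId: !Select [1, !Split [":", !Select [0, !GetAtt NetworkFirewall.EndpointIds]]]
  IgwEdgeAssociation:
    Type: AWS::EC2::GatewayRouteTableAssociation
    DependsOn: AttachIgw
    Properties: { GatewayId: !Ref InternetGateway, RouteTableId: !Ref IgwRouteTable }
  # Firewall subnet: already-inspected traffic goes straight to the IGW.
  FirewallRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: { VpcId: !Ref Vpc }
  FirewallToIgw:
    Type: AWS::EC2::Route
    DependsOn: AttachIgw
    Properties: { RouteTableId: !Ref FirewallRouteTable, DestinationCidrBlock: 0.0.0.0/0, GatewayId: !Ref InternetGateway }
  FirewallSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: { SubnetId: !Ref FirewallSubnet, RouteTableId: !Ref FirewallRouteTable }
  # Egress: the workload default route points at the endpoint, never directly at the IGW.
  WorkloadRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: { VpcId: !Ref Vpc }
  WorkloadToFirewall:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref WorkloadRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      VpcEndpointId: !Select [1, !Split [":", !Select [0, !GetAtt NetworkFirewall.EndpointIds]]]
  WorkloadSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: { SubnetId: !Ref WorkloadSubnet, RouteTableId: !Ref WorkloadRouteTable }
```

The edge association is what distinguishes ingress inspection from plain egress inspection: without it, inbound packets from the IGW are delivered to the workload subnet directly and only replies are seen by the firewall. The separate-firewalls variant in the table above splits this into two firewalls (and two endpoints) rather than one endpoint carrying both route tables.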
Workshop-based templates for deploying egress inspection using AWS Cloud WAN and AWS Network Firewall across multiple regions.
CloudFormation templates for creating a comprehensive monitoring dashboard for AWS Network Firewall metrics and logs.
| Template | Region |
|---|---|
| Standard | Commercial regions |
| GovCloud | AWS GovCloud |
| China | AWS China regions |
This sample code is made available under the MIT-0 license. See the LICENSE file.
- AWS Network Firewall Best Practices Guide
- Deployment Models for AWS Network Firewall
- Deployment Models for AWS Network Firewall - Part 2
| Name | Email |
|---|---|
| Lawton Pittenger, WW Security Specialist Solutions Architect | lawtontp@amazon.com |
| Anvesh Koganti, Networking Specialist Solutions Architect | anvkog@amazon.com |
| Pratik R. Mankad, Sr. Solutions Architect | pmankad@amazon.com |
| Shakeel Ahmad, Sr. Solutions Architect | shkahma@amazon.com |
| Daniel Yu, Sr. Technical Account Manager | dyuamzn@amazon.com |