networkfirewall function

AWS Network Firewall

This is the API Reference for Network Firewall. This guide is for developers who need detailed information about the Network Firewall API actions, data types, and errors.

The REST API requires you to handle connection details, such as calculating signatures, handling request retries, and error handling. For general information about using the Amazon Web Services REST APIs, see Amazon Web Services APIs.

To view the complete list of Amazon Web Services Regions where Network Firewall is available, see Service endpoints and quotas

in the Amazon Web Services General Reference.

To access Network Firewall using the IPv4 REST API endpoint: https://network-firewall.<region>.amazonaws.com

To access Network Firewall using the Dualstack (IPv4 and IPv6) REST API endpoint: https://network-firewall.<region>.aws.api

Alternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see Amazon Web Services SDKs.

For descriptions of Network Firewall features, including and step-by-step instructions on how to use them through the Network Firewall console, see the Network Firewall Developer Guide.

Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source network analysis and threat detection engine. Network Firewall supports Suricata version 7.0.3. For information about Suricata, see the Suricata website and the Suricata User Guide.

You can use Network Firewall to monitor and protect your VPC traffic in a number of ways. The following are just a few examples:

• Allow domains or IP addresses for known Amazon Web Services service endpoints, such as Amazon S3, and block all other forms of traffic.
• Use custom lists of known bad domains to limit the types of domain names that your applications can access.
• Perform deep packet inspection on traffic entering or leaving your VPC.
• Use stateful protocol detection to filter protocols like HTTPS, regardless of the port used.

To enable Network Firewall for your VPCs, you perform steps in both Amazon VPC and in Network Firewall. For information about using Amazon VPC, see Amazon VPC User Guide.

To start using Network Firewall, do the following:

1. (Optional) If you don't already have a VPC that you want to protect, create it in Amazon VPC.
2. In Amazon VPC, in each Availability Zone where you want to have a firewall endpoint, create a subnet for the sole use of Network Firewall.
3. In Network Firewall, create stateless and stateful rule groups, to define the components of the network traffic filtering behavior that you want your firewall to have.
4. In Network Firewall, create a firewall policy that uses your rule groups and specifies additional default traffic filtering behavior.
5. In Network Firewall, create a firewall and specify your new firewall policy and VPC subnets. Network Firewall creates a firewall endpoint in each subnet that you specify, with the behavior that's defined in the firewall policy.
6. In Amazon VPC, use ingress routing enhancements to route traffic through the new firewall endpoints.

networkfirewall(
  config = list(),
  credentials = list(),
  endpoint = NULL,
  region = NULL
)

Arguments

• config: Optional configuration of credentials, endpoint, and/or region.

  • credentials :

    • creds :

      • access_key_id : AWS access key ID
      • secret_access_key : AWS secret access key
      • session_token : AWS temporary session token

    • profile : The name of a profile to use. If not given, then the default profile is used.

    • anonymous : Set anonymous credentials.

  • endpoint : The complete URL to use for the constructed client.

  • region : The AWS Region used in instantiating the client.

  • close_connection : Immediately close all HTTP connections.

  • timeout : The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

  • s3_force_path_style : Set this to true to force the request to use path-style addressing, i.e. http://s3.amazonaws.com/BUCKET/KEY.

  • sts_regional_endpoint : Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

• credentials: Optional credentials shorthand for the config parameter

  • creds :

    • access_key_id : AWS access key ID
    • secret_access_key : AWS secret access key
    • session_token : AWS temporary session token

  • profile : The name of a profile to use. If not given, then the default profile is used.

  • anonymous : Set anonymous credentials.

• endpoint: Optional shorthand for complete URL to use for the constructed client.

• region: Optional shorthand for AWS Region used in instantiating the client.

Returns

A client for the service. You can call the service's operations using syntax like svc$operation(...), where svc is the name you've assigned to the client. The available operations are listed in the Operations section.

Service syntax

svc <- networkfirewall(
  config = list(
    credentials = list(
 creds = list(
   access_key_id = "string",
   secret_access_key = "string",
   session_token = "string"
 ),
 profile = "string",
 anonymous = "logical"
    ),
    endpoint = "string",
    region = "string",
    close_connection = "logical",
    timeout = "numeric",
    s3_force_path_style = "logical",
    sts_regional_endpoint = "string"
  ),
  credentials = list(
    creds = list(
 access_key_id = "string",
 secret_access_key = "string",
 session_token = "string"
    ),
    profile = "string",
    anonymous = "logical"
  ),
  endpoint = "string",
  region = "string"
)

Operations

associate_firewall_policy	Associates a FirewallPolicy to a Firewall
associate_subnets	Associates the specified subnets in the Amazon VPC to the firewall
create_firewall	Creates an Network Firewall Firewall and accompanying FirewallStatus for a VPC
create_firewall_policy	Creates the firewall policy for the firewall according to the specifications
create_rule_group	Creates the specified stateless or stateful rule group, which includes the rules for network traffic inspection, a capacity setting, and tags
create_tls_inspection_configuration	Creates an Network Firewall TLS inspection configuration
delete_firewall	Deletes the specified Firewall and its FirewallStatus
delete_firewall_policy	Deletes the specified FirewallPolicy
delete_resource_policy	Deletes a resource policy that you created in a PutResourcePolicy request
delete_rule_group	Deletes the specified RuleGroup
delete_tls_inspection_configuration	Deletes the specified TLSInspectionConfiguration
describe_firewall	Returns the data objects for the specified firewall
describe_firewall_policy	Returns the data objects for the specified firewall policy
describe_logging_configuration	Returns the logging configuration for the specified firewall
describe_resource_policy	Retrieves a resource policy that you created in a PutResourcePolicy request
describe_rule_group	Returns the data objects for the specified rule group
describe_rule_group_metadata	High-level information about a rule group, returned by operations like create and describe
describe_tls_inspection_configuration	Returns the data objects for the specified TLS inspection configuration
disassociate_subnets	Removes the specified subnet associations from the firewall
get_analysis_report_results	The results of a COMPLETED analysis report generated with StartAnalysisReport
list_analysis_reports	Returns a list of all traffic analysis reports generated within the last 30 days
list_firewall_policies	Retrieves the metadata for the firewall policies that you have defined
list_firewalls	Retrieves the metadata for the firewalls that you have defined
list_rule_groups	Retrieves the metadata for the rule groups that you have defined
list_tags_for_resource	Retrieves the tags associated with the specified resource
list_tls_inspection_configurations	Retrieves the metadata for the TLS inspection configurations that you have defined
put_resource_policy	Creates or updates an IAM policy for your rule group or firewall policy
start_analysis_report	Generates a traffic analysis report for the timeframe and traffic type you specify
tag_resource	Adds the specified tags to the specified resource
untag_resource	Removes the tags with the specified keys from the specified resource
update_firewall_analysis_settings	Enables specific types of firewall analysis on a specific firewall you define
update_firewall_delete_protection	Modifies the flag, DeleteProtection, which indicates whether it is possible to delete the firewall
update_firewall_description	Modifies the description for the specified firewall
update_firewall_encryption_configuration	A complex type that contains settings for encryption of your firewall resources
update_firewall_policy	Updates the properties of the specified firewall policy
update_firewall_policy_change_protection	Modifies the flag, ChangeProtection, which indicates whether it is possible to change the firewall
update_logging_configuration	Sets the logging configuration for the specified firewall
update_rule_group	Updates the rule settings for the specified rule group
update_subnet_change_protection	Update subnet change protection
update_tls_inspection_configuration	Updates the TLS inspection configuration settings for the specified TLS inspection configuration

Examples

## Not run:

svc <- networkfirewall()
svc$associate_firewall_policy(
  Foo = 123
)
## End(Not run)