Implementing AWS Network Firewall

1 hour
  • 6 Learning Objectives

About this Hands-on Lab

In this lab, we will be deploying AWS Network Firewall to a VPC and then configuring the environment to allow an EC2 instance access to a web page on the internet. To complete this lab, you must be familiar with the AWS Management Console and understand what the AWS Network Firewall is and the capabilities it has to offer.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create Firewall Subnet in VPC

In this objective, we will create a new subnet for the Network Firewall and associate it with the firewall route table created as part of this lab.

Subnet Creation

Subnet name = FirewallSubnet
Availability Zone = us-east-1a
IPv4 CIDR block =

Associate with the Route Table

Route table ID = FirewallSubnetRouteTable

Create Network Firewall Rule Group

In this objective, we will create the firewall rule groups.

Network firewall rule groups

Rule group type = Stateful rule group
Name = WebsiteWhiteList
Capacity = 10
Stateful rule group options = Domain list
Rule order = Default
Domain name source =
Source IPs type = Default
Protocols = HTTP and HTTPS
Action = Allow

Create Firewall Policy

In this objective, we create the firewall policy and link it to the rule group created in the previous objective. The stream exception policy is set to Drop so that packets of a flow the stateful engine cannot match to tracked state (for example, a connection that was already open before the firewall saw it) are dropped rather than passed uninspected.

Firewall Policies

Name = TestFirewall-{6randomnumbers}-Policy
Stream exception policy = Drop

Stateless Default Actions

Choose how to treat fragmented packets = Use the same actions for all packets
Action = Forward to stateful rule groups

Stateful Rule Evaluation Order and Default Actions

Rule order = Default

Stateful Rule Group

Add = WebsiteWhiteList

Create Network Firewall

In this objective, we create the network firewall and link it to the firewall policy created previously.


Name = TestNWFW-{6randomnumbers} (use the same six numbers as in the policy name, for consistency)
VPC = FirstVPC

Firewall Subnets

Availability Zone - us-east-1a
Subnet = FirewallSubnet
IP address type = IPv4

Associated Firewall Policy

Associate an existing firewall policy = choose the policy you created above

Reconfigure Route Tables to Permit Sending Traffic Destined for the Internet to the Network Firewall

In this objective, we will configure the private subnet route table to send all non-VPC traffic to the firewall.

Edit = FirstVPCRTPrivate

Add Default Route Information

Destination =
Target = Gateway Load Balancer Endpoint; choose the VPC endpoint (vpce-...) that the firewall created in FirewallSubnet. This is your firewall endpoint.

Next, associate the InternetRouteTable with the internet gateway as an edge association, so that traffic entering the VPC from the IGW is routed through the firewall before it reaches the instance (ingress routing); without this, only the outbound half of each connection would be inspected.

Under Edge associations:

Edit = add the IGW named FirstIGW

Add Route to InternetRouteTable

Destination =
Target = Gateway Load Balancer Endpoint; choose the same VPC endpoint (your firewall endpoint), so that return traffic entering from the IGW is inspected on its way to the instance.
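
The objectives above, from the rule group through the route changes, expressed as the corresponding AWS API calls (boto3 parameter shapes), so that each console field is mapped to the API field it sets. This is an added example and not code from the lab: the resource IDs, the six-digit suffix, the domain list entry (.example.com) and the workload subnet CIDR are all assumed placeholders, not values from the lab. The payload-building functions run offline; apply() needs AWS credentials and a real VPC.

```python
AZ = "us-east-1a"
FIREWALL_SUFFIX = "123456"                       # stands in for {6randomnumbers} (assumed)
ALLOWED_DOMAINS = [".example.com"]               # assumed domain list entry
VPC_ID = "vpc-0123456789abcdef0"                 # FirstVPC (assumed ID)
FIREWALL_SUBNET_ID = "subnet-0123456789abcdef0"  # FirewallSubnet (assumed ID)
PRIVATE_RT_ID = "rtb-0123456789abcdef0"          # FirstVPCRTPrivate (assumed ID)
INTERNET_RT_ID = "rtb-0123456789abcdef1"         # InternetRouteTable (assumed ID)
IGW_ID = "igw-0123456789abcdef0"                 # FirstIGW (assumed ID)
PRIVATE_SUBNET_CIDR = "10.0.1.0/24"              # workload subnet CIDR (assumed)

def rule_group_params(domains, name="WebsiteWhiteList", capacity=10):
    """Stateful domain-list rule group, Allow action, default rule order.
    HTTP and HTTPS in the console are the HTTP_HOST and TLS_SNI target
    types; 'Source IPs type = Default' means no HOME_NET override."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {
            "RulesSource": {
                "RulesSourceList": {
                    "Targets": list(domains),
                    "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
                    "GeneratedRulesType": "ALLOWLIST",  # Action = Allow
                }
            },
            "StatefulRuleOptions": {"RuleOrder": "DEFAULT_ACTION_ORDER"},
        },
    }

def firewall_policy_params(rule_group_arn, suffix):
    """Stateless defaults forward every packet, fragments included, to the
    stateful engine; StreamExceptionPolicy DROP discards packets the engine
    cannot match to tracked flow state instead of passing them uninspected."""
    return {
        "FirewallPolicyName": f"TestFirewall-{suffix}-Policy",
        "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
            "StatefulRuleGroupReferences": [{"ResourceArn": rule_group_arn}],
            "StatefulEngineOptions": {
                "RuleOrder": "DEFAULT_ACTION_ORDER",
                "StreamExceptionPolicy": "DROP",
            },
        },
    }

def firewall_params(policy_arn, suffix, vpc_id, subnet_id):
    """One firewall endpoint in FirewallSubnet, IPv4 only."""
    return {
        "FirewallName": f"TestNWFW-{suffix}",
        "FirewallPolicyArn": policy_arn,
        "VpcId": vpc_id,
        "SubnetMappings": [{"SubnetId": subnet_id, "IPAddressType": "IPV4"}],
    }

def endpoint_id(describe_response, az):
    """The vpce-... ID of the firewall endpoint in one AZ, read from a
    DescribeFirewall response; it is the route target for both tables."""
    return describe_response["FirewallStatus"]["SyncStates"][az]["Attachment"]["EndpointId"]

def route_changes(vpce, private_cidr):
    """Last objective. Private subnet: default route to the endpoint. Internet
    route table (edge-associated with the IGW): traffic entering from the IGW
    for the workload subnet is sent to the endpoint before the instance."""
    return {
        "routes": [
            {"RouteTableId": PRIVATE_RT_ID, "DestinationCidrBlock": "0.0.0.0/0",
             "VpcEndpointId": vpce},
            {"RouteTableId": INTERNET_RT_ID, "DestinationCidrBlock": private_cidr,
             "VpcEndpointId": vpce},
        ],
        "edge_association": {"RouteTableId": INTERNET_RT_ID, "GatewayId": IGW_ID},
    }

def apply():
    """Create the resources with boto3 (needs AWS credentials; not offline)."""
    import time
    import boto3  # imported here so the builders above work without boto3
    nfw, ec2 = boto3.client("network-firewall"), boto3.client("ec2")
    rg = nfw.create_rule_group(**rule_group_params(ALLOWED_DOMAINS))
    pol = nfw.create_firewall_policy(**firewall_policy_params(
        rg["RuleGroupResponse"]["RuleGroupArn"], FIREWALL_SUFFIX))
    nfw.create_firewall(**firewall_params(pol["FirewallPolicyResponse"]["FirewallPolicyArn"],
                                          FIREWALL_SUFFIX, VPC_ID, FIREWALL_SUBNET_ID))
    while True:  # endpoint creation is asynchronous; wait for the attachment
        desc = nfw.describe_firewall(FirewallName=f"TestNWFW-{FIREWALL_SUFFIX}")
        att = desc["FirewallStatus"]["SyncStates"].get(AZ, {}).get("Attachment", {})
        if att.get("Status") == "READY":
            break
        time.sleep(15)
    changes = route_changes(endpoint_id(desc, AZ), PRIVATE_SUBNET_CIDR)
    for route in changes["routes"]:
        ec2.create_route(**route)
    ec2.associate_route_table(**changes["edge_association"])
    return changes
```

The endpoint ID that both route tables point at only exists once the firewall's attachment in us-east-1a reaches READY, which is why apply() polls DescribeFirewall before touching the route tables; the same ordering applies in the console, where the Gateway Load Balancer Endpoint target cannot be selected until the firewall has finished creating it.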

Test Access from EC2 Instance

In this objective, you will test internet connectivity from the EC2 instance to a website on the domain list (which should succeed) and to a website that is not on the list (which the firewall should block).

Log into the EC2 instance using the credentials provided in the lab.

Issue the following command:


Additional Resources

Business is growing steadily at Windyfront Air Conditioning, and the company has invested in security by hiring a security engineer. The security engineer has reviewed the current AWS environment. Based on their findings, they have received approval from their manager to implement the AWS Network Firewall into a test environment to test its capabilities.

In this hands-on lab, we will be confirming basic connectivity from an EC2 instance out to the internet via the firewall to a webpage on the internet.

Once you have completed this lab, if you have access to the Cloud Playground, recreate this yourself to explore the other capabilities the Network Firewall has to offer, or, if you have time remaining, try it at the end of this lab.

For the FirewallSubnet, please use address range
