Posted On: Oct 6, 2021

AWS Network Firewall now offers new configuration options for rule ordering and default drop, making it easier to write and process rules to monitor your virtual private cloud (VPC) traffic.

AWS Network Firewall stateful rules carry one of three actions: pass, drop, or alert. Before today, the stateful engine evaluated rules grouped by action type rather than by their position in the rule group: all pass rules first, then all drop rules, then all alert rules. In practice that meant a drop rule written above a pass rule was still evaluated after it, so any matching pass rule let the traffic through. Starting today, you can configure AWS Network Firewall to evaluate rules in the precise order you specify, regardless of their action type. For example, you can evaluate a drop rule before a pass rule, or an alert rule followed by a drop rule followed by another alert rule. Strict rule ordering is an optional setting that applies to both stateful rule groups and firewall policies; a policy that uses it can only reference stateful rule groups that use it too. Additionally, you can now configure a firewall policy to drop all traffic that no stateful rule matched, without having to write a catch-all drop rule yourself.
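The following is an added example and not code from the AWS announcement. It does two things: it models, on constructed packets, how the stateful engine arrives at a verdict under the original action-type ordering versus the new strict ordering, so the difference described above can be seen concretely (the model is a simplification of the documented behaviour, with no flow state); and it builds the firewall-policy and rule-group documents that turn on strict ordering and default drop. The field names and values used for that (RuleOrder, STRICT_ORDER, StatefulRuleOptions, StatefulDefaultActions, aws:drop_strict, aws:forward_to_sfe) are taken from the Network Firewall API and service documentation rather than from this page; the ARN, the Suricata rules and the packets are made-up placeholders.

```python
"""Added example: rule-ordering model plus strict-order policy documents for
AWS Network Firewall. Not the service's own code; API field names are from the
Network Firewall documentation, everything else is constructed."""
import ipaddress
import json

# A rule is (action, conditions, message). Conditions are packet fields that
# must all hold; "src_net" is a CIDR the packet's source address must be in.
# Constructed rules, listed in the order they are written in the rule group.
RULES = [
    ("alert", {"proto": "tcp", "dst_port": 23}, "telnet attempt"),
    ("drop",  {"proto": "tcp", "dst_port": 23}, "block telnet"),
    ("pass",  {"src_net": "10.0.0.0/8"},        "trust the internal range"),
]

# Constructed packets (made-up addresses).
TELNET_FROM_INSIDE = {"proto": "tcp", "src": "10.0.1.5", "dst_port": 23}
HTTPS_FROM_OUTSIDE = {"proto": "tcp", "src": "198.51.100.7", "dst_port": 443}


def matches(cond, pkt):
    """True when every condition holds for the packet."""
    for key, want in cond.items():
        if key == "src_net":
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True


def evaluate(rules, pkt, rule_order="DEFAULT_ACTION_ORDER", default_drop=False):
    """Return (verdict, alerts) for one packet.

    DEFAULT_ACTION_ORDER: rules are considered by action type, not position:
      every pass rule first (a match ends evaluation and passes), then every
      drop rule (a match ends evaluation and drops), then every alert rule;
      whatever is left passes. Default drop is not available in this mode.
    STRICT_ORDER: rules are considered top to bottom as written; pass and drop
      end evaluation, alert records an alert and continues. Traffic that no
      rule decided passes, unless default_drop (aws:drop_strict) is set.
    """
    alerts = []
    if rule_order == "DEFAULT_ACTION_ORDER":
        if default_drop:
            raise ValueError("default drop is only available with STRICT_ORDER")
        for stage in ("pass", "drop"):
            for action, cond, _msg in rules:
                if action == stage and matches(cond, pkt):
                    return stage, alerts
        alerts = [msg for action, cond, msg in rules
                  if action == "alert" and matches(cond, pkt)]
        return "pass", alerts
    if rule_order == "STRICT_ORDER":
        for action, cond, msg in rules:
            if not matches(cond, pkt):
                continue
            if action in ("pass", "drop"):
                return action, alerts
            alerts.append(msg)
        return ("drop" if default_drop else "pass"), alerts
    raise ValueError(f"unknown rule order {rule_order!r}")


# The same three rules in Suricata syntax, for a strict-order rule group.
SURICATA_RULES = "\n".join([
    'alert tcp any any -> any 23 (msg:"telnet attempt"; sid:1; rev:1;)',
    'drop tcp any any -> any 23 (msg:"block telnet"; sid:2; rev:1;)',
    'pass tcp 10.0.0.0/8 any -> any any (msg:"trust the internal range"; sid:3; rev:1;)',
])


def strict_rule_group(rules_string):
    """Document for `aws network-firewall create-rule-group --type STATEFUL --rule-group ...`."""
    return {
        "RulesSource": {"RulesString": rules_string},
        "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
    }


def strict_policy(rule_group_arns, default_drop=True):
    """Document for `aws network-firewall create-firewall-policy --firewall-policy ...`.

    Every referenced stateful rule group must itself be STRICT_ORDER, and each
    reference needs an explicit Priority (lower runs first). aws:drop_strict
    drops whatever no stateful rule passed, so no catch-all drop rule is needed.
    """
    policy = {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulRuleGroupReferences": [
            {"ResourceArn": arn, "Priority": i + 1} for i, arn in enumerate(rule_group_arns)
        ],
    }
    if default_drop:
        policy["StatefulDefaultActions"] = ["aws:drop_strict"]
    return policy


if __name__ == "__main__":
    for name, pkt in (("telnet from inside", TELNET_FROM_INSIDE),
                      ("https from outside", HTTPS_FROM_OUTSIDE)):
        print(name, "| action order:", evaluate(RULES, pkt))
        print(name, "| strict order:", evaluate(RULES, pkt, "STRICT_ORDER"))
        print(name, "| strict + default drop:",
              evaluate(RULES, pkt, "STRICT_ORDER", default_drop=True))
    print(json.dumps(strict_rule_group(SURICATA_RULES), indent=2))
    # Placeholder ARN; substitute the rule group's real ARN.
    print(json.dumps(strict_policy(
        ["arn:aws:network-firewall:us-east-1:111122223333:stateful-rulegroup/example"]), indent=2))
```

The point to notice is the telnet packet from the internal range: under action-type ordering the pass rule wins and no alert is ever raised, even though the drop rule sits above it; under strict ordering the alert fires and the drop takes effect. With aws:drop_strict added, the HTTPS packet from outside, which no rule mentions, is dropped rather than passed, so every flow you intend to allow needs an explicit pass rule before you enable it.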

You can access the new configuration options for rule ordering and default drop from the Amazon VPC console or the Network Firewall API. Now available in 23 AWS Regions, AWS Network Firewall is a managed firewall service that makes it easy to deploy essential network protections for all your Amazon VPCs. The service automatically scales with network traffic volume to provide high-availability protections without the need to set up or maintain the underlying infrastructure. AWS Network Firewall is integrated with AWS Firewall Manager to provide you with central visibility and control of your firewall policies across multiple AWS accounts. To get started with AWS Network Firewall, please see the AWS Network Firewall product page and service documentation.