Ensure Network firewall resides in a dedicated subnet

The network firewall protects the availability zone where it resides. It is the gate to your AZ, and therefore should be alone in a small and dedicated subnet. You should not place other applications in a subnet where a firewall resides, because the network firewall can't filter traffic coming into or going out from that subnet.

Risk Level: Medium
Cloud Entity: AWS Network-Firewall
CloudGuard Rule ID: D9.AWS.NET.65
Covered by Spectral: Yes
Category: Networking & Content Delivery


NetworkFirewall should have subnetMappings contain-all [getResource('Subnet', subnetId) contain [cidr numberOfHosts() <=15]]


From Command Line
To set Networks firewall in a new subnet, you should create a small subnet in the availability zone where you want the network firewall.

  1. Afterwards, you need to temporary disable subnet change protection with the following CLI command:
aws network-firewall update-subnet-change-protection --firewall-arn FW_ARN --no-subnet-change-protection

Note: The flag --no-subnet-change-protection will set the subnet change protection to FALSE.

  1. Use below command to associate the network firewall with the new subnet:
aws network-firewall associate-subnets --firewall-arn FW_ARN --subnet-mappings SubnetId= SUBNET_ID
  1. Use below command to disassociate the previous subnet from the network firewall:
aws network-firewall disassociate-subnets --firewall-arn FW_ARN --subnet-ids SUBNET_ID

Note: Dont forget to enable subnet change protection when you finish:

aws network-firewall update-subnet-change-protection --firewall-arn FW_ARN --subnet-change-protection


  1. https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-vpc.html
  2. https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/update-subnet-change-protection.html
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/associate-subnets.html

AWS Network-Firewall

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs).AWS Network Firewall���s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious act

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset