Ensure Network firewall resides in a dedicated subnet

The network firewall protects the availability zone where it resides. It is the gate to the AZ, so it should sit alone in a small, dedicated subnet. Do not place other applications in the subnet that holds the firewall endpoint: the network firewall cannot filter traffic entering or leaving the subnet it is deployed in, so anything sharing that subnet is unprotected.

Risk Level: Medium
Cloud Entity: AWS Network-Firewall
CloudGuard Rule ID: D9.TF.AWS.NET.65
Covered by Spectral: No
Category: Networking & Content Delivery


aws_networkfirewall_firewall should have subnet_mapping contain-all [getResource('aws_subnet',subnet_id) with [cidr_block numberOfHosts() <=15]]


To move the Network Firewall into a new subnet, first create a small subnet in the availability zone where you want the firewall endpoint.
Afterward, temporarily disable subnet change protection and re-map the firewall with the following CLI commands:

  1. Disable subnet change protection:
    aws network-firewall update-subnet-change-protection --firewall-arn <FW arn> --no-subnet-change-protection
    The flag --no-subnet-change-protection sets subnet change protection to FALSE.

  2. Associate the network firewall with the new subnet:
    aws network-firewall associate-subnets --firewall-arn <FW arn> --subnet-mappings SubnetId=<Subnet ID>

  3. Disassociate the previous subnet from the network firewall:
    aws network-firewall disassociate-subnets --firewall-arn <FW arn> --subnet-ids <Subnet ID>

Don't forget to re-enable subnet change protection when you finish:
aws network-firewall update-subnet-change-protection --firewall-arn <FW arn> --subnet-change-protection
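The three-step move above, wrapped in a script that first checks the target subnet is small enough to satisfy the rule and re-enables subnet change protection even if a step fails. This is an added example, not CloudGuard's or AWS's own code; the firewall ARN, subnet IDs and CIDR are placeholders, and it assumes the rule's numberOfHosts() means 2^(32-prefix)-2, so "<=15" accepts a /28 or smaller.

```shell
#!/bin/sh
# Added example: move a Network Firewall endpoint into a dedicated subnet.
# Assumption: numberOfHosts() for a CIDR is total addresses minus 2, so the
# CloudGuard threshold (<=15) is met by a /28 or smaller prefix.

# Host count of a CIDR such as 10.0.1.0/28 under the assumed definition.
cidr_host_count() {
  prefix=${1#*/}
  total=$(( 1 << (32 - prefix) ))
  echo $(( total - 2 ))
}

# Succeeds (exit 0) only when the subnet is small enough to be firewall-only.
subnet_is_dedicated_size() {
  [ "$(cidr_host_count "$1")" -le 15 ]
}

# Re-enable subnet change protection however the move ends (trap target).
restore_protection() {
  aws network-firewall update-subnet-change-protection \
    --firewall-arn "$FW_ARN" --subnet-change-protection
}

# Args: <firewall ARN> <new subnet ID> <old subnet ID> <new subnet CIDR>
move_firewall_subnet() {
  FW_ARN=$1; NEW_SUBNET_ID=$2; OLD_SUBNET_ID=$3; NEW_SUBNET_CIDR=$4
  if ! subnet_is_dedicated_size "$NEW_SUBNET_CIDR"; then
    echo "refusing: $NEW_SUBNET_CIDR is larger than a /28" >&2
    return 1
  fi
  trap restore_protection EXIT          # step 4 runs even on failure
  aws network-firewall update-subnet-change-protection \
    --firewall-arn "$FW_ARN" --no-subnet-change-protection   # step 1
  aws network-firewall associate-subnets \
    --firewall-arn "$FW_ARN" --subnet-mappings "SubnetId=$NEW_SUBNET_ID"  # step 2
  aws network-firewall disassociate-subnets \
    --firewall-arn "$FW_ARN" --subnet-ids "$OLD_SUBNET_ID"   # step 3
}

# Placeholder invocation (uncomment and fill in real values to run):
# move_firewall_subnet arn:aws:network-firewall:REGION:ACCOUNT:firewall/NAME \
#   subnet-NEW subnet-OLD 10.0.1.0/28
```

Network Firewall accepts only one firewall subnet per Availability Zone, so if the old and new subnets are in the same AZ, run the disassociate step before the associate step.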

For more information: https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-vpc.html
CLI command references:

  1. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/update-subnet-change-protection.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/associate-subnets.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/disassociate-subnets.html

AWS Network-Firewall

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). AWS Network Firewall's flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious act

Compliance Frameworks

  • Terraform AWS CIS Foundations