networkfirewall: AWS Network Firewall
In paws: Amazon Web Services Software Development Kit
networkfirewall R Documentation
AWS Network Firewall
Description
This is the API Reference for Network Firewall. This guide is for developers who need detailed information about the Network Firewall API actions, data types, and errors.
The REST API requires you to handle connection details, such as calculating signatures, handling request retries, and error handling. For general information about using the Amazon Web Services REST APIs, see Amazon Web Services APIs.
To view the complete list of Amazon Web Services Regions where Network Firewall is available, see Service endpoints and quotas in the Amazon Web Services General Reference.
To access Network Firewall using the IPv4 REST API endpoint: https://network-firewall.<region>.amazonaws.com
To access Network Firewall using the Dualstack (IPv4 and IPv6) REST API endpoint: https://network-firewall.<region>.aws.api
Alternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see Amazon Web Services SDKs.
For descriptions of Network Firewall features, including and step-by-step instructions on how to use them through the Network Firewall console, see the Network Firewall Developer Guide.
Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source network analysis and threat detection engine. Network Firewall supports Suricata version 7.0.3. For information about Suricata, see the Suricata website and the Suricata User Guide.
You can use Network Firewall to monitor and protect your VPC traffic in a number of ways. The following are just a few examples:
Allow domains or IP addresses for known Amazon Web Services service endpoints, such as Amazon S3, and block all other forms of traffic.
Use custom lists of known bad domains to limit the types of domain names that your applications can access.
Perform deep packet inspection on traffic entering or leaving your VPC.
Use stateful protocol detection to filter protocols like HTTPS, regardless of the port used.
To enable Network Firewall for your VPCs, you perform steps in both Amazon VPC and in Network Firewall. For information about using Amazon VPC, see Amazon VPC User Guide.
To start using Network Firewall, do the following:
(Optional) If you don't already have a VPC that you want to protect, create it in Amazon VPC.
In Amazon VPC, in each Availability Zone where you want to have a firewall endpoint, create a subnet for the sole use of Network Firewall.
In Network Firewall, define the firewall behavior as follows:
Create stateless and stateful rule groups, to define the components of the network traffic filtering behavior that you want your firewall to have.
Create a firewall policy that uses your rule groups and specifies additional default traffic filtering behavior.
In Network Firewall, create a firewall and specify your new firewall policy and VPC subnets. Network Firewall creates a firewall endpoint in each subnet that you specify, with the behavior that's defined in the firewall policy.
In Amazon VPC, use ingress routing enhancements to route traffic through the new firewall endpoints.
After your firewall is established, you can add firewall endpoints for new Availability Zones by following the prior steps for the Amazon VPC setup and firewall subnet definitions. You can also add endpoints to Availability Zones that you're using in the firewall, either for the same VPC or for another VPC, by following the prior steps for the Amazon VPC setup, and defining the new VPC subnets as VPC endpoint associations.
Usage
networkfirewall(
config = list(),
credentials = list(),
endpoint = NULL,
region = NULL
)
Arguments
config
Optional configuration of credentials, endpoint, and/or region.
credentials:
creds:
access_key_id: AWS access key ID
secret_access_key: AWS secret access key
session_token: AWS temporary session token
profile: The name of a profile to use. If not given, then the default profile is used.
anonymous: Set anonymous credentials.
endpoint: The complete URL to use for the constructed client.
region: The AWS Region used in instantiating the client.
close_connection: Immediately close all HTTP connections.
timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.
s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. http://s3.amazonaws.com/BUCKET/KEY.
sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html
credentials
Optional credentials shorthand for the config parameter
creds:
access_key_id: AWS access key ID
secret_access_key: AWS secret access key
session_token: AWS temporary session token
profile: The name of a profile to use. If not given, then the default profile is used.
anonymous: Set anonymous credentials.
endpoint
Optional shorthand for complete URL to use for the constructed client.
region
Optional shorthand for AWS Region used in instantiating the client.
Value
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
Service syntax
svc <- networkfirewall(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
Operations
accept_network_firewall_transit_gateway_attachment Accepts a transit gateway attachment request for Network Firewall
associate_availability_zones Associates the specified Availability Zones with a transit gateway-attached firewall
associate_firewall_policy Associates a FirewallPolicy to a Firewall
associate_subnets Associates the specified subnets in the Amazon VPC to the firewall
attach_rule_groups_to_proxy_configuration Attaches ProxyRuleGroup resources to a ProxyConfiguration
create_firewall Creates an Network Firewall Firewall and accompanying FirewallStatus for a VPC
create_firewall_policy Creates the firewall policy for the firewall according to the specifications
create_proxy Creates an Network Firewall Proxy
create_proxy_configuration Creates an Network Firewall ProxyConfiguration
create_proxy_rule_group Creates an Network Firewall ProxyRuleGroup
create_proxy_rules Creates Network Firewall ProxyRule resources
create_rule_group Creates the specified stateless or stateful rule group, which includes the rules for network traffic inspection, a capacity setting, and tags
create_tls_inspection_configuration Creates an Network Firewall TLS inspection configuration
create_vpc_endpoint_association Creates a firewall endpoint for an Network Firewall firewall
delete_firewall Deletes the specified Firewall and its FirewallStatus
delete_firewall_policy Deletes the specified FirewallPolicy
delete_network_firewall_transit_gateway_attachment Deletes a transit gateway attachment from a Network Firewall
delete_proxy Deletes the specified Proxy
delete_proxy_configuration Deletes the specified ProxyConfiguration
delete_proxy_rule_group Deletes the specified ProxyRuleGroup
delete_proxy_rules Deletes the specified ProxyRule(s)
delete_resource_policy Deletes a resource policy that you created in a PutResourcePolicy request
delete_rule_group Deletes the specified RuleGroup
delete_tls_inspection_configuration Deletes the specified TLSInspectionConfiguration
delete_vpc_endpoint_association Deletes the specified VpcEndpointAssociation
describe_firewall Returns the data objects for the specified firewall
describe_firewall_metadata Returns the high-level information about a firewall, including the Availability Zones where the Firewall is currently in use
describe_firewall_policy Returns the data objects for the specified firewall policy
describe_flow_operation Returns key information about a specific flow operation
describe_logging_configuration Returns the logging configuration for the specified firewall
describe_proxy Returns the data objects for the specified proxy
describe_proxy_configuration Returns the data objects for the specified proxy configuration
describe_proxy_rule Returns the data objects for the specified proxy configuration for the specified proxy rule group
describe_proxy_rule_group Returns the data objects for the specified proxy rule group
describe_resource_policy Retrieves a resource policy that you created in a PutResourcePolicy request
describe_rule_group Returns the data objects for the specified rule group
describe_rule_group_metadata High-level information about a rule group, returned by operations like create and describe
describe_rule_group_summary Returns detailed information for a stateful rule group
describe_tls_inspection_configuration Returns the data objects for the specified TLS inspection configuration
describe_vpc_endpoint_association Returns the data object for the specified VPC endpoint association
detach_rule_groups_from_proxy_configuration Detaches ProxyRuleGroup resources from a ProxyConfiguration
disassociate_availability_zones Removes the specified Availability Zone associations from a transit gateway-attached firewall
disassociate_subnets Removes the specified subnet associations from the firewall
get_analysis_report_results The results of a COMPLETED analysis report generated with StartAnalysisReport
list_analysis_reports Returns a list of all traffic analysis reports generated within the last 30 days
list_firewall_policies Retrieves the metadata for the firewall policies that you have defined
list_firewalls Retrieves the metadata for the firewalls that you have defined
list_flow_operation_results Returns the results of a specific flow operation
list_flow_operations Returns a list of all flow operations ran in a specific firewall
list_proxies Retrieves the metadata for the proxies that you have defined
list_proxy_configurations Retrieves the metadata for the proxy configuration that you have defined
list_proxy_rule_groups Retrieves the metadata for the proxy rule groups that you have defined
list_rule_groups Retrieves the metadata for the rule groups that you have defined
list_tags_for_resource Retrieves the tags associated with the specified resource
list_tls_inspection_configurations Retrieves the metadata for the TLS inspection configurations that you have defined
list_vpc_endpoint_associations Retrieves the metadata for the VPC endpoint associations that you have defined
put_resource_policy Creates or updates an IAM policy for your rule group, firewall policy, or firewall
reject_network_firewall_transit_gateway_attachment Rejects a transit gateway attachment request for Network Firewall
start_analysis_report Generates a traffic analysis report for the timeframe and traffic type you specify
start_flow_capture Begins capturing the flows in a firewall, according to the filters you define
start_flow_flush Begins the flushing of traffic from the firewall, according to the filters you define
tag_resource Adds the specified tags to the specified resource
untag_resource Removes the tags with the specified keys from the specified resource
update_availability_zone_change_protection Modifies the AvailabilityZoneChangeProtection setting for a transit gateway-attached firewall
update_firewall_analysis_settings Enables specific types of firewall analysis on a specific firewall you define
update_firewall_delete_protection Modifies the flag, DeleteProtection, which indicates whether it is possible to delete the firewall
update_firewall_description Modifies the description for the specified firewall
update_firewall_encryption_configuration A complex type that contains settings for encryption of your firewall resources
update_firewall_policy Updates the properties of the specified firewall policy
update_firewall_policy_change_protection Modifies the flag, ChangeProtection, which indicates whether it is possible to change the firewall
update_logging_configuration Sets the logging configuration for the specified firewall
update_proxy Updates the properties of the specified proxy
update_proxy_configuration Updates the properties of the specified proxy configuration
update_proxy_rule Updates the properties of the specified proxy rule
update_proxy_rule_group_priorities Updates proxy rule group priorities within a proxy configuration
update_proxy_rule_priorities Updates proxy rule priorities within a proxy rule group
update_rule_group Updates the rule settings for the specified rule group
update_subnet_change_protection Update subnet change protection
update_tls_inspection_configuration Updates the TLS inspection configuration settings for the specified TLS inspection configuration
Examples
## Not run:
svc <- networkfirewall()
svc$accept_network_firewall_transit_gateway_attachment(
Foo = 123
)
## End(Not run)
paws documentation built on June 2, 2026, 1:06 a.m.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
| networkfirewall | R Documentation |
AWS Network Firewall
Description
This is the API Reference for Network Firewall. This guide is for developers who need detailed information about the Network Firewall API actions, data types, and errors.
The REST API requires you to handle connection details, such as calculating signatures, handling request retries, and error handling. For general information about using the Amazon Web Services REST APIs, see Amazon Web Services APIs.
To view the complete list of Amazon Web Services Regions where Network Firewall is available, see Service endpoints and quotas in the Amazon Web Services General Reference.
To access Network Firewall using the IPv4 REST API endpoint: https://network-firewall.<region>.amazonaws.com
To access Network Firewall using the Dualstack (IPv4 and IPv6) REST API endpoint: https://network-firewall.<region>.aws.api
Alternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see Amazon Web Services SDKs.
For descriptions of Network Firewall features, including and step-by-step instructions on how to use them through the Network Firewall console, see the Network Firewall Developer Guide.
Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source network analysis and threat detection engine. Network Firewall supports Suricata version 7.0.3. For information about Suricata, see the Suricata website and the Suricata User Guide.
You can use Network Firewall to monitor and protect your VPC traffic in a number of ways. The following are just a few examples:
Allow domains or IP addresses for known Amazon Web Services service endpoints, such as Amazon S3, and block all other forms of traffic.
Use custom lists of known bad domains to limit the types of domain names that your applications can access.
Perform deep packet inspection on traffic entering or leaving your VPC.
Use stateful protocol detection to filter protocols like HTTPS, regardless of the port used.
To enable Network Firewall for your VPCs, you perform steps in both Amazon VPC and in Network Firewall. For information about using Amazon VPC, see Amazon VPC User Guide.
To start using Network Firewall, do the following:
(Optional) If you don't already have a VPC that you want to protect, create it in Amazon VPC.
In Amazon VPC, in each Availability Zone where you want to have a firewall endpoint, create a subnet for the sole use of Network Firewall.
In Network Firewall, define the firewall behavior as follows:
Create stateless and stateful rule groups, to define the components of the network traffic filtering behavior that you want your firewall to have.
Create a firewall policy that uses your rule groups and specifies additional default traffic filtering behavior.
In Network Firewall, create a firewall and specify your new firewall policy and VPC subnets. Network Firewall creates a firewall endpoint in each subnet that you specify, with the behavior that's defined in the firewall policy.
In Amazon VPC, use ingress routing enhancements to route traffic through the new firewall endpoints.
After your firewall is established, you can add firewall endpoints for new Availability Zones by following the prior steps for the Amazon VPC setup and firewall subnet definitions. You can also add endpoints to Availability Zones that you're using in the firewall, either for the same VPC or for another VPC, by following the prior steps for the Amazon VPC setup, and defining the new VPC subnets as VPC endpoint associations.
Usage
networkfirewall(
config = list(),
credentials = list(),
endpoint = NULL,
region = NULL
)
Arguments
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
Value
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
Service syntax
svc <- networkfirewall(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
Operations
| accept_network_firewall_transit_gateway_attachment | Accepts a transit gateway attachment request for Network Firewall |
| associate_availability_zones | Associates the specified Availability Zones with a transit gateway-attached firewall |
| associate_firewall_policy | Associates a FirewallPolicy to a Firewall |
| associate_subnets | Associates the specified subnets in the Amazon VPC to the firewall |
| attach_rule_groups_to_proxy_configuration | Attaches ProxyRuleGroup resources to a ProxyConfiguration |
| create_firewall | Creates an Network Firewall Firewall and accompanying FirewallStatus for a VPC |
| create_firewall_policy | Creates the firewall policy for the firewall according to the specifications |
| create_proxy | Creates an Network Firewall Proxy |
| create_proxy_configuration | Creates an Network Firewall ProxyConfiguration |
| create_proxy_rule_group | Creates an Network Firewall ProxyRuleGroup |
| create_proxy_rules | Creates Network Firewall ProxyRule resources |
| create_rule_group | Creates the specified stateless or stateful rule group, which includes the rules for network traffic inspection, a capacity setting, and tags |
| create_tls_inspection_configuration | Creates an Network Firewall TLS inspection configuration |
| create_vpc_endpoint_association | Creates a firewall endpoint for an Network Firewall firewall |
| delete_firewall | Deletes the specified Firewall and its FirewallStatus |
| delete_firewall_policy | Deletes the specified FirewallPolicy |
| delete_network_firewall_transit_gateway_attachment | Deletes a transit gateway attachment from a Network Firewall |
| delete_proxy | Deletes the specified Proxy |
| delete_proxy_configuration | Deletes the specified ProxyConfiguration |
| delete_proxy_rule_group | Deletes the specified ProxyRuleGroup |
| delete_proxy_rules | Deletes the specified ProxyRule(s) |
| delete_resource_policy | Deletes a resource policy that you created in a PutResourcePolicy request |
| delete_rule_group | Deletes the specified RuleGroup |
| delete_tls_inspection_configuration | Deletes the specified TLSInspectionConfiguration |
| delete_vpc_endpoint_association | Deletes the specified VpcEndpointAssociation |
| describe_firewall | Returns the data objects for the specified firewall |
| describe_firewall_metadata | Returns the high-level information about a firewall, including the Availability Zones where the Firewall is currently in use |
| describe_firewall_policy | Returns the data objects for the specified firewall policy |
| describe_flow_operation | Returns key information about a specific flow operation |
| describe_logging_configuration | Returns the logging configuration for the specified firewall |
| describe_proxy | Returns the data objects for the specified proxy |
| describe_proxy_configuration | Returns the data objects for the specified proxy configuration |
| describe_proxy_rule | Returns the data objects for the specified proxy configuration for the specified proxy rule group |
| describe_proxy_rule_group | Returns the data objects for the specified proxy rule group |
| describe_resource_policy | Retrieves a resource policy that you created in a PutResourcePolicy request |
| describe_rule_group | Returns the data objects for the specified rule group |
| describe_rule_group_metadata | High-level information about a rule group, returned by operations like create and describe |
| describe_rule_group_summary | Returns detailed information for a stateful rule group |
| describe_tls_inspection_configuration | Returns the data objects for the specified TLS inspection configuration |
| describe_vpc_endpoint_association | Returns the data object for the specified VPC endpoint association |
| detach_rule_groups_from_proxy_configuration | Detaches ProxyRuleGroup resources from a ProxyConfiguration |
| disassociate_availability_zones | Removes the specified Availability Zone associations from a transit gateway-attached firewall |
| disassociate_subnets | Removes the specified subnet associations from the firewall |
| get_analysis_report_results | The results of a COMPLETED analysis report generated with StartAnalysisReport |
| list_analysis_reports | Returns a list of all traffic analysis reports generated within the last 30 days |
| list_firewall_policies | Retrieves the metadata for the firewall policies that you have defined |
| list_firewalls | Retrieves the metadata for the firewalls that you have defined |
| list_flow_operation_results | Returns the results of a specific flow operation |
| list_flow_operations | Returns a list of all flow operations ran in a specific firewall |
| list_proxies | Retrieves the metadata for the proxies that you have defined |
| list_proxy_configurations | Retrieves the metadata for the proxy configuration that you have defined |
| list_proxy_rule_groups | Retrieves the metadata for the proxy rule groups that you have defined |
| list_rule_groups | Retrieves the metadata for the rule groups that you have defined |
| list_tags_for_resource | Retrieves the tags associated with the specified resource |
| list_tls_inspection_configurations | Retrieves the metadata for the TLS inspection configurations that you have defined |
| list_vpc_endpoint_associations | Retrieves the metadata for the VPC endpoint associations that you have defined |
| put_resource_policy | Creates or updates an IAM policy for your rule group, firewall policy, or firewall |
| reject_network_firewall_transit_gateway_attachment | Rejects a transit gateway attachment request for Network Firewall |
| start_analysis_report | Generates a traffic analysis report for the timeframe and traffic type you specify |
| start_flow_capture | Begins capturing the flows in a firewall, according to the filters you define |
| start_flow_flush | Begins the flushing of traffic from the firewall, according to the filters you define |
| tag_resource | Adds the specified tags to the specified resource |
| untag_resource | Removes the tags with the specified keys from the specified resource |
| update_availability_zone_change_protection | Modifies the AvailabilityZoneChangeProtection setting for a transit gateway-attached firewall |
| update_firewall_analysis_settings | Enables specific types of firewall analysis on a specific firewall you define |
| update_firewall_delete_protection | Modifies the flag, DeleteProtection, which indicates whether it is possible to delete the firewall |
| update_firewall_description | Modifies the description for the specified firewall |
| update_firewall_encryption_configuration | A complex type that contains settings for encryption of your firewall resources |
| update_firewall_policy | Updates the properties of the specified firewall policy |
| update_firewall_policy_change_protection | Modifies the flag, ChangeProtection, which indicates whether it is possible to change the firewall |
| update_logging_configuration | Sets the logging configuration for the specified firewall |
| update_proxy | Updates the properties of the specified proxy |
| update_proxy_configuration | Updates the properties of the specified proxy configuration |
| update_proxy_rule | Updates the properties of the specified proxy rule |
| update_proxy_rule_group_priorities | Updates proxy rule group priorities within a proxy configuration |
| update_proxy_rule_priorities | Updates proxy rule priorities within a proxy rule group |
| update_rule_group | Updates the rule settings for the specified rule group |
| update_subnet_change_protection | Update subnet change protection |
| update_tls_inspection_configuration | Updates the TLS inspection configuration settings for the specified TLS inspection configuration |
Examples
## Not run:
svc <- networkfirewall()
svc$accept_network_firewall_transit_gateway_attachment(
Foo = 123
)
## End(Not run)
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
Embedding an R snippet on your website
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.