Network Firewall
Definition
Managed service inspecting and filtering network traffic into and out of your VPC, blocking threats and enforcing security policies at the perimeter.
Use Cases
- Netflix: Protecting cloud network traffic and reducing exposure by controlling inbound and outbound access across many AWS accounts and VPCs. — Netflix has publicly described using AWS-native networking and security controls (including security groups, NACLs, and centralized policy enforcement) to manage traffic at scale; a managed network firewall service can be inserted into shared services VPCs to inspect and control traffic between VPCs and to/from the internet. (Improved security posture through centralized, consistent traffic controls and reduced operational overhead compared with managing self-hosted firewall appliances.)
- Capital One: Enforcing strict network segmentation and egress controls to reduce the risk of data exfiltration in a large AWS environment. — Capital One has publicly discussed extensive use of AWS security services and automated policy enforcement. A managed network firewall can be deployed in inspection VPCs/subnets to apply stateful rules, domain/URL-based egress controls, and threat-signature inspection for traffic between application tiers and outbound to the internet. (Stronger governance and more consistent enforcement of network security policies with less infrastructure management than traditional firewall appliances.)
- Shopify: Controlling and monitoring outbound traffic from production workloads to limit risky destinations and reduce the blast radius of compromised services. — Shopify has publicly shared its focus on defense-in-depth and layered controls in cloud environments. A managed network firewall can be used to enforce egress allow-lists, block known-bad IPs/domains, and log traffic for investigation without deploying and patching firewall VMs. (Reduced risk of outbound abuse and improved incident response through centralized logging and policy-driven egress restrictions.)
Provider Equivalents
- AWS: AWS Network Firewall
- Azure: Azure Firewall Premium
- GCP: Cloud Firewall (hierarchical firewall policies) + Cloud IDS
- OCI: OCI Network Firewall
Frequently Asked Questions
- What's the difference between a Network Firewall and a security group?
- A security group is a basic, instance-level (or interface-level) allow-list that controls which ports, protocols, and source/destination CIDRs can reach or leave a workload. It is stateful, but it sees only IP addresses, ports, and protocols and has no notion of domains, payloads, or threat signatures. A Network Firewall is a centralized, managed firewall that can inspect traffic more deeply (often stateful inspection, threat signatures, domain-based rules, and advanced rule logic) and apply consistent policies across subnets/VPCs, including outbound (egress) controls and detailed logging. In practice the two are layered: security groups bound what each workload may talk to, and the firewall enforces organization-wide policy on the traffic that gets through.
- When should I use a Network Firewall?
- Use a Network Firewall when you need centralized traffic inspection and policy enforcement across multiple subnets or networks, especially for: (1) strict egress control to prevent data exfiltration, (2) inspecting east-west traffic between application tiers or VPCs, (3) blocking known malicious IPs/domains, (4) meeting compliance requirements that call for centralized firewalling and audit logs, or (5) replacing self-managed firewall appliances to reduce operational work.
- How much does a Network Firewall cost?
- Pricing is typically based on (1) hourly charges for firewall endpoints/instances, (2) the amount of data processed (GB), and sometimes (3) optional features like advanced threat inspection or logging. Costs increase with higher throughput, more availability zones/endpoints, and more traffic inspected. For accurate estimates, use the provider’s pricing page and calculator and model your expected GB processed and number of deployed endpoints.
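The following is an added example, not code from the original page or from any provider. It illustrates the answers above by contrasting a security group (a per-workload port/protocol allow-list) with a centralized egress firewall that matches destination domains via TLS SNI or HTTP Host, blocks known-bad IPs, defaults to deny, and logs every decision. The flows, domain list, and bad-IP range are constructed sample data; the `aws_domain_allowlist_rule_group` helper only builds the rule-group document shape as I understand the AWS Network Firewall CreateRuleGroup API and makes no API calls, so verify it against current documentation before use.

```python
"""
Added example (not from the original page): a toy evaluator that contrasts a
security group (per-workload port/protocol allow-list) with a centralized
egress firewall that matches destination domains (TLS SNI / HTTP Host),
blocks known-bad IPs, and logs every decision. All flows and lists below
are constructed sample data; nothing here talks to a cloud API.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str                  # "tcp" or "udp"
    sni: Optional[str] = None   # TLS SNI or HTTP Host header, if observed


class SecurityGroup:
    """Instance-level allow-list of (proto, first_port, last_port, cidr).
    Stateful, but it only sees L3/L4 fields, never the destination domain."""

    def __init__(self, egress: List[Tuple[str, int, int, str]]):
        self.egress = egress

    def allows(self, f: Flow) -> bool:
        dst = ip_address(f.dst)
        return any(
            proto == f.proto and lo <= f.dport <= hi and dst in ip_network(cidr)
            for proto, lo, hi, cidr in self.egress
        )


class EgressFirewall:
    """Centralized inspection point: domain allow-list, bad-IP block list,
    default deny for anything it cannot classify, and a decision log."""

    def __init__(self, allowed_domains: List[str], bad_ips: List[str]):
        self.allowed_domains = [d.lower() for d in allowed_domains]
        self.bad_nets = [ip_network(c) for c in bad_ips]
        self.log: List[Dict[str, str]] = []

    def domain_allowed(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        for d in self.allowed_domains:
            if d.startswith("."):            # ".example.com" covers the apex and all subdomains
                if host == d[1:] or host.endswith(d):
                    return True
            elif host == d:
                return True
        return False

    def decide(self, f: Flow) -> str:
        dst = ip_address(f.dst)
        if any(dst in net for net in self.bad_nets):
            verdict, reason = "DROP", "known-bad destination IP"
        elif f.sni is None:
            verdict, reason = "DROP", "no SNI/Host to classify (default deny)"
        elif self.domain_allowed(f.sni):
            verdict, reason = "PASS", "domain on allow-list"
        else:
            verdict, reason = "DROP", "domain not on allow-list"
        # Every decision is logged so investigators can reconstruct egress attempts.
        self.log.append({"src": f.src, "dst": f"{f.dst}:{f.dport}",
                         "host": f.sni or "-", "verdict": verdict, "reason": reason})
        return verdict


def aws_domain_allowlist_rule_group(domains: List[str]) -> dict:
    """Document shape of a domain-list stateful rule group for AWS Network
    Firewall's CreateRuleGroup (RulesSourceList). Assumed to match the current
    API; check the service documentation before relying on it."""
    return {"RulesSource": {"RulesSourceList": {
        "Targets": list(domains),
        "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
        "GeneratedRulesType": "ALLOWLIST",
    }}}


# Constructed sample data: one workload, a permissive security group that allows
# HTTPS anywhere, and a firewall that only permits traffic to the company's API domain.
SG = SecurityGroup(egress=[("tcp", 443, 443, "0.0.0.0/0")])
FW = EgressFirewall(allowed_domains=[".example.com"], bad_ips=["203.0.113.0/24"])

SAMPLE_FLOWS = [
    Flow("10.0.1.10", "93.184.216.34", 443, "tcp", "api.example.com"),  # legitimate API call
    Flow("10.0.1.10", "198.51.100.7", 443, "tcp", "paste.invalid"),     # upload to an unapproved site
    Flow("10.0.1.10", "203.0.113.9", 443, "tcp", "api.example.com"),    # allowed name, known-bad IP
    Flow("10.0.1.10", "192.0.2.5", 8443, "tcp", None),                  # unusual port, no SNI
]


def evaluate(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[str, str, str]]:
    """Return (destination label, security-group verdict, firewall verdict) per flow."""
    results = []
    for f in flows:
        sg = "ALLOW" if SG.allows(f) else "DENY"
        results.append((f.sni or f"{f.dst}:{f.dport}", sg, FW.decide(f)))
    return results


if __name__ == "__main__":
    for label, sg, fw in evaluate():
        print(f"{label:<22} security group={sg:<5} firewall={fw}")
    for entry in FW.log:
        print(entry)
```

Running it shows the point of the FAQ: the security group passes the upload to `paste.invalid` and the connection to the known-bad IP because both are simply TCP/443, while the firewall drops both and records why, and the connection with no SNI is dropped by default rather than allowed through.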
Category: security
Difficulty: intermediate