

***************
NetworkFirewall
***************



======
Client
======



.. py:class:: NetworkFirewall.Client

  A low-level client representing AWS Network Firewall
  

  This is the API Reference for Network Firewall. This guide is for developers who need detailed information about the Network Firewall API actions, data types, and errors.

  The REST API requires you to handle connection details, such as calculating signatures, handling request retries, and error handling. For general information about using the Amazon Web Services REST APIs, see `Amazon Web Services APIs <https://docs.aws.amazon.com/general/latest/gr/aws-apis.html>`__.

  To view the complete list of Amazon Web Services Regions where Network Firewall is available, see `Service endpoints and quotas <https://docs.aws.amazon.com/general/latest/gr/network-firewall.html>`__ in the *Amazon Web Services General Reference*.

  To access Network Firewall using the IPv4 REST API endpoint: ``https://network-firewall.<region>.amazonaws.com``

  To access Network Firewall using the Dualstack (IPv4 and IPv6) REST API endpoint: ``https://network-firewall.<region>.aws.api``

  Alternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see `Amazon Web Services SDKs <http://aws.amazon.com/tools/#SDKs>`__.

  For descriptions of Network Firewall features, including step-by-step instructions on how to use them through the Network Firewall console, see the `Network Firewall Developer Guide <https://docs.aws.amazon.com/network-firewall/latest/developerguide/>`__.

  Network Firewall is a stateful, managed network firewall and intrusion detection and prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible with Suricata, a free, open source network analysis and threat detection engine. Network Firewall supports Suricata version 7.0.3. For information about Suricata, see the `Suricata website <https://suricata.io/>`__ and the `Suricata User Guide <https://suricata.readthedocs.io/en/suricata-7.0.3/>`__.

  You can use Network Firewall to monitor and protect your VPC traffic in a number of ways. The following are just a few examples:

  * Allow domains or IP addresses for known Amazon Web Services service endpoints, such as Amazon S3, and block all other forms of traffic.

  * Use custom lists of known bad domains to limit the types of domain names that your applications can access.

  * Perform deep packet inspection on traffic entering or leaving your VPC.

  * Use stateful protocol detection to filter protocols like HTTPS, regardless of the port used.

  To enable Network Firewall for your VPCs, you perform steps in both Amazon VPC and in Network Firewall. For information about using Amazon VPC, see `Amazon VPC User Guide <https://docs.aws.amazon.com/vpc/latest/userguide/>`__.

  To start using Network Firewall, do the following:

  * (Optional) If you don't already have a VPC that you want to protect, create it in Amazon VPC.

  * In Amazon VPC, in each Availability Zone where you want to have a firewall endpoint, create a subnet for the sole use of Network Firewall.

  * In Network Firewall, define the firewall behavior as follows:

    * Create stateless and stateful rule groups, to define the components of the network traffic filtering behavior that you want your firewall to have.

    * Create a firewall policy that uses your rule groups and specifies additional default traffic filtering behavior.

  * In Network Firewall, create a firewall and specify your new firewall policy and VPC subnets. Network Firewall creates a firewall endpoint in each subnet that you specify, with the behavior that's defined in the firewall policy.

  * In Amazon VPC, use ingress routing enhancements to route traffic through the new firewall endpoints.

  After your firewall is established, you can add firewall endpoints for new Availability Zones by following the prior steps for the Amazon VPC setup and firewall subnet definitions. You can also add endpoints to Availability Zones that you're using in the firewall, either for the same VPC or for another VPC, by following the prior steps for the Amazon VPC setup, and defining the new VPC subnets as VPC endpoint associations.

  ::

    
    import boto3
    
    client = boto3.client('network-firewall')
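The Network Firewall side of the setup steps above (rule group, then firewall policy, then firewall, then logging) as an added example that is not part of the boto3 reference or AWS's own code; it takes the client as a parameter so the call sequence can be exercised offline against a stub, and the rule-group, policy and firewall names, the VPC and subnet IDs, the log group and the capacity value are all constructed assumptions.

```python
# Added example, not code from the boto3 reference or AWS: provisions a firewall in
# the order described above (rule group -> firewall policy -> firewall -> logging).
# `client` is a boto3 network-firewall client or any object with those method
# names, so the flow runs offline against a stub; all names and IDs are constructed.

def stateful_domain_allowlist(name, domains):
    """CreateRuleGroup request: allow only the listed domains (matched on TLS SNI
    and HTTP Host) and drop other HTTP/TLS flows. Capacity is a constructed estimate."""
    return {
        "RuleGroupName": name, "Type": "STATEFUL", "Capacity": 100,
        "RuleGroup": {"RulesSource": {"RulesSourceList": {
            "Targets": list(domains),
            "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
            "GeneratedRulesType": "ALLOWLIST"}}},
    }

def forward_all_to_stateful_policy(name, stateful_arns):
    """CreateFirewallPolicy request: the stateless engine forwards every packet
    (fragments included) to the stateful engine, where the rule groups decide."""
    return {
        "FirewallPolicyName": name,
        "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
            "StatefulRuleGroupReferences": [{"ResourceArn": a} for a in stateful_arns],
        },
    }

def provision(client, vpc_id, subnet_ids, log_group, domains):
    """Run the create sequence and return the ARNs it produced."""
    rg = client.create_rule_group(**stateful_domain_allowlist("allow-aws-endpoints", domains))
    rg_arn = rg["RuleGroupResponse"]["RuleGroupArn"]
    pol = client.create_firewall_policy(**forward_all_to_stateful_policy("egress-policy", [rg_arn]))
    pol_arn = pol["FirewallPolicyResponse"]["FirewallPolicyArn"]
    fw = client.create_firewall(
        FirewallName="vpc-egress-fw", FirewallPolicyArn=pol_arn, VpcId=vpc_id,
        SubnetMappings=[{"SubnetId": s} for s in subnet_ids],  # one dedicated subnet per AZ
        # Change protections block an accidental or unauthorised delete/policy swap/subnet change.
        DeleteProtection=True, FirewallPolicyChangeProtection=True, SubnetChangeProtection=True)
    fw_arn = fw["Firewall"]["FirewallArn"]
    client.update_logging_configuration(  # ALERT logs make drops visible to detection tooling
        FirewallArn=fw_arn,
        LoggingConfiguration={"LogDestinationConfigs": [{
            "LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
            "LogDestination": {"logGroup": log_group}}]})
    return {"rule_group": rg_arn, "policy": pol_arn, "firewall": fw_arn}

if __name__ == "__main__":  # live path: needs AWS credentials, a VPC and firewall subnets
    import boto3
    print(provision(boto3.client("network-firewall"), "vpc-PLACEHOLDER", ["subnet-PLACEHOLDER"], "/nfw/alerts", ["s3.amazonaws.com"]))
```

The routing step (sending subnet traffic through the firewall endpoints) is done in Amazon VPC, not through this client, so it is not part of the sequence.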

  

These are the available methods:

.. toctree::
  :maxdepth: 1
  :titlesonly:

  network-firewall/client/accept_network_firewall_transit_gateway_attachment
  network-firewall/client/associate_availability_zones
  network-firewall/client/associate_firewall_policy
  network-firewall/client/associate_subnets
  network-firewall/client/attach_rule_groups_to_proxy_configuration
  network-firewall/client/can_paginate
  network-firewall/client/close
  network-firewall/client/create_firewall
  network-firewall/client/create_firewall_policy
  network-firewall/client/create_proxy
  network-firewall/client/create_proxy_configuration
  network-firewall/client/create_proxy_rule_group
  network-firewall/client/create_proxy_rules
  network-firewall/client/create_rule_group
  network-firewall/client/create_tls_inspection_configuration
  network-firewall/client/create_vpc_endpoint_association
  network-firewall/client/delete_firewall
  network-firewall/client/delete_firewall_policy
  network-firewall/client/delete_network_firewall_transit_gateway_attachment
  network-firewall/client/delete_proxy
  network-firewall/client/delete_proxy_configuration
  network-firewall/client/delete_proxy_rule_group
  network-firewall/client/delete_proxy_rules
  network-firewall/client/delete_resource_policy
  network-firewall/client/delete_rule_group
  network-firewall/client/delete_tls_inspection_configuration
  network-firewall/client/delete_vpc_endpoint_association
  network-firewall/client/describe_firewall
  network-firewall/client/describe_firewall_metadata
  network-firewall/client/describe_firewall_policy
  network-firewall/client/describe_flow_operation
  network-firewall/client/describe_logging_configuration
  network-firewall/client/describe_proxy
  network-firewall/client/describe_proxy_configuration
  network-firewall/client/describe_proxy_rule
  network-firewall/client/describe_proxy_rule_group
  network-firewall/client/describe_resource_policy
  network-firewall/client/describe_rule_group
  network-firewall/client/describe_rule_group_metadata
  network-firewall/client/describe_rule_group_summary
  network-firewall/client/describe_tls_inspection_configuration
  network-firewall/client/describe_vpc_endpoint_association
  network-firewall/client/detach_rule_groups_from_proxy_configuration
  network-firewall/client/disassociate_availability_zones
  network-firewall/client/disassociate_subnets
  network-firewall/client/get_analysis_report_results
  network-firewall/client/get_paginator
  network-firewall/client/get_waiter
  network-firewall/client/list_analysis_reports
  network-firewall/client/list_firewall_policies
  network-firewall/client/list_firewalls
  network-firewall/client/list_flow_operation_results
  network-firewall/client/list_flow_operations
  network-firewall/client/list_proxies
  network-firewall/client/list_proxy_configurations
  network-firewall/client/list_proxy_rule_groups
  network-firewall/client/list_rule_groups
  network-firewall/client/list_tags_for_resource
  network-firewall/client/list_tls_inspection_configurations
  network-firewall/client/list_vpc_endpoint_associations
  network-firewall/client/put_resource_policy
  network-firewall/client/reject_network_firewall_transit_gateway_attachment
  network-firewall/client/start_analysis_report
  network-firewall/client/start_flow_capture
  network-firewall/client/start_flow_flush
  network-firewall/client/tag_resource
  network-firewall/client/untag_resource
  network-firewall/client/update_availability_zone_change_protection
  network-firewall/client/update_firewall_analysis_settings
  network-firewall/client/update_firewall_delete_protection
  network-firewall/client/update_firewall_description
  network-firewall/client/update_firewall_encryption_configuration
  network-firewall/client/update_firewall_policy
  network-firewall/client/update_firewall_policy_change_protection
  network-firewall/client/update_logging_configuration
  network-firewall/client/update_proxy
  network-firewall/client/update_proxy_configuration
  network-firewall/client/update_proxy_rule
  network-firewall/client/update_proxy_rule_group_priorities
  network-firewall/client/update_proxy_rule_priorities
  network-firewall/client/update_rule_group
  network-firewall/client/update_subnet_change_protection
  network-firewall/client/update_tls_inspection_configuration


==========
Paginators
==========


Paginators are available on a client instance via the ``get_paginator`` method. For more detailed instructions and examples on the usage of paginators, see the paginators `user guide <https://boto3.amazonaws.com/v1/documentation/api/latest/guide/paginators.html>`_.

The available paginators are:

.. toctree::
  :maxdepth: 1
  :titlesonly:

  network-firewall/paginator/GetAnalysisReportResults
  network-firewall/paginator/ListAnalysisReports
  network-firewall/paginator/ListFirewallPolicies
  network-firewall/paginator/ListFirewalls
  network-firewall/paginator/ListFlowOperationResults
  network-firewall/paginator/ListFlowOperations
  network-firewall/paginator/ListProxies
  network-firewall/paginator/ListProxyConfigurations
  network-firewall/paginator/ListProxyRuleGroups
  network-firewall/paginator/ListRuleGroups
  network-firewall/paginator/ListTLSInspectionConfigurations
  network-firewall/paginator/ListTagsForResource
  network-firewall/paginator/ListVpcEndpointAssociations
