AWS Firewall Manager Archives - AWS Security Architect
https://awssecurityarchitect.com/category/aws-firewall-manager/

Firewall Manager and Shared VPCs in AWS
https://awssecurityarchitect.com/aws-network-security/firewall-manager-and-shared-vpcs-in-aws/
Thu, 30 Oct 2025 03:42:17 +0000

Shared VPC Use Cases & Shared VPC vs Transit Gateway

This document provides additional Shared VPC use cases for AWS Network Firewall and explains how Shared VPCs differ technically and operationally from AWS Transit Gateways (TGWs).

Network Firewall Policies — Shared VPC Support

When AWS Network Firewall is deployed through Firewall Manager in a Shared VPC environment, it provides consistent network-layer inspection across workloads owned by multiple AWS accounts but hosted in a single VPC owned by the networking (host) account.

Shared VPC Use Cases for Network Firewall
  • Centralized inspection for multi-account applications: Multiple business units (each with separate AWS accounts) can deploy workloads into shared subnets of a central VPC. A single Network Firewall instance inspects north–south and east–west traffic.
  • Segregation between trust zones: Shared VPCs allow separate subnets for different security tiers such as Application, Database, and Management tiers—all inspected through centralized firewall endpoints.
  • Central egress control: Outbound traffic from all member accounts can be routed through shared egress inspection subnets where Firewall Manager enforces domain filtering, data-loss prevention (DLP) signatures, or threat-intelligence blocking.
  • Hub-and-spoke simplification: Instead of deploying firewalls in each spoke account, Shared VPCs enable a single firewall deployment protecting workloads across accounts.
  • Consistent DNS and Security Policy Integration: Shared VPCs simplify DNS Firewall and Security Group policy application because all traffic passes through common resolver endpoints and SG baselines.
  • Shared services protection: Protect central shared services such as CI/CD pipelines, Active Directory, and artifact repositories within the same VPC using a unified inspection layer.
  • East–West microsegmentation: Enforce inter-subnet communication controls between workloads of different accounts without additional firewalls per account.
  • Tenant isolation: Maintain logical separation between workloads from different participant accounts using route tables and firewall rules within a single address space.
  • Standardized SaaS egress policies: Permit access to approved SaaS domains while blocking all unapproved external destinations through DNS and firewall rule sets.
  • Gradual onboarding: Simplify onboarding of new participant accounts to a pre-secured network environment with inherited inspection and logging capabilities.

How Shared VPCs Differ from Transit Gateways

While both Shared VPCs and Transit Gateways enable multi-account connectivity, they operate at different scopes and layers of the network.

| Aspect | Shared VPC | Transit Gateway (TGW) |
|---|---|---|
| Scope | Single VPC shared across accounts in one AWS Region and Organization. | Regional routing hub connecting multiple VPCs and on-prem networks. |
| Ownership Model | One host account owns the VPC; participant accounts share designated subnets. | Each account owns its own VPC; Transit Gateway connects them through attachments. |
| Network Plane | Operates within one VPC's address space, eliminating inter-VPC routing overhead. | Creates an overlay routing fabric between multiple VPCs with explicit route propagation. |
| Security Controls | Centralized via Security Groups, NACLs, and Network/DNS Firewall managed by Firewall Manager. | Enforced per VPC or via centralized inspection VPCs using TGW route table redirection. |
| Traffic Visibility | Unified visibility through a single VPC's Flow Logs and logging infrastructure. | Requires TGW Flow Logs or central inspection for consistent observability. |
| Use Case Fit | Best for closely coupled workloads, shared services, or microservice clusters within one Region. | Ideal for distributed architectures, hybrid connectivity, and multi-region or multi-BU environments. |
| Performance | Low latency; no additional routing hops. | Additional hop through TGW introduces slight latency overhead. |
| Cost | No per-GB data processing charge. | Charged per GB of data processed and per attachment. |

Design Implications
  • Shared VPCs simplify policy enforcement because all traffic remains within a single VPC boundary—making it easier for Firewall Manager, Network Firewall, and DNS Firewall to apply consistent controls.
  • Transit Gateways are better suited for large, multi-region, or hybrid environments where many VPCs or on-prem networks must interconnect.
  • Combined Approach: Many enterprises deploy Shared VPCs for intra-business-unit workloads and Transit Gateways for cross-business-unit or cross-region routing.

Tip: Pair Firewall Manager policies (Network Firewall, Security Group, WAF, DNS Firewall) with centralized logging to S3 or CloudWatch and integrate with AWS Security Hub or GuardDuty for organization-wide visibility and automated compliance.

AWS Firewall Manager
https://awssecurityarchitect.com/aws-firewall-manager/aws-firewall-manager/
Fri, 24 Oct 2025 14:50:37 +0000

Firewall Manager in Shared VPC Environments

How AWS Firewall Manager (FMS) governs centralized network and security policies in Shared VPC deployments, and which aspects of security are controlled at the organization level.

Key Idea: In a Shared VPC, the host account owns all network infrastructure, while participant accounts host workloads. AWS Firewall Manager operates across all these accounts to enforce uniform firewall, WAF, and SG policies centrally from the security administrator account.

1. AWS Firewall Manager Overview

AWS Firewall Manager (FMS) is a centralized security policy enforcement service integrated with AWS Organizations. It allows security administrators to define firewall, WAF, and network protection policies in a single account and automatically apply them across member accounts.

When used with Shared VPCs, FMS integrates directly with:

  • AWS Network Firewall (for centralized network-layer protection)
  • AWS WAF (for application-layer protection)
  • Security Group policies (for instance-level enforcement)
  • Route 53 Resolver DNS Firewall (for domain-based filtering)

2. How Firewall Manager Operates in a Shared VPC

Shared VPC Structure Recap

  • The Host Account owns the VPC, subnets, NACLs, and routing tables.
  • Participant Accounts deploy workloads (EC2, ECS tasks, ENIs) in the shared subnets.
  • Firewall Manager Admin Account manages organization-wide policies.

Firewall Manager’s Scope in Shared VPCs

  • FMS operates at the organization level (across accounts), not just per VPC.
  • For Shared VPCs, FMS applies policies directly to the Host Account’s VPC since it owns the network layer.
  • It automatically identifies and applies security group compliance or Network Firewall deployments to the shared subnets.
  • Participant accounts cannot override enforced SG, WAF, or firewall rules defined by FMS.

Shared VPC Security Group and Traffic Flow Diagram

[Diagram: Firewall Manager centrally enforces SG, Network Firewall, and DNS Firewall across shared subnets and participant workloads.]

3. Security Aspects Controlled by Firewall Manager

| Security Aspect | Managed By | Description |
|---|---|---|
| Network Firewall Policies | Firewall Manager (Host Account) | Automatically deploys AWS Network Firewall endpoints into shared subnets. Enforces centralized stateful and stateless rule groups (e.g., IPS/IDS, egress filtering, domain filtering). |
| Security Group Policies | Firewall Manager (Org Admin) | Defines allowed/denied SG rules across all accounts. Prevents overly permissive rules (e.g., 0.0.0.0/0 on SSH). Can audit and auto-remediate SGs in participant accounts. |
| AWS WAF Rules | Firewall Manager | Applies web ACLs consistently across Application Load Balancers or CloudFront distributions hosted in shared or member accounts. |
| DNS Firewall Rules | Firewall Manager | Centralized domain name blocking or allowing across Route 53 Resolver endpoints used by workloads in shared subnets. |
| Policy Enforcement Visibility | Firewall Manager | Aggregates compliance status (e.g., missing SG rules, unassociated firewalls) across accounts in the AWS Organization and sends findings to Security Hub or CloudWatch. |
| Flow Logging and Monitoring | Host Account | Firewall Manager integrates with GuardDuty and VPC Flow Logs for detecting anomalous traffic patterns in shared VPCs. |

4. Example: Shared VPC Policy Application Flow

  1. Security Admin in the Firewall Manager administrator account defines a Network Firewall policy for the Shared VPC’s subnets.
  2. FMS automatically deploys firewall endpoints in the host account’s subnets (e.g., Inspection VPC or shared subnet).
  3. Security Group Policy is enforced so that participant workloads cannot create SGs with unrestricted ingress/egress.
  4. Traffic from participant EC2 instances is routed through the centralized Network Firewall (for east-west and north-south inspection).
  5. Compliance violations (e.g., missing SG association) appear in the FMS dashboard for remediation.
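The security group policy from the table above and step 3 of this flow, as an added example that is not the post's or AWS's own code: it builds the Policy argument for a Firewall Manager SECURITY_GROUPS_CONTENT_AUDIT policy (the dict that would be passed to boto3's fms.put_policy) and runs an offline pre-check of the kind of rule the audit is meant to catch, unrestricted ingress on SSH/RDP. The OU id, audit security group id and sample rules are constructed placeholders.

```python
"""Firewall Manager security-group content-audit policy for a Shared VPC,
plus an offline pre-check of candidate SG rules. Added example, not the
post's code; ids below are constructed placeholders, not real resources."""
import ipaddress
import json

FMS_TARGET_OU = "ou-placeholder-0000"       # constructed placeholder OU id
AUDIT_SG_ID = "sg-0000000000audit00"         # constructed placeholder: baseline SG in the host account


def build_sg_audit_policy(audit_sg_id: str, ou_id: str, remediate: bool = True) -> dict:
    """Return the Policy argument for boto3 fms.put_policy(Policy=...).

    With securityGroupAction ALLOW, every rule in an in-scope SG must fall
    within the rules of the audit SG; anything broader is noncompliant and,
    with RemediationEnabled, is removed by FMS in participant accounts."""
    managed = {
        "type": "SECURITY_GROUPS_CONTENT_AUDIT",
        "securityGroups": [{"id": audit_sg_id}],
        "securityGroupAction": {"type": "ALLOW"},
    }
    return {
        "PolicyName": "shared-vpc-sg-baseline",
        "SecurityServicePolicyData": {
            "Type": "SECURITY_GROUPS_CONTENT_AUDIT",
            "ManagedServiceData": json.dumps(managed),  # FMS expects a JSON string here
        },
        "ResourceType": "AWS::EC2::SecurityGroup",
        "ExcludeResourceTags": False,
        "RemediationEnabled": remediate,
        "IncludeMap": {"ORG_UNIT": [ou_id]},  # scope: accounts under this OU
    }


def find_unrestricted_ingress(rules, sensitive_ports=(22, 3389)) -> list:
    """Report (port, cidr) pairs where an ingress rule opens a sensitive port
    to 0.0.0.0/0 or ::/0. Rules are shaped like EC2 IpPermissions entries;
    absent FromPort/ToPort (IpProtocol "-1") means all ports."""
    findings = []
    for r in rules:
        if r.get("IpProtocol") in ("icmp", "icmpv6"):
            continue  # ICMP type/code fields are not TCP/UDP ports
        lo, hi = r.get("FromPort", 0), r.get("ToPort", 65535)
        cidrs = [x["CidrIp"] for x in r.get("IpRanges", [])]
        cidrs += [x["CidrIpv6"] for x in r.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.extend((p, cidr) for p in sensitive_ports if lo <= p <= hi)
    return findings


# Constructed sample rules, as a participant account might create them.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]
```

Running find_unrestricted_ingress(SAMPLE_RULES) flags the SSH rule open to 0.0.0.0/0 and the all-ports IPv6 rule on both 22 and 3389; the HTTPS rule scoped to 10.0.0.0/16 passes.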

5. Best Practices for FMS in Shared VPCs

  • Designate a dedicated Security Administrator Account with FMS admin privileges.
  • Deploy Network Firewall in dedicated inspection subnets within the host account.
  • Apply security group policies that define baseline ingress/egress templates for all workloads.
  • Enable auto-remediation for SG and WAF noncompliance to reduce drift.
  • Integrate FMS with Security Hub and CloudWatch for unified visibility and alerting.
  • Regularly audit RAM sharing configuration to ensure correct subnet and SG exposure.

© 2025 — AWS Firewall Manager & Shared VPC Security Architecture Reference
