Upload File

aws network firewall · 2021. 1. 13. · token, network firewall performs your updates regardless...

  • Home
  • Documents
  • AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional
171
AWS Network Firewall API Reference API Version 2020-11-12

Upload: others

Post on 24-Jan-2021

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network FirewallAPI Reference

API Version 2020-11-12

Page 2: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

AWS Network Firewall: API ReferenceCopyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is notAmazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages ordiscredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who mayor may not be affiliated with, connected to, or sponsored by Amazon.

Page 3: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

Table of ContentsWelcome .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Actions .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

AssociateFirewallPolicy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

AssociateSubnets .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

CreateFirewall ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

CreateFirewallPolicy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

CreateRuleGroup .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

DeleteFirewall ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

DeleteFirewallPolicy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

DeleteResourcePolicy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

API Version 2020-11-12iii

Page 4: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

DeleteRuleGroup .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

DescribeFirewall ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

DescribeFirewallPolicy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

DescribeLoggingConfiguration .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

DescribeResourcePolicy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

DescribeRuleGroup .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

DisassociateSubnets .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

ListFirewallPolicies ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

API Version 2020-11-12iv

Page 5: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

ListFirewalls ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

ListRuleGroups .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

ListTagsForResource .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

PutResourcePolicy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

TagResource .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

UntagResource .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

UpdateFirewallDeleteProtection .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

UpdateFirewallDescription .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

UpdateFirewallPolicy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

API Version 2020-11-12v

Page 6: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

UpdateFirewallPolicyChangeProtection .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

UpdateLoggingConfiguration .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

UpdateRuleGroup .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

UpdateSubnetChangeProtection .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Data Types .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110ActionDefinition .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Address .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Attachment .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

CustomAction .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Dimension .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Firewall ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

FirewallMetadata .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

FirewallPolicy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

API Version 2020-11-12vi

Page 7: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122FirewallPolicyMetadata .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

FirewallPolicyResponse .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

FirewallStatus .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Header .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

IPSet .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

LogDestinationConfig .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

LoggingConfiguration .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

MatchAttributes .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

PerObjectStatus .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

PortRange .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

PortSet .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

PublishMetricAction .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

RuleDefinition .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

RuleGroup .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

RuleGroupMetadata .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

RuleGroupResponse .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

RuleOption .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

RulesSource .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

RulesSourceList ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

API Version 2020-11-12vii

Page 8: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148RuleVariables .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

StatefulRule .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

StatefulRuleGroupReference .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

StatelessRule .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

StatelessRuleGroupReference .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

StatelessRulesAndCustomActions .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

SubnetMapping .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

SyncState .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Tag .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

TCPFlagField .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Common Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160Common Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

API Version 2020-11-12viii

Page 9: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

WelcomeThis is the API Reference for AWS Network Firewall. This guide is for developers who need detailedinformation about the Network Firewall API actions, data types, and errors.

• The REST API requires you to handle connection details, such as calculating signatures, handlingrequest retries, and error handling. For general information about using the AWS REST APIs, see AWSAPIs.

To access Network Firewall using the REST API endpoint: https://network-firewall.<region>.amazonaws.com

• Alternatively, you can use one of the AWS SDKs to access an API that's tailored to the programminglanguage or platform that you're using. For more information, see AWS SDKs.

• For descriptions of Network Firewall features, including and step-by-step instructions on how to usethem through the Network Firewall console, see the Network Firewall Developer Guide.

Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention servicefor Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at theperimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway,NAT gateway, or over VPN or AWS Direct Connect. Network Firewall uses rules that are compatible withSuricata, a free, open source intrusion detection system (IDS) engine. AWS Network Firewall supportsSuricata version 5.0.2. For information about Suricata, see the Suricata website.

You can use Network Firewall to monitor and protect your VPC traffic in a number of ways. The followingare just a few examples:

• Allow domains or IP addresses for known AWS service endpoints, such as Amazon S3, and block allother forms of traffic.

• Use custom lists of known bad domains to limit the types of domain names that your applications canaccess.

• Perform deep packet inspection on traffic entering or leaving your VPC.

• Use stateful protocol detection to filter protocols like HTTPS, regardless of the port used.

To enable Network Firewall for your VPCs, you perform steps in both Amazon VPC and in NetworkFirewall. For information about using Amazon VPC, see Amazon VPC User Guide.

To start using Network Firewall, do the following:

1. (Optional) If you don't already have a VPC that you want to protect, create it in Amazon VPC.

2. In Amazon VPC, in each Availability Zone where you want to have a firewall endpoint, create a subnetfor the sole use of Network Firewall.

3. In Network Firewall, create stateless and stateful rule groups, to define the components of thenetwork traffic filtering behavior that you want your firewall to have.

4. In Network Firewall, create a firewall policy that uses your rule groups and specifies additional defaulttraffic filtering behavior.

5. In Network Firewall, create a firewall and specify your new firewall policy and VPC subnets. NetworkFirewall creates a firewall endpoint in each subnet that you specify, with the behavior that's defined inthe firewall policy.

6. In Amazon VPC, use ingress routing enhancements to route traffic through the new firewall endpoints.

API Version 2020-11-121

https://docs.aws.amazon.com/general/latest/gr/aws-apis.html
https://docs.aws.amazon.com/general/latest/gr/aws-apis.html
http://aws.amazon.com/tools/#SDKs
https://docs.aws.amazon.com/network-firewall/latest/developerguide/
https://suricata-ids.org/
https://docs.aws.amazon.com/vpc/latest/userguide/
Page 10: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

This document was last published on May 29, 2021.

API Version 2020-11-122

Page 11: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

ActionsThe following actions are supported:

• AssociateFirewallPolicy (p. 4)• AssociateSubnets (p. 8)• CreateFirewall (p. 12)• CreateFirewallPolicy (p. 17)• CreateRuleGroup (p. 21)• DeleteFirewall (p. 27)• DeleteFirewallPolicy (p. 31)• DeleteResourcePolicy (p. 34)• DeleteRuleGroup (p. 36)• DescribeFirewall (p. 39)• DescribeFirewallPolicy (p. 43)• DescribeLoggingConfiguration (p. 47)• DescribeResourcePolicy (p. 50)• DescribeRuleGroup (p. 52)• DisassociateSubnets (p. 57)• ListFirewallPolicies (p. 61)• ListFirewalls (p. 64)• ListRuleGroups (p. 67)• ListTagsForResource (p. 70)• PutResourcePolicy (p. 73)• TagResource (p. 76)• UntagResource (p. 78)• UpdateFirewallDeleteProtection (p. 80)• UpdateFirewallDescription (p. 84)• UpdateFirewallPolicy (p. 88)• UpdateFirewallPolicyChangeProtection (p. 92)• UpdateLoggingConfiguration (p. 96)• UpdateRuleGroup (p. 100)• UpdateSubnetChangeProtection (p. 106)

API Version 2020-11-123

Page 12: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceAssociateFirewallPolicy

AssociateFirewallPolicyAssociates a FirewallPolicy (p. 121) to a Firewall (p. 117).

A firewall policy defines how to monitor and manage your VPC network traffic, using a collection ofinspection rule groups and other settings. Each firewall requires one firewall policy association, and youcan use the same firewall policy for multiple firewalls.

Request Syntax{ "FirewallArn": "string", "FirewallName": "string", "FirewallPolicyArn": "string", "UpdateToken": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

FirewallArn (p. 4)

The Amazon Resource Name (ARN) of the firewall.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallName (p. 4)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: NoFirewallPolicyArn (p. 4)

The Amazon Resource Name (ARN) of the firewall policy.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

API Version 2020-11-124

Page 13: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

Pattern: ^arn:aws.*

Required: YesUpdateToken (p. 4)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Required: No

Response Syntax{ "FirewallArn": "string", "FirewallName": "string", "FirewallPolicyArn": "string", "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FirewallArn (p. 5)

The Amazon Resource Name (ARN) of the firewall.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*FirewallName (p. 5)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

API Version 2020-11-125

Page 14: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceErrors

Pattern: ^[a-zA-Z0-9-]+$FirewallPolicyArn (p. 5)

The Amazon Resource Name (ARN) of the firewall policy.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*UpdateToken (p. 5)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidOperationException

The operation failed because it's not valid. For example, you might have tried to delete a rule groupor firewall policy that's in use.

HTTP Status Code: 400InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400

API Version 2020-11-126

Page 15: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

InvalidTokenException

The token you provided is stale or isn't valid for the operation.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-127

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/AssociateFirewallPolicy
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/AssociateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/AssociateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/AssociateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/AssociateFirewallPolicy
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/AssociateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/AssociateFirewallPolicy
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/AssociateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/AssociateFirewallPolicy
Page 16: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceAssociateSubnets

AssociateSubnetsAssociates the specified subnets in the Amazon VPC to the firewall. You can specify one subnet for eachof the Availability Zones that the VPC spans.

This request creates an AWS Network Firewall firewall endpoint in each of the subnets. To enable thefirewall's protections, you must also modify the VPC's route tables for each subnet's Availability Zone, toredirect the traffic that's coming into and going out of the zone through the firewall endpoint.

Request Syntax{ "FirewallArn": "string", "FirewallName": "string", "SubnetMappings": [ { "SubnetId": "string" } ], "UpdateToken": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

FirewallArn (p. 8)

The Amazon Resource Name (ARN) of the firewall.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallName (p. 8)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: NoSubnetMappings (p. 8)

The IDs of the subnets that you want to associate with the firewall.

API Version 2020-11-128

Page 17: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

Type: Array of SubnetMapping (p. 156) objects

Required: YesUpdateToken (p. 8)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Required: No

Response Syntax{ "FirewallArn": "string", "FirewallName": "string", "SubnetMappings": [ { "SubnetId": "string" } ], "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FirewallArn (p. 9)

The Amazon Resource Name (ARN) of the firewall.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*FirewallName (p. 9)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

API Version 2020-11-129

Page 18: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceErrors

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$SubnetMappings (p. 9)

The IDs of the subnets that are associated with the firewall.

Type: Array of SubnetMapping (p. 156) objectsUpdateToken (p. 9)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InsufficientCapacityException

AWS doesn't currently have enough available capacity to fulfill your request. Try your request later.

HTTP Status Code: 500InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidOperationException

The operation failed because it's not valid. For example, you might have tried to delete a rule groupor firewall policy that's in use.

HTTP Status Code: 400InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.

API Version 2020-11-1210

Page 19: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400InvalidTokenException

The token you provided is stale or isn't valid for the operation.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1211

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/AssociateSubnets
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/AssociateSubnets
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/AssociateSubnets
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/AssociateSubnets
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/AssociateSubnets
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/AssociateSubnets
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/AssociateSubnets
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/AssociateSubnets
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/AssociateSubnets
Page 20: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceCreateFirewall

CreateFirewallCreates an AWS Network Firewall Firewall (p. 117) and accompanying FirewallStatus (p. 126) for aVPC.

The firewall defines the configuration settings for an AWS Network Firewall firewall. The settings thatyou can define at creation include the firewall policy, the subnets in your VPC to use for the firewallendpoints, and any tags that are attached to the firewall AWS resource.

After you create a firewall, you can provide additional settings, like the logging configuration.

To update the settings for a firewall, you use the operations that apply to the settingsthemselves, for example UpdateLoggingConfiguration (p. 96), AssociateSubnets (p. 8), andUpdateFirewallDeleteProtection (p. 80).

To manage a firewall's tags, use the standard AWS resource tagging operations,ListTagsForResource (p. 70), TagResource (p. 76), and UntagResource (p. 78).

To retrieve information about firewalls, use ListFirewalls (p. 64) and DescribeFirewall (p. 39).

Request Syntax{ "DeleteProtection": boolean, "Description": "string", "FirewallName": "string", "FirewallPolicyArn": "string", "FirewallPolicyChangeProtection": boolean, "SubnetChangeProtection": boolean, "SubnetMappings": [ { "SubnetId": "string" } ], "Tags": [ { "Key": "string", "Value": "string" } ], "VpcId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

DeleteProtection (p. 12)

A flag indicating whether it is possible to delete the firewall. A setting of TRUE indicates that thefirewall is protected against deletion. Use this setting to protect against accidentally deleting afirewall that is in use. When you create a firewall, the operation initializes this flag to TRUE.

Type: Boolean

Required: No

API Version 2020-11-1212

Page 21: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRequest Parameters

Description (p. 12)

A description of the firewall.

Type: String

Length Constraints: Maximum length of 512.

Pattern: ^.*$

Required: NoFirewallName (p. 12)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: YesFirewallPolicyArn (p. 12)

The Amazon Resource Name (ARN) of the FirewallPolicy (p. 121) that you want to use for thefirewall.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: YesFirewallPolicyChangeProtection (p. 12)

A setting indicating whether the firewall is protected against a change to the firewall policyassociation. Use this setting to protect against accidentally modifying the firewall policy for afirewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.

Type: Boolean

Required: NoSubnetChangeProtection (p. 12)

A setting indicating whether the firewall is protected against changes to the subnet associations. Usethis setting to protect against accidentally modifying the subnet associations for a firewall that is inuse. When you create a firewall, the operation initializes this setting to TRUE.

Type: Boolean

Required: NoSubnetMappings (p. 12)

The public subnets to use for your Network Firewall firewalls. Each subnet must belong to a differentAvailability Zone in the VPC. Network Firewall creates a firewall endpoint in each subnet.

Type: Array of SubnetMapping (p. 156) objects

Required: Yes

API Version 2020-11-1213

Page 22: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

Tags (p. 12)

The key:value pairs to associate with the resource.

Type: Array of Tag (p. 158) objects

Array Members: Minimum number of 1 item. Maximum number of 200 items.

Required: NoVpcId (p. 12)

The unique identifier of the VPC where Network Firewall should create the firewall.

You can't change this setting after you create the firewall.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^vpc-[0-9a-f]+$

Required: Yes

Response Syntax{ "Firewall": { "DeleteProtection": boolean, "Description": "string", "FirewallArn": "string", "FirewallId": "string", "FirewallName": "string", "FirewallPolicyArn": "string", "FirewallPolicyChangeProtection": boolean, "SubnetChangeProtection": boolean, "SubnetMappings": [ { "SubnetId": "string" } ], "Tags": [ { "Key": "string", "Value": "string" } ], "VpcId": "string" }, "FirewallStatus": { "ConfigurationSyncStateSummary": "string", "Status": "string", "SyncStates": { "string" : { "Attachment": { "EndpointId": "string", "Status": "string", "SubnetId": "string" }, "Config": { "string" : { "SyncStatus": "string", "UpdateToken": "string"

API Version 2020-11-1214

Page 23: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Elements

} } } } }}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Firewall (p. 14)

The configuration settings for the firewall. These settings include the firewall policy and the subnetsin your VPC to use for the firewall endpoints.

Type: Firewall (p. 117) objectFirewallStatus (p. 14)

Detailed information about the current status of a Firewall (p. 117). You can retrieve this for afirewall by calling DescribeFirewall (p. 39) and providing the firewall name and ARN.

Type: FirewallStatus (p. 126) object

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InsufficientCapacityException

AWS doesn't currently have enough available capacity to fulfill your request. Try your request later.

HTTP Status Code: 500InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidOperationException

The operation failed because it's not valid. For example, you might have tried to delete a rule groupor firewall policy that's in use.

HTTP Status Code: 400InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400

API Version 2020-11-1215

Page 24: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

LimitExceededException

Unable to perform the operation because doing so would violate a limit setting.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1216

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/CreateFirewall
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/CreateFirewall
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/CreateFirewall
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/CreateFirewall
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/CreateFirewall
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/CreateFirewall
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/CreateFirewall
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/CreateFirewall
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/CreateFirewall
Page 25: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceCreateFirewallPolicy

CreateFirewallPolicyCreates the firewall policy for the firewall according to the specifications.

An AWS Network Firewall firewall policy defines the behavior of a firewall, in a collection of stateless andstateful rule groups and other settings. You can use one firewall policy for multiple firewalls.

Request Syntax{ "Description": "string", "DryRun": boolean, "FirewallPolicy": { "StatefulRuleGroupReferences": [ { "ResourceArn": "string" } ], "StatelessCustomActions": [ { "ActionDefinition": { "PublishMetricAction": { "Dimensions": [ { "Value": "string" } ] } }, "ActionName": "string" } ], "StatelessDefaultActions": [ "string" ], "StatelessFragmentDefaultActions": [ "string" ], "StatelessRuleGroupReferences": [ { "Priority": number, "ResourceArn": "string" } ] }, "FirewallPolicyName": "string", "Tags": [ { "Key": "string", "Value": "string" } ]}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

Description (p. 17)

A description of the firewall policy.

API Version 2020-11-1217

Page 26: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

Type: String

Length Constraints: Maximum length of 512.

Pattern: ^.*$

Required: NoDryRun (p. 17)

Indicates whether you want Network Firewall to just check the validity of the request, rather thanrun the request.

If set to TRUE, Network Firewall checks whether the request can run successfully, but doesn'tactually make the requested changes. The call returns the value that the request would return ifyou ran it with dry run set to FALSE, but doesn't make additions or changes to your resources. Thisoption allows you to make sure that you have the required permissions to run the request and thatyour request parameters are valid.

If set to FALSE, Network Firewall makes the requested changes to your resources.

Type: Boolean

Required: NoFirewallPolicy (p. 17)

The rule groups and policy actions to use in the firewall policy.

Type: FirewallPolicy (p. 121) object

Required: YesFirewallPolicyName (p. 17)

The descriptive name of the firewall policy. You can't change the name of a firewall policy after youcreate it.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: YesTags (p. 17)

The key:value pairs to associate with the resource.

Type: Array of Tag (p. 158) objects

Array Members: Minimum number of 1 item. Maximum number of 200 items.

Required: No

Response Syntax{ "FirewallPolicyResponse": { "Description": "string",

API Version 2020-11-1218

Page 27: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Elements

"FirewallPolicyArn": "string", "FirewallPolicyId": "string", "FirewallPolicyName": "string", "FirewallPolicyStatus": "string", "Tags": [ { "Key": "string", "Value": "string" } ] }, "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FirewallPolicyResponse (p. 18)

The high-level properties of a firewall policy. This, along with the FirewallPolicy (p. 121), define thepolicy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy (p. 43).

Type: FirewallPolicyResponse (p. 124) objectUpdateToken (p. 18)

A token used for optimistic locking. Network Firewall returns a token to your requests that accessthe firewall policy. The token marks the state of the policy resource at the time of the request.

To make changes to the policy, you provide the token in your request. Network Firewall uses thetoken to ensure that the policy hasn't changed since you last retrieved it. If it has changed, theoperation fails with an InvalidTokenException. If this happens, retrieve the firewall policyagain to get a current copy of it with current token. Reapply your changes as needed, then try theoperation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InsufficientCapacityException

AWS doesn't currently have enough available capacity to fulfill your request. Try your request later.

HTTP Status Code: 500InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500

API Version 2020-11-1219

Page 28: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400LimitExceededException

Unable to perform the operation because doing so would violate a limit setting.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1220

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/CreateFirewallPolicy
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/CreateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/CreateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/CreateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/CreateFirewallPolicy
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/CreateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/CreateFirewallPolicy
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/CreateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/CreateFirewallPolicy
Page 29: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceCreateRuleGroup

CreateRuleGroupCreates the specified stateless or stateful rule group, which includes the rules for network trafficinspection, a capacity setting, and tags.

You provide your rule group specification in your request using either RuleGroup or Rules.

Request Syntax{ "Capacity": number, "Description": "string", "DryRun": boolean, "RuleGroup": { "RulesSource": { "RulesSourceList": { "GeneratedRulesType": "string", "Targets": [ "string" ], "TargetTypes": [ "string" ] }, "RulesString": "string", "StatefulRules": [ { "Action": "string", "Header": { "Destination": "string", "DestinationPort": "string", "Direction": "string", "Protocol": "string", "Source": "string", "SourcePort": "string" }, "RuleOptions": [ { "Keyword": "string", "Settings": [ "string" ] } ] } ], "StatelessRulesAndCustomActions": { "CustomActions": [ { "ActionDefinition": { "PublishMetricAction": { "Dimensions": [ { "Value": "string" } ] } }, "ActionName": "string" } ], "StatelessRules": [ { "Priority": number, "RuleDefinition": { "Actions": [ "string" ], "MatchAttributes": { "DestinationPorts": [

API Version 2020-11-1221

Page 30: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRequest Parameters

{ "FromPort": number, "ToPort": number } ], "Destinations": [ { "AddressDefinition": "string" } ], "Protocols": [ number ], "SourcePorts": [ { "FromPort": number, "ToPort": number } ], "Sources": [ { "AddressDefinition": "string" } ], "TCPFlags": [ { "Flags": [ "string" ], "Masks": [ "string" ] } ] } } } ] } }, "RuleVariables": { "IPSets": { "string" : { "Definition": [ "string" ] } }, "PortSets": { "string" : { "Definition": [ "string" ] } } } }, "RuleGroupName": "string", "Rules": "string", "Tags": [ { "Key": "string", "Value": "string" } ], "Type": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

API Version 2020-11-1222

Page 31: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRequest Parameters

Capacity (p. 21)

The maximum operating resources that this rule group can use. Rule group capacity is fixed atcreation. When you update a rule group, you are limited to this capacity. When you reference a rulegroup from a firewall policy, Network Firewall reserves this capacity for the rule group.

You can retrieve the capacity that would be required for a rule group before you create the rulegroup by calling CreateRuleGroup (p. 21) with DryRun set to TRUE.

NoteYou can't change or exceed this capacity when you update the rule group, so leave room foryour rule group to grow.

Capacity for a stateless rule group

For a stateless rule group, the capacity required is the sum of the capacity requirements of theindividual rules that you expect to have in the rule group.

To calculate the capacity requirement of a single rule, multiply the capacity requirement values ofeach of the rule's match settings:• A match setting with no criteria specified has a value of 1.• A match setting with Any specified has a value of 1.• All other match settings have a value equal to the number of elements provided in the

setting. For example, a protocol setting ["UDP"] and a source setting ["10.0.0.0/24"]each have a value of 1. A protocol setting ["UDP","TCP"] has a value of 2. A source setting["10.0.0.0/24","10.0.0.1/24","10.0.0.2/24"] has a value of 3.

A rule with no criteria specified in any of its match settings has a capacity requirement of 1. A rulewith protocol setting ["UDP","TCP"], source setting ["10.0.0.0/24","10.0.0.1/24","10.0.0.2/24"],and a single specification or no specification for each of the other match settings has a capacityrequirement of 6.

Capacity for a stateful rule group

For a stateful rule group, the minimum capacity required is the number of individual rules that youexpect to have in the rule group.

Type: Integer

Required: YesDescription (p. 21)

A description of the rule group.

Type: String

Length Constraints: Maximum length of 512.

Pattern: ^.*$

Required: NoDryRun (p. 21)

Indicates whether you want Network Firewall to just check the validity of the request, rather thanrun the request.

If set to TRUE, Network Firewall checks whether the request can run successfully, but doesn'tactually make the requested changes. The call returns the value that the request would return ifyou ran it with dry run set to FALSE, but doesn't make additions or changes to your resources. This

API Version 2020-11-1223

Page 32: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRequest Parameters

option allows you to make sure that you have the required permissions to run the request and thatyour request parameters are valid.

If set to FALSE, Network Firewall makes the requested changes to your resources.

Type: Boolean

Required: NoRuleGroup (p. 21)

An object that defines the rule group rules.

NoteYou must provide either this rule group setting or a Rules setting, but not both.

Type: RuleGroup (p. 142) object

Required: NoRuleGroupName (p. 21)

The descriptive name of the rule group. You can't change the name of a rule group after you createit.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: YesRules (p. 21)

A string containing stateful rule group rules specifications in Suricata flat format, with one rule perline. Use this to import your existing Suricata compatible rule groups.

NoteYou must provide either this rules setting or a populated RuleGroup setting, but not both.

You can provide your rule group specification in Suricata flat format through this setting whenyou create or update your rule group. The call response returns a RuleGroup (p. 142) object thatNetwork Firewall has populated from your string.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 1000000.

Required: NoTags (p. 21)

The key:value pairs to associate with the resource.

Type: Array of Tag (p. 158) objects

Array Members: Minimum number of 1 item. Maximum number of 200 items.

Required: NoType (p. 21)

Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it containsstateless rules. If it is stateful, it contains stateful rules.

Type: String

API Version 2020-11-1224

Page 33: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

Valid Values: STATELESS | STATEFUL

Required: Yes

Response Syntax{ "RuleGroupResponse": { "Capacity": number, "Description": "string", "RuleGroupArn": "string", "RuleGroupId": "string", "RuleGroupName": "string", "RuleGroupStatus": "string", "Tags": [ { "Key": "string", "Value": "string" } ], "Type": "string" }, "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

RuleGroupResponse (p. 25)

The high-level properties of a rule group. This, along with the RuleGroup (p. 142), define the rulegroup. You can retrieve all objects for a rule group by calling DescribeRuleGroup (p. 52).

Type: RuleGroupResponse (p. 144) objectUpdateToken (p. 25)

A token used for optimistic locking. Network Firewall returns a token to your requests that accessthe rule group. The token marks the state of the rule group resource at the time of the request.

To make changes to the rule group, you provide the token in your request. Network Firewall uses thetoken to ensure that the rule group hasn't changed since you last retrieved it. If it has changed, theoperation fails with an InvalidTokenException. If this happens, retrieve the rule group again toget a current copy of it with a current token. Reapply your changes as needed, then try the operationagain using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

API Version 2020-11-1225

Page 34: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

InsufficientCapacityException

AWS doesn't currently have enough available capacity to fulfill your request. Try your request later.

HTTP Status Code: 500InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400LimitExceededException

Unable to perform the operation because doing so would violate a limit setting.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1226

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/CreateRuleGroup
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/CreateRuleGroup
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/CreateRuleGroup
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/CreateRuleGroup
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/CreateRuleGroup
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/CreateRuleGroup
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/CreateRuleGroup
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/CreateRuleGroup
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/CreateRuleGroup
Page 35: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceDeleteFirewall

DeleteFirewallDeletes the specified Firewall (p. 117) and its FirewallStatus (p. 126). This operation requires thefirewall's DeleteProtection flag to be FALSE. You can't revert this operation.

You can check whether a firewall is in use by reviewing the route tables for the Availability Zones whereyou have firewall subnet mappings. Retrieve the subnet mappings by calling DescribeFirewall (p. 39).You define and update the route tables through Amazon VPC. As needed, update the route tables for thezones to remove the firewall endpoints. When the route tables no longer use the firewall endpoints, youcan remove the firewall safely.

To delete a firewall, remove the delete protection if you need to usingUpdateFirewallDeleteProtection (p. 80), then delete the firewall by calling DeleteFirewall (p. 27).

Request Syntax

{ "FirewallArn": "string", "FirewallName": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

FirewallArn (p. 27)

The Amazon Resource Name (ARN) of the firewall.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: No

FirewallName (p. 27)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: No

API Version 2020-11-1227

Page 36: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

Response Syntax{ "Firewall": { "DeleteProtection": boolean, "Description": "string", "FirewallArn": "string", "FirewallId": "string", "FirewallName": "string", "FirewallPolicyArn": "string", "FirewallPolicyChangeProtection": boolean, "SubnetChangeProtection": boolean, "SubnetMappings": [ { "SubnetId": "string" } ], "Tags": [ { "Key": "string", "Value": "string" } ], "VpcId": "string" }, "FirewallStatus": { "ConfigurationSyncStateSummary": "string", "Status": "string", "SyncStates": { "string" : { "Attachment": { "EndpointId": "string", "Status": "string", "SubnetId": "string" }, "Config": { "string" : { "SyncStatus": "string", "UpdateToken": "string" } } } } }}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Firewall (p. 28)

The firewall defines the configuration settings for an AWS Network Firewall firewall. These settingsinclude the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tagsthat are attached to the firewall AWS resource.

The status of the firewall, for example whether it's ready to filter network traffic, is providedin the corresponding FirewallStatus (p. 126). You can retrieve both objects by callingDescribeFirewall (p. 39).

API Version 2020-11-1228

Page 37: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceErrors

Type: Firewall (p. 117) objectFirewallStatus (p. 28)

Detailed information about the current status of a Firewall (p. 117). You can retrieve this for afirewall by calling DescribeFirewall (p. 39) and providing the firewall name and ARN.

Type: FirewallStatus (p. 126) object

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidOperationException

The operation failed because it's not valid. For example, you might have tried to delete a rule groupor firewall policy that's in use.

HTTP Status Code: 400InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400UnsupportedOperationException

The operation you requested isn't supported by Network Firewall.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET

API Version 2020-11-1229

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/DeleteFirewall
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/DeleteFirewall
Page 38: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1230

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/DeleteFirewall
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/DeleteFirewall
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/DeleteFirewall
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/DeleteFirewall
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/DeleteFirewall
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/DeleteFirewall
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/DeleteFirewall
Page 39: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceDeleteFirewallPolicy

DeleteFirewallPolicyDeletes the specified FirewallPolicy (p. 121).

Request Syntax{ "FirewallPolicyArn": "string", "FirewallPolicyName": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

FirewallPolicyArn (p. 31)

The Amazon Resource Name (ARN) of the firewall policy.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallPolicyName (p. 31)

The descriptive name of the firewall policy. You can't change the name of a firewall policy after youcreate it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: No

Response Syntax{ "FirewallPolicyResponse": { "Description": "string", "FirewallPolicyArn": "string", "FirewallPolicyId": "string", "FirewallPolicyName": "string", "FirewallPolicyStatus": "string", "Tags": [

API Version 2020-11-1231

Page 40: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Elements

{ "Key": "string", "Value": "string" } ] }}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FirewallPolicyResponse (p. 31)

The object containing the definition of the FirewallPolicyResponse (p. 124) that you asked todelete.

Type: FirewallPolicyResponse (p. 124) object

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidOperationException

The operation failed because it's not valid. For example, you might have tried to delete a rule groupor firewall policy that's in use.

HTTP Status Code: 400InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

API Version 2020-11-1232

Page 41: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

UnsupportedOperationException

The operation you requested isn't supported by Network Firewall.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1233

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/DeleteFirewallPolicy
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/DeleteFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/DeleteFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/DeleteFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/DeleteFirewallPolicy
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/DeleteFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/DeleteFirewallPolicy
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/DeleteFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/DeleteFirewallPolicy
Page 42: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceDeleteResourcePolicy

DeleteResourcePolicyDeletes a resource policy that you created in a PutResourcePolicy (p. 73) request.

Request Syntax{ "ResourceArn": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

ResourceArn (p. 34)

The Amazon Resource Name (ARN) of the rule group or firewall policy whose resource policy youwant to delete.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400

API Version 2020-11-1234

Page 43: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1235

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/DeleteResourcePolicy
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/DeleteResourcePolicy
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/DeleteResourcePolicy
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/DeleteResourcePolicy
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/DeleteResourcePolicy
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/DeleteResourcePolicy
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/DeleteResourcePolicy
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/DeleteResourcePolicy
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/DeleteResourcePolicy
Page 44: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceDeleteRuleGroup

DeleteRuleGroupDeletes the specified RuleGroup (p. 142).

Request Syntax{ "RuleGroupArn": "string", "RuleGroupName": "string", "Type": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

RuleGroupArn (p. 36)

The Amazon Resource Name (ARN) of the rule group.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoRuleGroupName (p. 36)

The descriptive name of the rule group. You can't change the name of a rule group after you createit.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: NoType (p. 36)

Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it containsstateless rules. If it is stateful, it contains stateful rules.

NoteThis setting is required for requests that do not include the RuleGroupARN.

Type: String

Valid Values: STATELESS | STATEFUL

API Version 2020-11-1236

Page 45: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

Required: No

Response Syntax{ "RuleGroupResponse": { "Capacity": number, "Description": "string", "RuleGroupArn": "string", "RuleGroupId": "string", "RuleGroupName": "string", "RuleGroupStatus": "string", "Tags": [ { "Key": "string", "Value": "string" } ], "Type": "string" }}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

RuleGroupResponse (p. 37)

The high-level properties of a rule group. This, along with the RuleGroup (p. 142), define the rulegroup. You can retrieve all objects for a rule group by calling DescribeRuleGroup (p. 52).

Type: RuleGroupResponse (p. 144) object

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidOperationException

The operation failed because it's not valid. For example, you might have tried to delete a rule groupor firewall policy that's in use.

HTTP Status Code: 400InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.

API Version 2020-11-1237

Page 46: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid inthe context of the request.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400UnsupportedOperationException

The operation you requested isn't supported by Network Firewall.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1238

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/DeleteRuleGroup
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/DeleteRuleGroup
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/DeleteRuleGroup
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/DeleteRuleGroup
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/DeleteRuleGroup
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/DeleteRuleGroup
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/DeleteRuleGroup
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/DeleteRuleGroup
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/DeleteRuleGroup
Page 47: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceDescribeFirewall

DescribeFirewallReturns the data objects for the specified firewall.

Request Syntax{ "FirewallArn": "string", "FirewallName": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

FirewallArn (p. 39)

The Amazon Resource Name (ARN) of the firewall.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallName (p. 39)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: No

Response Syntax{ "Firewall": { "DeleteProtection": boolean, "Description": "string", "FirewallArn": "string", "FirewallId": "string", "FirewallName": "string", "FirewallPolicyArn": "string", "FirewallPolicyChangeProtection": boolean, "SubnetChangeProtection": boolean,

API Version 2020-11-1239

Page 48: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Elements

"SubnetMappings": [ { "SubnetId": "string" } ], "Tags": [ { "Key": "string", "Value": "string" } ], "VpcId": "string" }, "FirewallStatus": { "ConfigurationSyncStateSummary": "string", "Status": "string", "SyncStates": { "string" : { "Attachment": { "EndpointId": "string", "Status": "string", "SubnetId": "string" }, "Config": { "string" : { "SyncStatus": "string", "UpdateToken": "string" } } } } }, "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Firewall (p. 39)

The configuration settings for the firewall. These settings include the firewall policy and the subnetsin your VPC to use for the firewall endpoints.

Type: Firewall (p. 117) objectFirewallStatus (p. 39)

Detailed information about the current status of a Firewall (p. 117). You can retrieve this for afirewall by calling DescribeFirewall (p. 39) and providing the firewall name and ARN.

Type: FirewallStatus (p. 126) objectUpdateToken (p. 39)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

API Version 2020-11-1240

Page 49: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceErrors

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3

API Version 2020-11-1241

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/DescribeFirewall
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/DescribeFirewall
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/DescribeFirewall
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/DescribeFirewall
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/DescribeFirewall
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/DescribeFirewall
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/DescribeFirewall
Page 50: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1242

https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/DescribeFirewall
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/DescribeFirewall
Page 51: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceDescribeFirewallPolicy

DescribeFirewallPolicyReturns the data objects for the specified firewall policy.

Request Syntax{ "FirewallPolicyArn": "string", "FirewallPolicyName": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

FirewallPolicyArn (p. 43)

The Amazon Resource Name (ARN) of the firewall policy.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallPolicyName (p. 43)

The descriptive name of the firewall policy. You can't change the name of a firewall policy after youcreate it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: No

Response Syntax{ "FirewallPolicy": { "StatefulRuleGroupReferences": [ { "ResourceArn": "string" } ], "StatelessCustomActions": [

API Version 2020-11-1243

Page 52: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Elements

{ "ActionDefinition": { "PublishMetricAction": { "Dimensions": [ { "Value": "string" } ] } }, "ActionName": "string" } ], "StatelessDefaultActions": [ "string" ], "StatelessFragmentDefaultActions": [ "string" ], "StatelessRuleGroupReferences": [ { "Priority": number, "ResourceArn": "string" } ] }, "FirewallPolicyResponse": { "Description": "string", "FirewallPolicyArn": "string", "FirewallPolicyId": "string", "FirewallPolicyName": "string", "FirewallPolicyStatus": "string", "Tags": [ { "Key": "string", "Value": "string" } ] }, "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FirewallPolicy (p. 43)

The policy for the specified firewall policy.

Type: FirewallPolicy (p. 121) objectFirewallPolicyResponse (p. 43)

The high-level properties of a firewall policy. This, along with the FirewallPolicy (p. 121), define thepolicy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy (p. 43).

Type: FirewallPolicyResponse (p. 124) objectUpdateToken (p. 43)

A token used for optimistic locking. Network Firewall returns a token to your requests that accessthe firewall policy. The token marks the state of the policy resource at the time of the request.

To make changes to the policy, you provide the token in your request. Network Firewall uses thetoken to ensure that the policy hasn't changed since you last retrieved it. If it has changed, the

API Version 2020-11-1244

Page 53: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceErrors

operation fails with an InvalidTokenException. If this happens, retrieve the firewall policyagain to get a current copy of it with current token. Reapply your changes as needed, then try theoperation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1245

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/DescribeFirewallPolicy
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/DescribeFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/DescribeFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/DescribeFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/DescribeFirewallPolicy
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/DescribeFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/DescribeFirewallPolicy
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/DescribeFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/DescribeFirewallPolicy
Page 54: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

API Version 2020-11-1246

Page 55: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceDescribeLoggingConfiguration

DescribeLoggingConfigurationReturns the logging configuration for the specified firewall.

Request Syntax{ "FirewallArn": "string", "FirewallName": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

FirewallArn (p. 47)

The Amazon Resource Name (ARN) of the firewall.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallName (p. 47)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: No

Response Syntax{ "FirewallArn": "string", "LoggingConfiguration": { "LogDestinationConfigs": [ { "LogDestination": { "string" : "string" }, "LogDestinationType": "string",

API Version 2020-11-1247

Page 56: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Elements

"LogType": "string" } ] }}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FirewallArn (p. 47)

The Amazon Resource Name (ARN) of the firewall.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*LoggingConfiguration (p. 47)

Defines how AWS Network Firewall performs logging for a Firewall (p. 117).

Type: LoggingConfiguration (p. 133) object

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

API Version 2020-11-1248

Page 57: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1249

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/DescribeLoggingConfiguration
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/DescribeLoggingConfiguration
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/DescribeLoggingConfiguration
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/DescribeLoggingConfiguration
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/DescribeLoggingConfiguration
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/DescribeLoggingConfiguration
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/DescribeLoggingConfiguration
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/DescribeLoggingConfiguration
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/DescribeLoggingConfiguration
Page 58: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceDescribeResourcePolicy

DescribeResourcePolicyRetrieves a resource policy that you created in a PutResourcePolicy (p. 73) request.

Request Syntax{ "ResourceArn": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

ResourceArn (p. 50)

The Amazon Resource Name (ARN) of the rule group or firewall policy whose resource policy youwant to retrieve.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: Yes

Response Syntax{ "Policy": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Policy (p. 50)

The AWS Identity and Access Management policy for the resource.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 395000.

Pattern: .*\S.*

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

API Version 2020-11-1250

Page 59: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1251

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/DescribeResourcePolicy
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/DescribeResourcePolicy
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/DescribeResourcePolicy
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/DescribeResourcePolicy
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/DescribeResourcePolicy
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/DescribeResourcePolicy
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/DescribeResourcePolicy
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/DescribeResourcePolicy
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/DescribeResourcePolicy
Page 60: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceDescribeRuleGroup

DescribeRuleGroupReturns the data objects for the specified rule group.

Request Syntax

{ "RuleGroupArn": "string", "RuleGroupName": "string", "Type": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

RuleGroupArn (p. 52)

The Amazon Resource Name (ARN) of the rule group.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: No

RuleGroupName (p. 52)

The descriptive name of the rule group. You can't change the name of a rule group after you createit.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: No

Type (p. 52)

Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it containsstateless rules. If it is stateful, it contains stateful rules.

NoteThis setting is required for requests that do not include the RuleGroupARN.

Type: String

API Version 2020-11-1252

Page 61: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

Valid Values: STATELESS | STATEFUL

Required: No

Response Syntax{ "RuleGroup": { "RulesSource": { "RulesSourceList": { "GeneratedRulesType": "string", "Targets": [ "string" ], "TargetTypes": [ "string" ] }, "RulesString": "string", "StatefulRules": [ { "Action": "string", "Header": { "Destination": "string", "DestinationPort": "string", "Direction": "string", "Protocol": "string", "Source": "string", "SourcePort": "string" }, "RuleOptions": [ { "Keyword": "string", "Settings": [ "string" ] } ] } ], "StatelessRulesAndCustomActions": { "CustomActions": [ { "ActionDefinition": { "PublishMetricAction": { "Dimensions": [ { "Value": "string" } ] } }, "ActionName": "string" } ], "StatelessRules": [ { "Priority": number, "RuleDefinition": { "Actions": [ "string" ], "MatchAttributes": { "DestinationPorts": [ { "FromPort": number, "ToPort": number } ], "Destinations": [ {

API Version 2020-11-1253

Page 62: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Elements

"AddressDefinition": "string" } ], "Protocols": [ number ], "SourcePorts": [ { "FromPort": number, "ToPort": number } ], "Sources": [ { "AddressDefinition": "string" } ], "TCPFlags": [ { "Flags": [ "string" ], "Masks": [ "string" ] } ] } } } ] } }, "RuleVariables": { "IPSets": { "string" : { "Definition": [ "string" ] } }, "PortSets": { "string" : { "Definition": [ "string" ] } } } }, "RuleGroupResponse": { "Capacity": number, "Description": "string", "RuleGroupArn": "string", "RuleGroupId": "string", "RuleGroupName": "string", "RuleGroupStatus": "string", "Tags": [ { "Key": "string", "Value": "string" } ], "Type": "string" }, "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

API Version 2020-11-1254

Page 63: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceErrors

RuleGroup (p. 53)

The object that defines the rules in a rule group. This, along with RuleGroupResponse (p. 144),define the rule group. You can retrieve all objects for a rule group by callingDescribeRuleGroup (p. 52).

AWS Network Firewall uses a rule group to inspect and control network traffic. You define statelessrule groups to inspect individual packets and you define stateful rule groups to inspect packets inthe context of their traffic flow.

To use a rule group, you include it by reference in an Network Firewall firewall policy, then you usethe policy in a firewall. You can reference a rule group from more than one firewall policy, and youcan use a firewall policy in more than one firewall.

Type: RuleGroup (p. 142) objectRuleGroupResponse (p. 53)

The high-level properties of a rule group. This, along with the RuleGroup (p. 142), define the rulegroup. You can retrieve all objects for a rule group by calling DescribeRuleGroup (p. 52).

Type: RuleGroupResponse (p. 144) objectUpdateToken (p. 53)

A token used for optimistic locking. Network Firewall returns a token to your requests that accessthe rule group. The token marks the state of the rule group resource at the time of the request.

To make changes to the rule group, you provide the token in your request. Network Firewall uses thetoken to ensure that the rule group hasn't changed since you last retrieved it. If it has changed, theoperation fails with an InvalidTokenException. If this happens, retrieve the rule group again toget a current copy of it with a current token. Reapply your changes as needed, then try the operationagain using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400

API Version 2020-11-1255

Page 64: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1256

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/DescribeRuleGroup
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/DescribeRuleGroup
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/DescribeRuleGroup
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/DescribeRuleGroup
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/DescribeRuleGroup
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/DescribeRuleGroup
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/DescribeRuleGroup
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/DescribeRuleGroup
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/DescribeRuleGroup
Page 65: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceDisassociateSubnets

DisassociateSubnetsRemoves the specified subnet associations from the firewall. This removes the firewall endpoints fromthe subnets and removes any network filtering protections that the endpoints were providing.

Request Syntax{ "FirewallArn": "string", "FirewallName": "string", "SubnetIds": [ "string" ], "UpdateToken": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

FirewallArn (p. 57)

The Amazon Resource Name (ARN) of the firewall.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallName (p. 57)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: NoSubnetIds (p. 57)

The unique identifiers for the subnets that you want to disassociate.

Type: Array of strings

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^subnet-[0-9a-f]+$

Required: Yes

API Version 2020-11-1257

Page 66: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

UpdateToken (p. 57)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Required: No

Response Syntax{ "FirewallArn": "string", "FirewallName": "string", "SubnetMappings": [ { "SubnetId": "string" } ], "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FirewallArn (p. 58)

The Amazon Resource Name (ARN) of the firewall.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*FirewallName (p. 58)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

API Version 2020-11-1258

Page 67: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceErrors

Pattern: ^[a-zA-Z0-9-]+$SubnetMappings (p. 58)

The IDs of the subnets that are associated with the firewall.

Type: Array of SubnetMapping (p. 156) objectsUpdateToken (p. 58)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidOperationException

The operation failed because it's not valid. For example, you might have tried to delete a rule groupor firewall policy that's in use.

HTTP Status Code: 400InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400InvalidTokenException

The token you provided is stale or isn't valid for the operation.

API Version 2020-11-1259

Page 68: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1260

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/DisassociateSubnets
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/DisassociateSubnets
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/DisassociateSubnets
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/DisassociateSubnets
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/DisassociateSubnets
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/DisassociateSubnets
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/DisassociateSubnets
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/DisassociateSubnets
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/DisassociateSubnets
Page 69: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceListFirewallPolicies

ListFirewallPoliciesRetrieves the metadata for the firewall policies that you have defined. Depending on your setting formax results and the number of firewall policies, a single call might not return the full list.

Request Syntax{ "MaxResults": number, "NextToken": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

MaxResults (p. 61)

The maximum number of objects that you want Network Firewall to return for this request. If moreobjects are available, in the response, Network Firewall provides a NextToken value that you canuse in a subsequent call to get the next batch of objects.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: NoNextToken (p. 61)

When you request a list of objects with a MaxResults setting, if the number of objects that are stillavailable for retrieval exceeds the maximum you requested, Network Firewall returns a NextTokenvalue in the response. To retrieve the next batch of objects, use the token returned from the priorrequest in your next request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Pattern: [0-9A-Za-z:\/+=]+$

Required: No

Response Syntax{ "FirewallPolicies": [ { "Arn": "string", "Name": "string" } ], "NextToken": "string"

API Version 2020-11-1261

Page 70: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Elements

}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FirewallPolicies (p. 61)

The metadata for the firewall policies. Depending on your setting for max results and the number offirewall policies that you have, this might not be the full list.

Type: Array of FirewallPolicyMetadata (p. 123) objectsNextToken (p. 61)

When you request a list of objects with a MaxResults setting, if the number of objects that are stillavailable for retrieval exceeds the maximum you requested, Network Firewall returns a NextTokenvalue in the response. To retrieve the next batch of objects, use the token returned from the priorrequest in your next request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Pattern: [0-9A-Za-z:\/+=]+$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

API Version 2020-11-1262

Page 71: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1263

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/ListFirewallPolicies
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/ListFirewallPolicies
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/ListFirewallPolicies
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/ListFirewallPolicies
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/ListFirewallPolicies
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/ListFirewallPolicies
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/ListFirewallPolicies
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/ListFirewallPolicies
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/ListFirewallPolicies
Page 72: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceListFirewalls

ListFirewallsRetrieves the metadata for the firewalls that you have defined. If you provide VPC identifiers in yourrequest, this returns only the firewalls for those VPCs.

Depending on your setting for max results and the number of firewalls, a single call might not return thefull list.

Request Syntax{ "MaxResults": number, "NextToken": "string", "VpcIds": [ "string" ]}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

MaxResults (p. 64)

The maximum number of objects that you want Network Firewall to return for this request. If moreobjects are available, in the response, Network Firewall provides a NextToken value that you canuse in a subsequent call to get the next batch of objects.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: NoNextToken (p. 64)

When you request a list of objects with a MaxResults setting, if the number of objects that are stillavailable for retrieval exceeds the maximum you requested, Network Firewall returns a NextTokenvalue in the response. To retrieve the next batch of objects, use the token returned from the priorrequest in your next request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Pattern: [0-9A-Za-z:\/+=]+$

Required: NoVpcIds (p. 64)

The unique identifiers of the VPCs that you want Network Firewall to retrieve the firewalls for. Leavethis blank to retrieve all firewalls that you have defined.

Type: Array of strings

Length Constraints: Minimum length of 1. Maximum length of 128.

API Version 2020-11-1264

Page 73: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

Pattern: ^vpc-[0-9a-f]+$

Required: No

Response Syntax{ "Firewalls": [ { "FirewallArn": "string", "FirewallName": "string" } ], "NextToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Firewalls (p. 65)

The firewall metadata objects for the VPCs that you specified. Depending on your setting for maxresults and the number of firewalls you have, a single call might not be the full list.

Type: Array of FirewallMetadata (p. 120) objectsNextToken (p. 65)

When you request a list of objects with a MaxResults setting, if the number of objects that are stillavailable for retrieval exceeds the maximum you requested, Network Firewall returns a NextTokenvalue in the response. To retrieve the next batch of objects, use the token returned from the priorrequest in your next request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Pattern: [0-9A-Za-z:\/+=]+$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.

API Version 2020-11-1265

Page 74: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1266

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/ListFirewalls
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/ListFirewalls
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/ListFirewalls
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/ListFirewalls
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/ListFirewalls
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/ListFirewalls
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/ListFirewalls
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/ListFirewalls
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/ListFirewalls
Page 75: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceListRuleGroups

ListRuleGroupsRetrieves the metadata for the rule groups that you have defined. Depending on your setting for maxresults and the number of rule groups, a single call might not return the full list.

Request Syntax{ "MaxResults": number, "NextToken": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

MaxResults (p. 67)

The maximum number of objects that you want Network Firewall to return for this request. If moreobjects are available, in the response, Network Firewall provides a NextToken value that you canuse in a subsequent call to get the next batch of objects.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: NoNextToken (p. 67)

When you request a list of objects with a MaxResults setting, if the number of objects that are stillavailable for retrieval exceeds the maximum you requested, Network Firewall returns a NextTokenvalue in the response. To retrieve the next batch of objects, use the token returned from the priorrequest in your next request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Pattern: [0-9A-Za-z:\/+=]+$

Required: No

Response Syntax{ "NextToken": "string", "RuleGroups": [ { "Arn": "string", "Name": "string" } ]

API Version 2020-11-1267

Page 76: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Elements

}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

NextToken (p. 67)

When you request a list of objects with a MaxResults setting, if the number of objects that are stillavailable for retrieval exceeds the maximum you requested, Network Firewall returns a NextTokenvalue in the response. To retrieve the next batch of objects, use the token returned from the priorrequest in your next request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Pattern: [0-9A-Za-z:\/+=]+$RuleGroups (p. 67)

The rule group metadata objects that you've defined. Depending on your setting for max results andthe number of rule groups, this might not be the full list.

Type: Array of RuleGroupMetadata (p. 143) objects

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

API Version 2020-11-1268

Page 77: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1269

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/ListRuleGroups
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/ListRuleGroups
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/ListRuleGroups
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/ListRuleGroups
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/ListRuleGroups
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/ListRuleGroups
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/ListRuleGroups
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/ListRuleGroups
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/ListRuleGroups
Page 78: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceListTagsForResource

ListTagsForResourceRetrieves the tags associated with the specified resource. Tags are key:value pairs that you can use tocategorize and manage your resources, for purposes like billing. For example, you might set the tag keyto "customer" and the value to the customer name or ID. You can specify one or more tags to add to eachAWS resource, up to 50 tags for a resource.

You can tag the AWS resources that you manage through AWS Network Firewall: firewalls, firewallpolicies, and rule groups.

Request Syntax{ "MaxResults": number, "NextToken": "string", "ResourceArn": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

MaxResults (p. 70)

The maximum number of objects that you want Network Firewall to return for this request. If moreobjects are available, in the response, Network Firewall provides a NextToken value that you canuse in a subsequent call to get the next batch of objects.

Type: Integer

Valid Range: Minimum value of 0. Maximum value of 100.

Required: NoNextToken (p. 70)

When you request a list of objects with a MaxResults setting, if the number of objects that are stillavailable for retrieval exceeds the maximum you requested, Network Firewall returns a NextTokenvalue in the response. To retrieve the next batch of objects, use the token returned from the priorrequest in your next request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Pattern: [0-9A-Za-z:\/+=]+$

Required: NoResourceArn (p. 70)

The Amazon Resource Name (ARN) of the resource.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

API Version 2020-11-1270

Page 79: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

Pattern: ^arn:aws.*

Required: Yes

Response Syntax{ "NextToken": "string", "Tags": [ { "Key": "string", "Value": "string" } ]}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

NextToken (p. 71)

When you request a list of objects with a MaxResults setting, if the number of objects that are stillavailable for retrieval exceeds the maximum you requested, Network Firewall returns a NextTokenvalue in the response. To retrieve the next batch of objects, use the token returned from the priorrequest in your next request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Pattern: [0-9A-Za-z:\/+=]+$Tags (p. 71)

The tags that are associated with the resource.

Type: Array of Tag (p. 158) objects

Array Members: Minimum number of 1 item. Maximum number of 200 items.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400

API Version 2020-11-1271

Page 80: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1272

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/ListTagsForResource
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/ListTagsForResource
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/ListTagsForResource
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/ListTagsForResource
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/ListTagsForResource
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/ListTagsForResource
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/ListTagsForResource
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/ListTagsForResource
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/ListTagsForResource
Page 81: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferencePutResourcePolicy

PutResourcePolicyCreates or updates an AWS Identity and Access Management policy for your rule group or firewall policy.Use this to share rule groups and firewall policies between accounts. This operation works in conjunctionwith the AWS Resource Access Manager (RAM) service to manage resource sharing for Network Firewall.

Use this operation to create or update a resource policy for your rule group or firewall policy. In thepolicy, you specify the accounts that you want to share the resource with and the operations that youwant the accounts to be able to perform.

When you add an account in the resource policy, you then run the following Resource Access Manager(RAM) operations to access and accept the shared rule group or firewall policy.

• GetResourceShareInvitations - Returns the Amazon Resource Names (ARNs) of the resource shareinvitations.

• AcceptResourceShareInvitation - Accepts the share invitation for a specified resource share.

For additional information about resource sharing using RAM, see AWS Resource Access Manager UserGuide.

Request Syntax{ "Policy": "string", "ResourceArn": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

Policy (p. 73)

The AWS Identity and Access Management policy statement that lists the accounts that you wantto share your rule group or firewall policy with and the operations that you want the accounts to beable to perform.

For a rule group resource, you can specify the following operations in the Actions section of thestatement:

• network-firewall:CreateFirewallPolicy

• network-firewall:UpdateFirewallPolicy

• network-firewall:ListRuleGroups

For a firewall policy resource, you can specify the following operations in the Actions section of thestatement:

• network-firewall:CreateFirewall

• network-firewall:UpdateFirewall

• network-firewall:AssociateFirewallPolicy

• network-firewall:ListFirewallPolicies

API Version 2020-11-1273

https://docs.aws.amazon.com/ram/latest/APIReference/API_GetResourceShareInvitations.html
https://docs.aws.amazon.com/ram/latest/APIReference/API_AcceptResourceShareInvitation.html
https://docs.aws.amazon.com/ram/latest/userguide/what-is.html
https://docs.aws.amazon.com/ram/latest/userguide/what-is.html
Page 82: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Elements

In the Resource section of the statement, you specify the ARNs for the rule groups and firewallpolicies that you want to share with the account that you specified in Arn.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 395000.

Pattern: .*\S.*

Required: Yes

ResourceArn (p. 73)

The Amazon Resource Name (ARN) of the account that you want to share rule groups and firewallpolicies with.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500

InvalidRequestException

The operation failed because of a problem with your request. Examples include:

• You specified an unsupported parameter name or value.

• You tried to update a property with a value that isn't among the available types.

• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid inthe context of the request.

HTTP Status Code: 400

InvalidResourcePolicyException

HTTP Status Code: 400

ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400

API Version 2020-11-1274

Page 83: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1275

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/PutResourcePolicy
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/PutResourcePolicy
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/PutResourcePolicy
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/PutResourcePolicy
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/PutResourcePolicy
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/PutResourcePolicy
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/PutResourcePolicy
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/PutResourcePolicy
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/PutResourcePolicy
Page 84: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceTagResource

TagResourceAdds the specified tags to the specified resource. Tags are key:value pairs that you can use to categorizeand manage your resources, for purposes like billing. For example, you might set the tag key to"customer" and the value to the customer name or ID. You can specify one or more tags to add to eachAWS resource, up to 50 tags for a resource.

You can tag the AWS resources that you manage through AWS Network Firewall: firewalls, firewallpolicies, and rule groups.

Request Syntax{ "ResourceArn": "string", "Tags": [ { "Key": "string", "Value": "string" } ]}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

ResourceArn (p. 76)

The Amazon Resource Name (ARN) of the resource.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: YesTags (p. 76)

Type: Array of Tag (p. 158) objects

Array Members: Minimum number of 1 item. Maximum number of 200 items.

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

API Version 2020-11-1276

Page 85: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1277

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/TagResource
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/TagResource
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/TagResource
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/TagResource
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/TagResource
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/TagResource
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/TagResource
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/TagResource
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/TagResource
Page 86: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceUntagResource

UntagResourceRemoves the tags with the specified keys from the specified resource. Tags are key:value pairs that youcan use to categorize and manage your resources, for purposes like billing. For example, you might setthe tag key to "customer" and the value to the customer name or ID. You can specify one or more tags toadd to each AWS resource, up to 50 tags for a resource.

You can manage tags for the AWS resources that you manage through AWS Network Firewall: firewalls,firewall policies, and rule groups.

Request Syntax{ "ResourceArn": "string", "TagKeys": [ "string" ]}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

ResourceArn (p. 78)

The Amazon Resource Name (ARN) of the resource.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: YesTagKeys (p. 78)

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 200 items.

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^.*$

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

API Version 2020-11-1278

Page 87: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1279

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/UntagResource
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/UntagResource
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/UntagResource
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/UntagResource
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/UntagResource
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/UntagResource
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/UntagResource
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/UntagResource
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/UntagResource
Page 88: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceUpdateFirewallDeleteProtection

UpdateFirewallDeleteProtectionModifies the flag, DeleteProtection, which indicates whether it is possible to delete the firewall.If the flag is set to TRUE, the firewall is protected against deletion. This setting helps protect againstaccidentally deleting a firewall that's in use.

Request Syntax{ "DeleteProtection": boolean, "FirewallArn": "string", "FirewallName": "string", "UpdateToken": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

DeleteProtection (p. 80)

A flag indicating whether it is possible to delete the firewall. A setting of TRUE indicates that thefirewall is protected against deletion. Use this setting to protect against accidentally deleting afirewall that is in use. When you create a firewall, the operation initializes this flag to TRUE.

Type: Boolean

Required: YesFirewallArn (p. 80)

The Amazon Resource Name (ARN) of the firewall.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallName (p. 80)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: No

API Version 2020-11-1280

Page 89: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

UpdateToken (p. 80)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Required: No

Response Syntax{ "DeleteProtection": boolean, "FirewallArn": "string", "FirewallName": "string", "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

DeleteProtection (p. 81)

Type: BooleanFirewallArn (p. 81)

The Amazon Resource Name (ARN) of the firewall.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*FirewallName (p. 81)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

Type: String

API Version 2020-11-1281

Page 90: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceErrors

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$UpdateToken (p. 81)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400InvalidTokenException

The token you provided is stale or isn't valid for the operation.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ResourceOwnerCheckException

API Version 2020-11-1282

Page 91: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1283

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/UpdateFirewallDeleteProtection
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/UpdateFirewallDeleteProtection
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/UpdateFirewallDeleteProtection
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/UpdateFirewallDeleteProtection
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/UpdateFirewallDeleteProtection
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/UpdateFirewallDeleteProtection
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/UpdateFirewallDeleteProtection
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/UpdateFirewallDeleteProtection
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/UpdateFirewallDeleteProtection
Page 92: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceUpdateFirewallDescription

UpdateFirewallDescriptionModifies the description for the specified firewall. Use the description to help you identify the firewallwhen you're working with it.

Request Syntax{ "Description": "string", "FirewallArn": "string", "FirewallName": "string", "UpdateToken": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

Description (p. 84)

The new description for the firewall. If you omit this setting, Network Firewall removes thedescription for the firewall.

Type: String

Length Constraints: Maximum length of 512.

Pattern: ^.*$

Required: NoFirewallArn (p. 84)

The Amazon Resource Name (ARN) of the firewall.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallName (p. 84)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

API Version 2020-11-1284

Page 93: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

Required: NoUpdateToken (p. 84)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Required: No

Response Syntax{ "Description": "string", "FirewallArn": "string", "FirewallName": "string", "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Description (p. 85)

A description of the firewall.

Type: String

Length Constraints: Maximum length of 512.

Pattern: ^.*$FirewallArn (p. 85)

The Amazon Resource Name (ARN) of the firewall.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

API Version 2020-11-1285

Page 94: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceErrors

FirewallName (p. 85)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$UpdateToken (p. 85)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400InvalidTokenException

The token you provided is stale or isn't valid for the operation.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

API Version 2020-11-1286

Page 95: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1287

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/UpdateFirewallDescription
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/UpdateFirewallDescription
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/UpdateFirewallDescription
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/UpdateFirewallDescription
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/UpdateFirewallDescription
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/UpdateFirewallDescription
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/UpdateFirewallDescription
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/UpdateFirewallDescription
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/UpdateFirewallDescription
Page 96: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceUpdateFirewallPolicy

UpdateFirewallPolicyUpdates the properties of the specified firewall policy.

Request Syntax{ "Description": "string", "DryRun": boolean, "FirewallPolicy": { "StatefulRuleGroupReferences": [ { "ResourceArn": "string" } ], "StatelessCustomActions": [ { "ActionDefinition": { "PublishMetricAction": { "Dimensions": [ { "Value": "string" } ] } }, "ActionName": "string" } ], "StatelessDefaultActions": [ "string" ], "StatelessFragmentDefaultActions": [ "string" ], "StatelessRuleGroupReferences": [ { "Priority": number, "ResourceArn": "string" } ] }, "FirewallPolicyArn": "string", "FirewallPolicyName": "string", "UpdateToken": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

Description (p. 88)

A description of the firewall policy.

Type: String

Length Constraints: Maximum length of 512.

Pattern: ^.*$

API Version 2020-11-1288

Page 97: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRequest Parameters

Required: NoDryRun (p. 88)

Indicates whether you want Network Firewall to just check the validity of the request, rather thanrun the request.

If set to TRUE, Network Firewall checks whether the request can run successfully, but doesn'tactually make the requested changes. The call returns the value that the request would return ifyou ran it with dry run set to FALSE, but doesn't make additions or changes to your resources. Thisoption allows you to make sure that you have the required permissions to run the request and thatyour request parameters are valid.

If set to FALSE, Network Firewall makes the requested changes to your resources.

Type: Boolean

Required: NoFirewallPolicy (p. 88)

The updated firewall policy to use for the firewall.

Type: FirewallPolicy (p. 121) object

Required: YesFirewallPolicyArn (p. 88)

The Amazon Resource Name (ARN) of the firewall policy.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallPolicyName (p. 88)

The descriptive name of the firewall policy. You can't change the name of a firewall policy after youcreate it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: NoUpdateToken (p. 88)

A token used for optimistic locking. Network Firewall returns a token to your requests that accessthe firewall policy. The token marks the state of the policy resource at the time of the request.

To make changes to the policy, you provide the token in your request. Network Firewall uses thetoken to ensure that the policy hasn't changed since you last retrieved it. If it has changed, theoperation fails with an InvalidTokenException. If this happens, retrieve the firewall policy

API Version 2020-11-1289

Page 98: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

again to get a current copy of it with current token. Reapply your changes as needed, then try theoperation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Required: Yes

Response Syntax{ "FirewallPolicyResponse": { "Description": "string", "FirewallPolicyArn": "string", "FirewallPolicyId": "string", "FirewallPolicyName": "string", "FirewallPolicyStatus": "string", "Tags": [ { "Key": "string", "Value": "string" } ] }, "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FirewallPolicyResponse (p. 90)

The high-level properties of a firewall policy. This, along with the FirewallPolicy (p. 121), define thepolicy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy (p. 43).

Type: FirewallPolicyResponse (p. 124) objectUpdateToken (p. 90)

A token used for optimistic locking. Network Firewall returns a token to your requests that accessthe firewall policy. The token marks the state of the policy resource at the time of the request.

To make changes to the policy, you provide the token in your request. Network Firewall uses thetoken to ensure that the policy hasn't changed since you last retrieved it. If it has changed, theoperation fails with an InvalidTokenException. If this happens, retrieve the firewall policyagain to get a current copy of it with current token. Reapply your changes as needed, then try theoperation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

API Version 2020-11-1290

Page 99: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceErrors

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400InvalidTokenException

The token you provided is stale or isn't valid for the operation.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1291

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/UpdateFirewallPolicy
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/UpdateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/UpdateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/UpdateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/UpdateFirewallPolicy
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/UpdateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/UpdateFirewallPolicy
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/UpdateFirewallPolicy
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/UpdateFirewallPolicy
Page 100: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceUpdateFirewallPolicyChangeProtection

UpdateFirewallPolicyChangeProtection

Request Syntax{ "FirewallArn": "string", "FirewallName": "string", "FirewallPolicyChangeProtection": boolean, "UpdateToken": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

FirewallArn (p. 92)

The Amazon Resource Name (ARN) of the firewall.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallName (p. 92)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: NoFirewallPolicyChangeProtection (p. 92)

A setting indicating whether the firewall is protected against a change to the firewall policyassociation. Use this setting to protect against accidentally modifying the firewall policy for afirewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.

Type: Boolean

Required: YesUpdateToken (p. 92)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

API Version 2020-11-1292

Page 101: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Required: No

Response Syntax{ "FirewallArn": "string", "FirewallName": "string", "FirewallPolicyChangeProtection": boolean, "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FirewallArn (p. 93)

The Amazon Resource Name (ARN) of the firewall.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*FirewallName (p. 93)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$FirewallPolicyChangeProtection (p. 93)

A setting indicating whether the firewall is protected against a change to the firewall policyassociation. Use this setting to protect against accidentally modifying the firewall policy for afirewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.

Type: Boolean

API Version 2020-11-1293

Page 102: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceErrors

UpdateToken (p. 93)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400InvalidTokenException

The token you provided is stale or isn't valid for the operation.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ResourceOwnerCheckException

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

API Version 2020-11-1294

Page 103: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1295

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/UpdateFirewallPolicyChangeProtection
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/UpdateFirewallPolicyChangeProtection
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/UpdateFirewallPolicyChangeProtection
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/UpdateFirewallPolicyChangeProtection
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/UpdateFirewallPolicyChangeProtection
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/UpdateFirewallPolicyChangeProtection
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/UpdateFirewallPolicyChangeProtection
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/UpdateFirewallPolicyChangeProtection
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/UpdateFirewallPolicyChangeProtection
Page 104: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceUpdateLoggingConfiguration

UpdateLoggingConfigurationSets the logging configuration for the specified firewall.

To change the logging configuration, retrieve the LoggingConfiguration (p. 133) by callingDescribeLoggingConfiguration (p. 47), then change it and provide the modified object to this updatecall. You must change the logging configuration one LogDestinationConfig (p. 131) at a time inside theretrieved LoggingConfiguration (p. 133) object.

You can perform only one of the following actions in any call to UpdateLoggingConfiguration:

• Create a new log destination object by adding a single LogDestinationConfig array element toLogDestinationConfigs.

• Delete a log destination object by removing a single LogDestinationConfig array element fromLogDestinationConfigs.

• Change the LogDestination setting in a single LogDestinationConfig array element.

You can't change the LogDestinationType or LogType in a LogDestinationConfig. To changethese settings, delete the existing LogDestinationConfig object and create a new one, using twoseparate calls to this update operation.

Request Syntax{ "FirewallArn": "string", "FirewallName": "string", "LoggingConfiguration": { "LogDestinationConfigs": [ { "LogDestination": { "string" : "string" }, "LogDestinationType": "string", "LogType": "string" } ] }}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

FirewallArn (p. 96)

The Amazon Resource Name (ARN) of the firewall.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

API Version 2020-11-1296

Page 105: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

Required: NoFirewallName (p. 96)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: NoLoggingConfiguration (p. 96)

Defines how Network Firewall performs logging for a firewall. If you omit this setting, NetworkFirewall disables logging for the firewall.

Type: LoggingConfiguration (p. 133) object

Required: No

Response Syntax{ "FirewallArn": "string", "FirewallName": "string", "LoggingConfiguration": { "LogDestinationConfigs": [ { "LogDestination": { "string" : "string" }, "LogDestinationType": "string", "LogType": "string" } ] }}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FirewallArn (p. 97)

The Amazon Resource Name (ARN) of the firewall.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*FirewallName (p. 97)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

API Version 2020-11-1297

Page 106: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceErrors

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$LoggingConfiguration (p. 97)

Defines how AWS Network Firewall performs logging for a Firewall (p. 117).

Type: LoggingConfiguration (p. 133) object

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400InvalidTokenException

The token you provided is stale or isn't valid for the operation.

HTTP Status Code: 400LogDestinationPermissionException

Unable to send logs to a configured logging destination.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

API Version 2020-11-1298

Page 107: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-1299

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/UpdateLoggingConfiguration
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/UpdateLoggingConfiguration
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/UpdateLoggingConfiguration
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/UpdateLoggingConfiguration
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/UpdateLoggingConfiguration
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/UpdateLoggingConfiguration
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/UpdateLoggingConfiguration
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/UpdateLoggingConfiguration
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/UpdateLoggingConfiguration
Page 108: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceUpdateRuleGroup

UpdateRuleGroupUpdates the rule settings for the specified rule group. You use a rule group by reference in one or morefirewall policies. When you modify a rule group, you modify all firewall policies that use the rule group.

To update a rule group, first call DescribeRuleGroup (p. 52) to retrieve the current RuleGroup (p. 142)object, update the object as needed, and then provide the updated object to this call.

Request Syntax{ "Description": "string", "DryRun": boolean, "RuleGroup": { "RulesSource": { "RulesSourceList": { "GeneratedRulesType": "string", "Targets": [ "string" ], "TargetTypes": [ "string" ] }, "RulesString": "string", "StatefulRules": [ { "Action": "string", "Header": { "Destination": "string", "DestinationPort": "string", "Direction": "string", "Protocol": "string", "Source": "string", "SourcePort": "string" }, "RuleOptions": [ { "Keyword": "string", "Settings": [ "string" ] } ] } ], "StatelessRulesAndCustomActions": { "CustomActions": [ { "ActionDefinition": { "PublishMetricAction": { "Dimensions": [ { "Value": "string" } ] } }, "ActionName": "string" } ], "StatelessRules": [ { "Priority": number, "RuleDefinition": { "Actions": [ "string" ], "MatchAttributes": { "DestinationPorts": [

API Version 2020-11-12100

Page 109: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRequest Parameters

{ "FromPort": number, "ToPort": number } ], "Destinations": [ { "AddressDefinition": "string" } ], "Protocols": [ number ], "SourcePorts": [ { "FromPort": number, "ToPort": number } ], "Sources": [ { "AddressDefinition": "string" } ], "TCPFlags": [ { "Flags": [ "string" ], "Masks": [ "string" ] } ] } } } ] } }, "RuleVariables": { "IPSets": { "string" : { "Definition": [ "string" ] } }, "PortSets": { "string" : { "Definition": [ "string" ] } } } }, "RuleGroupArn": "string", "RuleGroupName": "string", "Rules": "string", "Type": "string", "UpdateToken": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

Description (p. 100)

A description of the rule group.

API Version 2020-11-12101

Page 110: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRequest Parameters

Type: String

Length Constraints: Maximum length of 512.

Pattern: ^.*$

Required: NoDryRun (p. 100)

Indicates whether you want Network Firewall to just check the validity of the request, rather thanrun the request.

If set to TRUE, Network Firewall checks whether the request can run successfully, but doesn'tactually make the requested changes. The call returns the value that the request would return ifyou ran it with dry run set to FALSE, but doesn't make additions or changes to your resources. Thisoption allows you to make sure that you have the required permissions to run the request and thatyour request parameters are valid.

If set to FALSE, Network Firewall makes the requested changes to your resources.

Type: Boolean

Required: NoRuleGroup (p. 100)

An object that defines the rule group rules.

NoteYou must provide either this rule group setting or a Rules setting, but not both.

Type: RuleGroup (p. 142) object

Required: NoRuleGroupArn (p. 100)

The Amazon Resource Name (ARN) of the rule group.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoRuleGroupName (p. 100)

The descriptive name of the rule group. You can't change the name of a rule group after you createit.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: No

API Version 2020-11-12102

Page 111: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

Rules (p. 100)

A string containing stateful rule group rules specifications in Suricata flat format, with one rule perline. Use this to import your existing Suricata compatible rule groups.

NoteYou must provide either this rules setting or a populated RuleGroup setting, but not both.

You can provide your rule group specification in Suricata flat format through this setting whenyou create or update your rule group. The call response returns a RuleGroup (p. 142) object thatNetwork Firewall has populated from your string.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 1000000.

Required: NoType (p. 100)

Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it containsstateless rules. If it is stateful, it contains stateful rules.

NoteThis setting is required for requests that do not include the RuleGroupARN.

Type: String

Valid Values: STATELESS | STATEFUL

Required: NoUpdateToken (p. 100)

A token used for optimistic locking. Network Firewall returns a token to your requests that accessthe rule group. The token marks the state of the rule group resource at the time of the request.

To make changes to the rule group, you provide the token in your request. Network Firewall uses thetoken to ensure that the rule group hasn't changed since you last retrieved it. If it has changed, theoperation fails with an InvalidTokenException. If this happens, retrieve the rule group again toget a current copy of it with a current token. Reapply your changes as needed, then try the operationagain using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Required: Yes

Response Syntax{ "RuleGroupResponse": { "Capacity": number, "Description": "string", "RuleGroupArn": "string", "RuleGroupId": "string", "RuleGroupName": "string", "RuleGroupStatus": "string",

API Version 2020-11-12103

Page 112: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Elements

"Tags": [ { "Key": "string", "Value": "string" } ], "Type": "string" }, "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

RuleGroupResponse (p. 103)

The high-level properties of a rule group. This, along with the RuleGroup (p. 142), define the rulegroup. You can retrieve all objects for a rule group by calling DescribeRuleGroup (p. 52).

Type: RuleGroupResponse (p. 144) objectUpdateToken (p. 103)

A token used for optimistic locking. Network Firewall returns a token to your requests that accessthe rule group. The token marks the state of the rule group resource at the time of the request.

To make changes to the rule group, you provide the token in your request. Network Firewall uses thetoken to ensure that the rule group hasn't changed since you last retrieved it. If it has changed, theoperation fails with an InvalidTokenException. If this happens, retrieve the rule group again toget a current copy of it with a current token. Reapply your changes as needed, then try the operationagain using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

API Version 2020-11-12104

Page 113: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

HTTP Status Code: 400InvalidTokenException

The token you provided is stale or isn't valid for the operation.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-12105

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/UpdateRuleGroup
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/UpdateRuleGroup
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/UpdateRuleGroup
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/UpdateRuleGroup
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/UpdateRuleGroup
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/UpdateRuleGroup
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/UpdateRuleGroup
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/UpdateRuleGroup
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/UpdateRuleGroup
Page 114: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceUpdateSubnetChangeProtection

UpdateSubnetChangeProtection

Request Syntax{ "FirewallArn": "string", "FirewallName": "string", "SubnetChangeProtection": boolean, "UpdateToken": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 160).

The request accepts the following data in JSON format.

FirewallArn (p. 106)

The Amazon Resource Name (ARN) of the firewall.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallName (p. 106)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

You must specify the ARN or the name, and you can specify both.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: NoSubnetChangeProtection (p. 106)

A setting indicating whether the firewall is protected against changes to the subnet associations. Usethis setting to protect against accidentally modifying the subnet associations for a firewall that is inuse. When you create a firewall, the operation initializes this setting to TRUE.

Type: Boolean

Required: YesUpdateToken (p. 106)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

API Version 2020-11-12106

Page 115: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceResponse Syntax

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Required: No

Response Syntax{ "FirewallArn": "string", "FirewallName": "string", "SubnetChangeProtection": boolean, "UpdateToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

FirewallArn (p. 107)

The Amazon Resource Name (ARN) of the firewall.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*FirewallName (p. 107)

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$SubnetChangeProtection (p. 107)

A setting indicating whether the firewall is protected against changes to the subnet associations. Usethis setting to protect against accidentally modifying the subnet associations for a firewall that is inuse. When you create a firewall, the operation initializes this setting to TRUE.

Type: Boolean

API Version 2020-11-12107

Page 116: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceErrors

UpdateToken (p. 107)

An optional token that you can use for optimistic locking. Network Firewall returns a token to yourrequests that access the firewall. The token marks the state of the firewall resource at the time ofthe request.

To make an unconditional change to the firewall, omit the token in your update request. Without thetoken, Network Firewall performs your updates regardless of whether the firewall has changed sinceyou last retrieved it.

To make a conditional change to the firewall, provide the token in your update request. NetworkFirewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If ithas changed, the operation fails with an InvalidTokenException. If this happens, retrieve thefirewall again to get a current copy of it with a new token. Reapply your changes as needed, then trythe operation again using the new token.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 162).

InternalServerError

Your request is valid, but Network Firewall couldn’t perform the operation because of a systemproblem. Retry your request.

HTTP Status Code: 500InvalidRequestException

The operation failed because of a problem with your request. Examples include:• You specified an unsupported parameter name or value.• You tried to update a property with a value that isn't among the available types.• Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in

the context of the request.

HTTP Status Code: 400InvalidTokenException

The token you provided is stale or isn't valid for the operation.

HTTP Status Code: 400ResourceNotFoundException

Unable to locate a resource using the parameters that you provided.

HTTP Status Code: 400ResourceOwnerCheckException

HTTP Status Code: 400ThrottlingException

Unable to process the request due to throttling limitations.

API Version 2020-11-12108

Page 117: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

HTTP Status Code: 400

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V3

API Version 2020-11-12109

https://docs.aws.amazon.com/goto/aws-cli/network-firewall-2020-11-12/UpdateSubnetChangeProtection
https://docs.aws.amazon.com/goto/DotNetSDKV3/network-firewall-2020-11-12/UpdateSubnetChangeProtection
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/UpdateSubnetChangeProtection
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/UpdateSubnetChangeProtection
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/UpdateSubnetChangeProtection
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/network-firewall-2020-11-12/UpdateSubnetChangeProtection
https://docs.aws.amazon.com/goto/SdkForPHPV3/network-firewall-2020-11-12/UpdateSubnetChangeProtection
https://docs.aws.amazon.com/goto/boto3/network-firewall-2020-11-12/UpdateSubnetChangeProtection
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/UpdateSubnetChangeProtection
Page 118: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

Data TypesThe AWS Network Firewall API contains several data types that various actions use. This section describeseach data type in detail.

NoteThe order of each element in a data type structure is not guaranteed. Applications should notassume a particular order.

The following data types are supported:

• ActionDefinition (p. 112)• Address (p. 113)• Attachment (p. 114)• CustomAction (p. 115)• Dimension (p. 116)• Firewall (p. 117)• FirewallMetadata (p. 120)• FirewallPolicy (p. 121)• FirewallPolicyMetadata (p. 123)• FirewallPolicyResponse (p. 124)• FirewallStatus (p. 126)• Header (p. 128)• IPSet (p. 130)• LogDestinationConfig (p. 131)• LoggingConfiguration (p. 133)• MatchAttributes (p. 134)• PerObjectStatus (p. 136)• PortRange (p. 137)• PortSet (p. 138)• PublishMetricAction (p. 139)• RuleDefinition (p. 140)• RuleGroup (p. 142)• RuleGroupMetadata (p. 143)• RuleGroupResponse (p. 144)• RuleOption (p. 146)• RulesSource (p. 147)• RulesSourceList (p. 148)• RuleVariables (p. 150)• StatefulRule (p. 151)• StatefulRuleGroupReference (p. 152)• StatelessRule (p. 153)• StatelessRuleGroupReference (p. 154)• StatelessRulesAndCustomActions (p. 155)• SubnetMapping (p. 156)• SyncState (p. 157)

API Version 2020-11-12110

Page 119: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

• Tag (p. 158)• TCPFlagField (p. 159)

API Version 2020-11-12111

Page 120: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceActionDefinition

ActionDefinitionA custom action to use in stateless rule actions settings. This is used in CustomAction (p. 115).

ContentsPublishMetricAction

Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for thematching packet. This setting defines a CloudWatch dimension value to be published.

You can pair this custom action with any of the standard stateless rule actions. For example, youcould pair this in a rule action with the standard action that forwards the packet for statefulinspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packetand forwards it.

Type: PublishMetricAction (p. 139) object

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12112

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/ActionDefinition
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/ActionDefinition
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/ActionDefinition
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/ActionDefinition
Page 121: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceAddress

AddressA single IP address specification. This is used in the MatchAttributes (p. 134) source and destinationspecifications.

ContentsAddressDefinition

Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation.Network Firewall supports all address ranges for IPv4.

Examples:• To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.• To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify192.0.2.0/24.

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 255.

Pattern: ^([a-fA-F\d:\.]+/\d{1,3})$

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12113

https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/Address
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/Address
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/Address
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/Address
Page 122: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceAttachment

AttachmentThe configuration and status for a single subnet that you've specified for use by the AWS NetworkFirewall firewall. This is part of the FirewallStatus (p. 126).

ContentsEndpointId

The identifier of the firewall endpoint that Network Firewall has instantiated in the subnet. Youuse this to identify the firewall endpoint in the VPC route tables, when you redirect the VPC trafficthrough the endpoint.

Type: String

Required: NoStatus

The current status of the firewall endpoint in the subnet. This value reflects both the instantiation ofthe endpoint in the VPC subnet and the sync states that are reported in the Config settings. Whenthis value is READY, the endpoint is available and configured properly to handle network traffic.When the endpoint isn't available for traffic, this value will reflect its state, for example CREATING,DELETING, or FAILED.

Type: String

Valid Values: CREATING | DELETING | SCALING | READY

Required: NoSubnetId

The unique identifier of the subnet that you've specified to be used for a firewall endpoint.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^subnet-[0-9a-f]+$

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12114

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/Attachment
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/Attachment
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/Attachment
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/Attachment
Page 123: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceCustomAction

CustomActionAn optional, non-standard action to use for stateless packet handling. You can define this in addition tothe standard action that you must specify.

You define and name the custom actions that you want to be able to use, and then you reference themby name in your actions settings.

You can use custom actions in the following places:

• In a rule group's StatelessRulesAndCustomActions (p. 155) specification. The custom actions areavailable for use by name inside the StatelessRulesAndCustomActions where you define them.You can use them for your stateless rule actions to specify what to do with a packet that matches therule's match attributes.

• In a FirewallPolicy (p. 121) specification, in StatelessCustomActions. The custom actions areavailable for use inside the policy where you define them. You can use them for the policy's defaultstateless actions settings to specify what to do with packets that don't match any of the policy'sstateless rules.

ContentsActionDefinition

The custom action associated with the action name.

Type: ActionDefinition (p. 112) object

Required: YesActionName

The descriptive name of the custom action. You can't change the name of a custom action after youcreate it.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9]+$

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12115

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/CustomAction
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/CustomAction
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/CustomAction
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/CustomAction
Page 124: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceDimension

DimensionThe value to use in an Amazon CloudWatch custom metric dimension. This is used in thePublishMetrics CustomAction (p. 115). A CloudWatch custom metric dimension is a name/value pairthat's part of the identity of a metric.

AWS Network Firewall sets the dimension name to CustomAction and you provide the dimension value.

For more information about CloudWatch custom metric dimensions, see Publishing Custom Metrics inthe Amazon CloudWatch User Guide.

ContentsValue

The value to use in the custom metric dimension.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-_ ]+$

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12116

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/publishingMetrics.html#usingDimensions
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/Dimension
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/Dimension
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/Dimension
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/Dimension
Page 125: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceFirewall

FirewallThe firewall defines the configuration settings for an AWS Network Firewall firewall. These settingsinclude the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags thatare attached to the firewall AWS resource.

The status of the firewall, for example whether it's ready to filter network traffic, is provided in thecorresponding FirewallStatus (p. 126). You can retrieve both objects by calling DescribeFirewall (p. 39).

ContentsDeleteProtection

A flag indicating whether it is possible to delete the firewall. A setting of TRUE indicates that thefirewall is protected against deletion. Use this setting to protect against accidentally deleting afirewall that is in use. When you create a firewall, the operation initializes this flag to TRUE.

Type: Boolean

Required: NoDescription

A description of the firewall.

Type: String

Length Constraints: Maximum length of 512.

Pattern: ^.*$

Required: NoFirewallArn

The Amazon Resource Name (ARN) of the firewall.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallId

The unique identifier for the firewall.

Type: String

Length Constraints: Fixed length of 36.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Required: YesFirewallName

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

Type: String

API Version 2020-11-12117

Page 126: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceContents

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: NoFirewallPolicyArn

The Amazon Resource Name (ARN) of the firewall policy.

The relationship of firewall to firewall policy is many to one. Each firewall requires one firewall policyassociation, and you can use the same firewall policy for multiple firewalls.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: YesFirewallPolicyChangeProtection

A setting indicating whether the firewall is protected against a change to the firewall policyassociation. Use this setting to protect against accidentally modifying the firewall policy for afirewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.

Type: Boolean

Required: NoSubnetChangeProtection

A setting indicating whether the firewall is protected against changes to the subnet associations. Usethis setting to protect against accidentally modifying the subnet associations for a firewall that is inuse. When you create a firewall, the operation initializes this setting to TRUE.

Type: Boolean

Required: NoSubnetMappings

The public subnets that Network Firewall is using for the firewall. Each subnet must belong to adifferent Availability Zone.

Type: Array of SubnetMapping (p. 156) objects

Required: YesTags

Type: Array of Tag (p. 158) objects

Array Members: Minimum number of 1 item. Maximum number of 200 items.

Required: NoVpcId

The unique identifier of the VPC where the firewall is in use.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

API Version 2020-11-12118

Page 127: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

Pattern: ^vpc-[0-9a-f]+$

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12119

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/Firewall
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/Firewall
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/Firewall
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/Firewall
Page 128: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceFirewallMetadata

FirewallMetadataHigh-level information about a firewall, returned by operations like create and describe. You can use theinformation provided in the metadata to retrieve and manage a firewall.

ContentsFirewallArn

The Amazon Resource Name (ARN) of the firewall.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoFirewallName

The descriptive name of the firewall. You can't change the name of a firewall after you create it.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12120

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/FirewallMetadata
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/FirewallMetadata
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/FirewallMetadata
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/FirewallMetadata
Page 129: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceFirewallPolicy

FirewallPolicyThe firewall policy defines the behavior of a firewall using a collection of stateless and stateful rulegroups and other settings. You can use one firewall policy for multiple firewalls.

This, along with FirewallPolicyResponse (p. 124), define the policy. You can retrieve all objects for afirewall policy by calling DescribeFirewallPolicy (p. 43).

ContentsStatefulRuleGroupReferences

References to the stateful rule groups that are used in the policy. These define the inspection criteriain stateful rules.

Type: Array of StatefulRuleGroupReference (p. 152) objects

Required: NoStatelessCustomActions

The custom action definitions that are available for use in the firewall policy'sStatelessDefaultActions setting. You name each custom action that you define, and then youcan use it by name in your default actions specifications.

Type: Array of CustomAction (p. 115) objects

Required: NoStatelessDefaultActions

The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you wantnon-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.

You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. Inaddition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass",“customActionName”]. For information about compatibility, see the custom action descriptionsunder CustomAction (p. 115).

Type: Array of strings

Required: YesStatelessFragmentDefaultActions

The actions to take on a fragmented UDP packet if it doesn't match any of the stateless rules in thepolicy. Network Firewall only manages UDP packet fragments and silently drops packet fragmentsfor other protocols. If you want non-matching fragmented UDP packets to be forwarded for statefulinspection, specify aws:forward_to_sfe.

You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. Inaddition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass",“customActionName”]. For information about compatibility, see the custom action descriptionsunder CustomAction (p. 115).

Type: Array of strings

API Version 2020-11-12121

Page 130: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

Required: YesStatelessRuleGroupReferences

References to the stateless rule groups that are used in the policy. These define the matching criteriain stateless rules.

Type: Array of StatelessRuleGroupReference (p. 154) objects

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12122

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/FirewallPolicy
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/FirewallPolicy
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/FirewallPolicy
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/FirewallPolicy
Page 131: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceFirewallPolicyMetadata

FirewallPolicyMetadataHigh-level information about a firewall policy, returned by operations like create and describe. You canuse the information provided in the metadata to retrieve and manage a firewall policy. You can retrieveall objects for a firewall policy by calling DescribeFirewallPolicy (p. 43).

ContentsArn

The Amazon Resource Name (ARN) of the firewall policy.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoName

The descriptive name of the firewall policy. You can't change the name of a firewall policy after youcreate it.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12123

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/FirewallPolicyMetadata
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/FirewallPolicyMetadata
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/FirewallPolicyMetadata
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/FirewallPolicyMetadata
Page 132: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceFirewallPolicyResponse

FirewallPolicyResponseThe high-level properties of a firewall policy. This, along with the FirewallPolicy (p. 121), define thepolicy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy (p. 43).

ContentsDescription

A description of the firewall policy.

Type: String

Length Constraints: Maximum length of 512.

Pattern: ^.*$

Required: NoFirewallPolicyArn

The Amazon Resource Name (ARN) of the firewall policy.

NoteIf this response is for a create request that had DryRun set to TRUE, then this ARN is aplaceholder that isn't attached to a valid resource.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: YesFirewallPolicyId

The unique identifier for the firewall policy.

Type: String

Length Constraints: Fixed length of 36.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Required: YesFirewallPolicyName

The descriptive name of the firewall policy. You can't change the name of a firewall policy after youcreate it.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: YesFirewallPolicyStatus

The current status of the firewall policy. You can retrieve this for a firewall policy by callingDescribeFirewallPolicy (p. 43) and providing the firewall policy's name or ARN.

API Version 2020-11-12124

Page 133: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

Type: String

Valid Values: ACTIVE | DELETING

Required: NoTags

The key:value pairs to associate with the resource.

Type: Array of Tag (p. 158) objects

Array Members: Minimum number of 1 item. Maximum number of 200 items.

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12125

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/FirewallPolicyResponse
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/FirewallPolicyResponse
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/FirewallPolicyResponse
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/FirewallPolicyResponse
Page 134: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceFirewallStatus

FirewallStatusDetailed information about the current status of a Firewall (p. 117). You can retrieve this for a firewall bycalling DescribeFirewall (p. 39) and providing the firewall name and ARN.

ContentsConfigurationSyncStateSummary

The configuration sync state for the firewall. This summarizes the sync states reported in theConfig settings for all of the Availability Zones where you have configured the firewall.

When you create a firewall or update its configuration, for example by adding a rule group to itsfirewall policy, Network Firewall distributes the configuration changes to all zones where the firewallis in use. This summary indicates whether the configuration changes have been applied everywhere.

This status must be IN_SYNC for the firewall to be ready for use, but it doesn't indicate that thefirewall is ready. The Status setting indicates firewall readiness.

Type: String

Valid Values: PENDING | IN_SYNC

Required: YesStatus

The readiness of the configured firewall to handle network traffic across all of theAvailability Zones where you've configured it. This setting is READY only when theConfigurationSyncStateSummary value is IN_SYNC and the Attachment Status values for allof the configured subnets are READY.

Type: String

Valid Values: PROVISIONING | DELETING | READY

Required: YesSyncStates

The subnets that you've configured for use by the Network Firewall firewall. This contains one arrayelement per Availability Zone where you've configured a subnet. These objects provide details of theinformation that is summarized in the ConfigurationSyncStateSummary and Status, brokendown by zone and configuration object.

Type: String to SyncState (p. 157) object map

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12126

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/FirewallStatus
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/FirewallStatus
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/FirewallStatus
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/FirewallStatus
Page 135: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

API Version 2020-11-12127

Page 136: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceHeader

HeaderThe basic rule criteria for AWS Network Firewall to use to inspect packet headers in stateful traffic flowinspection. Traffic flows that match the criteria are a match for the corresponding StatefulRule (p. 151).

ContentsDestination

The destination IP address or address range to inspect for, in CIDR notation. To match with anyaddress, specify ANY.

Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation.Network Firewall supports all address ranges for IPv4.

Examples:• To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.• To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify192.0.2.0/24.

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^.*$

Required: YesDestinationPort

The destination port to inspect for. You can specify an individual port, for example 1994 and you canspecify a port range, for example 1990-1994. To match with any port, specify ANY.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^.*$

Required: YesDirection

The direction of traffic flow to inspect. If set to ANY, the inspection matches bidirectional traffic,both from the source to the destination and from the destination to the source. If set to FORWARD,the inspection only matches traffic going from the source to the destination.

Type: String

Valid Values: FORWARD | ANY

Required: YesProtocol

The protocol to inspect for. To specify all, you can use IP, because all traffic on AWS and on theinternet is IP.

Type: String

API Version 2020-11-12128

https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
Page 137: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

Valid Values: IP | TCP | UDP | ICMP | HTTP | FTP | TLS | SMB | DNS | DCERPC |SSH | SMTP | IMAP | MSN | KRB5 | IKEV2 | TFTP | NTP | DHCP

Required: YesSource

The source IP address or address range to inspect for, in CIDR notation. To match with any address,specify ANY.

Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation.Network Firewall supports all address ranges for IPv4.

Examples:• To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.• To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify192.0.2.0/24.

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^.*$

Required: YesSourcePort

The source port to inspect for. You can specify an individual port, for example 1994 and you canspecify a port range, for example 1990-1994. To match with any port, specify ANY.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^.*$

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12129

https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/Header
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/Header
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/Header
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/Header
Page 138: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceIPSet

IPSetA list of IP addresses and address ranges, in CIDR notation. This is part of a RuleVariables (p. 150).

ContentsDefinition

The list of IP addresses and address ranges, in CIDR notation.

Type: Array of strings

Length Constraints: Minimum length of 1.

Pattern: ^.*$

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12130

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/IPSet
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/IPSet
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/IPSet
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/IPSet
Page 139: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceLogDestinationConfig

LogDestinationConfigDefines where AWS Network Firewall sends logs for the firewall for one log type. This is used inLoggingConfiguration (p. 133). You can send each type of log to an Amazon S3 bucket, a CloudWatchlog group, or a Kinesis Data Firehose delivery stream.

Network Firewall generates logs for stateful rule groups. You can save alert and flow log types. Thestateful rules engine records flow logs for all network traffic that it receives. It records alert logs fortraffic that matches stateful rules that have the rule action set to DROP or ALERT.

ContentsLogDestination

The named location for the logs, provided in a key:value mapping that is specific to the chosendestination type.• For an Amazon S3 bucket, provide the name of the bucket, with key bucketName, and optionally

provide a prefix, with key prefix. The following example specifies an Amazon S3 bucket namedDOC-EXAMPLE-BUCKET and the prefix alerts:

"LogDestination": { "bucketName": "DOC-EXAMPLE-BUCKET", "prefix":"alerts" }

• For a CloudWatch log group, provide the name of the CloudWatch log group, with key logGroup.The following example specifies a log group named alert-log-group:

"LogDestination": { "logGroup": "alert-log-group" }

• For a Kinesis Data Firehose delivery stream, provide the name of the delivery stream, with keydeliveryStream. The following example specifies a delivery stream named alert-delivery-stream:

"LogDestination": { "deliveryStream": "alert-delivery-stream" }

Type: String to string map

Key Length Constraints: Minimum length of 3. Maximum length of 50.

Key Pattern: ^[0-9A-Za-z.\-_@\/]+$

Value Length Constraints: Minimum length of 1. Maximum length of 1024.

Value Pattern: [\s\S]*$

Required: YesLogDestinationType

The type of storage destination to send these logs to. You can send logs to an Amazon S3 bucket, aCloudWatch log group, or a Kinesis Data Firehose delivery stream.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 30.

Pattern: [0-9A-Za-z]+

Valid Values: S3 | CloudWatchLogs | KinesisDataFirehose

Required: Yes

API Version 2020-11-12131

Page 140: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

LogType

The type of log to send. Alert logs report traffic that matches a StatefulRule (p. 151) with an actionsetting that sends an alert log message. Flow logs are standard network traffic flow logs.

Type: String

Valid Values: ALERT | FLOW

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12132

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/LogDestinationConfig
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/LogDestinationConfig
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/LogDestinationConfig
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/LogDestinationConfig
Page 141: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceLoggingConfiguration

LoggingConfigurationDefines how AWS Network Firewall performs logging for a Firewall (p. 117).

ContentsLogDestinationConfigs

Defines the logging destinations for the logs for a firewall. Network Firewall generates logs forstateful rule groups.

Type: Array of LogDestinationConfig (p. 131) objects

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12133

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/LoggingConfiguration
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/LoggingConfiguration
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/LoggingConfiguration
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/LoggingConfiguration
Page 142: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceMatchAttributes

MatchAttributesCriteria for Network Firewall to use to inspect an individual packet in stateless rule inspection. Eachmatch attributes set can include one or more items such as IP address, CIDR range, port number,protocol, and TCP flags.

ContentsDestinationPorts

The destination ports to inspect for. If not specified, this matches with any destination port. Thissetting is only used for protocols 6 (TCP) and 17 (UDP).

You can specify individual ports, for example 1994 and you can specify port ranges, for example1990-1994.

Type: Array of PortRange (p. 137) objects

Required: No

Destinations

The destination IP addresses and address ranges to inspect for, in CIDR notation. If not specified, thismatches with any destination address.

Type: Array of Address (p. 113) objects

Required: No

Protocols

The protocols to inspect for, specified using each protocol's assigned internet protocol number(IANA). If not specified, this matches with any protocol.

Type: Array of integers

Valid Range: Minimum value of 0. Maximum value of 255.

Required: No

SourcePorts

The source ports to inspect for. If not specified, this matches with any source port. This setting isonly used for protocols 6 (TCP) and 17 (UDP).

You can specify individual ports, for example 1994 and you can specify port ranges, for example1990-1994.

Type: Array of PortRange (p. 137) objects

Required: No

Sources

The source IP addresses and address ranges to inspect for, in CIDR notation. If not specified, thismatches with any source address.

Type: Array of Address (p. 113) objects

Required: No

API Version 2020-11-12134

Page 143: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

TCPFlags

The TCP flags and masks to inspect for. If not specified, this matches with any settings. This settingis only used for protocol 6 (TCP).

Type: Array of TCPFlagField (p. 159) objects

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12135

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/MatchAttributes
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/MatchAttributes
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/MatchAttributes
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/MatchAttributes
Page 144: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferencePerObjectStatus

PerObjectStatusProvides configuration status for a single policy or rule group that is used for a firewall endpoint.Network Firewall provides each endpoint with the rules that are configured in the firewall policy. Eachtime you add a subnet or modify the associated firewall policy, Network Firewall synchronizes therules in the endpoint, so it can properly filter network traffic. This is part of a SyncState (p. 157) for afirewall.

ContentsSyncStatus

Indicates whether this object is in sync with the version indicated in the update token.

Type: String

Valid Values: PENDING | IN_SYNC

Required: NoUpdateToken

The current version of the object that is either in sync or pending synchronization.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12136

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/PerObjectStatus
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/PerObjectStatus
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/PerObjectStatus
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/PerObjectStatus
Page 145: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferencePortRange

PortRangeA single port range specification. This is used for source and destination port ranges in the stateless ruleMatchAttributes (p. 134), SourcePorts, and DestinationPorts settings.

ContentsFromPort

The lower limit of the port range. This must be less than or equal to the ToPort specification.

Type: Integer

Valid Range: Minimum value of 0. Maximum value of 65535.

Required: YesToPort

The upper limit of the port range. This must be greater than or equal to the FromPort specification.

Type: Integer

Valid Range: Minimum value of 0. Maximum value of 65535.

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12137

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/PortRange
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/PortRange
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/PortRange
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/PortRange
Page 146: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferencePortSet

PortSetA set of port ranges for use in the rules in a rule group.

ContentsDefinition

The set of port ranges.

Type: Array of strings

Length Constraints: Minimum length of 1.

Pattern: ^.*$

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12138

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/PortSet
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/PortSet
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/PortSet
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/PortSet
Page 147: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferencePublishMetricAction

PublishMetricActionStateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matchingpacket. This setting defines a CloudWatch dimension value to be published.

ContentsDimensions

Type: Array of Dimension (p. 116) objects

Array Members: Fixed number of 1 item.

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12139

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/PublishMetricAction
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/PublishMetricAction
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/PublishMetricAction
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/PublishMetricAction
Page 148: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRuleDefinition

RuleDefinitionThe inspection criteria and action for a single stateless rule. AWS Network Firewall inspects each packetfor the specified matching criteria. When a packet matches the criteria, Network Firewall performs therule's actions on the packet.

ContentsActions

The actions to take on a packet that matches one of the stateless rule definition's match attributes.You must specify a standard action and you can add custom actions.

NoteNetwork Firewall only forwards a packet for stateful rule inspection if you specifyaws:forward_to_sfe for a rule that the packet matches, or if the packetdoesn't match any stateless rule and you specify aws:forward_to_sfe for theStatelessDefaultActions setting for the FirewallPolicy (p. 121).

For every rule, you must specify exactly one of the following standard actions.• aws:pass - Discontinues all inspection of the packet and permits it to go to its intended

destination.• aws:drop - Discontinues all inspection of the packet and blocks it from going to its intended

destination.• aws:forward_to_sfe - Discontinues stateless inspection of the packet and forwards it to the

stateful rule engine for inspection.

Additionally, you can specify a custom action. To do this, you define a custom action by name andtype, then provide the name you've assigned to the action in this Actions setting. For informationabout the options, see CustomAction (p. 115).

To provide more than one action in this setting, separate the settings with a comma. For example,if you have a custom PublishMetrics action that you've named MyMetricsAction, thenyou could specify the standard action aws:pass and the custom action with [“aws:pass”,“MyMetricsAction”].

Type: Array of strings

Required: YesMatchAttributes

Criteria for Network Firewall to use to inspect an individual packet in stateless rule inspection. Eachmatch attributes set can include one or more items such as IP address, CIDR range, port number,protocol, and TCP flags.

Type: MatchAttributes (p. 134) object

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go

API Version 2020-11-12140

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/RuleDefinition
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/RuleDefinition
Page 149: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12141

https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/RuleDefinition
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/RuleDefinition
Page 150: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRuleGroup

RuleGroupThe object that defines the rules in a rule group. This, along with RuleGroupResponse (p. 144), definethe rule group. You can retrieve all objects for a rule group by calling DescribeRuleGroup (p. 52).

AWS Network Firewall uses a rule group to inspect and control network traffic. You define stateless rulegroups to inspect individual packets and you define stateful rule groups to inspect packets in the contextof their traffic flow.

To use a rule group, you include it by reference in an Network Firewall firewall policy, then you use thepolicy in a firewall. You can reference a rule group from more than one firewall policy, and you can use afirewall policy in more than one firewall.

ContentsRulesSource

The stateful rules or stateless rules for the rule group.

Type: RulesSource (p. 147) object

Required: YesRuleVariables

Settings that are available for use in the rules in the rule group. You can only use these for statefulrule groups.

Type: RuleVariables (p. 150) object

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12142

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/RuleGroup
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/RuleGroup
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/RuleGroup
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/RuleGroup
Page 151: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRuleGroupMetadata

RuleGroupMetadataHigh-level information about a rule group, returned by ListRuleGroups (p. 67). You can use theinformation provided in the metadata to retrieve and manage a rule group.

ContentsArn

The Amazon Resource Name (ARN) of the rule group.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: NoName

The descriptive name of the rule group. You can't change the name of a rule group after you createit.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12143

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/RuleGroupMetadata
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/RuleGroupMetadata
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/RuleGroupMetadata
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/RuleGroupMetadata
Page 152: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRuleGroupResponse

RuleGroupResponseThe high-level properties of a rule group. This, along with the RuleGroup (p. 142), define the rule group.You can retrieve all objects for a rule group by calling DescribeRuleGroup (p. 52).

ContentsCapacity

The maximum operating resources that this rule group can use. Rule group capacity is fixed atcreation. When you update a rule group, you are limited to this capacity. When you reference a rulegroup from a firewall policy, Network Firewall reserves this capacity for the rule group.

You can retrieve the capacity that would be required for a rule group before you create the rulegroup by calling CreateRuleGroup (p. 21) with DryRun set to TRUE.

Type: Integer

Required: NoDescription

A description of the rule group.

Type: String

Length Constraints: Maximum length of 512.

Pattern: ^.*$

Required: NoRuleGroupArn

The Amazon Resource Name (ARN) of the rule group.

NoteIf this response is for a create request that had DryRun set to TRUE, then this ARN is aplaceholder that isn't attached to a valid resource.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: YesRuleGroupId

The unique identifier for the rule group.

Type: String

Length Constraints: Fixed length of 36.

Pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Required: YesRuleGroupName

The descriptive name of the rule group. You can't change the name of a rule group after you createit.

API Version 2020-11-12144

Page 153: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^[a-zA-Z0-9-]+$

Required: YesRuleGroupStatus

Detailed information about the current status of a rule group.

Type: String

Valid Values: ACTIVE | DELETING

Required: NoTags

The key:value pairs to associate with the resource.

Type: Array of Tag (p. 158) objects

Array Members: Minimum number of 1 item. Maximum number of 200 items.

Required: NoType

Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it containsstateless rules. If it is stateful, it contains stateful rules.

Type: String

Valid Values: STATELESS | STATEFUL

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12145

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/RuleGroupResponse
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/RuleGroupResponse
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/RuleGroupResponse
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/RuleGroupResponse
Page 154: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRuleOption

RuleOptionAdditional settings for a stateful rule. This is part of the StatefulRule (p. 151) configuration.

ContentsKeyword

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: .*

Required: YesSettings

Type: Array of strings

Length Constraints: Minimum length of 1. Maximum length of 8192.

Pattern: .*

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12146

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/RuleOption
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/RuleOption
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/RuleOption
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/RuleOption
Page 155: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRulesSource

RulesSourceThe stateless or stateful rules definitions for use in a single rule group. Each rule group requires a singleRulesSource. You can use an instance of this for either stateless rules or stateful rules.

ContentsRulesSourceList

Stateful inspection criteria for a domain list rule group.

Type: RulesSourceList (p. 148) object

Required: NoRulesString

Stateful inspection criteria, provided in Suricata compatible intrusion prevention system (IPS) rules.Suricata is an open-source network IPS that includes a standard rule-based language for networktraffic inspection.

These rules contain the inspection criteria and the action to take for traffic that matches the criteria,so this type of rule group doesn't have a separate action setting.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 1000000.

Required: NoStatefulRules

An array of individual stateful rules inspection criteria to be used together in a stateful rule group.Use this option to specify simple Suricata rules with protocol, source and destination, ports,direction, and rule options. For information about the Suricata Rules format, see Rules Format.

Type: Array of StatefulRule (p. 151) objects

Required: NoStatelessRulesAndCustomActions

Stateless inspection criteria to be used in a stateless rule group.

Type: StatelessRulesAndCustomActions (p. 155) object

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12147

https://suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html#
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/RulesSource
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/RulesSource
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/RulesSource
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/RulesSource
Page 156: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRulesSourceList

RulesSourceListStateful inspection criteria for a domain list rule group.

For HTTPS traffic, domain filtering is SNI-based. It uses the server name indicator extension of the TLShandshake.

By default, Network Firewall domain list inspection only includes traffic coming from the VPC whereyou deploy the firewall. To inspect traffic from IP addresses outside of the deployment VPC, you set theHOME_NET rule variable to include the CIDR range of the deployment VPC plus the other CIDR ranges.For more information, see RuleVariables (p. 150) in this guide and Stateful domain list rule groups inAWS Network Firewall in the Network Firewall Developer Guide

ContentsGeneratedRulesType

Whether you want to allow or deny access to the domains in your target list.

Type: String

Valid Values: ALLOWLIST | DENYLIST

Required: YesTargets

The domains that you want to inspect for in your traffic flows. To provide multiple domains, separatethem with commas. Valid domain specifications are the following:• Explicit names. For example, abc.example.com matches only the domain abc.example.com.• Names that use a domain wildcard, which you indicate with an initial '.'. For

example,.example.com matches example.com and matches all subdomains of example.com,such as abc.example.com and www.example.com.

Type: Array of strings

Required: YesTargetTypes

The protocols you want to inspect. Specify TLS_SNI for HTTPS. Specify HTTP_HOST for HTTP. Youcan specify either or both.

Type: Array of strings

Valid Values: TLS_SNI | HTTP_HOST

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12148

https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.html
https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.html
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/RulesSourceList
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/RulesSourceList
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/RulesSourceList
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/RulesSourceList
Page 157: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSee Also

API Version 2020-11-12149

Page 158: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceRuleVariables

RuleVariablesSettings that are available for use in the rules in the RuleGroup (p. 142) where this is defined.

ContentsIPSets

A list of IP addresses and address ranges, in CIDR notation.

Type: String to IPSet (p. 130) object map

Key Length Constraints: Minimum length of 1. Maximum length of 32.

Key Pattern: ^[A-Za-z][A-Za-z0-9_]*$

Required: NoPortSets

A list of port ranges.

Type: String to PortSet (p. 138) object map

Key Length Constraints: Minimum length of 1. Maximum length of 32.

Key Pattern: ^[A-Za-z][A-Za-z0-9_]*$

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12150

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/RuleVariables
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/RuleVariables
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/RuleVariables
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/RuleVariables
Page 159: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceStatefulRule

StatefulRuleA single Suricata rules specification, for use in a stateful rule group. Use this option to specify a simpleSuricata rule with protocol, source and destination, ports, direction, and rule options. For informationabout the Suricata Rules format, see Rules Format.

ContentsAction

Defines what Network Firewall should do with the packets in a traffic flow when the flow matchesthe stateful rule criteria. For all actions, Network Firewall performs the specified action anddiscontinues stateful inspection of the traffic flow.

The actions for a stateful rule are defined as follows:• PASS - Permits the packets to go to the intended destination.• DROP - Blocks the packets from going to the intended destination and sends an alert log

message, if alert logging is configured in the Firewall (p. 117) LoggingConfiguration (p. 133).• ALERT - Permits the packets to go to the intended destination and sends an alert log message, if

alert logging is configured in the Firewall (p. 117) LoggingConfiguration (p. 133).

You can use this action to test a rule that you intend to use to drop traffic. You can enable the rulewith ALERT action, verify in the logs that the rule is filtering as you want, then change the actionto DROP.

Type: String

Valid Values: PASS | DROP | ALERT

Required: YesHeader

The stateful inspection criteria for this rule, used to inspect traffic flows.

Type: Header (p. 128) object

Required: YesRuleOptions

Additional options for the rule. These are the Suricata RuleOptions settings.

Type: Array of RuleOption (p. 146) objects

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12151

https://suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html#
https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/StatefulRule
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/StatefulRule
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/StatefulRule
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/StatefulRule
Page 160: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceStatefulRuleGroupReference

StatefulRuleGroupReferenceIdentifier for a single stateful rule group, used in a firewall policy to refer to a rule group.

ContentsResourceArn

The Amazon Resource Name (ARN) of the stateful rule group.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12152

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/StatefulRuleGroupReference
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/StatefulRuleGroupReference
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/StatefulRuleGroupReference
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/StatefulRuleGroupReference
Page 161: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceStatelessRule

StatelessRuleA single stateless rule. This is used in StatelessRulesAndCustomActions (p. 155).

ContentsPriority

A setting that indicates the order in which to run this rule relative to all of the rules that are definedfor a stateless rule group. Network Firewall evaluates the rules in a rule group starting with thelowest priority setting. You must ensure that the priority settings are unique for the rule group.

Each stateless rule group uses exactly one StatelessRulesAndCustomActions object, and eachStatelessRulesAndCustomActions contains exactly one StatelessRules object. To ensureunique priority settings for your rule groups, set unique priorities for the stateless rules that youdefine inside any single StatelessRules object.

You can change the priority settings of your rules at any time. To make it easier to insert rules later,number them so there's a wide range in between, for example use 100, 200, and so on.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 65535.

Required: YesRuleDefinition

Defines the stateless 5-tuple packet inspection criteria and the action to take on a packet thatmatches the criteria.

Type: RuleDefinition (p. 140) object

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12153

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/StatelessRule
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/StatelessRule
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/StatelessRule
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/StatelessRule
Page 162: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceStatelessRuleGroupReference

StatelessRuleGroupReferenceIdentifier for a single stateless rule group, used in a firewall policy to refer to the rule group.

ContentsPriority

An integer setting that indicates the order in which to run the stateless rule groups in a singleFirewallPolicy (p. 121). Network Firewall applies each stateless rule group to a packet starting withthe group that has the lowest priority setting. You must ensure that the priority settings are uniquewithin each policy.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 65535.

Required: YesResourceArn

The Amazon Resource Name (ARN) of the stateless rule group.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12154

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/StatelessRuleGroupReference
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/StatelessRuleGroupReference
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/StatelessRuleGroupReference
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/StatelessRuleGroupReference
Page 163: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceStatelessRulesAndCustomActions

StatelessRulesAndCustomActionsStateless inspection criteria. Each stateless rule group uses exactly one of these data types to define itsstateless rules.

ContentsCustomActions

Defines an array of individual custom action definitions that are available for use by the statelessrules in this StatelessRulesAndCustomActions specification. You name each custom action thatyou define, and then you can use it by name in your StatelessRule (p. 153) RuleDefinition (p. 140)Actions specification.

Type: Array of CustomAction (p. 115) objects

Required: NoStatelessRules

Defines the set of stateless rules for use in a stateless rule group.

Type: Array of StatelessRule (p. 153) objects

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12155

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/StatelessRulesAndCustomActions
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/StatelessRulesAndCustomActions
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/StatelessRulesAndCustomActions
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/StatelessRulesAndCustomActions
Page 164: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSubnetMapping

SubnetMappingThe ID for a subnet that you want to associate with the firewall. This is used with CreateFirewall (p. 12)and AssociateSubnets (p. 8). AWS Network Firewall creates an instance of the associated firewall in eachsubnet that you specify, to filter traffic in the subnet's Availability Zone.

ContentsSubnetId

The unique identifier for the subnet.

Type: String

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12156

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/SubnetMapping
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/SubnetMapping
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/SubnetMapping
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/SubnetMapping
Page 165: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceSyncState

SyncStateThe status of the firewall endpoint and firewall policy configuration for a single VPC subnet.

For each VPC subnet that you associate with a firewall, AWS Network Firewall does the following:

• Instantiates a firewall endpoint in the subnet, ready to take traffic.• Configures the endpoint with the current firewall policy settings, to provide the filtering behavior for

the endpoint.

When you update a firewall, for example to add a subnet association or change a rule group in thefirewall policy, the affected sync states reflect out-of-sync or not ready status until the changes arecomplete.

ContentsAttachment

The attachment status of the firewall's association with a single VPC subnet. For each configuredsubnet, Network Firewall creates the attachment by instantiating the firewall endpoint in the subnetso that it's ready to take traffic. This is part of the FirewallStatus (p. 126).

Type: Attachment (p. 114) object

Required: NoConfig

The configuration status of the firewall endpoint in a single VPC subnet. Network Firewall provideseach endpoint with the rules that are configured in the firewall policy. Each time you add a subnet ormodify the associated firewall policy, Network Firewall synchronizes the rules in the endpoint, so itcan properly filter network traffic. This is part of the FirewallStatus (p. 126).

Type: String to PerObjectStatus (p. 136) object map

Key Length Constraints: Minimum length of 1. Maximum length of 128.

Key Pattern: ^[a-zA-Z0-9-]+$

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12157

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/SyncState
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/SyncState
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/SyncState
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/SyncState
Page 166: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceTag

TagA key:value pair associated with an AWS resource. The key:value pair can be anything you define.Typically, the tag key represents a category (such as "environment") and the tag value represents aspecific value within that category (such as "test," "development," or "production"). You can add up to 50tags to each AWS resource.

ContentsKey

The part of the key:value pair that defines a tag. You can use a tag key to describe a category ofinformation, such as "customer." Tag keys are case-sensitive.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: ^.*$

Required: YesValue

The part of the key:value pair that defines a tag. You can use a tag value to describe a specific valuewithin a category, such as "companyA" or "companyB." Tag values are case-sensitive.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 256.

Pattern: ^.*$

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12158

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/Tag
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/Tag
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/Tag
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/Tag
Page 167: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API ReferenceTCPFlagField

TCPFlagFieldTCP flags and masks to inspect packets for, used in stateless rules MatchAttributes (p. 134) settings.

ContentsFlags

Used in conjunction with the Masks setting to define the flags that must be set and flags thatmust not be set in order for the packet to match. This setting can only specify values that are alsospecified in the Masks setting.

For the flags that are specified in the masks setting, the following must be true for the packet tomatch:• The ones that are set in this flags setting must be set in the packet.• The ones that are not set in this flags setting must also not be set in the packet.

Type: Array of strings

Valid Values: FIN | SYN | RST | PSH | ACK | URG | ECE | CWR

Required: YesMasks

The set of flags to consider in the inspection. To inspect all flags in the valid values list, leave thiswith no setting.

Type: Array of strings

Valid Values: FIN | SYN | RST | PSH | ACK | URG | ECE | CWR

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java V2• AWS SDK for Ruby V3

API Version 2020-11-12159

https://docs.aws.amazon.com/goto/SdkForCpp/network-firewall-2020-11-12/TCPFlagField
https://docs.aws.amazon.com/goto/SdkForGoV1/network-firewall-2020-11-12/TCPFlagField
https://docs.aws.amazon.com/goto/SdkForJavaV2/network-firewall-2020-11-12/TCPFlagField
https://docs.aws.amazon.com/goto/SdkForRubyV3/network-firewall-2020-11-12/TCPFlagField
Page 168: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

Common ParametersThe following list contains the parameters that all actions use for signing Signature Version 4 requestswith a query string. Any action-specific parameters are listed in the topic for that action. For moreinformation about Signature Version 4, see Signature Version 4 Signing Process in the Amazon WebServices General Reference.

Action

The action to be performed.

Type: string

Required: YesVersion

The API version that the request is written for, expressed in the format YYYY-MM-DD.

Type: string

Required: YesX-Amz-Algorithm

The hash algorithm that you used to create the request signature.

Condition: Specify this parameter when you include authentication information in a query stringinstead of in the HTTP authorization header.

Type: string

Valid Values: AWS4-HMAC-SHA256

Required: ConditionalX-Amz-Credential

The credential scope value, which is a string that includes your access key, the date, the region youare targeting, the service you are requesting, and a termination string ("aws4_request"). The value isexpressed in the following format: access_key/YYYYMMDD/region/service/aws4_request.

For more information, see Task 2: Create a String to Sign for Signature Version 4 in the Amazon WebServices General Reference.

Condition: Specify this parameter when you include authentication information in a query stringinstead of in the HTTP authorization header.

Type: string

Required: ConditionalX-Amz-Date

The date that is used to create the signature. The format must be ISO 8601 basic format(YYYYMMDD'T'HHMMSS'Z'). For example, the following date time is a valid X-Amz-Date value:20120325T120000Z.

Condition: X-Amz-Date is optional for all requests; it can be used to override the date used forsigning requests. If the Date header is specified in the ISO 8601 basic format, X-Amz-Date is

API Version 2020-11-12160

http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
http://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
Page 169: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

not required. When X-Amz-Date is used, it always overrides the value of the Date header. Formore information, see Handling Dates in Signature Version 4 in the Amazon Web Services GeneralReference.

Type: string

Required: ConditionalX-Amz-Security-Token

The temporary security token that was obtained through a call to AWS Security Token Service (AWSSTS). For a list of services that support temporary security credentials from AWS Security TokenService, go to AWS Services That Work with IAM in the IAM User Guide.

Condition: If you're using temporary security credentials from the AWS Security Token Service, youmust include the security token.

Type: string

Required: ConditionalX-Amz-Signature

Specifies the hex-encoded signature that was calculated from the string to sign and the derivedsigning key.

Condition: Specify this parameter when you include authentication information in a query stringinstead of in the HTTP authorization header.

Type: string

Required: ConditionalX-Amz-SignedHeaders

Specifies all the HTTP headers that were included as part of the canonical request. For moreinformation about specifying signed headers, see Task 1: Create a Canonical Request For SignatureVersion 4 in the Amazon Web Services General Reference.

Condition: Specify this parameter when you include authentication information in a query stringinstead of in the HTTP authorization header.

Type: string

Required: Conditional

API Version 2020-11-12161

http://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
Page 170: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

Common ErrorsThis section lists the errors common to the API actions of all AWS services. For errors specific to an APIaction for this service, see the topic for that API action.

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400IncompleteSignature

The request signature does not conform to AWS standards.

HTTP Status Code: 400InternalFailure

The request processing has failed because of an unknown error, exception or failure.

HTTP Status Code: 500InvalidAction

The action or operation requested is invalid. Verify that the action is typed correctly.

HTTP Status Code: 400InvalidClientTokenId

The X.509 certificate or AWS access key ID provided does not exist in our records.

HTTP Status Code: 403InvalidParameterCombination

Parameters that must not be used together were used together.

HTTP Status Code: 400InvalidParameterValue

An invalid or out-of-range value was supplied for the input parameter.

HTTP Status Code: 400InvalidQueryParameter

The AWS query string is malformed or does not adhere to AWS standards.

HTTP Status Code: 400MalformedQueryString

The query string contains a syntax error.

HTTP Status Code: 404MissingAction

The request is missing an action or a required parameter.

HTTP Status Code: 400

API Version 2020-11-12162

Page 171: AWS Network Firewall · 2021. 1. 13. · token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it. To make a conditional

AWS Network Firewall API Reference

MissingAuthenticationToken

The request must contain either a valid (registered) AWS access key ID or X.509 certificate.

HTTP Status Code: 403MissingParameter

A required parameter for the specified action is not supplied.

HTTP Status Code: 400NotAuthorized

You do not have permission to perform this action.

HTTP Status Code: 400OptInRequired

The AWS access key ID needs a subscription for the service.

HTTP Status Code: 403RequestExpired

The request reached the service more than 15 minutes after the date stamp on the request or morethan 15 minutes after the request expiration date (such as for pre-signed URLs), or the date stampon the request is more than 15 minutes in the future.

HTTP Status Code: 400ServiceUnavailable

The request has failed due to a temporary failure of the server.

HTTP Status Code: 503ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 400ValidationError

The input fails to satisfy the constraints specified by an AWS service.

HTTP Status Code: 400

API Version 2020-11-12163


62 Pure Firewall Network Rules En

AWS Network Firewall

Windows Firewall Exceptions - Docusnap€¦ · Windows Firewall Exceptions ... Editing a group policy object Windows Firewall Exceptions ... Network Connections Windows Firewall

Comodo Advanced Network Firewall Engine

Lecture Notes Secured Network with Firewall

Network Firewall Security Auditing Firewalls. Module 1: Understanding Firewalls Firewall Architecture Overview

Improve your Network security with Firewall

BIG-IP Network Firewall: Policies and · What is the BIG-IP Network Firewall? The BIG-IP® Network Firewall provides policy-based access control to and from address and port pairs,

Network Security and Firewall - Theseus

Office suite and firewall - Netfilter · Office suite and firewall É. Leblond Stamus Networks 2016 June 27 É. Leblond (Stamus Networks) Office suite and firewall 2016 June 27

Cisco Firewall and Network Security

Network Firewall Function & Benefits

Let’s Encrypt Container - Amazon Web Services · 2019-07-30 · Let’s Encrypt Container Firewall Rules 16 The Let’s Encrypt Container requires the following firewall rules

IDC RSA Security Breakfast 2018 · Network Network Firewall/UTM Virtualized Firewall ... Firewall DNS Security Certificates Endpoint Consumer Modern Endpoint Physical Server Software

Network Security Firewall CLI Reference Guide

Network Firewall Security

Using Cisco Centri Firewall to Protect Your Network · Using Cisco Centri Firewall to Protect Your Network 6-1 6 Using Cisco Centri Firewall to Protect Your Network Introduction To

Management of stateful firewall misconfiguration

Firewall and Network Securit

Web application firewall - Netsparker

Computer Network Firewall

SISTEM KEAMANAN JARINGAN (FIREWALL) SYSTEM SECURITY NETWORK (Firewall)

Event-Driven Network Programming - arXiv · PDF fileFigure 1: Topology for simple Stateful Firewall. ure 1). Suppose we wish to implement a stateful firewall: at all times, host H1

Industry Firewall with VPN Router Industry Network Storageebook.nexcom.com/Catalog/2016_Industry_Firewall_with_VPN_Rout… · Industry Firewall with VPN Router Industry Network Storage

Cisco RV220W Network Security Firewall

Platform-Independent Firewall Policy ... - Crocodile · Vadim Zaliva, [email protected] December 2, 2007 Abstract In this paper we will discuss the design of abstract firewall model

Advanced Network Security – Firewall Implementation And

Firewall Configuration and Administrationmawelton.people.ysu.edu/CSIS3755/CSIS 3755 - Chapter 8.pdf · Firewall Configuration and Administration . ... Your Firewall Network Address

Firewall Management Essentials · 2019-03-04 · Performance impact: Each additional rule may require the firewall to perform another check on every packet that comes through, so

Dell SonicWALL SuperMassive Next-Generation Firewall Seriesi.dell.com/.../SuperMassive-Next-Generation-Firewall-Series.pdf · Next-Generation Firewall Series Network security

Guidelines on firewalls and firewall policy · PDF fileFirewalls and Network Architectures ... firewall into existing network and security infrastructures. Additionally, firewall solution

Scudo - Murus Firewall...Scudo combines both a network-layer and an application-layer firewall. Its purpose is to give all Mac user a compact, easy, reliable and affordable way to:-protect

Network Security Firewall CLI Reference Guide - dlink-jp.com · Network Security Solution NetDefendOS Ver. 11.04.01 Network Security Firewall CLI Reference Guide SecurSityec urity

firewall inside the core data network

Network Security and Firewall - theseus.fi