NetworkConfig / CentralNetworkServicesConfig / NfwConfig / NfwRuleGroupConfig

Network Firewall rule group configuration.

Use this configuration to define stateful and stateless rule groups for Network Firewall. An AWS Network Firewall rule group is a reusable set of criteria for inspecting and handling network traffic. You add one or more rule groups to a firewall policy as part of policy configuration.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-rulegroup.html

Stateful rule group:

- name: accelerator-stateful-group
  regions:
    - us-east-1
  capacity: 100
  type: STATEFUL
  ruleGroup:
    rulesSource:
      rulesFile: path/to/rules.txt
  shareTargets:
    organizationalUnits:
      - Root
  tags: []

Stateless rule group:

- name: accelerator-stateless-group
  regions:
    - us-east-1
  capacity: 100
  type: STATELESS
  ruleGroup:
    rulesSource:
      statelessRulesAndCustomActions:
        statelessRules:
          - priority: 100
            ruleDefinition:
              actions: ['aws:pass']
              matchAttributes:
                sources:
                  - 10.1.0.0/16
                sourcePorts:
                  - fromPort: 1024
                    toPort: 65535
                destinations:
                  - 10.0.0.0/16
                destinationPorts:
                  - fromPort: 22
                    toPort: 22
  shareTargets:
    organizationalUnits:
      - Root
  tags: []

interface INfwRuleGroupConfig {
    capacity: number;
    description?: string;
    name: string;
    regions: (
        | "af-south-1"
        | "ap-east-1"
        | "ap-northeast-1"
        | "ap-northeast-2"
        | "ap-northeast-3"
        | "ap-south-1"
        | "ap-south-2"
        | "ap-southeast-1"
        | "ap-southeast-2"
        | "ap-southeast-3"
        | "ap-southeast-4"
        | "ap-southeast-5"
        | "ca-central-1"
        | "ca-west-1"
        | "cn-north-1"
        | "cn-northwest-1"
        | "eu-central-1"
        | "eu-central-2"
        | "eu-north-1"
        | "eu-south-1"
        | "eu-south-2"
        | "eu-west-1"
        | "eu-west-2"
        | "eu-west-3"
        | "eu-isoe-west-1"
        | "il-central-1"
        | "me-central-1"
        | "me-south-1"
        | "mx-central-1"
        | "sa-east-1"
        | "us-east-1"
        | "us-east-2"
        | "us-gov-west-1"
        | "us-gov-east-1"
        | "us-iso-east-1"
        | "us-isob-east-1"
        | "us-iso-west-1"
        | "us-isof-south-1"
        | "us-isof-east-1"
        | "us-west-1"
        | "us-west-2")[];
    ruleGroup?: INfwRuleGroupRuleConfig;
    shareTargets?: IShareTargets;
    tags?: ITag[];
    type: NfwRuleType;
}

Properties

capacity: number

The capacity of the rule group.

description?: string

(OPTIONAL) A description for the rule group.

name: string

A friendly name for the rule group.

CAUTION: Changing this property value after initial deployment causes the rule group to be recreated. Please be aware that any downstream dependencies may cause this property update to fail.

regions: (
    | "af-south-1"
    | "ap-east-1"
    | "ap-northeast-1"
    | "ap-northeast-2"
    | "ap-northeast-3"
    | "ap-south-1"
    | "ap-south-2"
    | "ap-southeast-1"
    | "ap-southeast-2"
    | "ap-southeast-3"
    | "ap-southeast-4"
    | "ap-southeast-5"
    | "ca-central-1"
    | "ca-west-1"
    | "cn-north-1"
    | "cn-northwest-1"
    | "eu-central-1"
    | "eu-central-2"
    | "eu-north-1"
    | "eu-south-1"
    | "eu-south-2"
    | "eu-west-1"
    | "eu-west-2"
    | "eu-west-3"
    | "eu-isoe-west-1"
    | "il-central-1"
    | "me-central-1"
    | "me-south-1"
    | "mx-central-1"
    | "sa-east-1"
    | "us-east-1"
    | "us-east-2"
    | "us-gov-west-1"
    | "us-gov-east-1"
    | "us-iso-east-1"
    | "us-isob-east-1"
    | "us-iso-west-1"
    | "us-isof-south-1"
    | "us-isof-east-1"
    | "us-west-1"
    | "us-west-2")[]

The regions to deploy the rule group to.

ruleGroup?: INfwRuleGroupRuleConfig

(OPTIONAL) A Network Firewall rule configuration.

NfwRuleGroupRuleConfig

shareTargets?: IShareTargets

(OPTIONAL) Resource Access Manager (RAM) share targets.

Targets can be account names and/or organizational units. Targets must be configured for account(s)/OU(s) that require access to the rule group. A target is not required for the delegated admin account.

ShareTargets

tags?: ITag[]

(OPTIONAL) An array of tags for the rule group.

type: NfwRuleType

The type of rules in the rule group.
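As an added example (not code from the Landing Zone Accelerator project), a TypeScript pre-deployment lint over the configuration shape documented above: it checks that the rules source matches `type`, that stateless priorities are unique and port ranges are valid, and flags an `aws:pass` rule whose source is unrestricted. The trimmed interfaces, the checks themselves and the sample entry (built from the stateless example above) are this example's own assumptions, not constraints the accelerator enforces.

```typescript
// Added example (not accelerator code): a pre-deployment lint for rule group entries.
// The types cover only the fields checked here; each check is this example's assumption.
type NfwRuleType = "STATEFUL" | "STATELESS";
interface PortRange { fromPort: number; toPort: number }
interface StatelessRule {
  priority: number;
  ruleDefinition: { actions: string[]; matchAttributes?: {
    sources?: string[]; destinations?: string[];
    sourcePorts?: PortRange[]; destinationPorts?: PortRange[]; } };
}
interface NfwRuleGroupConfig {
  name: string; capacity: number; type: NfwRuleType; regions: string[];
  ruleGroup?: { rulesSource: { rulesFile?: string;
    statelessRulesAndCustomActions?: { statelessRules: StatelessRule[] } } };
}

function lintRuleGroup(cfg: NfwRuleGroupConfig): string[] {
  const out: string[] = [];
  const at = (msg: string) => out.push(`${cfg.name}: ${msg}`);
  if (!Number.isInteger(cfg.capacity) || cfg.capacity <= 0) at("capacity must be a positive integer");
  if (cfg.regions.length === 0) at("at least one region is required");
  const src = cfg.ruleGroup?.rulesSource;
  const rules = src?.statelessRulesAndCustomActions?.statelessRules;
  // The rules source has to match the declared type: rulesFile for STATEFUL, rules for STATELESS.
  if (cfg.type === "STATEFUL" && !src?.rulesFile) at("STATEFUL group has no rulesFile");
  if (cfg.type === "STATELESS" && !rules?.length) at("STATELESS group has no statelessRules");
  const seen = new Set<number>();
  for (const r of rules ?? []) {
    if (seen.has(r.priority)) at(`duplicate priority ${r.priority}`);
    seen.add(r.priority);
    const m = r.ruleDefinition.matchAttributes;
    for (const p of [...(m?.sourcePorts ?? []), ...(m?.destinationPorts ?? [])]) {
      if (p.fromPort < 0 || p.toPort > 65535 || p.fromPort > p.toPort)
        at(`priority ${r.priority}: bad port range ${p.fromPort}-${p.toPort}`);
    }
    // A pass rule with an unrestricted (/0) source deserves review before it ships.
    if (r.ruleDefinition.actions.includes("aws:pass") && (m?.sources ?? []).some((c) => c.endsWith("/0")))
      at(`priority ${r.priority}: aws:pass from any source`);
  }
  return out;
}
// Constructed sample: the stateless group shown in the example above.
const sampleStateless: NfwRuleGroupConfig = {
  name: "accelerator-stateless-group", regions: ["us-east-1"], capacity: 100, type: "STATELESS",
  ruleGroup: { rulesSource: { statelessRulesAndCustomActions: { statelessRules: [{ priority: 100,
    ruleDefinition: { actions: ["aws:pass"], matchAttributes: {
      sources: ["10.1.0.0/16"], sourcePorts: [{ fromPort: 1024, toPort: 65535 }],
      destinations: ["10.0.0.0/16"], destinationPorts: [{ fromPort: 22, toPort: 22 }] } } }] } } },
};
console.log(lintRuleGroup(sampleStateless)); // []
```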