Question
How does AWS Network Firewall rule evaluation work?
Answer
Stateless rules evaluate first (pass/drop/forward). Passed traffic goes to the stateful engine, which uses Suricata-compatible 5-tuple, domain, and IPS rules.
All Network Security Flashcards
Q: What is traffic mirroring?
A: Copies network traffic from ENIs to a target (NLB or ENI) for inspection. Configure filters to capture specific traffic. Does not affect source performance.
Q: What is the difference between Shield Standard and Advanced?
A: Standard: free, automatic L3/L4 DDoS protection. Advanced: $3K/month, L7 protection, DRT support, cost protection, advanced metrics, WAF included.
Q: What does a GWLB (Gateway Load Balancer) do?
A: Distributes traffic to virtual appliances (firewalls, IDS) using GENEVE encapsulation. Transparent to the application — sits in the routing path.
Q: What is VPC Flow Logs format?
A: Version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status. Custom formats supported.
Q: What is a WAF rate-based rule?
A: Blocks IPs that exceed a threshold (100–20M requests) in a 5-minute window. Automatically unblocks when rate drops. Use for DDoS and brute-force protection.
Q: How does Network Firewall domain filtering work?
A: Inspects SNI (TLS) or Host header (HTTP) to allow/deny traffic to specific domains. Does not decrypt traffic — works on connection metadata.
Q: What is the NACL ephemeral port consideration?
A: Return traffic uses ephemeral ports (1024-65535). Outbound NACL rules must allow ephemeral ports for inbound connections. Often forgotten in troubleshooting.
Q: What is a prefix list?
A: A set of CIDR blocks managed as a single resource. Use in security groups and route tables. AWS-managed prefix lists for S3, DynamoDB, CloudFront.
Q: What is the difference between an endpoint policy and a security group for VPC endpoints?
A: Endpoint policy: IAM-like policy controlling which AWS actions/resources are accessible. Security group: controls which source IPs/SGs can reach the endpoint ENI.