Deploy AWS Network Firewall Across Multiple Availability Zones
Overview
This check verifies that your AWS Network Firewall is deployed across at least two Availability Zones (AZs). A multi-AZ deployment ensures your firewall remains available even if one AZ experiences an outage.
Risk
Deploying a Network Firewall in a single Availability Zone creates a single point of failure:
- Service disruption: If the AZ goes down, your firewall becomes unavailable
- Security bypass: During an outage, teams may route traffic around the firewall to restore connectivity, bypassing security inspection entirely
- Data exposure: Unfiltered traffic could allow data exfiltration or lateral movement attacks
- Compliance gaps: Many compliance frameworks require high availability for security controls
Remediation Steps
Prerequisites
You need:
- Access to the AWS Console with permissions to modify Network Firewall settings
- A subnet in a second Availability Zone dedicated to Network Firewall (firewall subnets should not contain other resources)
Required IAM permissions
Your IAM user or role needs the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "network-firewall:DescribeFirewall",
        "network-firewall:AssociateSubnets",
        "network-firewall:ListFirewalls",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    }
  ]
}
Creating a firewall subnet in a new AZ
Before adding a second AZ to your firewall, you need a dedicated subnet in that AZ:
- Open the VPC Console at https://console.aws.amazon.com/vpc/
- In the left navigation, click Subnets
- Click Create subnet
- Select the same VPC as your existing firewall
- Choose a different Availability Zone than your current firewall subnet
- Enter a CIDR block (e.g., 10.0.100.0/28; a /28 is sufficient for firewall endpoints)
- Name the subnet descriptively (e.g., firewall-subnet-az2)
- Click Create subnet
Important: Firewall subnets should be dedicated solely to Network Firewall. Do not place other resources in these subnets.
AWS Console Method
- Open the VPC Console at https://console.aws.amazon.com/vpc/
- In the left navigation, scroll down to Network Firewall and select Firewalls
- Click on the name of your firewall
- In the Firewall details tab, find the Associated subnets section
- Click Edit
- Click Add new subnet
- Select a subnet in a different Availability Zone from your existing subnet(s)
- Click Save
After saving, AWS will create a new firewall endpoint in the added subnet. This process takes a few minutes.
Important: After adding the new subnet, you must update your VPC route tables to direct traffic through the new firewall endpoint. See the "Updating Route Tables" section below.
AWS CLI (optional)
Add a subnet to an existing firewall
aws network-firewall associate-subnets \
--firewall-name <your-firewall-name> \
--subnet-mappings SubnetId=<subnet-id-in-different-az> \
--region us-east-1
Replace:
- <your-firewall-name> with your firewall name
- <subnet-id-in-different-az> with the subnet ID in your second AZ
Example with multiple subnets
To add subnets in two new AZs at once:
aws network-firewall associate-subnets \
--firewall-name my-firewall \
--subnet-mappings SubnetId=subnet-abc123 SubnetId=subnet-def456 \
--region us-east-1
Using the firewall ARN
aws network-firewall associate-subnets \
--firewall-arn arn:aws:network-firewall:us-east-1:123456789012:firewall/my-firewall \
--subnet-mappings SubnetId=subnet-abc123 \
--region us-east-1
List all firewalls
aws network-firewall list-firewalls --region us-east-1
Check current subnet mappings
aws network-firewall describe-firewall \
--firewall-name <your-firewall-name> \
--region us-east-1 \
--query 'Firewall.SubnetMappings'
CloudFormation (optional)
When creating or updating a Network Firewall via CloudFormation, specify multiple SubnetMappings entries:
AWSTemplateFormatVersion: '2010-09-09'
Description: Network Firewall deployed across multiple Availability Zones
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: The VPC ID where the firewall will be deployed
  FirewallSubnetAz1:
    Type: AWS::EC2::Subnet::Id
    Description: Firewall subnet in Availability Zone 1
  FirewallSubnetAz2:
    Type: AWS::EC2::Subnet::Id
    Description: Firewall subnet in Availability Zone 2
Resources:
  FirewallPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: multi-az-firewall-policy
      FirewallPolicy:
        StatelessDefaultActions:
          - aws:forward_to_sfe
        StatelessFragmentDefaultActions:
          - aws:forward_to_sfe
  NetworkFirewall:
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      FirewallName: multi-az-firewall
      FirewallPolicyArn: !Ref FirewallPolicy
      VpcId: !Ref VpcId
      DeleteProtection: true
      SubnetChangeProtection: true
      SubnetMappings:
        - SubnetId: !Ref FirewallSubnetAz1
        - SubnetId: !Ref FirewallSubnetAz2
      Tags:
        - Key: Environment
          Value: production
Outputs:
  FirewallArn:
    Description: The ARN of the Network Firewall
    Value: !Ref NetworkFirewall
Key points:
- Include at least two SubnetMappings entries, each in a different AZ
- Enable SubnetChangeProtection to prevent accidental removal of subnets
- Enable DeleteProtection as a best practice
Terraform (optional)
When creating or updating a Network Firewall with Terraform, specify multiple subnet_mapping blocks:
variable "vpc_id" {
  description = "The VPC ID where the firewall will be deployed"
  type        = string
}

variable "firewall_subnet_ids" {
  description = "List of subnet IDs for firewall endpoints (one per AZ, minimum 2)"
  type        = list(string)

  validation {
    condition     = length(var.firewall_subnet_ids) >= 2
    error_message = "At least 2 subnet IDs are required for multi-AZ deployment."
  }
}

resource "aws_networkfirewall_firewall_policy" "multi_az" {
  name = "multi-az-firewall-policy"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
  }
}

resource "aws_networkfirewall_firewall" "multi_az" {
  name                     = "multi-az-firewall"
  firewall_policy_arn      = aws_networkfirewall_firewall_policy.multi_az.arn
  vpc_id                   = var.vpc_id
  delete_protection        = true
  subnet_change_protection = true

  dynamic "subnet_mapping" {
    for_each = var.firewall_subnet_ids
    content {
      subnet_id = subnet_mapping.value
    }
  }

  tags = {
    Environment = "production"
  }
}

output "firewall_arn" {
  description = "The ARN of the Network Firewall"
  value       = aws_networkfirewall_firewall.multi_az.arn
}

output "firewall_status" {
  description = "The firewall status including endpoint information"
  value       = aws_networkfirewall_firewall.multi_az.firewall_status
}
Usage:
module "network_firewall" {
  source = "./modules/network-firewall"
  vpc_id = "vpc-12345678"
  firewall_subnet_ids = [
    "subnet-aaaaaaaa", # us-east-1a
    "subnet-bbbbbbbb"  # us-east-1b
  ]
}
The validation block ensures at least 2 subnets are provided.
Updating route tables after adding an AZ
After adding a new firewall endpoint, you must update your VPC route tables to use it. Each AZ should route traffic through its local firewall endpoint.
Find the new endpoint ID
aws network-firewall describe-firewall \
--firewall-name <your-firewall-name> \
--region us-east-1 \
--query 'FirewallStatus.SyncStates'
This returns endpoint IDs for each AZ, formatted as vpce-xxxxxxxxxxxxxxxxx.
Update route tables
For each route table that needs to send traffic through the firewall:
- Open the VPC Console > Route tables
- Select the route table for the new AZ
- Click Edit routes
- Add or modify routes to use the firewall endpoint as the target:
  - For internet-bound traffic: 0.0.0.0/0 -> vpce-xxxxxxxxx (firewall endpoint)
  - For inter-AZ traffic: route through the local firewall endpoint
Important: Maintain symmetric routing - traffic should go through the same firewall endpoint in both directions to preserve stateful inspection.
Verification
After adding the new Availability Zone, verify your firewall is deployed across multiple AZs:
In the AWS Console:
- Go to VPC Console > Network Firewall > Firewalls
- Click on your firewall
- In the Firewall details tab, check the Associated subnets section
- Confirm subnets are listed in at least two different Availability Zones
- Check the Firewall status shows "Ready" for all endpoints
CLI verification
Check subnet mappings and their AZs
aws network-firewall describe-firewall \
--firewall-name <your-firewall-name> \
--region us-east-1 \
--query 'Firewall.SubnetMappings'
Get detailed endpoint status by AZ
aws network-firewall describe-firewall \
--firewall-name <your-firewall-name> \
--region us-east-1 \
--query 'FirewallStatus.SyncStates'
This shows each AZ with its firewall endpoint ID and status. You should see at least two AZs listed.
Count the number of AZs
aws network-firewall describe-firewall \
--firewall-name <your-firewall-name> \
--region us-east-1 \
--query 'length(Firewall.SubnetMappings)'
This should return 2 or more.
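The CLI checks above are easy to run but they leave two gaps a reviewer will ask about: length(Firewall.SubnetMappings) counts subnets rather than distinct Availability Zones (two firewall subnets in the same AZ would pass), and nothing on the page checks the symmetric-routing rule from the "Updating route tables" section. The following script is an added example, not part of this guide or of any AWS tooling. It evaluates both conditions offline against constructed copies of the describe-firewall and describe-route-tables responses; the firewall name, subnet, endpoint and route table IDs are made up, and the assumption that a firewall endpoint route is serialised under GatewayId is labelled in the code.

```python
"""Added example: verify distinct READY AZs and local-endpoint routing offline.

Assumptions: response shapes follow the DescribeFirewall and DescribeRouteTables
APIs; every ID below is constructed for the example.
"""

# Constructed sample of `aws network-firewall describe-firewall` output.
# SyncStates is keyed by Availability Zone, one attachment per firewall subnet.
SAMPLE_DESCRIBE_FIREWALL = {
    "Firewall": {
        "FirewallName": "my-firewall",
        "SubnetMappings": [
            {"SubnetId": "subnet-aaaaaaaa"},
            {"SubnetId": "subnet-bbbbbbbb"},
        ],
    },
    "FirewallStatus": {
        "Status": "READY",
        "SyncStates": {
            "us-east-1a": {"Attachment": {
                "SubnetId": "subnet-aaaaaaaa",
                "EndpointId": "vpce-0aaaaaaaaaaaaaaaa",
                "Status": "READY"}},
            "us-east-1b": {"Attachment": {
                "SubnetId": "subnet-bbbbbbbb",
                "EndpointId": "vpce-0bbbbbbbbbbbbbbbb",
                "Status": "READY"}},
        },
    },
}

# Constructed sample: one protected-subnet route table per AZ, trimmed from the
# shape of `aws ec2 describe-route-tables`. The us-east-1b table deliberately
# points at the us-east-1a endpoint so the asymmetric-routing finding fires.
SAMPLE_ROUTE_TABLES_BY_AZ = {
    "us-east-1a": {"RouteTableId": "rtb-0aaaaaaaaaaaaaaaa", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0aaaaaaaaaaaaaaaa"},
    ]},
    "us-east-1b": {"RouteTableId": "rtb-0bbbbbbbbbbbbbbbb", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0aaaaaaaaaaaaaaaa"},
    ]},
}


def ready_endpoints_by_az(describe_output):
    """Map each AZ to its firewall endpoint ID, counting only READY attachments.

    Keying on the AZ (instead of len(Firewall.SubnetMappings)) means two subnets
    that happen to sit in the same AZ are not mistaken for a multi-AZ deployment.
    """
    sync_states = describe_output.get("FirewallStatus", {}).get("SyncStates", {})
    endpoints = {}
    for az, state in sync_states.items():
        attachment = state.get("Attachment", {})
        if attachment.get("Status") == "READY" and attachment.get("EndpointId"):
            endpoints[az] = attachment["EndpointId"]
    return endpoints


def is_multi_az(describe_output, minimum_azs=2):
    """True when READY endpoints exist in at least `minimum_azs` distinct AZs."""
    return len(ready_endpoints_by_az(describe_output)) >= minimum_azs


def _route_target(route):
    # Assumption: a Gateway Load Balancer endpoint route is serialised under
    # GatewayId; VpcEndpointId is checked as a fallback for other serialisations.
    return route.get("GatewayId") or route.get("VpcEndpointId")


def route_findings(route_tables_by_az, endpoints_by_az, destination="0.0.0.0/0"):
    """Flag every AZ whose route for `destination` does not target its own endpoint.

    Returns a list of (az, route_table_id, message) tuples; empty means compliant.
    """
    findings = []
    for az, table in route_tables_by_az.items():
        rtb = table.get("RouteTableId", "?")
        local_endpoint = endpoints_by_az.get(az)
        if local_endpoint is None:
            findings.append((az, rtb, "no READY firewall endpoint in this AZ"))
            continue
        matching = [r for r in table.get("Routes", [])
                    if r.get("DestinationCidrBlock") == destination]
        if not matching:
            findings.append((az, rtb, f"no route for {destination}"))
            continue
        target = _route_target(matching[0])
        if target != local_endpoint:
            findings.append((az, rtb, f"{destination} targets {target}, "
                                      f"expected local endpoint {local_endpoint}"))
    return findings


if __name__ == "__main__":
    endpoints = ready_endpoints_by_az(SAMPLE_DESCRIBE_FIREWALL)
    print("multi-AZ:", is_multi_az(SAMPLE_DESCRIBE_FIREWALL), endpoints)
    for az, rtb, msg in route_findings(SAMPLE_ROUTE_TABLES_BY_AZ, endpoints):
        print(f"FINDING {az} {rtb}: {msg}")
```

To run it against a real account, replace the two constructed dictionaries with json.load of the describe-firewall output from the commands above and of the route table attached to each protected subnet, grouped by the subnet's AZ. A non-empty findings list is the condition to alert on: it means either an AZ has no working endpoint or its traffic is being hairpinned through another AZ's endpoint, which is exactly the asymmetric path that breaks stateful inspection.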
Additional Resources
- AWS Network Firewall Documentation
- Network Firewall Multi-AZ Deployments
- AWS Network Firewall CLI Reference
- VPC Route Table Configuration for Network Firewall
Notes
- Symmetric routing is critical: For stateful inspection to work correctly, traffic must flow through the same firewall endpoint in both directions. Configure route tables carefully to maintain symmetric routing.
- Dedicated firewall subnets: Each firewall subnet should be dedicated solely to Network Firewall. Do not place other resources in these subnets.
- Cost consideration: Each firewall endpoint incurs hourly charges. Multi-AZ deployment increases costs but is essential for production workloads.
- Endpoint provisioning time: New firewall endpoints take several minutes to provision. Plan for this during maintenance windows.
- Subnet change protection: Consider enabling SubnetChangeProtection to prevent accidental removal of AZs from your firewall.