AWS re:Invent 2025 - AWS Network Firewall Proxy (NET216)

AWS Network Firewall Proxy Overview

What is AWS Network Firewall Proxy?

  • AWS Network Firewall Proxy is a new explicit proxy service launched by AWS to provide advanced traffic filtering and visibility capabilities.
  • It sits between client applications and their destination servers, inspecting and controlling the traffic flow.
  • The proxy offers three phases of filtering: pre-DNS resolution, pre-request, and post-response.
  • It supports both HTTP and HTTPS traffic, with the option to enable TLS interception for deeper inspection.

Key Features and Capabilities

Traffic Filtering

  • Allows defining rules to control access based on destination domains, IP addresses, HTTP methods, URI paths, content types, and other attributes.
  • Supports both allow and deny actions, with the ability to set default behaviors for each filtering phase.
  • Provides granular control over traffic, enabling policies like "allow HTTP GET but deny PUT" or "allow application/json but deny image/*".

TLS Interception

  • Enables the proxy to decrypt and inspect HTTPS traffic by establishing trust with client instances.
  • Leverages AWS Private CA to generate forward certificates signed by an enterprise-trusted root CA.
  • Provides visibility into encrypted traffic attributes for more advanced filtering.

Centralized Management and Visibility

  • Proxy configurations contain prioritized rule groups, allowing reusable policies across applications.
  • Offers comprehensive logging and monitoring of all traffic flowing through the proxy.
  • Supports access to the proxy from multiple VPCs, accounts, and on-premises locations.
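The filtering model described above (three phases, allow/deny actions with a per-phase default, prioritized rules, and the effect of TLS interception on what each phase can see) can be illustrated with a small policy evaluator. The code below is an added example written for this summary; it is not AWS's rule language, API or implementation, and the rule names, field names, phase identifiers and request lines are constructed assumptions. It also shows the difference between what an explicit proxy sees for plain HTTP (an absolute-form request line) and for HTTPS (a CONNECT tunnel, where the method and path are visible only after TLS interception).

```python
"""Illustrative model of three-phase explicit-proxy filtering (example code,
not AWS Network Firewall Proxy's rule syntax). All names below are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, Optional
from urllib.parse import urlsplit

ALLOW, DENY = "allow", "deny"
PRE_DNS, PRE_REQUEST, POST_RESPONSE = "pre_dns", "pre_request", "post_response"


@dataclass
class Rule:
    phase: str                      # which phase evaluates this rule
    action: str                     # ALLOW or DENY
    priority: int                   # lower number is evaluated first
    match: Callable[[dict], bool]   # predicate over the attributes visible in that phase
    name: str = ""


@dataclass
class Policy:
    rules: list
    defaults: dict  # default action per phase when no rule matches

    def evaluate(self, phase: str, attrs: dict):
        """Return (action, rule_name) for the first matching rule in priority order,
        or the phase's default action when nothing matches."""
        for rule in sorted((r for r in self.rules if r.phase == phase), key=lambda r: r.priority):
            if rule.match(attrs):
                return rule.action, rule.name
        return self.defaults.get(phase, DENY), "default"


def parse_request_line(line: str) -> dict:
    """Parse the three request-line shapes an explicit proxy encounters."""
    method, target, _version = line.split(" ", 2)
    if method == "CONNECT":                      # HTTPS tunnel: only host:port is visible
        host, _, port = target.rpartition(":")
        return {"method": method, "host": host, "port": int(port), "path": None}
    if target.startswith("/"):                   # origin-form: the inner request after decryption
        return {"method": method, "host": None, "port": None, "path": target}
    parts = urlsplit(target)                     # absolute-form: plain HTTP sent via the proxy
    return {"method": method, "host": parts.hostname, "port": parts.port or 80, "path": parts.path or "/"}


def check_flow(policy: Policy, request_line: str, decrypted_request_line: Optional[str] = None,
               response_headers: Optional[dict] = None) -> list:
    """Run one flow through the phases; returns [(phase, action, rule_name), ...] and stops at a deny."""
    outer = parse_request_line(request_line)
    decisions = []
    # Phase 1, pre-DNS: only the destination name is known at this point.
    action, name = policy.evaluate(PRE_DNS, {"host": outer["host"]})
    decisions.append((PRE_DNS, action, name))
    if action == DENY:
        return decisions
    # Phase 2, pre-request: method and path are known for plain HTTP; for a CONNECT
    # tunnel they are known only if TLS interception exposed the inner request.
    attrs = dict(outer)
    if outer["method"] == "CONNECT":
        if decrypted_request_line is None:
            attrs["method"] = attrs["path"] = None   # no interception: method/path invisible
        else:
            inner = parse_request_line(decrypted_request_line)
            attrs.update(method=inner["method"], path=inner["path"])
    action, name = policy.evaluate(PRE_REQUEST, attrs)
    decisions.append((PRE_REQUEST, action, name))
    if action == DENY or response_headers is None:
        return decisions
    # Phase 3, post-response: response headers (e.g. content type) are now available.
    resp_attrs = dict(attrs, **{k.lower(): v for k, v in response_headers.items()})
    action, name = policy.evaluate(POST_RESPONSE, resp_attrs)
    decisions.append((POST_RESPONSE, action, name))
    return decisions


def example_policy() -> Policy:
    """Constructed policy: allow corporate domains, allow GET but deny PUT,
    allow application/json but deny image/* (the talk's own example policies)."""
    return Policy(
        rules=[
            Rule(PRE_DNS, ALLOW, 10, lambda a: fnmatch(a["host"] or "", "*.example.com"), "allow-corp-domains"),
            Rule(PRE_REQUEST, DENY, 10, lambda a: a["method"] == "PUT", "deny-put"),
            Rule(PRE_REQUEST, ALLOW, 20, lambda a: a["method"] == "GET", "allow-get"),
            Rule(POST_RESPONSE, DENY, 10, lambda a: fnmatch(a.get("content-type", ""), "image/*"), "deny-images"),
            Rule(POST_RESPONSE, ALLOW, 20, lambda a: a.get("content-type", "").startswith("application/json"), "allow-json"),
        ],
        defaults={PRE_DNS: DENY, PRE_REQUEST: ALLOW, POST_RESPONSE: ALLOW},
    )


if __name__ == "__main__":
    policy = example_policy()
    print(check_flow(policy, "PUT http://app.example.com/data HTTP/1.1"))
    print(check_flow(policy, "CONNECT app.example.com:443 HTTP/1.1"))
    print(check_flow(policy, "CONNECT app.example.com:443 HTTP/1.1", decrypted_request_line="PUT /upload HTTP/1.1"))
```

The two CONNECT calls at the end make the visibility point concrete: with the same policy, an HTTPS PUT passes the pre-request phase on the pre-request default when the tunnel is not decrypted, and is denied by the deny-put rule once TLS interception exposes the inner request. The pre-DNS phase defaults to deny so that only listed destinations are ever resolved.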

Deployment Architectures

Single VPC Deployment

  • Proxy is deployed in the egress VPC, attached to an existing NAT Gateway.
  • Client instances in private subnets send all web traffic to the proxy endpoint, so those subnets need no direct route to the internet.
  • The public subnet maintains a route to the internet gateway for direct internet access.

Multi-VPC Deployment

  • Centralizes the proxy in a dedicated egress VPC, accessible to multiple client VPCs through private endpoints.
  • Client VPCs do not require internet gateways or default routes, as all traffic is routed through the proxy.
  • Supports cross-account access, with the proxy VPC potentially in a different AWS account.

Transit Gateway Integration

  • Leverages Transit Gateway to route traffic from client VPCs to the centralized proxy.
  • Eliminates the need to deploy proxy endpoints in every VPC, simplifying management.
  • Requires updating routing tables in the client VPCs and the Transit Gateway to reach the proxy.

Comparison to Other Egress Solutions

  • Network Firewall Proxy is an explicit proxy, while Network Firewall is a transparent proxy.
  • Proxy supports only HTTP/HTTPS traffic, while Network Firewall can handle any TCP/UDP traffic.
  • Proxy provides deeper inspection through TLS interception, while Network Firewall relies on the attributes that remain visible without decrypting the traffic.
  • Customers can choose to use both solutions in a hybrid architecture, with the proxy handling web traffic and Network Firewall managing other protocols.

Business Impact and Use Cases

  • Centralized control and governance over all outbound traffic, ensuring compliance and security policies are enforced.
  • Improved visibility into application behavior and traffic patterns, enabling better monitoring and threat detection.
  • Granular control over access to internet resources, preventing data leakage and protecting against malicious destinations.
  • Simplified management and reduced operational overhead compared to running a custom proxy solution.

Conclusion

AWS Network Firewall Proxy offers a powerful and flexible solution for organizations to control and secure their outbound internet traffic. Its advanced filtering capabilities, TLS interception, and centralized management make it a valuable tool for improving overall network security and visibility.
