AWS Step-by-Step

Getting Started With VPC Firewalls, Part 2: Creating a Network Policy

• By Brien Posey
• 04/30/2025

In my first article in this series, I explained that the first step in creating a VPC network firewall is to create a rule group. Now let's continue the walkthrough by creating a network firewall policy.

To create a firewall policy, open the VPC dashboard and click on the Firewall Policies tab, found in the Network Firewall section, and then click the Create Firewall Policy button.

The first screen that you will see as a part of the policy creation process asks you to enter a name and an optional description for your firewall policy. You can also choose how the firewall should behave if the network connection happens to break midstream. As you can see in Figure 1, you can drop the subsequent traffic, continue processing traffic, or send a TCP reset packet.

Click Next, and you will be taken to the Add Rule Groups screen. The first thing that you will usually want to do on this screen is to define a set of default actions for packets that match a rule's criteria. You can pass, drop, or forward a packet. You can also opt to use the same action for all packets or you can treat fragmented and full packets differently from one another. Next, click the Add Stateless Rule Groups button and then add the rule group that you created earlier. You can see what this looks like in Figure 2. Further down on the page, there are options for processing stateful rules should you decide to do so.

Click Next and you will once again be asked if you want to perform encryption using an AWS managed key or if you would prefer to use your own key. Again, it's best to use an AWS managed key unless you have a good reason for using your own key.

This screen also contains options for performing a CIDR override or changing the idle timeout should you have the need, though most organizations probably won't need to use these settings.

Click Next and you will be taken to a screen that lets you configure an optional TLS inspection. When you are done, click Next. You can now apply any optional tags that you might want to apply to the firewall policy. When you are done, click Next followed by Create Firewall Policy to complete the process.

The last step in the overall configuration process is to create the firewall itself. To do so, click on the Firewalls tab, found in the Network Firewall section, and then click the Create Firewall button.

The first step in creating a new firewall is to enter a name and an optional description for the firewall. Even though the description is optional, I recommend creating a description since there is a good chance that you will be creating additional firewalls as time goes on.

Click Next and you will be taken to the Configure VPC and Subnets screen. Here, you will need to tell AWS which VPC the firewall should be a part of. Next, you will need to choose an availability zone within the VPC and then select a subnet that is associated with your chosen availability zone, You will also need to specify the IP Address type, as shown in Figure 3.

As you look at the figure above, you will notice that there is an option to add a new subnet. You can link multiple subnets, and even multiple availability zones to a single firewall. When you are done, click Next.

Click Next, and you will be taken to the screen shown in Figure 4. This screen contains two checkboxes that are selected by default. If left selected, one checkbox will protect the firewall against accidental deletion and the other checkbox will prevent the firewall's subnet from being changed. The screen also contains two more checkboxes that are not selected by default. One enables traffic analysis mode and the other allows you to use your own encryption key in place of the Amazon managed key.

Click Next, and you will be taken to the Associate Firewall Policy screen. Here, you will need to select the Associate an Existing Firewall Policy option, select the firewall policy that you created earlier, and click Next.

Now, you will have the opportunity to apply any desired tags to the firewall that you are creating. When you are done, click Next, followed by Create Firewall to complete the process.