# AWS Network Firewall Module - Single VPC
This example builds AWS Network Firewall in a single VPC to inspect any ingress/egress traffic - distributed inspection model.
* Outside of the Network Firewall module:
* Firewall policies - in `policy.tf`
* Amazon VPC with 3 subnet types (firewall, protected, and private)
* Created by the Network Firewall mdodule:
* AWS Network Firewall resource.
* Routing to the firewall endpoints - to inspect traffic between the Internet gateway and the protected subnets)
The AWS Region used in the example is **us-east-2 (Ohio)**.
## Prerequisites
* An AWS account with an IAM user with the appropriate permissions
* Terraform installed
## Code Principles
* Writing DRY (Do No Repeat Yourself) code using a modular design pattern
## Usage
* Clone the repository
* Edit the *variables.tf* file in the project root directory
**Note** Network Firewall endpoints will be deployted in all the Availability Zones used in the example (*var.vpc.number\_azs*). By default, the number of AZs used is 2 to follow best practices. Take that into account when doing tests from a cost perspective.
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
| [aws](#requirement\_aws) | >= 3.73.0 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 3.73.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [network\_firewall](#module\_network\_firewall) | aws-ia/networkfirewall/aws | 0.1.1 |
| [vpc](#module\_vpc) | ./modules/vpc | n/a |
## Resources
| Name | Type |
|------|------|
| [aws_cloudwatch_log_group.alert_lg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_cloudwatch_log_group.flow_lg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_kms_key.log_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_networkfirewall_firewall_policy.anfw_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |
| [aws_networkfirewall_rule_group.allow_domains](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
| [aws_networkfirewall_rule_group.allow_icmp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
| [aws_networkfirewall_rule_group.drop_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.policy_kms_logs_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [aws\_region](#input\_aws\_region) | AWS Region. | `string` | `"us-east-2"` | no |
| [identifier](#input\_identifier) | Project identifier. | `string` | `"single-vpc"` | no |
| [vpc](#input\_vpc) | Information about the VPC to create. | `any` | {
"cidr_block": "10.129.0.0/16",
"firewall_subnet_cidrs": [
"10.129.0.0/24",
"10.129.1.0/24",
"10.129.2.0/24"
],
"number_azs": 2,
"private_subnet_cidrs": [
"10.129.6.0/24",
"10.129.7.0/24",
"10.129.8.0/24"
],
"protected_subnet_cidrs": [
"10.129.3.0/24",
"10.129.4.0/24",
"10.129.5.0/24"
]
} | no |
## Outputs
| Name | Description |
|------|-------------|
| [network\_firewall](#output\_network\_firewall) | AWS Network Firewall ID. |
| [vpc](#output\_vpc) | VPC ID. |