Is there an API call I can make to multiple VPCs that will return the network firewalls associated with it?


I'm in the process of creating a custom config rule.

I need to confirm upon creation of VPCs (doesn't have to be immediate) that there's a Network Firewall attached to the VPC.

However, the issue is when I review the AWS documentation for boto3/cli calls to the API here

The describe-vpcs method doesn't return the Network Firewalls. I see that the describe-firewalls action does; however, I'm wondering if there's a way to call an API to determine if there's a network firewall associated with a VPC from a VPC standpoint. For example, listing all VPCs in the account and the metadata within them that INCLUDES the network firewall.

If there's no way, then at least I know there's no better solution. But I want to confirm this before moving on to network-firewall API calls.

2 Answers

One option is to use the describe-vpc-endpoints call with these filters:

vpc-endpoint-type = GatewayLoadBalancer
vpc-id = <The ID of the VPC you want to check>
tag = Name=AWSNetworkFirewallManaged,Values=true

If you get a result, it means there's an AWS Network Firewall in the VPC. It however doesn't imply that it's being used. You'll need to check the subnet route tables for that.

answered 2 months ago
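The check described in the answer above, written out as an added Python example (it is not part of the original answer and not AWS code): find the Network Firewall endpoints in each VPC with those filters, then confirm that some route table in the VPC targets one of them. It assumes each VPC hosts its own firewall endpoint, that a route to the endpoint shows its `vpce-` ID in `GatewayId`, and that a VPC with an unrouted endpoint should count as non-compliant; `FakeEC2` and all IDs are constructed so the block runs offline.

```python
FIREWALL_FILTERS = [  # filters quoted in the answer above
    {"Name": "vpc-endpoint-type", "Values": ["GatewayLoadBalancer"]},
    {"Name": "tag:AWSNetworkFirewallManaged", "Values": ["true"]},
]

def _pages(call, key, **kwargs):
    """Yield items from every page of an EC2 describe_* call."""
    while True:
        page = call(**kwargs)
        yield from page.get(key, [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]

def evaluate_vpc(ec2, vpc_id):
    """Return (compliance_type, reason) for one VPC."""
    in_vpc = [{"Name": "vpc-id", "Values": [vpc_id]}]
    endpoints = {e["VpcEndpointId"] for e in _pages(
        ec2.describe_vpc_endpoints, "VpcEndpoints", Filters=FIREWALL_FILTERS + in_vpc)}
    if not endpoints:
        return "NON_COMPLIANT", "no Network Firewall endpoint in VPC"
    # Assumption: a route to a firewall endpoint reports its vpce- ID as GatewayId.
    targets = {r.get("GatewayId")
               for t in _pages(ec2.describe_route_tables, "RouteTables", Filters=in_vpc)
               for r in t.get("Routes", [])}
    if endpoints & targets:
        return "COMPLIANT", "route table targets a firewall endpoint"
    return "NON_COMPLIANT", "firewall endpoint exists but nothing routes to it"

def evaluate_account(ec2):
    return {v["VpcId"]: evaluate_vpc(ec2, v["VpcId"]) for v in _pages(ec2.describe_vpcs, "Vpcs")}

class FakeEC2:
    """Constructed stand-in for boto3.client("ec2"); every ID below is made up."""
    ENDPOINTS = {"vpc-a": ["vpce-1"], "vpc-b": ["vpce-2"], "vpc-c": []}
    ROUTES = {"vpc-a": ["vpce-1", "local"], "vpc-b": ["local"], "vpc-c": ["igw-1"]}
    def describe_vpcs(self, **kw):  # two pages, to exercise NextToken handling
        if "NextToken" not in kw:
            return {"Vpcs": [{"VpcId": "vpc-a"}, {"VpcId": "vpc-b"}], "NextToken": "t"}
        return {"Vpcs": [{"VpcId": "vpc-c"}]}
    def _vpc(self, kw):  # pull the vpc-id filter value out of a call
        return next(f["Values"][0] for f in kw["Filters"] if f["Name"] == "vpc-id")
    def describe_vpc_endpoints(self, **kw):
        return {"VpcEndpoints": [{"VpcEndpointId": i} for i in self.ENDPOINTS[self._vpc(kw)]]}
    def describe_route_tables(self, **kw):
        routes = [{"GatewayId": g} for g in self.ROUTES[self._vpc(kw)]]
        return {"RouteTables": [{"Routes": routes}]}

if __name__ == "__main__":
    print(evaluate_account(FakeEC2()))
```

Against a real account, pass `boto3.client("ec2")` in place of `FakeEC2()` and map each tuple to the evaluation your Config rule reports.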


We don't have direct options to check the VPC associated with AWS Network Firewall. We will be able to see it from the VPC route table, whether they have routes to the Network Firewall endpoint to inspect the traffic. However, if you have multiple VPCs that are connected via Transit Gateway and you have one AWS Network Firewall as centralized egress inspection, you will not see all VPC route tables pointing to AWS Network Firewall endpoints.

Other options:

Assumptions: All VPCs are connected via AWS Transit Gateway and centralized egress inspection.

  1. You can check that every VPC's route table has a default route (TGW).
  2. On the Transit Gateway route table, ensure the default route points to the Inspection VPC TGW attachment (the Inspection VPC is where you host AWS Network Firewall).
  3. In the Inspection VPC's route table, where you have the TGW ENI, check that the default route points to the AWS Network Firewall endpoint.

Please refer to this blog.

answered a month ago
