To enable TLS inspection for your AWS Network Firewall, you need to associate your TLS inspection configuration with your firewall policy. However, there's an important limitation to be aware of: you can only add a TLS inspection configuration to a new firewall policy, not to an existing one.
This explains why the "Manage TLS inspection configuration" button is disabled in your existing firewall policy. While you cannot add a TLS inspection configuration to your current policy, you do have two options:
- Create a new firewall policy that includes your TLS inspection configuration, then associate this new policy with your firewall.
- Replace an existing TLS inspection configuration in your policy with another one (but this only works if you already have a TLS inspection configuration associated with the policy).
To use your TLS inspection configuration properly:
- Create a new firewall policy
- Add your TLS inspection configuration during the creation of this new policy
- Associate this new policy with your firewall
Once properly configured, Network Firewall will act as a proxy service to decrypt and inspect traffic according to your firewall policy's stateful rules, and then re-encrypt it before sending it to its destination.
Sources
- Managing your TLS inspection configuration in Network Firewall - AWS Network Firewall
- Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall - AWS Network Firewall
- TLSInspectionConfiguration - AWS Network Firewall
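The three steps in the answer (new policy, TLS inspection configuration set at creation, firewall re-associated), as an added AWS CLI example that is not part of the answer or of the AWS documentation; the firewall name, policy name, stateful rule group ARN and TLS inspection configuration ARN are placeholders, and the final check reads the policy back to confirm the configuration is actually attached.

```bash
#!/usr/bin/env bash
# Added example (not from the re:Post answer or AWS docs): create a NEW firewall
# policy that carries a TLS inspection configuration, then point the firewall at it.
# Names and ARNs below are placeholders; account, region and resource IDs are assumed.
set -euo pipefail

# Build the FirewallPolicy document. TLSInspectionConfigurationArn is a member of
# the FirewallPolicy structure, so it is supplied when the policy is created.
build_policy_json() {
  local tls_arn="$1" stateful_rg_arn="$2"
  cat <<EOF
{
  "StatelessDefaultActions": ["aws:forward_to_sfe"],
  "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
  "StatefulRuleGroupReferences": [{"ResourceArn": "${stateful_rg_arn}"}],
  "TLSInspectionConfigurationArn": "${tls_arn}"
}
EOF
}

# Return 0 if a describe-firewall-policy JSON response carries the expected TLS ARN.
policy_has_tls() {
  local describe_json="$1" tls_arn="$2"
  printf '%s' "$describe_json" | grep -Fq "\"TLSInspectionConfigurationArn\": \"${tls_arn}\""
}

# Create the new policy, associate it with the firewall, and verify. Only runs when
# RUN_AWS=1 and credentials/region are configured; the helpers above work offline.
apply_policy() {
  local fw_name="$1" policy_name="$2" tls_arn="$3" rg_arn="$4"
  local policy_arn
  policy_arn=$(aws network-firewall create-firewall-policy \
      --firewall-policy-name "$policy_name" \
      --firewall-policy "$(build_policy_json "$tls_arn" "$rg_arn")" \
      --query 'FirewallPolicyResponse.FirewallPolicyArn' --output text)
  aws network-firewall associate-firewall-policy \
      --firewall-name "$fw_name" --firewall-policy-arn "$policy_arn" >/dev/null
  policy_has_tls "$(aws network-firewall describe-firewall-policy \
      --firewall-policy-arn "$policy_arn" --output json)" "$tls_arn"
}

if [ "${RUN_AWS:-0}" = "1" ]; then
  apply_policy "my-firewall" "policy-with-tls" \
    "arn:aws:network-firewall:us-east-1:111122223333:tls-configuration/example-tls" \
    "arn:aws:network-firewall:us-east-1:111122223333:stateful-rulegroup/example-rg"
fi
```

Run with `RUN_AWS=1` once the placeholder names and ARNs are replaced; the script exits non-zero if the new policy does not report the TLS inspection configuration after association.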