By using AWS re:Post, you agree to the Terms of Use

AWS CloudFormation deployment of AWS Network Firewall


I am deploying a Network Firewall setup (VPC, protected subnet, NAT subnet, firewall subnet, NAT GW, Network Firewall, IGW, route tables and routes) with CloudFormation.

How can I setup a needed route in the route table?

The route points to Network Firewall VPC endpoint in a specific subnet and I have to setup the route usingthe CloudFormation Type: AWS::EC2::Route:

    Type: AWS::EC2::Route
    DependsOn: NetworkFirewall
      RouteTableId: !Ref IGWIngressRouteTable
      DestinationCidrBlock: !Ref NATGatewaySubnetCIDR
      VpcEndpointId: <<<<<< here comes a specific Network Firewall endpoint 

The property VpcEndpointId should be set to a specific Network Firewall endpoint for a particular subnet. The Network Firewall resource contains the EndpointIds attribute with the list of all endpoints. I can get that list with !GetAtt NetworkFirewall.EndpointIds

The problem: how should I proceed correctly to setup the route pointing to a Network Firewall endpoint? So far I have not found any sample CloudFormation snippet doing that.

I understand, that the route setup can be done via CFN custom resource or post-deployment etc. But is it doable with CloudFormation template only?

1 Answer
Accepted Answer

You will have to use a Custom Resource (or possibly a Macro). Passing in the EndpointIds and either sorting them or returning a structure that can be selected from.

There's an open issue on the public resource provider which is worth tracking or contributing to.

answered 2 years ago
profile picture
reviewed 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions