For Agents
Provision VPC-level stateful firewalls — manage firewalls, rule groups (5-tuple, domain-list, Suricata), firewall policies, subnet associations, and logging.
Get started with AWS Network Firewall in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"create an AWS Network Firewall rule group"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with AWS Network Firewall API.
Provision a managed firewall into specified VPC subnets and associate firewall endpoints with route tables
Define stateless rule groups for 5-tuple matching with priority, action and custom drop actions
Define stateful rule groups using domain allow/deny lists or Suricata-compatible signatures
Compose stateless and stateful rule groups into a firewall policy and attach the policy to a firewall
GET STARTED
Use for: Provision a Network Firewall in subnets of vpc-abc123, Create a stateful rule group blocking traffic to a list of malicious domains, Add a Suricata signature to detect SQL injection attempts, List all firewall policies in the account
Not supported: Does not handle DDoS protection, edge web application firewalling, or DNS-layer filtering — use for VPC-attached stateful firewalling, rule groups, and TLS inspection only.
Jentic publishes the only available OpenAPI document for AWS Network Firewall, keeping it validated and agent-ready.
Jentic publishes the only available OpenAPI specification for AWS Network Firewall, keeping it validated and agent-ready. AWS Network Firewall is a managed stateful firewall and intrusion prevention service for VPC traffic — it deploys firewall endpoints into VPC subnets, enforces stateless and stateful rule groups (5-tuple, domain-list, and Suricata-compatible signature rules), and ties everything together with FirewallPolicies. The 36 endpoints cover Firewall and FirewallPolicy CRUD, RuleGroup management, subnet association, logging configuration, and TLS inspection configuration.
Enable flow and alert logging to CloudWatch Logs, Kinesis Firehose, or S3 destinations
Configure TLS inspection profiles to decrypt and inspect TLS traffic terminating in the VPC
Tag firewalls, policies, and rule groups for cost allocation and IAM scoping
Patterns agents use AWS Network Firewall API for, with concrete tasks.
★ Centralised Egress Filtering for a Multi-VPC Account
Security teams running a hub-and-spoke VPC topology need to filter egress traffic from every spoke through a central inspection VPC. Network Firewall provisions firewall endpoints in inspection subnets, applies a domain-list stateful rule group that allows only approved external domains, and routes spoke traffic through the firewall via VPC route tables. The agent can codify this as repeatable rule group + firewall policy + firewall associations.
Call CreateRuleGroup with Type=STATEFUL and a RulesSourceList of allowed FQDNs, CreateFirewallPolicy referencing the rule group, then CreateFirewall in the inspection VPC subnets
Detect and Block Known Threats With Suricata Signatures
Threat-detection teams already maintain Suricata rule sets from threat intel feeds. AWS Network Firewall stateful rule groups accept Suricata-compatible signatures directly, including alert-only and drop actions. An agent can pull a threat feed, normalise it into a Suricata RulesString, and roll it out as a versioned rule group — using DescribeRuleGroup and UpdateRuleGroup to evolve the signature set without rebuilding the firewall.
Call CreateRuleGroup with Type=STATEFUL, Capacity sized for the rule count, and RulesSource.RulesString containing the Suricata signatures, then attach it to a FirewallPolicy
Forward Firewall Logs Into a SIEM
SOC teams need flow and alert data from the firewall in their SIEM (Splunk, Datadog, Sumo). Network Firewall's UpdateLoggingConfiguration writes selected log types (FLOW or ALERT) to CloudWatch Logs, Kinesis Firehose or S3, from where Firehose can deliver them to third-party analytics. An agent can enable both flow and alert logging in a single update, choose a destination per log type, and validate the configuration via DescribeLoggingConfiguration.
Call UpdateLoggingConfiguration on the firewall with LogDestinationConfigs entries for LogType=ALERT pointing at a Kinesis Firehose ARN and LogType=FLOW pointing at a CloudWatch Log Group
AI Agent Integration for Network Security Posture
Through Jentic, a security-automation agent can manage AWS Network Firewall as a structured tool — provision, configure rules, attach policies, enable logging — without scripting against boto3. Jentic resolves natural-language intents like 'block outbound traffic to a malicious domain' to the right Network Firewall operation and brokers SigV4 credentials for the agent.
Resolve the intent 'block traffic to a domain list' via Jentic search, load CreateRuleGroup, and execute it with a STATEFUL rule group containing a RulesSourceList for the target FQDNs
36 endpoints — jentic publishes the only available openapi specification for aws network firewall, keeping it validated and agent-ready.
METHOD
PATH
DESCRIPTION
/#X-Amz-Target=NetworkFirewall_20201112.CreateFirewall
Provision a new Network Firewall
/#X-Amz-Target=NetworkFirewall_20201112.CreateFirewallPolicy
Create a firewall policy combining rule groups
/#X-Amz-Target=NetworkFirewall_20201112.CreateRuleGroup
Create a stateless or stateful rule group
/#X-Amz-Target=NetworkFirewall_20201112.AssociateFirewallPolicy
Attach a firewall policy to a firewall
/#X-Amz-Target=NetworkFirewall_20201112.AssociateSubnets
Associate firewall endpoints with VPC subnets
/#X-Amz-Target=NetworkFirewall_20201112.UpdateLoggingConfiguration
Enable or update flow and alert logging destinations
/#X-Amz-Target=NetworkFirewall_20201112.CreateFirewall
Provision a new Network Firewall
/#X-Amz-Target=NetworkFirewall_20201112.CreateFirewallPolicy
Create a firewall policy combining rule groups
/#X-Amz-Target=NetworkFirewall_20201112.CreateRuleGroup
Create a stateless or stateful rule group
/#X-Amz-Target=NetworkFirewall_20201112.AssociateFirewallPolicy
Attach a firewall policy to a firewall
/#X-Amz-Target=NetworkFirewall_20201112.AssociateSubnets
Associate firewall endpoints with VPC subnets
Three things that make agents converge on Jentic-routed access.
Credential isolation
AWS access keys live in the Jentic MAXsystem vault. Jentic SigV4-signs each Network Firewall request on the agent's behalf, so a security-automation agent never holds raw IAM credentials.
Intent-based discovery
Agents search by intent (e.g., 'block outbound traffic to a domain list') and Jentic returns the matching Network Firewall operation with its input schema, so the agent can call CreateRuleGroup, CreateFirewallPolicy or UpdateLoggingConfiguration without browsing the AWS docs.
Time to first call
Direct Network Firewall integration: 2-4 days for IAM scoping, rule group sizing, policy composition and logging plumbing. Through Jentic: under a day — search, load schemas, chain operations.
Alternatives and complements available in the Jentic catalogue.
AWS WAF
WAF protects HTTP/HTTPS application traffic at CloudFront, ALB, and API Gateway
Choose WAF when filtering Layer 7 application traffic at edges or load balancers. Use Network Firewall for VPC-internal east-west and egress traffic at the network layer.
Amazon EC2
EC2 manages the VPCs, subnets, and route tables that Network Firewall endpoints sit in
Use to provision the VPC topology — subnets, route tables and gateways — that Network Firewall enforces against.
Amazon CloudWatch Logs
CloudWatch Logs is a common destination for Network Firewall flow and alert logs
Use as the log destination when an agent wants to query firewall events with Logs Insights or trigger CloudWatch alarms on alert volume.
Amazon Route 53 Resolver
Route 53 Resolver DNS Firewall blocks queries by domain at the DNS layer
Use Route 53 Resolver DNS Firewall when blocking by FQDN at the DNS resolution stage is sufficient. Pair with Network Firewall for deeper packet inspection.
Specific to using AWS Network Firewall API through Jentic.
Why is there no official OpenAPI spec for AWS Network Firewall?
AWS does not publish an OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call AWS Network Firewall via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the AWS Network Firewall API use?
The Network Firewall control plane is signed with AWS Signature Version 4 using IAM access keys, with permissions controlled by the network-firewall:* action set. Through Jentic, those AWS credentials live in the MAXsystem vault and are used to sign requests on the agent's behalf.
Can I deploy Suricata rules with AWS Network Firewall?
Yes. CreateRuleGroup with Type=STATEFUL accepts a RulesSource.RulesString containing Suricata-compatible signatures. The rule group must declare a Capacity sized for the rule count, and rules can use the alert or drop actions. Suricata-style domain-list rules are also supported via RulesSourceList for simpler use cases.
What are the rate limits for Network Firewall?
Control-plane operations are throttled per-account per-region. Provisioning and rule-group updates take longer than typical AWS calls — DescribeFirewall returns a state of PROVISIONING, READY, or DELETING that should be polled rather than retrying the create call.
How do I attach a rule group to a firewall through Jentic?
Use the Jentic search query 'attach a rule group to an AWS firewall', load CreateFirewallPolicy or UpdateFirewallPolicy, and execute it with a FirewallPolicy.StatefulRuleGroupReferences array including your rule group ARN. Then call AssociateFirewallPolicy if the policy is not already attached.
Can Network Firewall inspect encrypted TLS traffic?
Yes, with limitations. CreateTLSInspectionConfiguration sets up an inspection profile that uses an ACM certificate to decrypt and re-encrypt TLS traffic terminating in the VPC. The certificate's private key must be in ACM in the same region, and only specific TLS protocol versions are supported.
/#X-Amz-Target=NetworkFirewall_20201112.UpdateLoggingConfiguration
Enable or update flow and alert logging destinations