aws-sdk-networkfirewall 1.65.0 → 1.66.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -10,6 +10,33 @@
10
10
  module Aws::NetworkFirewall
11
11
  module Types
12
12
 
13
+ # The status of the firewall endpoint defined by a
14
+ # `VpcEndpointAssociation`.
15
+ #
16
+ # @!attribute [rw] attachment
17
+ # The definition and status of the firewall endpoint for a single
18
+ # subnet. In each configured subnet, Network Firewall instantiates a
19
+ # firewall endpoint to handle network traffic.
20
+ #
21
+ # This data type is used for any firewall endpoint type:
22
+ #
23
+ # * For `Firewall.SubnetMappings`, this `Attachment` is part of the
24
+ # `FirewallStatus` sync states information. You define firewall
25
+ # subnets using `CreateFirewall` and `AssociateSubnets`.
26
+ #
27
+ # * For `VpcEndpointAssociation`, this `Attachment` is part of the
28
+ # `VpcEndpointAssociationStatus` sync states information. You define
29
+ # these subnets using `CreateVpcEndpointAssociation`.
30
+ # @return [Types::Attachment]
31
+ #
32
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AZSyncState AWS API Documentation
33
+ #
34
+ class AZSyncState < Struct.new(
35
+ :attachment)
36
+ SENSITIVE = []
37
+ include Aws::Structure
38
+ end
39
+
13
40
  # A custom action to use in stateless rule actions settings. This is
14
41
  # used in CustomAction.
15
42
  #
@@ -410,9 +437,19 @@ module Aws::NetworkFirewall
410
437
  include Aws::Structure
411
438
  end
412
439
 
413
- # The configuration and status for a single subnet that you've
414
- # specified for use by the Network Firewall firewall. This is part of
415
- # the FirewallStatus.
440
+ # The definition and status of the firewall endpoint for a single
441
+ # subnet. In each configured subnet, Network Firewall instantiates a
442
+ # firewall endpoint to handle network traffic.
443
+ #
444
+ # This data type is used for any firewall endpoint type:
445
+ #
446
+ # * For `Firewall.SubnetMappings`, this `Attachment` is part of the
447
+ # `FirewallStatus` sync states information. You define firewall
448
+ # subnets using `CreateFirewall` and `AssociateSubnets`.
449
+ #
450
+ # * For `VpcEndpointAssociation`, this `Attachment` is part of the
451
+ # `VpcEndpointAssociationStatus` sync states information. You define
452
+ # these subnets using `CreateVpcEndpointAssociation`.
416
453
  #
417
454
  # @!attribute [rw] subnet_id
418
455
  # The unique identifier of the subnet that you've specified to be
@@ -427,12 +464,11 @@ module Aws::NetworkFirewall
427
464
  # @return [String]
428
465
  #
429
466
  # @!attribute [rw] status
430
- # The current status of the firewall endpoint in the subnet. This
431
- # value reflects both the instantiation of the endpoint in the VPC
432
- # subnet and the sync states that are reported in the `Config`
433
- # settings. When this value is `READY`, the endpoint is available and
434
- # configured properly to handle network traffic. When the endpoint
435
- # isn't available for traffic, this value will reflect its state, for
467
+ # The current status of the firewall endpoint instantiation in the
468
+ # subnet.
469
+ #
470
+ # When this value is `READY`, the endpoint is available to handle
471
+ # network traffic. Otherwise, this value reflects its state, for
436
472
  # example `CREATING` or `DELETING`.
437
473
  # @return [String]
438
474
  #
@@ -463,6 +499,22 @@ module Aws::NetworkFirewall
463
499
  include Aws::Structure
464
500
  end
465
501
 
502
+ # High-level information about an Availability Zone where the firewall
503
+ # has an endpoint defined.
504
+ #
505
+ # @!attribute [rw] ip_address_type
506
+ # The IP address type of the Firewall subnet in the Availability Zone.
507
+ # You can't change the IP address type after you create the subnet.
508
+ # @return [String]
509
+ #
510
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AvailabilityZoneMetadata AWS API Documentation
511
+ #
512
+ class AvailabilityZoneMetadata < Struct.new(
513
+ :ip_address_type)
514
+ SENSITIVE = []
515
+ include Aws::Structure
516
+ end
517
+
466
518
  # Summarizes the CIDR blocks used by the IP set references in a
467
519
  # firewall. Network Firewall calculates the number of CIDRs by taking an
468
520
  # aggregated count of all CIDRs used by the IP sets you are referencing.
@@ -729,6 +781,12 @@ module Aws::NetworkFirewall
729
781
  # Detailed information about the current status of a Firewall. You can
730
782
  # retrieve this for a firewall by calling DescribeFirewall and
731
783
  # providing the firewall name and ARN.
784
+ #
785
+ # The firewall status indicates a combined status. It indicates
786
+ # whether all subnets are up-to-date with the latest firewall
787
+ # configurations, which is based on the sync states config values, and
788
+ # also whether all subnets have their endpoints fully enabled, based
789
+ # on their sync states attachment values.
732
790
  # @return [Types::FirewallStatus]
733
791
  #
734
792
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateFirewallResponse AWS API Documentation
@@ -1016,6 +1074,65 @@ module Aws::NetworkFirewall
1016
1074
  include Aws::Structure
1017
1075
  end
1018
1076
 
1077
+ # @!attribute [rw] firewall_arn
1078
+ # The Amazon Resource Name (ARN) of the firewall.
1079
+ # @return [String]
1080
+ #
1081
+ # @!attribute [rw] vpc_id
1082
+ # The unique identifier of the VPC where you want to create a firewall
1083
+ # endpoint.
1084
+ # @return [String]
1085
+ #
1086
+ # @!attribute [rw] subnet_mapping
1087
+ # The ID for a subnet that's used in an association with a firewall.
1088
+ # This is used in CreateFirewall, AssociateSubnets, and
1089
+ # CreateVpcEndpointAssociation. Network Firewall creates an instance
1090
+ # of the associated firewall in each subnet that you specify, to
1091
+ # filter traffic in the subnet's Availability Zone.
1092
+ # @return [Types::SubnetMapping]
1093
+ #
1094
+ # @!attribute [rw] description
1095
+ # A description of the VPC endpoint association.
1096
+ # @return [String]
1097
+ #
1098
+ # @!attribute [rw] tags
1099
+ # The key:value pairs to associate with the resource.
1100
+ # @return [Array<Types::Tag>]
1101
+ #
1102
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateVpcEndpointAssociationRequest AWS API Documentation
1103
+ #
1104
+ class CreateVpcEndpointAssociationRequest < Struct.new(
1105
+ :firewall_arn,
1106
+ :vpc_id,
1107
+ :subnet_mapping,
1108
+ :description,
1109
+ :tags)
1110
+ SENSITIVE = []
1111
+ include Aws::Structure
1112
+ end
1113
+
1114
+ # @!attribute [rw] vpc_endpoint_association
1115
+ # The configuration settings for the VPC endpoint association. These
1116
+ # settings include the firewall and the VPC and subnet to use for the
1117
+ # firewall endpoint.
1118
+ # @return [Types::VpcEndpointAssociation]
1119
+ #
1120
+ # @!attribute [rw] vpc_endpoint_association_status
1121
+ # Detailed information about the current status of a
1122
+ # VpcEndpointAssociation. You can retrieve this by calling
1123
+ # DescribeVpcEndpointAssociation and providing the VPC endpoint
1124
+ # association ARN.
1125
+ # @return [Types::VpcEndpointAssociationStatus]
1126
+ #
1127
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateVpcEndpointAssociationResponse AWS API Documentation
1128
+ #
1129
+ class CreateVpcEndpointAssociationResponse < Struct.new(
1130
+ :vpc_endpoint_association,
1131
+ :vpc_endpoint_association_status)
1132
+ SENSITIVE = []
1133
+ include Aws::Structure
1134
+ end
1135
+
1019
1136
  # An optional, non-standard action to use for stateless packet handling.
1020
1137
  # You can define this in addition to the standard action that you must
1021
1138
  # specify.
@@ -1113,21 +1230,33 @@ module Aws::NetworkFirewall
1113
1230
  end
1114
1231
 
1115
1232
  # @!attribute [rw] firewall
1116
- # The firewall defines the configuration settings for an Network
1117
- # Firewall firewall. These settings include the firewall policy, the
1118
- # subnets in your VPC to use for the firewall endpoints, and any tags
1119
- # that are attached to the firewall Amazon Web Services resource.
1233
+ # A firewall defines the behavior of a firewall, the main VPC where
1234
+ # the firewall is used, the Availability Zones where the firewall can
1235
+ # be used, and one subnet to use for a firewall endpoint within each
1236
+ # of the Availability Zones. The Availability Zones are defined
1237
+ # implicitly in the subnet specifications.
1238
+ #
1239
+ # In addition to the firewall endpoints that you define in this
1240
+ # `Firewall` specification, you can create firewall endpoints in
1241
+ # `VpcEndpointAssociation` resources for any VPC, in any Availability
1242
+ # Zone where the firewall is already in use.
1120
1243
  #
1121
1244
  # The status of the firewall, for example whether it's ready to
1122
1245
  # filter network traffic, is provided in the corresponding
1123
- # FirewallStatus. You can retrieve both objects by calling
1124
- # DescribeFirewall.
1246
+ # FirewallStatus. You can retrieve both the firewall and firewall
1247
+ # status by calling DescribeFirewall.
1125
1248
  # @return [Types::Firewall]
1126
1249
  #
1127
1250
  # @!attribute [rw] firewall_status
1128
1251
  # Detailed information about the current status of a Firewall. You can
1129
1252
  # retrieve this for a firewall by calling DescribeFirewall and
1130
1253
  # providing the firewall name and ARN.
1254
+ #
1255
+ # The firewall status indicates a combined status. It indicates
1256
+ # whether all subnets are up-to-date with the latest firewall
1257
+ # configurations, which is based on the sync states config values, and
1258
+ # also whether all subnets have their endpoints fully enabled, based
1259
+ # on their sync states attachment values.
1131
1260
  # @return [Types::FirewallStatus]
1132
1261
  #
1133
1262
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteFirewallResponse AWS API Documentation
@@ -1242,6 +1371,91 @@ module Aws::NetworkFirewall
1242
1371
  include Aws::Structure
1243
1372
  end
1244
1373
 
1374
+ # @!attribute [rw] vpc_endpoint_association_arn
1375
+ # The Amazon Resource Name (ARN) of a VPC endpoint association.
1376
+ # @return [String]
1377
+ #
1378
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteVpcEndpointAssociationRequest AWS API Documentation
1379
+ #
1380
+ class DeleteVpcEndpointAssociationRequest < Struct.new(
1381
+ :vpc_endpoint_association_arn)
1382
+ SENSITIVE = []
1383
+ include Aws::Structure
1384
+ end
1385
+
1386
+ # @!attribute [rw] vpc_endpoint_association
1387
+ # The configuration settings for the VPC endpoint association. These
1388
+ # settings include the firewall and the VPC and subnet to use for the
1389
+ # firewall endpoint.
1390
+ # @return [Types::VpcEndpointAssociation]
1391
+ #
1392
+ # @!attribute [rw] vpc_endpoint_association_status
1393
+ # Detailed information about the current status of a
1394
+ # VpcEndpointAssociation. You can retrieve this by calling
1395
+ # DescribeVpcEndpointAssociation and providing the VPC endpoint
1396
+ # association ARN.
1397
+ # @return [Types::VpcEndpointAssociationStatus]
1398
+ #
1399
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteVpcEndpointAssociationResponse AWS API Documentation
1400
+ #
1401
+ class DeleteVpcEndpointAssociationResponse < Struct.new(
1402
+ :vpc_endpoint_association,
1403
+ :vpc_endpoint_association_status)
1404
+ SENSITIVE = []
1405
+ include Aws::Structure
1406
+ end
1407
+
1408
+ # @!attribute [rw] firewall_arn
1409
+ # The Amazon Resource Name (ARN) of the firewall.
1410
+ # @return [String]
1411
+ #
1412
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeFirewallMetadataRequest AWS API Documentation
1413
+ #
1414
+ class DescribeFirewallMetadataRequest < Struct.new(
1415
+ :firewall_arn)
1416
+ SENSITIVE = []
1417
+ include Aws::Structure
1418
+ end
1419
+
1420
+ # @!attribute [rw] firewall_arn
1421
+ # The Amazon Resource Name (ARN) of the firewall.
1422
+ # @return [String]
1423
+ #
1424
+ # @!attribute [rw] firewall_policy_arn
1425
+ # The Amazon Resource Name (ARN) of the firewall policy.
1426
+ # @return [String]
1427
+ #
1428
+ # @!attribute [rw] description
1429
+ # A description of the firewall.
1430
+ # @return [String]
1431
+ #
1432
+ # @!attribute [rw] status
1433
+ # The readiness of the configured firewall to handle network traffic
1434
+ # across all of the Availability Zones where you have it configured.
1435
+ # This setting is `READY` only when the
1436
+ # `ConfigurationSyncStateSummary` value is `IN_SYNC` and the
1437
+ # `Attachment` `Status` values for all of the configured subnets are
1438
+ # `READY`.
1439
+ # @return [String]
1440
+ #
1441
+ # @!attribute [rw] supported_availability_zones
1442
+ # The Availability Zones that the firewall currently supports. This
1443
+ # includes all Availability Zones for which the firewall has a subnet
1444
+ # defined.
1445
+ # @return [Hash<String,Types::AvailabilityZoneMetadata>]
1446
+ #
1447
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeFirewallMetadataResponse AWS API Documentation
1448
+ #
1449
+ class DescribeFirewallMetadataResponse < Struct.new(
1450
+ :firewall_arn,
1451
+ :firewall_policy_arn,
1452
+ :description,
1453
+ :status,
1454
+ :supported_availability_zones)
1455
+ SENSITIVE = []
1456
+ include Aws::Structure
1457
+ end
1458
+
1245
1459
  # @!attribute [rw] firewall_policy_name
1246
1460
  # The descriptive name of the firewall policy. You can't change the
1247
1461
  # name of a firewall policy after you create it.
@@ -1350,6 +1564,12 @@ module Aws::NetworkFirewall
1350
1564
  # Detailed information about the current status of a Firewall. You can
1351
1565
  # retrieve this for a firewall by calling DescribeFirewall and
1352
1566
  # providing the firewall name and ARN.
1567
+ #
1568
+ # The firewall status indicates a combined status. It indicates
1569
+ # whether all subnets are up-to-date with the latest firewall
1570
+ # configurations, which is based on the sync states config values, and
1571
+ # also whether all subnets have their endpoints fully enabled, based
1572
+ # on their sync states attachment values.
1353
1573
  # @return [Types::FirewallStatus]
1354
1574
  #
1355
1575
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeFirewallResponse AWS API Documentation
@@ -1374,6 +1594,15 @@ module Aws::NetworkFirewall
1374
1594
  # configure a single flow operation.
1375
1595
  # @return [String]
1376
1596
  #
1597
+ # @!attribute [rw] vpc_endpoint_association_arn
1598
+ # The Amazon Resource Name (ARN) of a VPC endpoint association.
1599
+ # @return [String]
1600
+ #
1601
+ # @!attribute [rw] vpc_endpoint_id
1602
+ # A unique identifier for the primary endpoint associated with a
1603
+ # firewall.
1604
+ # @return [String]
1605
+ #
1377
1606
  # @!attribute [rw] flow_operation_id
1378
1607
  # A unique identifier for the flow operation. This ID is returned in
1379
1608
  # the responses to start and list commands. You provide to describe
@@ -1385,6 +1614,8 @@ module Aws::NetworkFirewall
1385
1614
  class DescribeFlowOperationRequest < Struct.new(
1386
1615
  :firewall_arn,
1387
1616
  :availability_zone,
1617
+ :vpc_endpoint_association_arn,
1618
+ :vpc_endpoint_id,
1388
1619
  :flow_operation_id)
1389
1620
  SENSITIVE = []
1390
1621
  include Aws::Structure
@@ -1402,6 +1633,15 @@ module Aws::NetworkFirewall
1402
1633
  # configure a single flow operation.
1403
1634
  # @return [String]
1404
1635
  #
1636
+ # @!attribute [rw] vpc_endpoint_association_arn
1637
+ # The Amazon Resource Name (ARN) of a VPC endpoint association.
1638
+ # @return [String]
1639
+ #
1640
+ # @!attribute [rw] vpc_endpoint_id
1641
+ # A unique identifier for the primary endpoint associated with a
1642
+ # firewall.
1643
+ # @return [String]
1644
+ #
1405
1645
  # @!attribute [rw] flow_operation_id
1406
1646
  # A unique identifier for the flow operation. This ID is returned in
1407
1647
  # the responses to start and list commands. You provide to describe
@@ -1443,6 +1683,8 @@ module Aws::NetworkFirewall
1443
1683
  class DescribeFlowOperationResponse < Struct.new(
1444
1684
  :firewall_arn,
1445
1685
  :availability_zone,
1686
+ :vpc_endpoint_association_arn,
1687
+ :vpc_endpoint_id,
1446
1688
  :flow_operation_id,
1447
1689
  :flow_operation_type,
1448
1690
  :flow_operation_status,
@@ -1784,6 +2026,40 @@ module Aws::NetworkFirewall
1784
2026
  include Aws::Structure
1785
2027
  end
1786
2028
 
2029
+ # @!attribute [rw] vpc_endpoint_association_arn
2030
+ # The Amazon Resource Name (ARN) of a VPC endpoint association.
2031
+ # @return [String]
2032
+ #
2033
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeVpcEndpointAssociationRequest AWS API Documentation
2034
+ #
2035
+ class DescribeVpcEndpointAssociationRequest < Struct.new(
2036
+ :vpc_endpoint_association_arn)
2037
+ SENSITIVE = []
2038
+ include Aws::Structure
2039
+ end
2040
+
2041
+ # @!attribute [rw] vpc_endpoint_association
2042
+ # The configuration settings for the VPC endpoint association. These
2043
+ # settings include the firewall and the VPC and subnet to use for the
2044
+ # firewall endpoint.
2045
+ # @return [Types::VpcEndpointAssociation]
2046
+ #
2047
+ # @!attribute [rw] vpc_endpoint_association_status
2048
+ # Detailed information about the current status of a
2049
+ # VpcEndpointAssociation. You can retrieve this by calling
2050
+ # DescribeVpcEndpointAssociation and providing the VPC endpoint
2051
+ # association ARN.
2052
+ # @return [Types::VpcEndpointAssociationStatus]
2053
+ #
2054
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeVpcEndpointAssociationResponse AWS API Documentation
2055
+ #
2056
+ class DescribeVpcEndpointAssociationResponse < Struct.new(
2057
+ :vpc_endpoint_association,
2058
+ :vpc_endpoint_association_status)
2059
+ SENSITIVE = []
2060
+ include Aws::Structure
2061
+ end
2062
+
1787
2063
  # The value to use in an Amazon CloudWatch custom metric dimension. This
1788
2064
  # is used in the `PublishMetrics` CustomAction. A CloudWatch custom
1789
2065
  # metric dimension is a name/value pair that's part of the identity of
@@ -1947,14 +2223,21 @@ module Aws::NetworkFirewall
1947
2223
  include Aws::Structure
1948
2224
  end
1949
2225
 
1950
- # The firewall defines the configuration settings for an Network
1951
- # Firewall firewall. These settings include the firewall policy, the
1952
- # subnets in your VPC to use for the firewall endpoints, and any tags
1953
- # that are attached to the firewall Amazon Web Services resource.
2226
+ # A firewall defines the behavior of a firewall, the main VPC where the
2227
+ # firewall is used, the Availability Zones where the firewall can be
2228
+ # used, and one subnet to use for a firewall endpoint within each of the
2229
+ # Availability Zones. The Availability Zones are defined implicitly in
2230
+ # the subnet specifications.
2231
+ #
2232
+ # In addition to the firewall endpoints that you define in this
2233
+ # `Firewall` specification, you can create firewall endpoints in
2234
+ # `VpcEndpointAssociation` resources for any VPC, in any Availability
2235
+ # Zone where the firewall is already in use.
1954
2236
  #
1955
2237
  # The status of the firewall, for example whether it's ready to filter
1956
2238
  # network traffic, is provided in the corresponding FirewallStatus. You
1957
- # can retrieve both objects by calling DescribeFirewall.
2239
+ # can retrieve both the firewall and firewall status by calling
2240
+ # DescribeFirewall.
1958
2241
  #
1959
2242
  # @!attribute [rw] firewall_name
1960
2243
  # The descriptive name of the firewall. You can't change the name of
@@ -1978,8 +2261,23 @@ module Aws::NetworkFirewall
1978
2261
  # @return [String]
1979
2262
  #
1980
2263
  # @!attribute [rw] subnet_mappings
1981
- # The public subnets that Network Firewall is using for the firewall.
1982
- # Each subnet must belong to a different Availability Zone.
2264
+ # The primary public subnets that Network Firewall is using for the
2265
+ # firewall. Network Firewall creates a firewall endpoint in each
2266
+ # subnet. Create a subnet mapping for each Availability Zone where you
2267
+ # want to use the firewall.
2268
+ #
2269
+ # These subnets are all defined for a single, primary VPC, and each
2270
+ # must belong to a different Availability Zone. Each of these subnets
2271
+ # establishes the availability of the firewall in its Availability
2272
+ # Zone.
2273
+ #
2274
+ # In addition to these subnets, you can define other endpoints for the
2275
+ # firewall in `VpcEndpointAssociation` resources. You can define these
2276
+ # additional endpoints for any VPC, and for any of the Availability
2277
+ # Zones where the firewall resource already has a subnet mapping. VPC
2278
+ # endpoint associations give you the ability to protect multiple VPCs
2279
+ # using a single firewall, and to define multiple firewall endpoints
2280
+ # for a VPC in a single Availability Zone.
1983
2281
  # @return [Array<Types::SubnetMapping>]
1984
2282
  #
1985
2283
  # @!attribute [rw] delete_protection
@@ -2022,6 +2320,11 @@ module Aws::NetworkFirewall
2022
2320
  # configuration settings for your firewall.
2023
2321
  # @return [Types::EncryptionConfiguration]
2024
2322
  #
2323
+ # @!attribute [rw] number_of_associations
2324
+ # The number of `VpcEndpointAssociation` resources that use this
2325
+ # firewall.
2326
+ # @return [Integer]
2327
+ #
2025
2328
  # @!attribute [rw] enabled_analysis_types
2026
2329
  # An optional setting indicating the specific traffic analysis types
2027
2330
  # to enable on the firewall.
@@ -2042,6 +2345,7 @@ module Aws::NetworkFirewall
2042
2345
  :firewall_id,
2043
2346
  :tags,
2044
2347
  :encryption_configuration,
2348
+ :number_of_associations,
2045
2349
  :enabled_analysis_types)
2046
2350
  SENSITIVE = []
2047
2351
  include Aws::Structure
@@ -2289,9 +2593,15 @@ module Aws::NetworkFirewall
2289
2593
  # retrieve this for a firewall by calling DescribeFirewall and providing
2290
2594
  # the firewall name and ARN.
2291
2595
  #
2596
+ # The firewall status indicates a combined status. It indicates whether
2597
+ # all subnets are up-to-date with the latest firewall configurations,
2598
+ # which is based on the sync states config values, and also whether all
2599
+ # subnets have their endpoints fully enabled, based on their sync states
2600
+ # attachment values.
2601
+ #
2292
2602
  # @!attribute [rw] status
2293
2603
  # The readiness of the configured firewall to handle network traffic
2294
- # across all of the Availability Zones where you've configured it.
2604
+ # across all of the Availability Zones where you have it configured.
2295
2605
  # This setting is `READY` only when the
2296
2606
  # `ConfigurationSyncStateSummary` value is `IN_SYNC` and the
2297
2607
  # `Attachment` `Status` values for all of the configured subnets are
@@ -2300,34 +2610,35 @@ module Aws::NetworkFirewall
2300
2610
  #
2301
2611
  # @!attribute [rw] configuration_sync_state_summary
2302
2612
  # The configuration sync state for the firewall. This summarizes the
2303
- # sync states reported in the `Config` settings for all of the
2304
- # Availability Zones where you have configured the firewall.
2613
+ # `Config` settings in the `SyncStates` for this firewall status
2614
+ # object.
2305
2615
  #
2306
2616
  # When you create a firewall or update its configuration, for example
2307
2617
  # by adding a rule group to its firewall policy, Network Firewall
2308
- # distributes the configuration changes to all zones where the
2309
- # firewall is in use. This summary indicates whether the configuration
2310
- # changes have been applied everywhere.
2618
+ # distributes the configuration changes to all Availability Zones that
2619
+ # have subnets defined for the firewall. This summary indicates
2620
+ # whether the configuration changes have been applied everywhere.
2311
2621
  #
2312
2622
  # This status must be `IN_SYNC` for the firewall to be ready for use,
2313
2623
  # but it doesn't indicate that the firewall is ready. The `Status`
2314
- # setting indicates firewall readiness.
2624
+ # setting indicates firewall readiness. It's based on this setting
2625
+ # and the readiness of the firewall endpoints to take traffic.
2315
2626
  # @return [String]
2316
2627
  #
2317
2628
  # @!attribute [rw] sync_states
2318
- # The subnets that you've configured for use by the Network Firewall
2319
- # firewall. This contains one array element per Availability Zone
2320
- # where you've configured a subnet. These objects provide details of
2321
- # the information that is summarized in the
2322
- # `ConfigurationSyncStateSummary` and `Status`, broken down by zone
2323
- # and configuration object.
2629
+ # Status for the subnets that you've configured in the firewall. This
2630
+ # contains one array element per Availability Zone where you've
2631
+ # configured a subnet in the firewall.
2632
+ #
2633
+ # These objects provide detailed information for the settings
2634
+ # `ConfigurationSyncStateSummary` and `Status`.
2324
2635
  # @return [Hash<String,Types::SyncState>]
2325
2636
  #
2326
2637
  # @!attribute [rw] capacity_usage_summary
2327
2638
  # Describes the capacity usage of the resources contained in a
2328
- # firewall's reference sets. Network Firewall calclulates the
2329
- # capacity usage by taking an aggregated count of all of the resources
2330
- # used by all of the reference sets in a firewall.
2639
+ # firewall's reference sets. Network Firewall calculates the capacity
2640
+ # usage by taking an aggregated count of all of the resources used by
2641
+ # all of the reference sets in a firewall.
2331
2642
  # @return [Types::CapacityUsageSummary]
2332
2643
  #
2333
2644
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/FirewallStatus AWS API Documentation
@@ -3126,6 +3437,15 @@ module Aws::NetworkFirewall
3126
3437
  # configure a single flow operation.
3127
3438
  # @return [String]
3128
3439
  #
3440
+ # @!attribute [rw] vpc_endpoint_id
3441
+ # A unique identifier for the primary endpoint associated with a
3442
+ # firewall.
3443
+ # @return [String]
3444
+ #
3445
+ # @!attribute [rw] vpc_endpoint_association_arn
3446
+ # The Amazon Resource Name (ARN) of a VPC endpoint association.
3447
+ # @return [String]
3448
+ #
3129
3449
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/ListFlowOperationResultsRequest AWS API Documentation
3130
3450
  #
3131
3451
  class ListFlowOperationResultsRequest < Struct.new(
@@ -3133,7 +3453,9 @@ module Aws::NetworkFirewall
3133
3453
  :flow_operation_id,
3134
3454
  :next_token,
3135
3455
  :max_results,
3136
- :availability_zone)
3456
+ :availability_zone,
3457
+ :vpc_endpoint_id,
3458
+ :vpc_endpoint_association_arn)
3137
3459
  SENSITIVE = []
3138
3460
  include Aws::Structure
3139
3461
  end
@@ -3150,6 +3472,12 @@ module Aws::NetworkFirewall
3150
3472
  # configure a single flow operation.
3151
3473
  # @return [String]
3152
3474
  #
3475
+ # @!attribute [rw] vpc_endpoint_association_arn
3476
+ # @return [String]
3477
+ #
3478
+ # @!attribute [rw] vpc_endpoint_id
3479
+ # @return [String]
3480
+ #
3153
3481
  # @!attribute [rw] flow_operation_id
3154
3482
  # A unique identifier for the flow operation. This ID is returned in
3155
3483
  # the responses to start and list commands. You provide to describe
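Review bot: The two attributes added to `ListFlowOperationResultsResponse` in this hunk, `vpc_endpoint_association_arn` and `vpc_endpoint_id`, carry only a `@return [String]` tag with no description, whereas the same attributes on `ListFlowOperationResultsRequest`, `DescribeFlowOperationRequest` and `ListFlowOperationsRequest` elsewhere in this diff are documented. The request-side wording could be reused here: `# The Amazon Resource Name (ARN) of a VPC endpoint association.` and `# A unique identifier for the primary endpoint associated with a firewall.`. This file appears to be generated from the service model, so the fix presumably belongs in the model's documentation strings rather than in this file directly. The enclosing class definition continues outside the hunk.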
@@ -3195,6 +3523,8 @@ module Aws::NetworkFirewall
3195
3523
  class ListFlowOperationResultsResponse < Struct.new(
3196
3524
  :firewall_arn,
3197
3525
  :availability_zone,
3526
+ :vpc_endpoint_association_arn,
3527
+ :vpc_endpoint_id,
3198
3528
  :flow_operation_id,
3199
3529
  :flow_operation_status,
3200
3530
  :status_message,
@@ -3217,6 +3547,15 @@ module Aws::NetworkFirewall
3217
3547
  # configure a single flow operation.
3218
3548
  # @return [String]
3219
3549
  #
3550
+ # @!attribute [rw] vpc_endpoint_association_arn
3551
+ # The Amazon Resource Name (ARN) of a VPC endpoint association.
3552
+ # @return [String]
3553
+ #
3554
+ # @!attribute [rw] vpc_endpoint_id
3555
+ # A unique identifier for the primary endpoint associated with a
3556
+ # firewall.
3557
+ # @return [String]
3558
+ #
3220
3559
  # @!attribute [rw] flow_operation_type
3221
3560
  # An optional string that defines whether any or all operation types
3222
3561
  # are returned.
@@ -3242,6 +3581,8 @@ module Aws::NetworkFirewall
3242
3581
  class ListFlowOperationsRequest < Struct.new(
3243
3582
  :firewall_arn,
3244
3583
  :availability_zone,
3584
+ :vpc_endpoint_association_arn,
3585
+ :vpc_endpoint_id,
3245
3586
  :flow_operation_type,
3246
3587
  :next_token,
3247
3588
  :max_results)
@@ -3440,6 +3781,64 @@ module Aws::NetworkFirewall
3440
3781
  include Aws::Structure
3441
3782
  end
3442
3783
 
3784
+ # @!attribute [rw] next_token
3785
+ # When you request a list of objects with a `MaxResults` setting, if
3786
+ # the number of objects that are still available for retrieval exceeds
3787
+ # the maximum you requested, Network Firewall returns a `NextToken`
3788
+ # value in the response. To retrieve the next batch of objects, use
3789
+ # the token returned from the prior request in your next request.
3790
+ # @return [String]
3791
+ #
3792
+ # @!attribute [rw] max_results
3793
+ # The maximum number of objects that you want Network Firewall to
3794
+ # return for this request. If more objects are available, in the
3795
+ # response, Network Firewall provides a `NextToken` value that you can
3796
+ # use in a subsequent call to get the next batch of objects.
3797
+ # @return [Integer]
3798
+ #
3799
+ # @!attribute [rw] firewall_arn
3800
+ # The Amazon Resource Name (ARN) of the firewall.
3801
+ #
3802
+ # If you don't specify this, Network Firewall retrieves all VPC
3803
+ # endpoint associations that you have defined.
3804
+ # @return [String]
3805
+ #
3806
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/ListVpcEndpointAssociationsRequest AWS API Documentation
3807
+ #
3808
+ class ListVpcEndpointAssociationsRequest < Struct.new(
3809
+ :next_token,
3810
+ :max_results,
3811
+ :firewall_arn)
3812
+ SENSITIVE = []
3813
+ include Aws::Structure
3814
+ end
3815
+
3816
+ # @!attribute [rw] next_token
3817
+ # When you request a list of objects with a `MaxResults` setting, if
3818
+ # the number of objects that are still available for retrieval exceeds
3819
+ # the maximum you requested, Network Firewall returns a `NextToken`
3820
+ # value in the response. To retrieve the next batch of objects, use
3821
+ # the token returned from the prior request in your next request.
3822
+ # @return [String]
3823
+ #
3824
+ # @!attribute [rw] vpc_endpoint_associations
3825
+ # The VPC endpoint assocation metadata objects for the firewall that
3826
+ # you specified. If you didn't specify a firewall, this is all VPC
3827
+ # endpoint associations that you have defined.
3828
+ #
3829
+ # Depending on your setting for max results and the number of
3830
+ # firewalls you have, a single call might not be the full list.
3831
+ # @return [Array<Types::VpcEndpointAssociationMetadata>]
3832
+ #
3833
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/ListVpcEndpointAssociationsResponse AWS API Documentation
3834
+ #
3835
+ class ListVpcEndpointAssociationsResponse < Struct.new(
3836
+ :next_token,
3837
+ :vpc_endpoint_associations)
3838
+ SENSITIVE = []
3839
+ include Aws::Structure
3840
+ end
3841
+
3443
3842
  # Defines where Network Firewall sends logs for the firewall for one log
3444
3843
  # type. This is used in LoggingConfiguration. You can send each type of
3445
3844
  # log to an Amazon S3 bucket, a CloudWatch log group, or a Firehose
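Review bot: The `vpc_endpoint_associations` doc on `ListVpcEndpointAssociationsResponse` contains a typo, "assocation"; the line should read `# The VPC endpoint association metadata objects for the firewall that`. The sentence that follows, "Depending on your setting for max results and the number of firewalls you have", reads like a carry-over from the ListFirewalls documentation, since the quantity bounding this page is presumably the number of VPC endpoint associations rather than firewalls — worth confirming against the model. As with the rest of this file, the text appears to be generated from the service model, so the correction likely belongs upstream.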
@@ -3702,13 +4101,13 @@ module Aws::NetworkFirewall
3702
4101
 
3703
4102
  # @!attribute [rw] resource_arn
3704
4103
  # The Amazon Resource Name (ARN) of the account that you want to share
3705
- # rule groups and firewall policies with.
4104
+ # your Network Firewall resources with.
3706
4105
  # @return [String]
3707
4106
  #
3708
4107
  # @!attribute [rw] policy
3709
4108
  # The IAM policy statement that lists the accounts that you want to
3710
- # share your rule group or firewall policy with and the operations
3711
- # that you want the accounts to be able to perform.
4109
+ # share your Network Firewall resources with and the operations that
4110
+ # you want the accounts to be able to perform.
3712
4111
  #
3713
4112
  # For a rule group resource, you can specify the following operations
3714
4113
  # in the Actions section of the statement:
@@ -3726,9 +4125,18 @@ module Aws::NetworkFirewall
3726
4125
  #
3727
4126
  # * network-firewall:ListFirewallPolicies
3728
4127
  #
4128
+ # For a firewall resource, you can specify the following operations in
4129
+ # the Actions section of the statement:
4130
+ #
4131
+ # * network-firewall:CreateVpcEndpointAssociation
4132
+ #
4133
+ # * network-firewall:DescribeFirewallMetadata
4134
+ #
4135
+ # * network-firewall:ListFirewalls
4136
+ #
3729
4137
  # In the Resource section of the statement, you specify the ARNs for
3730
- # the rule groups and firewall policies that you want to share with
3731
- # the account that you specified in `Arn`.
4138
+ # the Network Firewall resources that you want to share with the
4139
+ # account that you specified in `Arn`.
3732
4140
  # @return [String]
3733
4141
  #
3734
4142
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/PutResourcePolicyRequest AWS API Documentation
@@ -4437,6 +4845,15 @@ module Aws::NetworkFirewall
4437
4845
  # configure a single flow operation.
4438
4846
  # @return [String]
4439
4847
  #
4848
+ # @!attribute [rw] vpc_endpoint_association_arn
4849
+ # The Amazon Resource Name (ARN) of a VPC endpoint association.
4850
+ # @return [String]
4851
+ #
4852
+ # @!attribute [rw] vpc_endpoint_id
4853
+ # A unique identifier for the primary endpoint associated with a
4854
+ # firewall.
4855
+ # @return [String]
4856
+ #
4440
4857
  # @!attribute [rw] minimum_flow_age_in_seconds
4441
4858
  # The reqested `FlowOperation` ignores flows with an age (in seconds)
4442
4859
  # lower than `MinimumFlowAgeInSeconds`. You provide this for start
@@ -4458,6 +4875,8 @@ module Aws::NetworkFirewall
4458
4875
  class StartFlowCaptureRequest < Struct.new(
4459
4876
  :firewall_arn,
4460
4877
  :availability_zone,
4878
+ :vpc_endpoint_association_arn,
4879
+ :vpc_endpoint_id,
4461
4880
  :minimum_flow_age_in_seconds,
4462
4881
  :flow_filters)
4463
4882
  SENSITIVE = []
@@ -4505,6 +4924,15 @@ module Aws::NetworkFirewall
4505
4924
  # configure a single flow operation.
4506
4925
  # @return [String]
4507
4926
  #
4927
+ # @!attribute [rw] vpc_endpoint_association_arn
4928
+ # The Amazon Resource Name (ARN) of a VPC endpoint association.
4929
+ # @return [String]
4930
+ #
4931
+ # @!attribute [rw] vpc_endpoint_id
4932
+ # A unique identifier for the primary endpoint associated with a
4933
+ # firewall.
4934
+ # @return [String]
4935
+ #
4508
4936
  # @!attribute [rw] minimum_flow_age_in_seconds
4509
4937
  # The reqested `FlowOperation` ignores flows with an age (in seconds)
4510
4938
  # lower than `MinimumFlowAgeInSeconds`. You provide this for start
@@ -4521,6 +4949,8 @@ module Aws::NetworkFirewall
4521
4949
  class StartFlowFlushRequest < Struct.new(
4522
4950
  :firewall_arn,
4523
4951
  :availability_zone,
4952
+ :vpc_endpoint_association_arn,
4953
+ :vpc_endpoint_id,
4524
4954
  :minimum_flow_age_in_seconds,
4525
4955
  :flow_filters)
4526
4956
  SENSITIVE = []
@@ -4845,10 +5275,11 @@ module Aws::NetworkFirewall
4845
5275
  include Aws::Structure
4846
5276
  end
4847
5277
 
4848
- # The ID for a subnet that you want to associate with the firewall. This
4849
- # is used with CreateFirewall and AssociateSubnets. Network Firewall
4850
- # creates an instance of the associated firewall in each subnet that you
4851
- # specify, to filter traffic in the subnet's Availability Zone.
5278
+ # The ID for a subnet that's used in an association with a firewall.
5279
+ # This is used in CreateFirewall, AssociateSubnets, and
5280
+ # CreateVpcEndpointAssociation. Network Firewall creates an instance of
5281
+ # the associated firewall in each subnet that you specify, to filter
5282
+ # traffic in the subnet's Availability Zone.
4852
5283
  #
4853
5284
  # @!attribute [rw] subnet_id
4854
5285
  # The unique identifier for the subnet.
@@ -4869,7 +5300,7 @@ module Aws::NetworkFirewall
4869
5300
  end
4870
5301
 
4871
5302
  # The status of the firewall endpoint and firewall policy configuration
4872
- # for a single VPC subnet.
5303
+ # for a single VPC subnet. This is part of the FirewallStatus.
4873
5304
  #
4874
5305
  # For each VPC subnet that you associate with a firewall, Network
4875
5306
  # Firewall does the following:
@@ -4886,11 +5317,10 @@ module Aws::NetworkFirewall
4886
5317
  # complete.
4887
5318
  #
4888
5319
  # @!attribute [rw] attachment
4889
- # The attachment status of the firewall's association with a single
4890
- # VPC subnet. For each configured subnet, Network Firewall creates the
4891
- # attachment by instantiating the firewall endpoint in the subnet so
4892
- # that it's ready to take traffic. This is part of the
4893
- # FirewallStatus.
5320
+ # The configuration and status for a single firewall subnet. For each
5321
+ # configured subnet, Network Firewall creates the attachment by
5322
+ # instantiating the firewall endpoint in the subnet so that it's
5323
+ # ready to take traffic.
4894
5324
  # @return [Types::Attachment]
4895
5325
  #
4896
5326
  # @!attribute [rw] config
@@ -4899,7 +5329,7 @@ module Aws::NetworkFirewall
4899
5329
  # are configured in the firewall policy. Each time you add a subnet or
4900
5330
  # modify the associated firewall policy, Network Firewall synchronizes
4901
5331
  # the rules in the endpoint, so it can properly filter network
4902
- # traffic. This is part of the FirewallStatus.
5332
+ # traffic.
4903
5333
  # @return [Hash<String,Types::PerObjectStatus>]
4904
5334
  #
4905
5335
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/SyncState AWS API Documentation
@@ -6230,6 +6660,139 @@ module Aws::NetworkFirewall
6230
6660
  include Aws::Structure
6231
6661
  end
6232
6662
 
6663
+ # A VPC endpoint association defines a single subnet to use for a
6664
+ # firewall endpoint for a `Firewall`. You can define VPC endpoint
6665
+ # associations only in the Availability Zones that already have a subnet
6666
+ # mapping defined in the `Firewall` resource.
6667
+ #
6668
+ # <note markdown="1"> You can retrieve the list of Availability Zones that are available for
6669
+ # use by calling `DescribeFirewallMetadata`.
6670
+ #
6671
+ # </note>
6672
+ #
6673
+ # To manage firewall endpoints, first, in the `Firewall` specification,
6674
+ # you specify a single VPC and one subnet for each of the Availability
6675
+ # Zones where you want to use the firewall. Then you can define
6676
+ # additional endpoints as VPC endpoint associations.
6677
+ #
6678
+ # You can use VPC endpoint associations to expand the protections of the
6679
+ # firewall as follows:
6680
+ #
6681
+ # * **Protect multiple VPCs with a single firewall** - You can use the
6682
+ # firewall to protect other VPCs, either in your account or in
6683
+ # accounts where the firewall is shared. You can only specify
6684
+ # Availability Zones that already have a firewall endpoint defined in
6685
+ # the `Firewall` subnet mappings.
6686
+ #
6687
+ # * **Define multiple firewall endpoints for a VPC in an Availability
6688
+ # Zone** - You can create additional firewall endpoints for the VPC
6689
+ # that you have defined in the firewall, in any Availability Zone that
6690
+ # already has an endpoint defined in the `Firewall` subnet mappings.
6691
+ # You can create multiple VPC endpoint associations for any other VPC
6692
+ # where you use the firewall.
6693
+ #
6694
+ # You can use Resource Access Manager to share a `Firewall` that you own
6695
+ # with other accounts, which gives them the ability to use the firewall
6696
+ # to create VPC endpoint associations. For information about sharing a
6697
+ # firewall, see `PutResourcePolicy` in this guide and see [Sharing
6698
+ # Network Firewall resources][1] in the *Network Firewall Developer
6699
+ # Guide*.
6700
+ #
6701
+ # The status of the VPC endpoint association, which indicates whether
6702
+ # it's ready to filter network traffic, is provided in the
6703
+ # corresponding VpcEndpointAssociationStatus. You can retrieve both the
6704
+ # association and its status by calling DescribeVpcEndpointAssociation.
6705
+ #
6706
+ #
6707
+ #
6708
+ # [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/sharing.html
6709
+ #
6710
+ # @!attribute [rw] vpc_endpoint_association_id
6711
+ # The unique identifier of the VPC endpoint association.
6712
+ # @return [String]
6713
+ #
6714
+ # @!attribute [rw] vpc_endpoint_association_arn
6715
+ # The Amazon Resource Name (ARN) of a VPC endpoint association.
6716
+ # @return [String]
6717
+ #
6718
+ # @!attribute [rw] firewall_arn
6719
+ # The Amazon Resource Name (ARN) of the firewall.
6720
+ # @return [String]
6721
+ #
6722
+ # @!attribute [rw] vpc_id
6723
+ # The unique identifier of the VPC for the endpoint association.
6724
+ # @return [String]
6725
+ #
6726
+ # @!attribute [rw] subnet_mapping
6727
+ # The ID for a subnet that's used in an association with a firewall.
6728
+ # This is used in CreateFirewall, AssociateSubnets, and
6729
+ # CreateVpcEndpointAssociation. Network Firewall creates an instance
6730
+ # of the associated firewall in each subnet that you specify, to
6731
+ # filter traffic in the subnet's Availability Zone.
6732
+ # @return [Types::SubnetMapping]
6733
+ #
6734
+ # @!attribute [rw] description
6735
+ # A description of the VPC endpoint association.
6736
+ # @return [String]
6737
+ #
6738
+ # @!attribute [rw] tags
6739
+ # The key:value pairs to associate with the resource.
6740
+ # @return [Array<Types::Tag>]
6741
+ #
6742
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/VpcEndpointAssociation AWS API Documentation
6743
+ #
6744
+ class VpcEndpointAssociation < Struct.new(
6745
+ :vpc_endpoint_association_id,
6746
+ :vpc_endpoint_association_arn,
6747
+ :firewall_arn,
6748
+ :vpc_id,
6749
+ :subnet_mapping,
6750
+ :description,
6751
+ :tags)
6752
+ SENSITIVE = []
6753
+ include Aws::Structure
6754
+ end
6755
+
6756
+ # High-level information about a VPC endpoint association, returned by
6757
+ # `ListVpcEndpointAssociations`. You can use the information provided in
6758
+ # the metadata to retrieve and manage a VPC endpoint association.
6759
+ #
6760
+ # @!attribute [rw] vpc_endpoint_association_arn
6761
+ # The Amazon Resource Name (ARN) of a VPC endpoint association.
6762
+ # @return [String]
6763
+ #
6764
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/VpcEndpointAssociationMetadata AWS API Documentation
6765
+ #
6766
+ class VpcEndpointAssociationMetadata < Struct.new(
6767
+ :vpc_endpoint_association_arn)
6768
+ SENSITIVE = []
6769
+ include Aws::Structure
6770
+ end
6771
+
6772
+ # Detailed information about the current status of a
6773
+ # VpcEndpointAssociation. You can retrieve this by calling
6774
+ # DescribeVpcEndpointAssociation and providing the VPC endpoint
6775
+ # association ARN.
6776
+ #
6777
+ # @!attribute [rw] status
6778
+ # The readiness of the configured firewall endpoint to handle network
6779
+ # traffic.
6780
+ # @return [String]
6781
+ #
6782
+ # @!attribute [rw] association_sync_state
6783
+ # The list of the Availability Zone sync states for all subnets that
6784
+ # are defined by the firewall.
6785
+ # @return [Hash<String,Types::AZSyncState>]
6786
+ #
6787
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/VpcEndpointAssociationStatus AWS API Documentation
6788
+ #
6789
+ class VpcEndpointAssociationStatus < Struct.new(
6790
+ :status,
6791
+ :association_sync_state)
6792
+ SENSITIVE = []
6793
+ include Aws::Structure
6794
+ end
6795
+
6233
6796
  end
6234
6797
  end
6235
6798