aws-sdk-networkfirewall 1.68.0 → 1.69.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f3eee9d2a57dd5d6a8a284d34c076da48a7383b475ac45ddeaf7e6135a891570
-  data.tar.gz: e31508218853da16869f7e09d999dc473d69660b2b049b2381dd3d58c700d5ba
+  metadata.gz: cad30eb0730be43dba55f8f37ee7f37fa6154e60acc8b8169a6abf148b9166f2
+  data.tar.gz: adeec5b752ae386788194748430a990bda96946b679ce8fdc85d430547d7946d
 SHA512:
-  metadata.gz: 6e31b196d4f37c74ee591bb1cd61743f8afbba3377c84ba7ae6bb02d1f5cf33c9fa13bba434c7145f7902faccaf2d142513356d022afda58baeedd19c70c0603
-  data.tar.gz: 4377e6ceff9970632bdd6734c25dd2d361bc69eb7776282073ceded64d95711a646c4a50de0bf7a52ae1b5fd852fb34919773d49cee2f23d5b312d594a05b02d
+  metadata.gz: 6af62b765cd8c67599e28c6ad31fc0094c86719a7b7c7b172f94eec21fc8a7448c35426174910fe03964c7b6b540994d397fa8f439b5795e4107684d2e0254c4
+  data.tar.gz: 8e076917fc63035dc0ad614b042dd0b07e68005170f1f22d8b578111517a51e16cef815b77044aea543108d413d766ffeaf2ee0ae2aac5b264775e1c7b9b5f30

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.69.0 (2025-06-16)
+------------------
+
+* Feature - You can now create firewalls using a Transit Gateway instead of a VPC, resulting in a TGW attachment.
+
 1.68.0 (2025-06-04)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.68.0
+1.69.0

data/lib/aws-sdk-networkfirewall/client.rb

@@ -476,6 +476,135 @@ module Aws::NetworkFirewall
 
     # @!group API Operations
 
+    # Accepts a transit gateway attachment request for Network Firewall.
+    # When you accept the attachment request, Network Firewall creates the
+    # necessary routing components to enable traffic flow between the
+    # transit gateway and firewall endpoints.
+    #
+    # You must accept a transit gateway attachment to complete the creation
+    # of a transit gateway-attached firewall, unless auto-accept is enabled
+    # on the transit gateway. After acceptance, use DescribeFirewall to
+    # verify the firewall status.
+    #
+    # To reject an attachment instead of accepting it, use
+    # RejectNetworkFirewallTransitGatewayAttachment.
+    #
+    # <note markdown="1"> It can take several minutes for the attachment acceptance to complete
+    # and the firewall to become available.
+    #
+    #  </note>
+    #
+    # @option params [required, String] :transit_gateway_attachment_id
+    #   Required. The unique identifier of the transit gateway attachment to
+    #   accept. This ID is returned in the response when creating a transit
+    #   gateway-attached firewall.
+    #
+    # @return [Types::AcceptNetworkFirewallTransitGatewayAttachmentResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::AcceptNetworkFirewallTransitGatewayAttachmentResponse#transit_gateway_attachment_id #transit_gateway_attachment_id} => String
+    #   * {Types::AcceptNetworkFirewallTransitGatewayAttachmentResponse#transit_gateway_attachment_status #transit_gateway_attachment_status} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.accept_network_firewall_transit_gateway_attachment({
+    #     transit_gateway_attachment_id: "TransitGatewayAttachmentId", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.transit_gateway_attachment_id #=> String
+    #   resp.transit_gateway_attachment_status #=> String, one of "CREATING", "DELETING", "DELETED", "FAILED", "ERROR", "READY", "PENDING_ACCEPTANCE", "REJECTING", "REJECTED"
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AcceptNetworkFirewallTransitGatewayAttachment AWS API Documentation
+    #
+    # @overload accept_network_firewall_transit_gateway_attachment(params = {})
+    # @param [Hash] params ({})
+    def accept_network_firewall_transit_gateway_attachment(params = {}, options = {})
+      req = build_request(:accept_network_firewall_transit_gateway_attachment, params)
+      req.send_request(options)
+    end
+
+    # Associates the specified Availability Zones with a transit
+    # gateway-attached firewall. For each Availability Zone, Network
+    # Firewall creates a firewall endpoint to process traffic. You can
+    # specify one or more Availability Zones where you want to deploy the
+    # firewall.
+    #
+    # After adding Availability Zones, you must update your transit gateway
+    # route tables to direct traffic through the new firewall endpoints. Use
+    # DescribeFirewall to monitor the status of the new endpoints.
+    #
+    # @option params [String] :update_token
+    #   An optional token that you can use for optimistic locking. Network
+    #   Firewall returns a token to your requests that access the firewall.
+    #   The token marks the state of the firewall resource at the time of the
+    #   request.
+    #
+    #   To make an unconditional change to the firewall, omit the token in
+    #   your update request. Without the token, Network Firewall performs your
+    #   updates regardless of whether the firewall has changed since you last
+    #   retrieved it.
+    #
+    #   To make a conditional change to the firewall, provide the token in
+    #   your update request. Network Firewall uses the token to ensure that
+    #   the firewall hasn't changed since you last retrieved it. If it has
+    #   changed, the operation fails with an `InvalidTokenException`. If this
+    #   happens, retrieve the firewall again to get a current copy of it with
+    #   a new token. Reapply your changes as needed, then try the operation
+    #   again using the new token.
+    #
+    # @option params [String] :firewall_arn
+    #   The Amazon Resource Name (ARN) of the firewall.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [String] :firewall_name
+    #   The descriptive name of the firewall. You can't change the name of a
+    #   firewall after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [required, Array<Types::AvailabilityZoneMapping>] :availability_zone_mappings
+    #   Required. The Availability Zones where you want to create firewall
+    #   endpoints. You must specify at least one Availability Zone.
+    #
+    # @return [Types::AssociateAvailabilityZonesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::AssociateAvailabilityZonesResponse#firewall_arn #firewall_arn} => String
+    #   * {Types::AssociateAvailabilityZonesResponse#firewall_name #firewall_name} => String
+    #   * {Types::AssociateAvailabilityZonesResponse#availability_zone_mappings #availability_zone_mappings} => Array&lt;Types::AvailabilityZoneMapping&gt;
+    #   * {Types::AssociateAvailabilityZonesResponse#update_token #update_token} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.associate_availability_zones({
+    #     update_token: "UpdateToken",
+    #     firewall_arn: "ResourceArn",
+    #     firewall_name: "ResourceName",
+    #     availability_zone_mappings: [ # required
+    #       {
+    #         availability_zone: "AvailabilityZoneMappingString", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.firewall_arn #=> String
+    #   resp.firewall_name #=> String
+    #   resp.availability_zone_mappings #=> Array
+    #   resp.availability_zone_mappings[0].availability_zone #=> String
+    #   resp.update_token #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AssociateAvailabilityZones AWS API Documentation
+    #
+    # @overload associate_availability_zones(params = {})
+    # @param [Hash] params ({})
+    def associate_availability_zones(params = {}, options = {})
+      req = build_request(:associate_availability_zones, params)
+      req.send_request(options)
+    end
+
     # Associates a FirewallPolicy to a Firewall.
     #
     # A firewall policy defines how to monitor and manage your VPC network
@@ -711,6 +840,46 @@ module Aws::NetworkFirewall
     #   An optional setting indicating the specific traffic analysis types to
     #   enable on the firewall.
     #
+    # @option params [String] :transit_gateway_id
+    #   Required when creating a transit gateway-attached firewall. The unique
+    #   identifier of the transit gateway to attach to this firewall. You can
+    #   provide either a transit gateway from your account or one that has
+    #   been shared with you through Resource Access Manager.
+    #
+    #   After creating the firewall, you cannot change the transit gateway
+    #   association. To use a different transit gateway, you must create a new
+    #   firewall.
+    #
+    #   For information about creating firewalls, see CreateFirewall. For
+    #   specific guidance about transit gateway-attached firewalls, see
+    #   [Considerations for transit gateway-attached firewalls][1] in the
+    #   *Network Firewall Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/tgw-firewall-considerations.html
+    #
+    # @option params [Array<Types::AvailabilityZoneMapping>] :availability_zone_mappings
+    #   Required. The Availability Zones where you want to create firewall
+    #   endpoints for a transit gateway-attached firewall. You must specify at
+    #   least one Availability Zone. Consider enabling the firewall in every
+    #   Availability Zone where you have workloads to maintain Availability
+    #   Zone independence.
+    #
+    #   You can modify Availability Zones later using
+    #   AssociateAvailabilityZones or DisassociateAvailabilityZones, but this
+    #   may briefly disrupt traffic. The `AvailabilityZoneChangeProtection`
+    #   setting controls whether you can make these modifications.
+    #
+    # @option params [Boolean] :availability_zone_change_protection
+    #   Optional. A setting indicating whether the firewall is protected
+    #   against changes to its Availability Zone configuration. When set to
+    #   `TRUE`, you cannot add or remove Availability Zones without first
+    #   disabling this protection using
+    #   UpdateAvailabilityZoneChangeProtection.
+    #
+    #   Default value: `FALSE`
+    #
     # @return [Types::CreateFirewallResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateFirewallResponse#firewall #firewall} => Types::Firewall
@@ -743,6 +912,13 @@ module Aws::NetworkFirewall
     #       type: "CUSTOMER_KMS", # required, accepts CUSTOMER_KMS, AWS_OWNED_KMS_KEY
     #     },
     #     enabled_analysis_types: ["TLS_SNI"], # accepts TLS_SNI, HTTP_HOST
+    #     transit_gateway_id: "TransitGatewayId",
+    #     availability_zone_mappings: [
+    #       {
+    #         availability_zone: "AvailabilityZoneMappingString", # required
+    #       },
+    #     ],
+    #     availability_zone_change_protection: false,
     #   })
     #
     # @example Response structure
@@ -767,6 +943,11 @@ module Aws::NetworkFirewall
     #   resp.firewall.number_of_associations #=> Integer
     #   resp.firewall.enabled_analysis_types #=> Array
     #   resp.firewall.enabled_analysis_types[0] #=> String, one of "TLS_SNI", "HTTP_HOST"
+    #   resp.firewall.transit_gateway_id #=> String
+    #   resp.firewall.transit_gateway_owner_account_id #=> String
+    #   resp.firewall.availability_zone_mappings #=> Array
+    #   resp.firewall.availability_zone_mappings[0].availability_zone #=> String
+    #   resp.firewall.availability_zone_change_protection #=> Boolean
     #   resp.firewall_status.status #=> String, one of "PROVISIONING", "DELETING", "READY"
     #   resp.firewall_status.configuration_sync_state_summary #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
     #   resp.firewall_status.sync_states #=> Hash
@@ -781,6 +962,9 @@ module Aws::NetworkFirewall
     #   resp.firewall_status.capacity_usage_summary.cid_rs.utilized_cidr_count #=> Integer
     #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references #=> Hash
     #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references["IPSetArn"].resolved_cidr_count #=> Integer
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.attachment_id #=> String
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.transit_gateway_attachment_status #=> String, one of "CREATING", "DELETING", "DELETED", "FAILED", "ERROR", "READY", "PENDING_ACCEPTANCE", "REJECTING", "REJECTED"
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateFirewall AWS API Documentation
     #
@@ -1094,7 +1278,7 @@ module Aws::NetworkFirewall
     #           {
     #             action: "PASS", # required, accepts PASS, DROP, ALERT, REJECT
     #             header: { # required
-    #               protocol: "IP", # required, accepts IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP
+    #               protocol: "IP", # required, accepts IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP, HTTP2, QUIC
     #               source: "Source", # required
     #               source_port: "Port", # required
     #               direction: "FORWARD", # required, accepts FORWARD, ANY
@@ -1544,6 +1728,11 @@ module Aws::NetworkFirewall
     #   resp.firewall.number_of_associations #=> Integer
     #   resp.firewall.enabled_analysis_types #=> Array
     #   resp.firewall.enabled_analysis_types[0] #=> String, one of "TLS_SNI", "HTTP_HOST"
+    #   resp.firewall.transit_gateway_id #=> String
+    #   resp.firewall.transit_gateway_owner_account_id #=> String
+    #   resp.firewall.availability_zone_mappings #=> Array
+    #   resp.firewall.availability_zone_mappings[0].availability_zone #=> String
+    #   resp.firewall.availability_zone_change_protection #=> Boolean
     #   resp.firewall_status.status #=> String, one of "PROVISIONING", "DELETING", "READY"
     #   resp.firewall_status.configuration_sync_state_summary #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
     #   resp.firewall_status.sync_states #=> Hash
@@ -1558,6 +1747,9 @@ module Aws::NetworkFirewall
     #   resp.firewall_status.capacity_usage_summary.cid_rs.utilized_cidr_count #=> Integer
     #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references #=> Hash
     #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references["IPSetArn"].resolved_cidr_count #=> Integer
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.attachment_id #=> String
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.transit_gateway_attachment_status #=> String, one of "CREATING", "DELETING", "DELETED", "FAILED", "ERROR", "READY", "PENDING_ACCEPTANCE", "REJECTING", "REJECTED"
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteFirewall AWS API Documentation
     #
@@ -1618,6 +1810,45 @@ module Aws::NetworkFirewall
       req.send_request(options)
     end
 
+    # Deletes a transit gateway attachment from a Network Firewall. Either
+    # the firewall owner or the transit gateway owner can delete the
+    # attachment.
+    #
+    # After you delete a transit gateway attachment, traffic will no longer
+    # flow through the firewall endpoints.
+    #
+    # After you initiate the delete operation, use DescribeFirewall to
+    # monitor the deletion status.
+    #
+    # @option params [required, String] :transit_gateway_attachment_id
+    #   Required. The unique identifier of the transit gateway attachment to
+    #   delete.
+    #
+    # @return [Types::DeleteNetworkFirewallTransitGatewayAttachmentResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::DeleteNetworkFirewallTransitGatewayAttachmentResponse#transit_gateway_attachment_id #transit_gateway_attachment_id} => String
+    #   * {Types::DeleteNetworkFirewallTransitGatewayAttachmentResponse#transit_gateway_attachment_status #transit_gateway_attachment_status} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.delete_network_firewall_transit_gateway_attachment({
+    #     transit_gateway_attachment_id: "TransitGatewayAttachmentId", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.transit_gateway_attachment_id #=> String
+    #   resp.transit_gateway_attachment_status #=> String, one of "CREATING", "DELETING", "DELETED", "FAILED", "ERROR", "READY", "PENDING_ACCEPTANCE", "REJECTING", "REJECTED"
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteNetworkFirewallTransitGatewayAttachment AWS API Documentation
+    #
+    # @overload delete_network_firewall_transit_gateway_attachment(params = {})
+    # @param [Hash] params ({})
+    def delete_network_firewall_transit_gateway_attachment(params = {}, options = {})
+      req = build_request(:delete_network_firewall_transit_gateway_attachment, params)
+      req.send_request(options)
+    end
+
     # Deletes a resource policy that you created in a PutResourcePolicy
     # request.
     #
@@ -1871,6 +2102,11 @@ module Aws::NetworkFirewall
     #   resp.firewall.number_of_associations #=> Integer
     #   resp.firewall.enabled_analysis_types #=> Array
     #   resp.firewall.enabled_analysis_types[0] #=> String, one of "TLS_SNI", "HTTP_HOST"
+    #   resp.firewall.transit_gateway_id #=> String
+    #   resp.firewall.transit_gateway_owner_account_id #=> String
+    #   resp.firewall.availability_zone_mappings #=> Array
+    #   resp.firewall.availability_zone_mappings[0].availability_zone #=> String
+    #   resp.firewall.availability_zone_change_protection #=> Boolean
     #   resp.firewall_status.status #=> String, one of "PROVISIONING", "DELETING", "READY"
     #   resp.firewall_status.configuration_sync_state_summary #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
     #   resp.firewall_status.sync_states #=> Hash
@@ -1885,6 +2121,9 @@ module Aws::NetworkFirewall
     #   resp.firewall_status.capacity_usage_summary.cid_rs.utilized_cidr_count #=> Integer
     #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references #=> Hash
     #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references["IPSetArn"].resolved_cidr_count #=> Integer
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.attachment_id #=> String
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.transit_gateway_attachment_status #=> String, one of "CREATING", "DELETING", "DELETED", "FAILED", "ERROR", "READY", "PENDING_ACCEPTANCE", "REJECTING", "REJECTED"
+    #   resp.firewall_status.transit_gateway_attachment_sync_state.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeFirewall AWS API Documentation
     #
@@ -1908,6 +2147,7 @@ module Aws::NetworkFirewall
     #   * {Types::DescribeFirewallMetadataResponse#description #description} => String
     #   * {Types::DescribeFirewallMetadataResponse#status #status} => String
     #   * {Types::DescribeFirewallMetadataResponse#supported_availability_zones #supported_availability_zones} => Hash&lt;String,Types::AvailabilityZoneMetadata&gt;
+    #   * {Types::DescribeFirewallMetadataResponse#transit_gateway_attachment_id #transit_gateway_attachment_id} => String
     #
     # @example Request syntax with placeholder values
     #
@@ -1923,6 +2163,7 @@ module Aws::NetworkFirewall
     #   resp.status #=> String, one of "PROVISIONING", "DELETING", "READY"
     #   resp.supported_availability_zones #=> Hash
     #   resp.supported_availability_zones["AvailabilityZone"].ip_address_type #=> String, one of "DUALSTACK", "IPV4", "IPV6"
+    #   resp.transit_gateway_attachment_id #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeFirewallMetadata AWS API Documentation
     #
@@ -2223,7 +2464,7 @@ module Aws::NetworkFirewall
     #   resp.rule_group.rules_source.rules_source_list.generated_rules_type #=> String, one of "ALLOWLIST", "DENYLIST"
     #   resp.rule_group.rules_source.stateful_rules #=> Array
     #   resp.rule_group.rules_source.stateful_rules[0].action #=> String, one of "PASS", "DROP", "ALERT", "REJECT"
-    #   resp.rule_group.rules_source.stateful_rules[0].header.protocol #=> String, one of "IP", "TCP", "UDP", "ICMP", "HTTP", "FTP", "TLS", "SMB", "DNS", "DCERPC", "SSH", "SMTP", "IMAP", "MSN", "KRB5", "IKEV2", "TFTP", "NTP", "DHCP"
+    #   resp.rule_group.rules_source.stateful_rules[0].header.protocol #=> String, one of "IP", "TCP", "UDP", "ICMP", "HTTP", "FTP", "TLS", "SMB", "DNS", "DCERPC", "SSH", "SMTP", "IMAP", "MSN", "KRB5", "IKEV2", "TFTP", "NTP", "DHCP", "HTTP2", "QUIC"
     #   resp.rule_group.rules_source.stateful_rules[0].header.source #=> String
     #   resp.rule_group.rules_source.stateful_rules[0].header.source_port #=> String
     #   resp.rule_group.rules_source.stateful_rules[0].header.direction #=> String, one of "FORWARD", "ANY"
@@ -2480,6 +2721,91 @@ module Aws::NetworkFirewall
       req.send_request(options)
     end
 
+    # Removes the specified Availability Zone associations from a transit
+    # gateway-attached firewall. This removes the firewall endpoints from
+    # these Availability Zones and stops traffic filtering in those zones.
+    # Before removing an Availability Zone, ensure you've updated your
+    # transit gateway route tables to redirect traffic appropriately.
+    #
+    # <note markdown="1"> If `AvailabilityZoneChangeProtection` is enabled, you must first
+    # disable it using UpdateAvailabilityZoneChangeProtection.
+    #
+    #  </note>
+    #
+    # To verify the status of your Availability Zone changes, use
+    # DescribeFirewall.
+    #
+    # @option params [String] :update_token
+    #   An optional token that you can use for optimistic locking. Network
+    #   Firewall returns a token to your requests that access the firewall.
+    #   The token marks the state of the firewall resource at the time of the
+    #   request.
+    #
+    #   To make an unconditional change to the firewall, omit the token in
+    #   your update request. Without the token, Network Firewall performs your
+    #   updates regardless of whether the firewall has changed since you last
+    #   retrieved it.
+    #
+    #   To make a conditional change to the firewall, provide the token in
+    #   your update request. Network Firewall uses the token to ensure that
+    #   the firewall hasn't changed since you last retrieved it. If it has
+    #   changed, the operation fails with an `InvalidTokenException`. If this
+    #   happens, retrieve the firewall again to get a current copy of it with
+    #   a new token. Reapply your changes as needed, then try the operation
+    #   again using the new token.
+    #
+    # @option params [String] :firewall_arn
+    #   The Amazon Resource Name (ARN) of the firewall.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [String] :firewall_name
+    #   The descriptive name of the firewall. You can't change the name of a
+    #   firewall after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [required, Array<Types::AvailabilityZoneMapping>] :availability_zone_mappings
+    #   Required. The Availability Zones to remove from the firewall's
+    #   configuration.
+    #
+    # @return [Types::DisassociateAvailabilityZonesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::DisassociateAvailabilityZonesResponse#firewall_arn #firewall_arn} => String
+    #   * {Types::DisassociateAvailabilityZonesResponse#firewall_name #firewall_name} => String
+    #   * {Types::DisassociateAvailabilityZonesResponse#availability_zone_mappings #availability_zone_mappings} => Array&lt;Types::AvailabilityZoneMapping&gt;
+    #   * {Types::DisassociateAvailabilityZonesResponse#update_token #update_token} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.disassociate_availability_zones({
+    #     update_token: "UpdateToken",
+    #     firewall_arn: "ResourceArn",
+    #     firewall_name: "ResourceName",
+    #     availability_zone_mappings: [ # required
+    #       {
+    #         availability_zone: "AvailabilityZoneMappingString", # required
+    #       },
+    #     ],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.firewall_arn #=> String
+    #   resp.firewall_name #=> String
+    #   resp.availability_zone_mappings #=> Array
+    #   resp.availability_zone_mappings[0].availability_zone #=> String
+    #   resp.update_token #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DisassociateAvailabilityZones AWS API Documentation
+    #
+    # @overload disassociate_availability_zones(params = {})
+    # @param [Hash] params ({})
+    def disassociate_availability_zones(params = {}, options = {})
+      req = build_request(:disassociate_availability_zones, params)
+      req.send_request(options)
+    end
+
     # Removes the specified subnet associations from the firewall. This
     # removes the firewall endpoints from the subnets and removes any
     # network filtering protections that the endpoints were providing.
@@ -2785,6 +3111,7 @@ module Aws::NetworkFirewall
     #   resp.firewalls #=> Array
     #   resp.firewalls[0].firewall_name #=> String
     #   resp.firewalls[0].firewall_arn #=> String
+    #   resp.firewalls[0].transit_gateway_attachment_id #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/ListFirewalls AWS API Documentation
     #
@@ -3298,6 +3625,54 @@ module Aws::NetworkFirewall
       req.send_request(options)
     end
 
+    # Rejects a transit gateway attachment request for Network Firewall.
+    # When you reject the attachment request, Network Firewall cancels the
+    # creation of routing components between the transit gateway and
+    # firewall endpoints.
+    #
+    # Only the transit gateway owner can reject the attachment. After
+    # rejection, no traffic will flow through the firewall endpoints for
+    # this attachment.
+    #
+    # Use DescribeFirewall to monitor the rejection status. To accept the
+    # attachment instead of rejecting it, use
+    # AcceptNetworkFirewallTransitGatewayAttachment.
+    #
+    # <note markdown="1"> Once rejected, you cannot reverse this action. To establish
+    # connectivity, you must create a new transit gateway-attached firewall.
+    #
+    #  </note>
+    #
+    # @option params [required, String] :transit_gateway_attachment_id
+    #   Required. The unique identifier of the transit gateway attachment to
+    #   reject. This ID is returned in the response when creating a transit
+    #   gateway-attached firewall.
+    #
+    # @return [Types::RejectNetworkFirewallTransitGatewayAttachmentResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::RejectNetworkFirewallTransitGatewayAttachmentResponse#transit_gateway_attachment_id #transit_gateway_attachment_id} => String
+    #   * {Types::RejectNetworkFirewallTransitGatewayAttachmentResponse#transit_gateway_attachment_status #transit_gateway_attachment_status} => String
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.reject_network_firewall_transit_gateway_attachment({
+    #     transit_gateway_attachment_id: "TransitGatewayAttachmentId", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.transit_gateway_attachment_id #=> String
+    #   resp.transit_gateway_attachment_status #=> String, one of "CREATING", "DELETING", "DELETED", "FAILED", "ERROR", "READY", "PENDING_ACCEPTANCE", "REJECTING", "REJECTED"
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RejectNetworkFirewallTransitGatewayAttachment AWS API Documentation
+    #
+    # @overload reject_network_firewall_transit_gateway_attachment(params = {})
+    # @param [Hash] params ({})
+    def reject_network_firewall_transit_gateway_attachment(params = {}, options = {})
+      req = build_request(:reject_network_firewall_transit_gateway_attachment, params)
+      req.send_request(options)
+    end
+
     # Generates a traffic analysis report for the timeframe and traffic type
     # you specify.
     #
@@ -3588,6 +3963,85 @@ module Aws::NetworkFirewall
       req.send_request(options)
     end
 
+    # Modifies the `AvailabilityZoneChangeProtection` setting for a transit
+    # gateway-attached firewall. When enabled, this setting prevents
+    # accidental changes to the firewall's Availability Zone configuration.
+    # This helps protect against disrupting traffic flow in production
+    # environments.
+    #
+    # When enabled, you must disable this protection before using
+    # AssociateAvailabilityZones or DisassociateAvailabilityZones to modify
+    # the firewall's Availability Zone configuration.
+    #
+    # @option params [String] :update_token
+    #   An optional token that you can use for optimistic locking. Network
+    #   Firewall returns a token to your requests that access the firewall.
+    #   The token marks the state of the firewall resource at the time of the
+    #   request.
+    #
+    #   To make an unconditional change to the firewall, omit the token in
+    #   your update request. Without the token, Network Firewall performs your
+    #   updates regardless of whether the firewall has changed since you last
+    #   retrieved it.
+    #
+    #   To make a conditional change to the firewall, provide the token in
+    #   your update request. Network Firewall uses the token to ensure that
+    #   the firewall hasn't changed since you last retrieved it. If it has
+    #   changed, the operation fails with an `InvalidTokenException`. If this
+    #   happens, retrieve the firewall again to get a current copy of it with
+    #   a new token. Reapply your changes as needed, then try the operation
+    #   again using the new token.
+    #
+    # @option params [String] :firewall_arn
+    #   The Amazon Resource Name (ARN) of the firewall.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [String] :firewall_name
+    #   The descriptive name of the firewall. You can't change the name of a
+    #   firewall after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [required, Boolean] :availability_zone_change_protection
+    #   A setting indicating whether the firewall is protected against changes
+    #   to the subnet associations. Use this setting to protect against
+    #   accidentally modifying the subnet associations for a firewall that is
+    #   in use. When you create a firewall, the operation initializes this
+    #   setting to `TRUE`.
+    #
+    # @return [Types::UpdateAvailabilityZoneChangeProtectionResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::UpdateAvailabilityZoneChangeProtectionResponse#update_token #update_token} => String
+    #   * {Types::UpdateAvailabilityZoneChangeProtectionResponse#firewall_arn #firewall_arn} => String
+    #   * {Types::UpdateAvailabilityZoneChangeProtectionResponse#firewall_name #firewall_name} => String
+    #   * {Types::UpdateAvailabilityZoneChangeProtectionResponse#availability_zone_change_protection #availability_zone_change_protection} => Boolean
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.update_availability_zone_change_protection({
+    #     update_token: "UpdateToken",
+    #     firewall_arn: "ResourceArn",
+    #     firewall_name: "ResourceName",
+    #     availability_zone_change_protection: false, # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.update_token #=> String
+    #   resp.firewall_arn #=> String
+    #   resp.firewall_name #=> String
+    #   resp.availability_zone_change_protection #=> Boolean
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateAvailabilityZoneChangeProtection AWS API Documentation
+    #
+    # @overload update_availability_zone_change_protection(params = {})
+    # @param [Hash] params ({})
+    def update_availability_zone_change_protection(params = {}, options = {})
+      req = build_request(:update_availability_zone_change_protection, params)
+      req.send_request(options)
+    end
+
     # Enables specific types of firewall analysis on a specific firewall you
     # define.
     #
@@ -4345,7 +4799,7 @@ module Aws::NetworkFirewall
     #           {
     #             action: "PASS", # required, accepts PASS, DROP, ALERT, REJECT
     #             header: { # required
-    #               protocol: "IP", # required, accepts IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP
+    #               protocol: "IP", # required, accepts IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP, HTTP2, QUIC
     #               source: "Source", # required
     #               source_port: "Port", # required
     #               direction: "FORWARD", # required, accepts FORWARD, ANY
@@ -4717,7 +5171,7 @@ module Aws::NetworkFirewall
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-networkfirewall'
-      context[:gem_version] = '1.68.0'
+      context[:gem_version] = '1.69.0'
       Seahorse::Client::Request.new(handlers, context)
     end