npm - @aws-sdk/client-network-firewall - Versions diffs - 3.826.0 → 3.830.0 - Mend

@aws-sdk/client-network-firewall 3.826.0 → 3.830.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/dist-types/models/models_0.d.ts CHANGED Viewed

@@ -1,5 +1,153 @@
 import { ExceptionOptionType as __ExceptionOptionType } from "@smithy/smithy-client";
 import { NetworkFirewallServiceException as __BaseException } from "./NetworkFirewallServiceException";
+/**
+ * @public
+ */
+export interface AcceptNetworkFirewallTransitGatewayAttachmentRequest {
+    /**
+     * <p>Required. The unique identifier of the transit gateway attachment to accept. This ID is returned in the response when creating a transit gateway-attached firewall.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId: string | undefined;
+}
+/**
+ * @public
+ * @enum
+ */
+export declare const TransitGatewayAttachmentStatus: {
+    readonly CREATING: "CREATING";
+    readonly DELETED: "DELETED";
+    readonly DELETING: "DELETING";
+    readonly ERROR: "ERROR";
+    readonly FAILED: "FAILED";
+    readonly PENDING_ACCEPTANCE: "PENDING_ACCEPTANCE";
+    readonly READY: "READY";
+    readonly REJECTED: "REJECTED";
+    readonly REJECTING: "REJECTING";
+};
+/**
+ * @public
+ */
+export type TransitGatewayAttachmentStatus = (typeof TransitGatewayAttachmentStatus)[keyof typeof TransitGatewayAttachmentStatus];
+/**
+ * @public
+ */
+export interface AcceptNetworkFirewallTransitGatewayAttachmentResponse {
+    /**
+     * <p>The unique identifier of the transit gateway attachment that was accepted.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId: string | undefined;
+    /**
+     * <p>The current status of the transit gateway attachment. Valid values are:</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>CREATING</code> - The attachment is being created</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETING</code> - The attachment is being deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETED</code> - The attachment has been deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>FAILED</code> - The attachment creation has failed and cannot be recovered</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>ERROR</code> - The attachment is in an error state that might be recoverable</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>READY</code> - The attachment is active and processing traffic</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PENDING_ACCEPTANCE</code> - The attachment is waiting to be accepted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTING</code> - The attachment is in the process of being rejected</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTED</code> - The attachment has been rejected</p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    TransitGatewayAttachmentStatus: TransitGatewayAttachmentStatus | undefined;
+}
+/**
+ * <p>Your request is valid, but Network Firewall couldn't perform the operation because of a
+ *          system problem. Retry your request. </p>
+ * @public
+ */
+export declare class InternalServerError extends __BaseException {
+    readonly name: "InternalServerError";
+    readonly $fault: "server";
+    Message?: string | undefined;
+    /**
+     * @internal
+     */
+    constructor(opts: __ExceptionOptionType<InternalServerError, __BaseException>);
+}
+/**
+ * <p>The operation failed because of a problem with your request. Examples include: </p>
+ *          <ul>
+ *             <li>
+ *                <p>You specified an unsupported parameter name or value.</p>
+ *             </li>
+ *             <li>
+ *                <p>You tried to update a property with a value that isn't among the available
+ *                types.</p>
+ *             </li>
+ *             <li>
+ *                <p>Your request references an ARN that is malformed, or corresponds to a resource
+ *                that isn't valid in the context of the request.</p>
+ *             </li>
+ *          </ul>
+ * @public
+ */
+export declare class InvalidRequestException extends __BaseException {
+    readonly name: "InvalidRequestException";
+    readonly $fault: "client";
+    Message?: string | undefined;
+    /**
+     * @internal
+     */
+    constructor(opts: __ExceptionOptionType<InvalidRequestException, __BaseException>);
+}
+/**
+ * <p>Unable to locate a resource using the parameters that you provided.</p>
+ * @public
+ */
+export declare class ResourceNotFoundException extends __BaseException {
+    readonly name: "ResourceNotFoundException";
+    readonly $fault: "client";
+    Message?: string | undefined;
+    /**
+     * @internal
+     */
+    constructor(opts: __ExceptionOptionType<ResourceNotFoundException, __BaseException>);
+}
+/**
+ * <p>Unable to process the request due to throttling limitations.</p>
+ * @public
+ */
+export declare class ThrottlingException extends __BaseException {
+    readonly name: "ThrottlingException";
+    readonly $fault: "client";
+    Message?: string | undefined;
+    /**
+     * @internal
+     */
+    constructor(opts: __ExceptionOptionType<ThrottlingException, __BaseException>);
+}
 /**
  * <p>The value to use in an Amazon CloudWatch custom metric dimension. This is used in the
  *             <code>PublishMetrics</code>
@@ -47,8 +195,7 @@ export interface ActionDefinition {
     PublishMetricAction?: PublishMetricAction | undefined;
 }
 /**
- * <p>A single IP address specification. This is used in the <a>MatchAttributes</a>
- *          source and destination specifications.</p>
+ * <p>A single IP address specification. This is used in the <a>MatchAttributes</a> source and destination specifications.</p>
  * @public
  */
 export interface Address {
@@ -234,9 +381,21 @@ export interface AnalysisResult {
     AnalysisDetail?: string | undefined;
 }
 /**
+ * <p>Defines the mapping between an Availability Zone and a firewall endpoint for a transit gateway-attached firewall. Each mapping represents where the firewall can process traffic. You use these mappings when calling <a>CreateFirewall</a>, <a>AssociateAvailabilityZones</a>, and <a>DisassociateAvailabilityZones</a>.</p>
+ *          <p>To retrieve the current Availability Zone mappings for a firewall, use <a>DescribeFirewall</a>.</p>
  * @public
  */
-export interface AssociateFirewallPolicyRequest {
+export interface AvailabilityZoneMapping {
+    /**
+     * <p>The ID of the Availability Zone where the firewall endpoint is located. For example, <code>us-east-2a</code>. The Availability Zone must be in the same Region as the transit gateway.</p>
+     * @public
+     */
+    AvailabilityZone: string | undefined;
+}
+/**
+ * @public
+ */
+export interface AssociateAvailabilityZonesRequest {
     /**
      * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
      *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
@@ -257,15 +416,15 @@ export interface AssociateFirewallPolicyRequest {
      */
     FirewallName?: string | undefined;
     /**
-     * <p>The Amazon Resource Name (ARN) of the firewall policy.</p>
+     * <p>Required. The Availability Zones where you want to create firewall endpoints. You must specify at least one Availability Zone.</p>
      * @public
      */
-    FirewallPolicyArn: string | undefined;
+    AvailabilityZoneMappings: AvailabilityZoneMapping[] | undefined;
 }
 /**
  * @public
  */
-export interface AssociateFirewallPolicyResponse {
+export interface AssociateAvailabilityZonesResponse {
     /**
      * <p>The Amazon Resource Name (ARN) of the firewall.</p>
      * @public
@@ -277,10 +436,10 @@ export interface AssociateFirewallPolicyResponse {
      */
     FirewallName?: string | undefined;
     /**
-     * <p>The Amazon Resource Name (ARN) of the firewall policy.</p>
+     * <p>The Availability Zones where Network Firewall created firewall endpoints. Each mapping specifies an Availability Zone where the firewall processes traffic.</p>
      * @public
      */
-    FirewallPolicyArn?: string | undefined;
+    AvailabilityZoneMappings?: AvailabilityZoneMapping[] | undefined;
     /**
      * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
      *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
@@ -290,18 +449,18 @@ export interface AssociateFirewallPolicyResponse {
     UpdateToken?: string | undefined;
 }
 /**
- * <p>Your request is valid, but Network Firewall couldn't perform the operation because of a
- *          system problem. Retry your request. </p>
+ * <p>Amazon Web Services doesn't currently have enough available capacity to fulfill your request. Try your
+ *          request later. </p>
  * @public
  */
-export declare class InternalServerError extends __BaseException {
-    readonly name: "InternalServerError";
+export declare class InsufficientCapacityException extends __BaseException {
+    readonly name: "InsufficientCapacityException";
     readonly $fault: "server";
     Message?: string | undefined;
     /**
      * @internal
      */
-    constructor(opts: __ExceptionOptionType<InternalServerError, __BaseException>);
+    constructor(opts: __ExceptionOptionType<InsufficientCapacityException, __BaseException>);
 }
 /**
  * <p>The operation failed because it's not valid. For example, you might have tried to delete
@@ -317,32 +476,6 @@ export declare class InvalidOperationException extends __BaseException {
      */
     constructor(opts: __ExceptionOptionType<InvalidOperationException, __BaseException>);
 }
-/**
- * <p>The operation failed because of a problem with your request. Examples include: </p>
- *          <ul>
- *             <li>
- *                <p>You specified an unsupported parameter name or value.</p>
- *             </li>
- *             <li>
- *                <p>You tried to update a property with a value that isn't among the available
- *                types.</p>
- *             </li>
- *             <li>
- *                <p>Your request references an ARN that is malformed, or corresponds to a resource
- *                that isn't valid in the context of the request.</p>
- *             </li>
- *          </ul>
- * @public
- */
-export declare class InvalidRequestException extends __BaseException {
-    readonly name: "InvalidRequestException";
-    readonly $fault: "client";
-    Message?: string | undefined;
-    /**
-     * @internal
-     */
-    constructor(opts: __ExceptionOptionType<InvalidRequestException, __BaseException>);
-}
 /**
  * <p>The token you provided is stale or isn't valid for the operation. </p>
  * @public
@@ -357,30 +490,60 @@ export declare class InvalidTokenException extends __BaseException {
     constructor(opts: __ExceptionOptionType<InvalidTokenException, __BaseException>);
 }
 /**
- * <p>Unable to locate a resource using the parameters that you provided.</p>
  * @public
  */
-export declare class ResourceNotFoundException extends __BaseException {
-    readonly name: "ResourceNotFoundException";
-    readonly $fault: "client";
-    Message?: string | undefined;
+export interface AssociateFirewallPolicyRequest {
     /**
-     * @internal
+     * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
+     *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
+     *          <p>To make a conditional change to the firewall, provide the token in your update request. Network Firewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the firewall again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
      */
-    constructor(opts: __ExceptionOptionType<ResourceNotFoundException, __BaseException>);
+    UpdateToken?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall policy.</p>
+     * @public
+     */
+    FirewallPolicyArn: string | undefined;
 }
 /**
- * <p>Unable to process the request due to throttling limitations.</p>
  * @public
  */
-export declare class ThrottlingException extends __BaseException {
-    readonly name: "ThrottlingException";
-    readonly $fault: "client";
-    Message?: string | undefined;
+export interface AssociateFirewallPolicyResponse {
     /**
-     * @internal
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     * @public
      */
-    constructor(opts: __ExceptionOptionType<ThrottlingException, __BaseException>);
+    FirewallArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
+     * @public
+     */
+    FirewallName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall policy.</p>
+     * @public
+     */
+    FirewallPolicyArn?: string | undefined;
+    /**
+     * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
+     *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
+     *          <p>To make a conditional change to the firewall, provide the token in your update request. Network Firewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the firewall again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
 }
 /**
  * @public
@@ -470,20 +633,6 @@ export interface AssociateSubnetsResponse {
      */
     UpdateToken?: string | undefined;
 }
-/**
- * <p>Amazon Web Services doesn't currently have enough available capacity to fulfill your request. Try your
- *          request later. </p>
- * @public
- */
-export declare class InsufficientCapacityException extends __BaseException {
-    readonly name: "InsufficientCapacityException";
-    readonly $fault: "server";
-    Message?: string | undefined;
-    /**
-     * @internal
-     */
-    constructor(opts: __ExceptionOptionType<InsufficientCapacityException, __BaseException>);
-}
 /**
  * @public
  * @enum
@@ -535,7 +684,9 @@ export interface Attachment {
      */
     Status?: AttachmentStatus | undefined;
     /**
-     * <p>If Network Firewall fails to create or delete the firewall endpoint in the subnet, it populates this with the reason for the error or failure and how to resolve it. A <code>FAILED</code> status indicates a non-recoverable state, and a <code>ERROR</code> status indicates an issue that you can fix. Depending on the error, it can take as many as 15 minutes to populate this field. For more information about the causes for failiure or errors and solutions available for this field, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html">Troubleshooting firewall endpoint failures</a> in the <i>Network Firewall Developer Guide</i>.</p>
+     * <p>If Network Firewall fails to create or delete the firewall endpoint in the subnet, it populates this with the reason for the error or failure and how to resolve it.
+     *          A <code>FAILED</code> status indicates a non-recoverable state, and a <code>ERROR</code> status indicates an issue that you can fix.
+     *          Depending on the error, it can take as many as 15 minutes to populate this field. For more information about the causes for failiure or errors and solutions available for this field, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html">Troubleshooting firewall endpoint failures</a> in the <i>Network Firewall Developer Guide</i>.</p>
      * @public
      */
     StatusMessage?: string | undefined;
@@ -830,6 +981,28 @@ export interface CreateFirewallRequest {
      * @public
      */
     EnabledAnalysisTypes?: EnabledAnalysisType[] | undefined;
+    /**
+     * <p>Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through Resource Access Manager.</p>
+     *          <important>
+     *             <p>After creating the firewall, you cannot change the transit gateway association. To use a different transit gateway, you must create a new firewall.</p>
+     *          </important>
+     *          <p>For information about creating firewalls, see <a>CreateFirewall</a>. For specific guidance about transit gateway-attached firewalls, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tgw-firewall-considerations.html">Considerations for transit gateway-attached firewalls</a> in the <i>Network Firewall Developer Guide</i>.</p>
+     * @public
+     */
+    TransitGatewayId?: string | undefined;
+    /**
+     * <p>Required. The Availability Zones where you want to create firewall endpoints for a transit gateway-attached firewall. You must specify at least one Availability Zone. Consider enabling the firewall in every Availability Zone where you have workloads to maintain Availability Zone independence.</p>
+     *          <p>You can modify Availability Zones later using <a>AssociateAvailabilityZones</a> or <a>DisassociateAvailabilityZones</a>, but this may briefly disrupt traffic. The <code>AvailabilityZoneChangeProtection</code> setting controls whether you can make these modifications.</p>
+     * @public
+     */
+    AvailabilityZoneMappings?: AvailabilityZoneMapping[] | undefined;
+    /**
+     * <p>Optional. A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to <code>TRUE</code>, you cannot add or remove Availability Zones without first disabling this protection using <a>UpdateAvailabilityZoneChangeProtection</a>.</p>
+     *          <p>Default value: <code>FALSE</code>
+     *          </p>
+     * @public
+     */
+    AvailabilityZoneChangeProtection?: boolean | undefined;
 }
 /**
  * <p>A firewall defines the behavior of a firewall, the main VPC where the firewall is used, the Availability Zones where the firewall can be used, and one subnet to use for a firewall endpoint within each of the Availability Zones. The Availability Zones are defined implicitly in the subnet specifications.</p>
@@ -921,6 +1094,26 @@ export interface Firewall {
      * @public
      */
     EnabledAnalysisTypes?: EnabledAnalysisType[] | undefined;
+    /**
+     * <p>The unique identifier of the transit gateway associated with this firewall. This field is only present for transit gateway-attached firewalls.</p>
+     * @public
+     */
+    TransitGatewayId?: string | undefined;
+    /**
+     * <p>The Amazon Web Services account ID that owns the transit gateway. This may be different from the firewall owner's account ID when using a shared transit gateway.</p>
+     * @public
+     */
+    TransitGatewayOwnerAccountId?: string | undefined;
+    /**
+     * <p>The Availability Zones where the firewall endpoints are created for a transit gateway-attached firewall. Each mapping specifies an Availability Zone where the firewall processes traffic.</p>
+     * @public
+     */
+    AvailabilityZoneMappings?: AvailabilityZoneMapping[] | undefined;
+    /**
+     * <p>A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to <code>TRUE</code>, you must first disable this protection before adding or removing Availability Zones.</p>
+     * @public
+     */
+    AvailabilityZoneChangeProtection?: boolean | undefined;
 }
 /**
  * @public
@@ -1001,7 +1194,107 @@ export interface SyncState {
      *           rules in the endpoint, so it can properly filter network traffic. </p>
      * @public
      */
-    Config?: Record<string, PerObjectStatus> | undefined;
+    Config?: Record<string, PerObjectStatus> | undefined;
+}
+/**
+ * <p>Contains information about the synchronization state of a transit gateway attachment, including its current status and any error messages. Network Firewall uses this to track the state of your transit gateway configuration changes.</p>
+ * @public
+ */
+export interface TransitGatewayAttachmentSyncState {
+    /**
+     * <p>The unique identifier of the transit gateway attachment.</p>
+     * @public
+     */
+    AttachmentId?: string | undefined;
+    /**
+     * <p>The current status of the transit gateway attachment.</p>
+     *          <p>Valid values are:</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>CREATING</code> - The attachment is being created</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETING</code> - The attachment is being deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETED</code> - The attachment has been deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>FAILED</code> - The attachment creation has failed and cannot be recovered</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>ERROR</code> - The attachment is in an error state that might be recoverable</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>READY</code> - The attachment is active and processing traffic</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PENDING_ACCEPTANCE</code> - The attachment is waiting to be accepted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTING</code> - The attachment is in the process of being rejected</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTED</code> - The attachment has been rejected</p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    TransitGatewayAttachmentStatus?: TransitGatewayAttachmentStatus | undefined;
+    /**
+     * <p>A message providing additional information about the current status, particularly useful when the transit gateway attachment is in a non-<code>READY</code> state.</p>
+     *          <p>Valid values are:</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>CREATING</code> - The attachment is being created</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETING</code> - The attachment is being deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETED</code> - The attachment has been deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>FAILED</code> - The attachment creation has failed and cannot be recovered</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>ERROR</code> - The attachment is in an error state that might be recoverable</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>READY</code> - The attachment is active and processing traffic</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PENDING_ACCEPTANCE</code> - The attachment is waiting to be accepted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTING</code> - The attachment is in the process of being rejected</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTED</code> - The attachment has been rejected</p>
+     *             </li>
+     *          </ul>
+     *          <p>For information about troubleshooting endpoint failures, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html">Troubleshooting firewall endpoint failures</a> in the <i>Network Firewall Developer Guide</i>.</p>
+     * @public
+     */
+    StatusMessage?: string | undefined;
 }
 /**
  * <p>Detailed information about the current status of a <a>Firewall</a>. You can retrieve this for a firewall by calling <a>DescribeFirewall</a> and providing the firewall name and ARN.</p>
@@ -1045,6 +1338,11 @@ export interface FirewallStatus {
      * @public
      */
     CapacityUsageSummary?: CapacityUsageSummary | undefined;
+    /**
+     * <p>The synchronization state of the transit gateway attachment. This indicates whether the firewall's transit gateway configuration is properly synchronized and operational. Use this to verify that your transit gateway configuration changes have been applied.</p>
+     * @public
+     */
+    TransitGatewayAttachmentSyncState?: TransitGatewayAttachmentSyncState | undefined;
 }
 /**
  * @public
@@ -1148,9 +1446,15 @@ export type StreamExceptionPolicy = (typeof StreamExceptionPolicy)[keyof typeof
  */
 export interface StatefulEngineOptions {
     /**
-     * <p>Indicates how to manage the order of stateful rule evaluation for the policy. <code>STRICT_ORDER</code> is
-     *          the default and recommended option. With <code>STRICT_ORDER</code>, provide your rules in the order that you want them to be evaluated. You can then choose one or more default actions for packets that don't match any rules. Choose <code>STRICT_ORDER</code> to have the stateful rules engine determine the evaluation order of your rules. The default action for this rule order is <code>PASS</code>, followed by <code>DROP</code>, <code>REJECT</code>, and <code>ALERT</code> actions. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them
-     *          based on your settings. For more information, see
+     * <p>Indicates how to manage the order of stateful rule evaluation for the policy. <code>STRICT_ORDER</code> is the
+     *          recommended option, but <code>DEFAULT_ACTION_ORDER</code> is the default option.
+     *          With <code>STRICT_ORDER</code>, provide your rules in the order that you want them to be evaluated.
+     *          You can then choose one or more default actions for packets that don't match any rules.
+     *          Choose <code>STRICT_ORDER</code> to have the stateful rules engine determine the evaluation order of your rules.
+     *          The default action for this rule order is
+     *          <code>PASS</code>, followed by <code>DROP</code>, <code>REJECT</code>, and <code>ALERT</code> actions.
+     *          Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on your settings.
+     *          For more information, see
      *          <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html">Evaluation order for stateful rules</a> in the <i>Network Firewall Developer Guide</i>.
      *       </p>
      * @public
@@ -1642,12 +1946,14 @@ export declare const StatefulRuleProtocol: {
     readonly DNS: "DNS";
     readonly FTP: "FTP";
     readonly HTTP: "HTTP";
+    readonly HTTP2: "HTTP2";
     readonly ICMP: "ICMP";
     readonly IKEV2: "IKEV2";
     readonly IMAP: "IMAP";
     readonly KRB5: "KRB5";
     readonly MSN: "MSN";
     readonly NTP: "NTP";
+    readonly QUIC: "QUIC";
     readonly SMB: "SMB";
     readonly SMTP: "SMTP";
     readonly SSH: "SSH";
@@ -2077,7 +2383,7 @@ export interface PortSet {
 }
 /**
  * <p>Settings that are available for use in the rules in the <a>RuleGroup</a>
- *          where this is defined. </p>
+ *          where this is defined. See <a>CreateRuleGroup</a> or <a>UpdateRuleGroup</a> for usage.</p>
  * @public
  */
 export interface RuleVariables {
@@ -2358,7 +2664,7 @@ export interface RuleGroupResponse {
      */
     SourceMetadata?: SourceMetadata | undefined;
     /**
-     * <p>The Amazon resource name (ARN) of the Amazon Simple Notification Service SNS topic that's
+     * <p>The Amazon Resource Name (ARN) of the Amazon Simple Notification Service SNS topic that's
      * used to record changes to the managed rule group. You can subscribe to the SNS topic to receive
      * notifications when the managed rule group is modified, such as for new versions and for version
      * expiration. For more information, see the <a href="https://docs.aws.amazon.com/sns/latest/dg/welcome.html">Amazon Simple Notification Service Developer Guide.</a>.</p>
@@ -2469,7 +2775,7 @@ export interface ServerCertificateConfiguration {
      *                <p>You can't use certificates issued by Private Certificate Authority.</p>
      *             </li>
      *          </ul>
-     *          <p>For more information about configuring certificates for outbound inspection, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html">Using SSL/TLS certificates with certificates with TLS inspection configurations</a> in the <i>Network Firewall Developer Guide</i>. </p>
+     *          <p>For more information about configuring certificates for outbound inspection, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html">Using SSL/TLS certificates with TLS inspection configurations</a> in the <i>Network Firewall Developer Guide</i>. </p>
      *          <p>For information about working with certificates in ACM, see <a href="https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html">Importing certificates</a> in the <i>Certificate Manager User Guide</i>.</p>
      * @public
      */
@@ -2820,6 +3126,70 @@ export interface DeleteFirewallPolicyResponse {
      */
     FirewallPolicyResponse: FirewallPolicyResponse | undefined;
 }
+/**
+ * @public
+ */
+export interface DeleteNetworkFirewallTransitGatewayAttachmentRequest {
+    /**
+     * <p>Required. The unique identifier of the transit gateway attachment to delete.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId: string | undefined;
+}
+/**
+ * @public
+ */
+export interface DeleteNetworkFirewallTransitGatewayAttachmentResponse {
+    /**
+     * <p>The ID of the transit gateway attachment that was deleted.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId: string | undefined;
+    /**
+     * <p>The current status of the transit gateway attachment deletion process.</p>
+     *          <p>Valid values are:</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>CREATING</code> - The attachment is being created</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETING</code> - The attachment is being deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETED</code> - The attachment has been deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>FAILED</code> - The attachment creation has failed and cannot be recovered</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>ERROR</code> - The attachment is in an error state that might be recoverable</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>READY</code> - The attachment is active and processing traffic</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PENDING_ACCEPTANCE</code> - The attachment is waiting to be accepted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTING</code> - The attachment is in the process of being rejected</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTED</code> - The attachment has been rejected</p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    TransitGatewayAttachmentStatus: TransitGatewayAttachmentStatus | undefined;
+}
 /**
  * @public
  */
@@ -3022,6 +3392,11 @@ export interface DescribeFirewallMetadataResponse {
      * @public
      */
     SupportedAvailabilityZones?: Record<string, AvailabilityZoneMetadata> | undefined;
+    /**
+     * <p>The unique identifier of the transit gateway attachment associated with this firewall. This field is only present for transit gateway-attached firewalls.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId?: string | undefined;
 }
 /**
  * @public
@@ -3098,14 +3473,12 @@ export interface DescribeFlowOperationRequest {
  */
 export interface FlowFilter {
     /**
-     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a>
-     *          source and destination specifications.</p>
+     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a> source and destination specifications.</p>
      * @public
      */
     SourceAddress?: Address | undefined;
     /**
-     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a>
-     *          source and destination specifications.</p>
+     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a> source and destination specifications.</p>
      * @public
      */
     DestinationAddress?: Address | undefined;
@@ -3532,7 +3905,7 @@ export interface DescribeRuleGroupMetadataResponse {
      */
     StatefulRuleOptions?: StatefulRuleOptions | undefined;
     /**
-     * <p>The last time that the rule group was changed.</p>
+     * <p>A timestamp indicating when the rule group was last modified.</p>
      * @public
      */
     LastModifiedTime?: Date | undefined;
@@ -3605,6 +3978,62 @@ export interface DescribeVpcEndpointAssociationResponse {
      */
     VpcEndpointAssociationStatus?: VpcEndpointAssociationStatus | undefined;
 }
+/**
+ * @public
+ */
+export interface DisassociateAvailabilityZonesRequest {
+    /**
+     * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
+     *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
+     *          <p>To make a conditional change to the firewall, provide the token in your update request. Network Firewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the firewall again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallName?: string | undefined;
+    /**
+     * <p>Required. The Availability Zones to remove from the firewall's configuration.</p>
+     * @public
+     */
+    AvailabilityZoneMappings: AvailabilityZoneMapping[] | undefined;
+}
+/**
+ * @public
+ */
+export interface DisassociateAvailabilityZonesResponse {
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     * @public
+     */
+    FirewallArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
+     * @public
+     */
+    FirewallName?: string | undefined;
+    /**
+     * <p>The remaining Availability Zones where the firewall has endpoints after the disassociation.</p>
+     * @public
+     */
+    AvailabilityZoneMappings?: AvailabilityZoneMapping[] | undefined;
+    /**
+     * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
+     *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
+     *          <p>To make a conditional change to the firewall, provide the token in your update request. Network Firewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the firewall again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
 /**
  * @public
  */
@@ -3678,6 +4107,11 @@ export interface FirewallMetadata {
      * @public
      */
     FirewallArn?: string | undefined;
+    /**
+     * <p>The unique identifier of the transit gateway attachment associated with this firewall. This field is only present for transit gateway-attached firewalls.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId?: string | undefined;
 }
 /**
  * <p>High-level information about a firewall policy, returned by operations like create and
@@ -3704,14 +4138,12 @@ export interface FirewallPolicyMetadata {
  */
 export interface Flow {
     /**
-     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a>
-     *          source and destination specifications.</p>
+     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a> source and destination specifications.</p>
      * @public
      */
     SourceAddress?: Address | undefined;
     /**
-     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a>
-     *          source and destination specifications.</p>
+     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a> source and destination specifications.</p>
      * @public
      */
     DestinationAddress?: Address | undefined;
@@ -4473,6 +4905,70 @@ export interface PutResourcePolicyRequest {
  */
 export interface PutResourcePolicyResponse {
 }
+/**
+ * @public
+ */
+export interface RejectNetworkFirewallTransitGatewayAttachmentRequest {
+    /**
+     * <p>Required. The unique identifier of the transit gateway attachment to reject. This ID is returned in the response when creating a transit gateway-attached firewall.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId: string | undefined;
+}
+/**
+ * @public
+ */
+export interface RejectNetworkFirewallTransitGatewayAttachmentResponse {
+    /**
+     * <p>The unique identifier of the transit gateway attachment that was rejected.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId: string | undefined;
+    /**
+     * <p>The current status of the transit gateway attachment. Valid values are:</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>CREATING</code> - The attachment is being created</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETING</code> - The attachment is being deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETED</code> - The attachment has been deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>FAILED</code> - The attachment creation has failed and cannot be recovered</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>ERROR</code> - The attachment is in an error state that might be recoverable</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>READY</code> - The attachment is active and processing traffic</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PENDING_ACCEPTANCE</code> - The attachment is waiting to be accepted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTING</code> - The attachment is in the process of being rejected</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTED</code> - The attachment has been rejected</p>
+     *             </li>
+     *          </ul>
+     *          <p>For information about troubleshooting endpoint failures, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html">Troubleshooting firewall endpoint failures</a> in the <i>Network Firewall Developer Guide</i>.</p>
+     * @public
+     */
+    TransitGatewayAttachmentStatus: TransitGatewayAttachmentStatus | undefined;
+}
 /**
  * @public
  */
@@ -4667,14 +5163,29 @@ export interface UntagResourceRequest {
 export interface UntagResourceResponse {
 }
 /**
+ * <p>Unable to change the resource because your account doesn't own it. </p>
  * @public
  */
-export interface UpdateFirewallAnalysisSettingsRequest {
+export declare class ResourceOwnerCheckException extends __BaseException {
+    readonly name: "ResourceOwnerCheckException";
+    readonly $fault: "client";
+    Message?: string | undefined;
     /**
-     * <p>An optional setting indicating the specific traffic analysis types to enable on the firewall. </p>
+     * @internal
+     */
+    constructor(opts: __ExceptionOptionType<ResourceOwnerCheckException, __BaseException>);
+}
+/**
+ * @public
+ */
+export interface UpdateAvailabilityZoneChangeProtectionRequest {
+    /**
+     * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
+     *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
+     *          <p>To make a conditional change to the firewall, provide the token in your update request. Network Firewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the firewall again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token. </p>
      * @public
      */
-    EnabledAnalysisTypes?: EnabledAnalysisType[] | undefined;
+    UpdateToken?: string | undefined;
     /**
      * <p>The Amazon Resource Name (ARN) of the firewall.</p>
      *          <p>You must specify the ARN or the name, and you can specify both. </p>
@@ -4687,6 +5198,18 @@ export interface UpdateFirewallAnalysisSettingsRequest {
      * @public
      */
     FirewallName?: string | undefined;
+    /**
+     * <p>A setting indicating whether the firewall is protected against changes to the subnet associations.
+     *          Use this setting to protect against
+     *          accidentally modifying the subnet associations for a firewall that is in use. When you create a firewall, the operation initializes this setting to <code>TRUE</code>.</p>
+     * @public
+     */
+    AvailabilityZoneChangeProtection: boolean | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateAvailabilityZoneChangeProtectionResponse {
     /**
      * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
      *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
@@ -4694,11 +5217,28 @@ export interface UpdateFirewallAnalysisSettingsRequest {
      * @public
      */
     UpdateToken?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     * @public
+     */
+    FirewallArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
+     * @public
+     */
+    FirewallName?: string | undefined;
+    /**
+     * <p>A setting indicating whether the firewall is protected against changes to the subnet associations.
+     *          Use this setting to protect against
+     *          accidentally modifying the subnet associations for a firewall that is in use. When you create a firewall, the operation initializes this setting to <code>TRUE</code>.</p>
+     * @public
+     */
+    AvailabilityZoneChangeProtection?: boolean | undefined;
 }
 /**
  * @public
  */
-export interface UpdateFirewallAnalysisSettingsResponse {
+export interface UpdateFirewallAnalysisSettingsRequest {
     /**
      * <p>An optional setting indicating the specific traffic analysis types to enable on the firewall. </p>
      * @public
@@ -4725,17 +5265,33 @@ export interface UpdateFirewallAnalysisSettingsResponse {
     UpdateToken?: string | undefined;
 }
 /**
- * <p>Unable to change the resource because your account doesn't own it. </p>
  * @public
  */
-export declare class ResourceOwnerCheckException extends __BaseException {
-    readonly name: "ResourceOwnerCheckException";
-    readonly $fault: "client";
-    Message?: string | undefined;
+export interface UpdateFirewallAnalysisSettingsResponse {
     /**
-     * @internal
+     * <p>An optional setting indicating the specific traffic analysis types to enable on the firewall. </p>
+     * @public
      */
-    constructor(opts: __ExceptionOptionType<ResourceOwnerCheckException, __BaseException>);
+    EnabledAnalysisTypes?: EnabledAnalysisType[] | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallName?: string | undefined;
+    /**
+     * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
+     *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
+     *          <p>To make a conditional change to the firewall, provide the token in your update request. Network Firewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the firewall again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
 }
 /**
  * @public