@aws-sdk/client-network-firewall 3.828.0 → 3.831.0

package/dist-types/models/models_0.d.ts

@@ -1,5 +1,153 @@
 import { ExceptionOptionType as __ExceptionOptionType } from "@smithy/smithy-client";
 import { NetworkFirewallServiceException as __BaseException } from "./NetworkFirewallServiceException";
+/**
+ * @public
+ */
+export interface AcceptNetworkFirewallTransitGatewayAttachmentRequest {
+    /**
+     * <p>Required. The unique identifier of the transit gateway attachment to accept. This ID is returned in the response when creating a transit gateway-attached firewall.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId: string | undefined;
+}
+/**
+ * @public
+ * @enum
+ */
+export declare const TransitGatewayAttachmentStatus: {
+    readonly CREATING: "CREATING";
+    readonly DELETED: "DELETED";
+    readonly DELETING: "DELETING";
+    readonly ERROR: "ERROR";
+    readonly FAILED: "FAILED";
+    readonly PENDING_ACCEPTANCE: "PENDING_ACCEPTANCE";
+    readonly READY: "READY";
+    readonly REJECTED: "REJECTED";
+    readonly REJECTING: "REJECTING";
+};
+/**
+ * @public
+ */
+export type TransitGatewayAttachmentStatus = (typeof TransitGatewayAttachmentStatus)[keyof typeof TransitGatewayAttachmentStatus];
+/**
+ * @public
+ */
+export interface AcceptNetworkFirewallTransitGatewayAttachmentResponse {
+    /**
+     * <p>The unique identifier of the transit gateway attachment that was accepted.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId: string | undefined;
+    /**
+     * <p>The current status of the transit gateway attachment. Valid values are:</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>CREATING</code> - The attachment is being created</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETING</code> - The attachment is being deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETED</code> - The attachment has been deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>FAILED</code> - The attachment creation has failed and cannot be recovered</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>ERROR</code> - The attachment is in an error state that might be recoverable</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>READY</code> - The attachment is active and processing traffic</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PENDING_ACCEPTANCE</code> - The attachment is waiting to be accepted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTING</code> - The attachment is in the process of being rejected</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTED</code> - The attachment has been rejected</p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    TransitGatewayAttachmentStatus: TransitGatewayAttachmentStatus | undefined;
+}
+/**
+ * <p>Your request is valid, but Network Firewall couldn't perform the operation because of a
+ *          system problem. Retry your request. </p>
+ * @public
+ */
+export declare class InternalServerError extends __BaseException {
+    readonly name: "InternalServerError";
+    readonly $fault: "server";
+    Message?: string | undefined;
+    /**
+     * @internal
+     */
+    constructor(opts: __ExceptionOptionType<InternalServerError, __BaseException>);
+}
+/**
+ * <p>The operation failed because of a problem with your request. Examples include: </p>
+ *          <ul>
+ *             <li>
+ *                <p>You specified an unsupported parameter name or value.</p>
+ *             </li>
+ *             <li>
+ *                <p>You tried to update a property with a value that isn't among the available
+ *                types.</p>
+ *             </li>
+ *             <li>
+ *                <p>Your request references an ARN that is malformed, or corresponds to a resource
+ *                that isn't valid in the context of the request.</p>
+ *             </li>
+ *          </ul>
+ * @public
+ */
+export declare class InvalidRequestException extends __BaseException {
+    readonly name: "InvalidRequestException";
+    readonly $fault: "client";
+    Message?: string | undefined;
+    /**
+     * @internal
+     */
+    constructor(opts: __ExceptionOptionType<InvalidRequestException, __BaseException>);
+}
+/**
+ * <p>Unable to locate a resource using the parameters that you provided.</p>
+ * @public
+ */
+export declare class ResourceNotFoundException extends __BaseException {
+    readonly name: "ResourceNotFoundException";
+    readonly $fault: "client";
+    Message?: string | undefined;
+    /**
+     * @internal
+     */
+    constructor(opts: __ExceptionOptionType<ResourceNotFoundException, __BaseException>);
+}
+/**
+ * <p>Unable to process the request due to throttling limitations.</p>
+ * @public
+ */
+export declare class ThrottlingException extends __BaseException {
+    readonly name: "ThrottlingException";
+    readonly $fault: "client";
+    Message?: string | undefined;
+    /**
+     * @internal
+     */
+    constructor(opts: __ExceptionOptionType<ThrottlingException, __BaseException>);
+}
 /**
  * <p>The value to use in an Amazon CloudWatch custom metric dimension. This is used in the
  *             <code>PublishMetrics</code>
@@ -47,8 +195,7 @@ export interface ActionDefinition {
     PublishMetricAction?: PublishMetricAction | undefined;
 }
 /**
- * <p>A single IP address specification. This is used in the <a>MatchAttributes</a>
- *          source and destination specifications.</p>
+ * <p>A single IP address specification. This is used in the <a>MatchAttributes</a> source and destination specifications.</p>
  * @public
  */
 export interface Address {
@@ -234,9 +381,21 @@ export interface AnalysisResult {
     AnalysisDetail?: string | undefined;
 }
 /**
+ * <p>Defines the mapping between an Availability Zone and a firewall endpoint for a transit gateway-attached firewall. Each mapping represents where the firewall can process traffic. You use these mappings when calling <a>CreateFirewall</a>, <a>AssociateAvailabilityZones</a>, and <a>DisassociateAvailabilityZones</a>.</p>
+ *          <p>To retrieve the current Availability Zone mappings for a firewall, use <a>DescribeFirewall</a>.</p>
  * @public
  */
-export interface AssociateFirewallPolicyRequest {
+export interface AvailabilityZoneMapping {
+    /**
+     * <p>The ID of the Availability Zone where the firewall endpoint is located. For example, <code>us-east-2a</code>. The Availability Zone must be in the same Region as the transit gateway.</p>
+     * @public
+     */
+    AvailabilityZone: string | undefined;
+}
+/**
+ * @public
+ */
+export interface AssociateAvailabilityZonesRequest {
     /**
      * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
      *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
@@ -257,15 +416,15 @@ export interface AssociateFirewallPolicyRequest {
      */
     FirewallName?: string | undefined;
     /**
-     * <p>The Amazon Resource Name (ARN) of the firewall policy.</p>
+     * <p>Required. The Availability Zones where you want to create firewall endpoints. You must specify at least one Availability Zone.</p>
      * @public
      */
-    FirewallPolicyArn: string | undefined;
+    AvailabilityZoneMappings: AvailabilityZoneMapping[] | undefined;
 }
 /**
  * @public
  */
-export interface AssociateFirewallPolicyResponse {
+export interface AssociateAvailabilityZonesResponse {
     /**
      * <p>The Amazon Resource Name (ARN) of the firewall.</p>
      * @public
@@ -277,10 +436,10 @@ export interface AssociateFirewallPolicyResponse {
      */
     FirewallName?: string | undefined;
     /**
-     * <p>The Amazon Resource Name (ARN) of the firewall policy.</p>
+     * <p>The Availability Zones where Network Firewall created firewall endpoints. Each mapping specifies an Availability Zone where the firewall processes traffic.</p>
      * @public
      */
-    FirewallPolicyArn?: string | undefined;
+    AvailabilityZoneMappings?: AvailabilityZoneMapping[] | undefined;
     /**
      * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
      *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
@@ -290,18 +449,18 @@ export interface AssociateFirewallPolicyResponse {
     UpdateToken?: string | undefined;
 }
 /**
- * <p>Your request is valid, but Network Firewall couldn't perform the operation because of a
- *          system problem. Retry your request. </p>
+ * <p>Amazon Web Services doesn't currently have enough available capacity to fulfill your request. Try your
+ *          request later. </p>
  * @public
  */
-export declare class InternalServerError extends __BaseException {
-    readonly name: "InternalServerError";
+export declare class InsufficientCapacityException extends __BaseException {
+    readonly name: "InsufficientCapacityException";
     readonly $fault: "server";
     Message?: string | undefined;
     /**
      * @internal
      */
-    constructor(opts: __ExceptionOptionType<InternalServerError, __BaseException>);
+    constructor(opts: __ExceptionOptionType<InsufficientCapacityException, __BaseException>);
 }
 /**
  * <p>The operation failed because it's not valid. For example, you might have tried to delete
@@ -317,32 +476,6 @@ export declare class InvalidOperationException extends __BaseException {
      */
     constructor(opts: __ExceptionOptionType<InvalidOperationException, __BaseException>);
 }
-/**
- * <p>The operation failed because of a problem with your request. Examples include: </p>
- *          <ul>
- *             <li>
- *                <p>You specified an unsupported parameter name or value.</p>
- *             </li>
- *             <li>
- *                <p>You tried to update a property with a value that isn't among the available
- *                types.</p>
- *             </li>
- *             <li>
- *                <p>Your request references an ARN that is malformed, or corresponds to a resource
- *                that isn't valid in the context of the request.</p>
- *             </li>
- *          </ul>
- * @public
- */
-export declare class InvalidRequestException extends __BaseException {
-    readonly name: "InvalidRequestException";
-    readonly $fault: "client";
-    Message?: string | undefined;
-    /**
-     * @internal
-     */
-    constructor(opts: __ExceptionOptionType<InvalidRequestException, __BaseException>);
-}
 /**
  * <p>The token you provided is stale or isn't valid for the operation. </p>
  * @public
@@ -357,30 +490,60 @@ export declare class InvalidTokenException extends __BaseException {
     constructor(opts: __ExceptionOptionType<InvalidTokenException, __BaseException>);
 }
 /**
- * <p>Unable to locate a resource using the parameters that you provided.</p>
  * @public
  */
-export declare class ResourceNotFoundException extends __BaseException {
-    readonly name: "ResourceNotFoundException";
-    readonly $fault: "client";
-    Message?: string | undefined;
+export interface AssociateFirewallPolicyRequest {
     /**
-     * @internal
+     * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
+     *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
+     *          <p>To make a conditional change to the firewall, provide the token in your update request. Network Firewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the firewall again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
      */
-    constructor(opts: __ExceptionOptionType<ResourceNotFoundException, __BaseException>);
+    UpdateToken?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall policy.</p>
+     * @public
+     */
+    FirewallPolicyArn: string | undefined;
 }
 /**
- * <p>Unable to process the request due to throttling limitations.</p>
  * @public
  */
-export declare class ThrottlingException extends __BaseException {
-    readonly name: "ThrottlingException";
-    readonly $fault: "client";
-    Message?: string | undefined;
+export interface AssociateFirewallPolicyResponse {
     /**
-     * @internal
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     * @public
      */
-    constructor(opts: __ExceptionOptionType<ThrottlingException, __BaseException>);
+    FirewallArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
+     * @public
+     */
+    FirewallName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall policy.</p>
+     * @public
+     */
+    FirewallPolicyArn?: string | undefined;
+    /**
+     * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
+     *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
+     *          <p>To make a conditional change to the firewall, provide the token in your update request. Network Firewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the firewall again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
 }
 /**
  * @public
@@ -470,20 +633,6 @@ export interface AssociateSubnetsResponse {
      */
     UpdateToken?: string | undefined;
 }
-/**
- * <p>Amazon Web Services doesn't currently have enough available capacity to fulfill your request. Try your
- *          request later. </p>
- * @public
- */
-export declare class InsufficientCapacityException extends __BaseException {
-    readonly name: "InsufficientCapacityException";
-    readonly $fault: "server";
-    Message?: string | undefined;
-    /**
-     * @internal
-     */
-    constructor(opts: __ExceptionOptionType<InsufficientCapacityException, __BaseException>);
-}
 /**
  * @public
  * @enum
@@ -535,7 +684,9 @@ export interface Attachment {
      */
     Status?: AttachmentStatus | undefined;
     /**
-     * <p>If Network Firewall fails to create or delete the firewall endpoint in the subnet, it populates this with the reason for the error or failure and how to resolve it. A <code>FAILED</code> status indicates a non-recoverable state, and a <code>ERROR</code> status indicates an issue that you can fix. Depending on the error, it can take as many as 15 minutes to populate this field. For more information about the causes for failiure or errors and solutions available for this field, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html">Troubleshooting firewall endpoint failures</a> in the <i>Network Firewall Developer Guide</i>.</p>
+     * <p>If Network Firewall fails to create or delete the firewall endpoint in the subnet, it populates this with the reason for the error or failure and how to resolve it.
+     *          A <code>FAILED</code> status indicates a non-recoverable state, and a <code>ERROR</code> status indicates an issue that you can fix.
+     *          Depending on the error, it can take as many as 15 minutes to populate this field. For more information about the causes for failiure or errors and solutions available for this field, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html">Troubleshooting firewall endpoint failures</a> in the <i>Network Firewall Developer Guide</i>.</p>
      * @public
      */
     StatusMessage?: string | undefined;
@@ -830,6 +981,28 @@ export interface CreateFirewallRequest {
      * @public
      */
     EnabledAnalysisTypes?: EnabledAnalysisType[] | undefined;
+    /**
+     * <p>Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through Resource Access Manager.</p>
+     *          <important>
+     *             <p>After creating the firewall, you cannot change the transit gateway association. To use a different transit gateway, you must create a new firewall.</p>
+     *          </important>
+     *          <p>For information about creating firewalls, see <a>CreateFirewall</a>. For specific guidance about transit gateway-attached firewalls, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tgw-firewall-considerations.html">Considerations for transit gateway-attached firewalls</a> in the <i>Network Firewall Developer Guide</i>.</p>
+     * @public
+     */
+    TransitGatewayId?: string | undefined;
+    /**
+     * <p>Required. The Availability Zones where you want to create firewall endpoints for a transit gateway-attached firewall. You must specify at least one Availability Zone. Consider enabling the firewall in every Availability Zone where you have workloads to maintain Availability Zone independence.</p>
+     *          <p>You can modify Availability Zones later using <a>AssociateAvailabilityZones</a> or <a>DisassociateAvailabilityZones</a>, but this may briefly disrupt traffic. The <code>AvailabilityZoneChangeProtection</code> setting controls whether you can make these modifications.</p>
+     * @public
+     */
+    AvailabilityZoneMappings?: AvailabilityZoneMapping[] | undefined;
+    /**
+     * <p>Optional. A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to <code>TRUE</code>, you cannot add or remove Availability Zones without first disabling this protection using <a>UpdateAvailabilityZoneChangeProtection</a>.</p>
+     *          <p>Default value: <code>FALSE</code>
+     *          </p>
+     * @public
+     */
+    AvailabilityZoneChangeProtection?: boolean | undefined;
 }
 /**
  * <p>A firewall defines the behavior of a firewall, the main VPC where the firewall is used, the Availability Zones where the firewall can be used, and one subnet to use for a firewall endpoint within each of the Availability Zones. The Availability Zones are defined implicitly in the subnet specifications.</p>
@@ -900,27 +1073,47 @@ export interface Firewall {
      * <p>The unique identifier for the firewall. </p>
      * @public
      */
-    FirewallId: string | undefined;
+    FirewallId: string | undefined;
+    /**
+     * <p></p>
+     * @public
+     */
+    Tags?: Tag[] | undefined;
+    /**
+     * <p>A complex type that contains the Amazon Web Services KMS encryption configuration settings for your firewall.</p>
+     * @public
+     */
+    EncryptionConfiguration?: EncryptionConfiguration | undefined;
+    /**
+     * <p>The number of <code>VpcEndpointAssociation</code> resources that use this firewall. </p>
+     * @public
+     */
+    NumberOfAssociations?: number | undefined;
+    /**
+     * <p>An optional setting indicating the specific traffic analysis types to enable on the firewall. </p>
+     * @public
+     */
+    EnabledAnalysisTypes?: EnabledAnalysisType[] | undefined;
     /**
-     * <p></p>
+     * <p>The unique identifier of the transit gateway associated with this firewall. This field is only present for transit gateway-attached firewalls.</p>
      * @public
      */
-    Tags?: Tag[] | undefined;
+    TransitGatewayId?: string | undefined;
     /**
-     * <p>A complex type that contains the Amazon Web Services KMS encryption configuration settings for your firewall.</p>
+     * <p>The Amazon Web Services account ID that owns the transit gateway. This may be different from the firewall owner's account ID when using a shared transit gateway.</p>
      * @public
      */
-    EncryptionConfiguration?: EncryptionConfiguration | undefined;
+    TransitGatewayOwnerAccountId?: string | undefined;
     /**
-     * <p>The number of <code>VpcEndpointAssociation</code> resources that use this firewall. </p>
+     * <p>The Availability Zones where the firewall endpoints are created for a transit gateway-attached firewall. Each mapping specifies an Availability Zone where the firewall processes traffic.</p>
      * @public
      */
-    NumberOfAssociations?: number | undefined;
+    AvailabilityZoneMappings?: AvailabilityZoneMapping[] | undefined;
     /**
-     * <p>An optional setting indicating the specific traffic analysis types to enable on the firewall. </p>
+     * <p>A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to <code>TRUE</code>, you must first disable this protection before adding or removing Availability Zones.</p>
      * @public
      */
-    EnabledAnalysisTypes?: EnabledAnalysisType[] | undefined;
+    AvailabilityZoneChangeProtection?: boolean | undefined;
 }
 /**
  * @public
@@ -1003,6 +1196,106 @@ export interface SyncState {
      */
     Config?: Record<string, PerObjectStatus> | undefined;
 }
+/**
+ * <p>Contains information about the synchronization state of a transit gateway attachment, including its current status and any error messages. Network Firewall uses this to track the state of your transit gateway configuration changes.</p>
+ * @public
+ */
+export interface TransitGatewayAttachmentSyncState {
+    /**
+     * <p>The unique identifier of the transit gateway attachment.</p>
+     * @public
+     */
+    AttachmentId?: string | undefined;
+    /**
+     * <p>The current status of the transit gateway attachment.</p>
+     *          <p>Valid values are:</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>CREATING</code> - The attachment is being created</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETING</code> - The attachment is being deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETED</code> - The attachment has been deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>FAILED</code> - The attachment creation has failed and cannot be recovered</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>ERROR</code> - The attachment is in an error state that might be recoverable</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>READY</code> - The attachment is active and processing traffic</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PENDING_ACCEPTANCE</code> - The attachment is waiting to be accepted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTING</code> - The attachment is in the process of being rejected</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTED</code> - The attachment has been rejected</p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    TransitGatewayAttachmentStatus?: TransitGatewayAttachmentStatus | undefined;
+    /**
+     * <p>A message providing additional information about the current status, particularly useful when the transit gateway attachment is in a non-<code>READY</code> state.</p>
+     *          <p>Valid values are:</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>CREATING</code> - The attachment is being created</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETING</code> - The attachment is being deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETED</code> - The attachment has been deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>FAILED</code> - The attachment creation has failed and cannot be recovered</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>ERROR</code> - The attachment is in an error state that might be recoverable</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>READY</code> - The attachment is active and processing traffic</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PENDING_ACCEPTANCE</code> - The attachment is waiting to be accepted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTING</code> - The attachment is in the process of being rejected</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTED</code> - The attachment has been rejected</p>
+     *             </li>
+     *          </ul>
+     *          <p>For information about troubleshooting endpoint failures, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html">Troubleshooting firewall endpoint failures</a> in the <i>Network Firewall Developer Guide</i>.</p>
+     * @public
+     */
+    StatusMessage?: string | undefined;
+}
 /**
  * <p>Detailed information about the current status of a <a>Firewall</a>. You can retrieve this for a firewall by calling <a>DescribeFirewall</a> and providing the firewall name and ARN.</p>
  *          <p>The firewall status indicates a combined status. It indicates whether all subnets are up-to-date with the latest firewall configurations, which is based on the sync states config values, and also whether all subnets have their endpoints fully enabled, based on their sync states attachment values. </p>
@@ -1045,6 +1338,11 @@ export interface FirewallStatus {
      * @public
      */
     CapacityUsageSummary?: CapacityUsageSummary | undefined;
+    /**
+     * <p>The synchronization state of the transit gateway attachment. This indicates whether the firewall's transit gateway configuration is properly synchronized and operational. Use this to verify that your transit gateway configuration changes have been applied.</p>
+     * @public
+     */
+    TransitGatewayAttachmentSyncState?: TransitGatewayAttachmentSyncState | undefined;
 }
 /**
  * @public
@@ -1148,9 +1446,15 @@ export type StreamExceptionPolicy = (typeof StreamExceptionPolicy)[keyof typeof
  */
 export interface StatefulEngineOptions {
     /**
-     * <p>Indicates how to manage the order of stateful rule evaluation for the policy. <code>STRICT_ORDER</code> is
-     *          the default and recommended option. With <code>STRICT_ORDER</code>, provide your rules in the order that you want them to be evaluated. You can then choose one or more default actions for packets that don't match any rules. Choose <code>STRICT_ORDER</code> to have the stateful rules engine determine the evaluation order of your rules. The default action for this rule order is <code>PASS</code>, followed by <code>DROP</code>, <code>REJECT</code>, and <code>ALERT</code> actions. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them
-     *          based on your settings. For more information, see
+     * <p>Indicates how to manage the order of stateful rule evaluation for the policy. <code>STRICT_ORDER</code> is the
+     *          recommended option, but <code>DEFAULT_ACTION_ORDER</code> is the default option.
+     *          With <code>STRICT_ORDER</code>, provide your rules in the order that you want them to be evaluated.
+     *          You can then choose one or more default actions for packets that don't match any rules.
+     *          Choose <code>STRICT_ORDER</code> to have the stateful rules engine determine the evaluation order of your rules.
+     *          The default action for this rule order is
+     *          <code>PASS</code>, followed by <code>DROP</code>, <code>REJECT</code>, and <code>ALERT</code> actions.
+     *          Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on your settings.
+     *          For more information, see
      *          <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html">Evaluation order for stateful rules</a> in the <i>Network Firewall Developer Guide</i>.
      *       </p>
      * @public
@@ -1234,6 +1538,15 @@ export interface StatefulRuleGroupReference {
      * @public
      */
     Override?: StatefulRuleGroupOverride | undefined;
+    /**
+     * <p>Network Firewall plans to augment the active threat defense managed rule group with an additional deep threat inspection capability. When this capability is released, Amazon Web Services will analyze service logs of network traffic processed by these rule groups to identify threat indicators across customers.
+     *          Amazon Web Services will use these threat indicators to improve the active threat defense managed rule groups and protect the security of Amazon Web Services customers and services.</p>
+     *          <note>
+     *             <p>Customers can opt-out of deep threat inspection at any time through the Network Firewall console or API. When customers opt out, Network Firewall  will not use the network traffic processed by those customers' active threat defense rule groups for rule group improvement.</p>
+     *          </note>
+     * @public
+     */
+    DeepThreatInspection?: boolean | undefined;
 }
 /**
  * <p>An optional, non-standard action to use for stateless packet handling. You can define
@@ -1642,12 +1955,14 @@ export declare const StatefulRuleProtocol: {
     readonly DNS: "DNS";
     readonly FTP: "FTP";
     readonly HTTP: "HTTP";
+    readonly HTTP2: "HTTP2";
     readonly ICMP: "ICMP";
     readonly IKEV2: "IKEV2";
     readonly IMAP: "IMAP";
     readonly KRB5: "KRB5";
     readonly MSN: "MSN";
     readonly NTP: "NTP";
+    readonly QUIC: "QUIC";
     readonly SMB: "SMB";
     readonly SMTP: "SMTP";
     readonly SSH: "SSH";
@@ -2077,7 +2392,7 @@ export interface PortSet {
 }
 /**
  * <p>Settings that are available for use in the rules in the <a>RuleGroup</a>
- *          where this is defined. </p>
+ *          where this is defined. See <a>CreateRuleGroup</a> or <a>UpdateRuleGroup</a> for usage.</p>
  * @public
  */
 export interface RuleVariables {
@@ -2156,6 +2471,37 @@ export interface SourceMetadata {
      */
     SourceUpdateToken?: string | undefined;
 }
+/**
+ * @public
+ * @enum
+ */
+export declare const SummaryRuleOption: {
+    readonly METADATA: "METADATA";
+    readonly MSG: "MSG";
+    readonly SID: "SID";
+};
+/**
+ * @public
+ */
+export type SummaryRuleOption = (typeof SummaryRuleOption)[keyof typeof SummaryRuleOption];
+/**
+ * <p>A complex type that specifies which Suricata rule metadata fields to use when displaying threat information. Contains:</p>
+ *          <ul>
+ *             <li>
+ *                <p>
+ *                   <code>RuleOptions</code> - The Suricata rule options fields to extract and display</p>
+ *             </li>
+ *          </ul>
+ *          <p>These settings affect how threat information appears in both the console and API responses. Summaries are available for rule groups you manage and for active threat defense Amazon Web Services managed rule groups.</p>
+ * @public
+ */
+export interface SummaryConfiguration {
+    /**
+     * <p>Specifies the selected rule options returned by <a>DescribeRuleGroupSummary</a>.</p>
+     * @public
+     */
+    RuleOptions?: SummaryRuleOption[] | undefined;
+}
 /**
  * @public
  * @enum
@@ -2281,6 +2627,28 @@ export interface CreateRuleGroupRequest {
      * @public
      */
     AnalyzeRuleGroup?: boolean | undefined;
+    /**
+     * <p>An object that contains a <code>RuleOptions</code> array of strings.
+     *          You use <code>RuleOptions</code> to determine which of the following <a>RuleSummary</a> values are returned in response to <code>DescribeRuleGroupSummary</code>.</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>Metadata</code> - returns</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>Msg</code>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>SID</code>
+     *                </p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    SummaryConfiguration?: SummaryConfiguration | undefined;
 }
 /**
  * <p>The high-level properties of a rule group. This, along with the <a>RuleGroup</a>, define the rule group. You can retrieve all objects for a rule group by calling <a>DescribeRuleGroup</a>. </p>
@@ -2358,7 +2726,7 @@ export interface RuleGroupResponse {
      */
     SourceMetadata?: SourceMetadata | undefined;
     /**
-     * <p>The Amazon resource name (ARN) of the Amazon Simple Notification Service SNS topic that's
+     * <p>The Amazon Resource Name (ARN) of the Amazon Simple Notification Service SNS topic that's
      * used to record changes to the managed rule group. You can subscribe to the SNS topic to receive
      * notifications when the managed rule group is modified, such as for new versions and for version
      * expiration. For more information, see the <a href="https://docs.aws.amazon.com/sns/latest/dg/welcome.html">Amazon Simple Notification Service Developer Guide.</a>.</p>
@@ -2375,6 +2743,20 @@ export interface RuleGroupResponse {
      * @public
      */
     AnalysisResults?: AnalysisResult[] | undefined;
+    /**
+     * <p>A complex type containing the currently selected rule option fields that will be displayed for rule summarization returned by <a>DescribeRuleGroupSummary</a>.</p>
+     *          <ul>
+     *             <li>
+     *                <p>The <code>RuleOptions</code> specified in <a>SummaryConfiguration</a>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>Rule metadata organization preferences</p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    SummaryConfiguration?: SummaryConfiguration | undefined;
 }
 /**
  * @public
@@ -2469,7 +2851,7 @@ export interface ServerCertificateConfiguration {
      *                <p>You can't use certificates issued by Private Certificate Authority.</p>
      *             </li>
      *          </ul>
-     *          <p>For more information about configuring certificates for outbound inspection, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html">Using SSL/TLS certificates with certificates with TLS inspection configurations</a> in the <i>Network Firewall Developer Guide</i>. </p>
+     *          <p>For more information about configuring certificates for outbound inspection, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html">Using SSL/TLS certificates with TLS inspection configurations</a> in the <i>Network Firewall Developer Guide</i>. </p>
      *          <p>For information about working with certificates in ACM, see <a href="https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html">Importing certificates</a> in the <i>Certificate Manager User Guide</i>.</p>
      * @public
      */
@@ -2820,6 +3202,70 @@ export interface DeleteFirewallPolicyResponse {
      */
     FirewallPolicyResponse: FirewallPolicyResponse | undefined;
 }
+/**
+ * @public
+ */
+export interface DeleteNetworkFirewallTransitGatewayAttachmentRequest {
+    /**
+     * <p>Required. The unique identifier of the transit gateway attachment to delete.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId: string | undefined;
+}
+/**
+ * @public
+ */
+export interface DeleteNetworkFirewallTransitGatewayAttachmentResponse {
+    /**
+     * <p>The ID of the transit gateway attachment that was deleted.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId: string | undefined;
+    /**
+     * <p>The current status of the transit gateway attachment deletion process.</p>
+     *          <p>Valid values are:</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>CREATING</code> - The attachment is being created</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETING</code> - The attachment is being deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETED</code> - The attachment has been deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>FAILED</code> - The attachment creation has failed and cannot be recovered</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>ERROR</code> - The attachment is in an error state that might be recoverable</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>READY</code> - The attachment is active and processing traffic</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PENDING_ACCEPTANCE</code> - The attachment is waiting to be accepted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTING</code> - The attachment is in the process of being rejected</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTED</code> - The attachment has been rejected</p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    TransitGatewayAttachmentStatus: TransitGatewayAttachmentStatus | undefined;
+}
 /**
  * @public
  */
@@ -3022,6 +3468,11 @@ export interface DescribeFirewallMetadataResponse {
      * @public
      */
     SupportedAvailabilityZones?: Record<string, AvailabilityZoneMetadata> | undefined;
+    /**
+     * <p>The unique identifier of the transit gateway attachment associated with this firewall. This field is only present for transit gateway-attached firewalls.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId?: string | undefined;
 }
 /**
  * @public
@@ -3098,14 +3549,12 @@ export interface DescribeFlowOperationRequest {
  */
 export interface FlowFilter {
     /**
-     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a>
-     *          source and destination specifications.</p>
+     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a> source and destination specifications.</p>
      * @public
      */
     SourceAddress?: Address | undefined;
     /**
-     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a>
-     *          source and destination specifications.</p>
+     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a> source and destination specifications.</p>
      * @public
      */
     DestinationAddress?: Address | undefined;
@@ -3453,17 +3902,94 @@ export interface DescribeRuleGroupResponse {
      *     more than one firewall policy, and you can use a firewall policy in more than one firewall. </p>
      * @public
      */
-    RuleGroup?: RuleGroup | undefined;
+    RuleGroup?: RuleGroup | undefined;
+    /**
+     * <p>The high-level properties of a rule group. This, along with the <a>RuleGroup</a>, define the rule group. You can retrieve all objects for a rule group by calling <a>DescribeRuleGroup</a>. </p>
+     * @public
+     */
+    RuleGroupResponse: RuleGroupResponse | undefined;
+}
+/**
+ * @public
+ */
+export interface DescribeRuleGroupMetadataRequest {
+    /**
+     * <p>The descriptive name of the rule group. You can't change the name of a rule group after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    RuleGroupName?: string | undefined;
+    /**
+     * <p>The descriptive name of the rule group. You can't change the name of a rule group after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    RuleGroupArn?: string | undefined;
+    /**
+     * <p>Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains
+     * stateless rules. If it is stateful, it contains stateful rules. </p>
+     *          <note>
+     *             <p>This setting is required for requests that do not include the <code>RuleGroupARN</code>.</p>
+     *          </note>
+     * @public
+     */
+    Type?: RuleGroupType | undefined;
+}
+/**
+ * @public
+ */
+export interface DescribeRuleGroupMetadataResponse {
+    /**
+     * <p>The descriptive name of the rule group. You can't change the name of a rule group after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    RuleGroupArn: string | undefined;
+    /**
+     * <p>The descriptive name of the rule group. You can't change the name of a rule group after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    RuleGroupName: string | undefined;
+    /**
+     * <p>Returns the metadata objects for the specified rule group.
+     *       </p>
+     * @public
+     */
+    Description?: string | undefined;
+    /**
+     * <p>Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains
+     * stateless rules. If it is stateful, it contains stateful rules. </p>
+     *          <note>
+     *             <p>This setting is required for requests that do not include the <code>RuleGroupARN</code>.</p>
+     *          </note>
+     * @public
+     */
+    Type?: RuleGroupType | undefined;
+    /**
+     * <p>The maximum operating resources that this rule group can use. Rule group capacity is fixed at creation.
+     *       When you update a rule group, you are limited to this capacity. When you reference a rule group
+     *       from a firewall policy, Network Firewall reserves this capacity for the rule group. </p>
+     *          <p>You can retrieve the capacity that would be required for a rule group before you create the rule group by calling
+     *       <a>CreateRuleGroup</a> with <code>DryRun</code> set to <code>TRUE</code>. </p>
+     * @public
+     */
+    Capacity?: number | undefined;
     /**
-     * <p>The high-level properties of a rule group. This, along with the <a>RuleGroup</a>, define the rule group. You can retrieve all objects for a rule group by calling <a>DescribeRuleGroup</a>. </p>
+     * <p>Additional options governing how Network Firewall handles the rule group. You can only use these for stateful rule groups.</p>
      * @public
      */
-    RuleGroupResponse: RuleGroupResponse | undefined;
+    StatefulRuleOptions?: StatefulRuleOptions | undefined;
+    /**
+     * <p>A timestamp indicating when the rule group was last modified.</p>
+     * @public
+     */
+    LastModifiedTime?: Date | undefined;
 }
 /**
  * @public
  */
-export interface DescribeRuleGroupMetadataRequest {
+export interface DescribeRuleGroupSummaryRequest {
     /**
      * <p>The descriptive name of the rule group. You can't change the name of a rule group after you create it.</p>
      *          <p>You must specify the ARN or the name, and you can specify both. </p>
@@ -3471,71 +3997,101 @@ export interface DescribeRuleGroupMetadataRequest {
      */
     RuleGroupName?: string | undefined;
     /**
-     * <p>The descriptive name of the rule group. You can't change the name of a rule group after you create it.</p>
+     * <p>Required. The Amazon Resource Name (ARN) of the rule group.</p>
      *          <p>You must specify the ARN or the name, and you can specify both. </p>
      * @public
      */
     RuleGroupArn?: string | undefined;
     /**
-     * <p>Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains
-     * stateless rules. If it is stateful, it contains stateful rules. </p>
-     *          <note>
-     *             <p>This setting is required for requests that do not include the <code>RuleGroupARN</code>.</p>
-     *          </note>
+     * <p>The type of rule group you want a summary for. This is a required field.</p>
+     *          <p>Valid value: <code>STATEFUL</code>
+     *          </p>
+     *          <p>Note that <code>STATELESS</code> exists but is not currently supported. If you provide <code>STATELESS</code>, an exception is returned.</p>
      * @public
      */
     Type?: RuleGroupType | undefined;
 }
 /**
+ * <p>A complex type containing details about a Suricata rule. Contains:</p>
+ *          <ul>
+ *             <li>
+ *                <p>
+ *                   <code>SID</code>
+ *                </p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <code>Msg</code>
+ *                </p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <code>Metadata</code>
+ *                </p>
+ *             </li>
+ *          </ul>
+ *          <p>Summaries are available for rule groups you manage and for active threat defense Amazon Web Services managed rule groups.</p>
  * @public
  */
-export interface DescribeRuleGroupMetadataResponse {
+export interface RuleSummary {
     /**
-     * <p>The descriptive name of the rule group. You can't change the name of a rule group after you create it.</p>
-     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * <p>The unique identifier (Signature ID) of the Suricata rule.</p>
      * @public
      */
-    RuleGroupArn: string | undefined;
+    SID?: string | undefined;
     /**
-     * <p>The descriptive name of the rule group. You can't change the name of a rule group after you create it.</p>
-     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * <p>The contents taken from the rule's msg field.</p>
      * @public
      */
-    RuleGroupName: string | undefined;
+    Msg?: string | undefined;
     /**
-     * <p>Returns the metadata objects for the specified rule group.
-     *       </p>
+     * <p>The contents of the rule's metadata.</p>
      * @public
      */
-    Description?: string | undefined;
+    Metadata?: string | undefined;
+}
+/**
+ * <p>A complex type containing summaries of security protections provided by a rule group.</p>
+ *          <p>Network Firewall extracts this information from selected fields in the rule group's Suricata rules, based on your <a>SummaryConfiguration</a> settings.</p>
+ * @public
+ */
+export interface Summary {
     /**
-     * <p>Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains
-     * stateless rules. If it is stateful, it contains stateful rules. </p>
-     *          <note>
-     *             <p>This setting is required for requests that do not include the <code>RuleGroupARN</code>.</p>
-     *          </note>
+     * <p>An array of <a>RuleSummary</a> objects containing individual rule details that had been configured by the rulegroup's SummaryConfiguration.</p>
      * @public
      */
-    Type?: RuleGroupType | undefined;
+    RuleSummaries?: RuleSummary[] | undefined;
+}
+/**
+ * @public
+ */
+export interface DescribeRuleGroupSummaryResponse {
     /**
-     * <p>The maximum operating resources that this rule group can use. Rule group capacity is fixed at creation.
-     *       When you update a rule group, you are limited to this capacity. When you reference a rule group
-     *       from a firewall policy, Network Firewall reserves this capacity for the rule group. </p>
-     *          <p>You can retrieve the capacity that would be required for a rule group before you create the rule group by calling
-     *       <a>CreateRuleGroup</a> with <code>DryRun</code> set to <code>TRUE</code>. </p>
+     * <p>The descriptive name of the rule group. You can't change the name of a rule group after you create it.</p>
      * @public
      */
-    Capacity?: number | undefined;
+    RuleGroupName: string | undefined;
     /**
-     * <p>Additional options governing how Network Firewall handles the rule group. You can only use these for stateful rule groups.</p>
+     * <p>A description of the rule group. </p>
      * @public
      */
-    StatefulRuleOptions?: StatefulRuleOptions | undefined;
+    Description?: string | undefined;
     /**
-     * <p>The last time that the rule group was changed.</p>
+     * <p>A complex type that contains rule information based on the rule group's configured summary settings. The content varies depending on the fields that you specified to extract in your SummaryConfiguration. When you haven't configured any summary settings, this returns an empty array. The response might include:</p>
+     *          <ul>
+     *             <li>
+     *                <p>Rule identifiers</p>
+     *             </li>
+     *             <li>
+     *                <p>Rule descriptions</p>
+     *             </li>
+     *             <li>
+     *                <p>Any metadata fields that you specified in your SummaryConfiguration</p>
+     *             </li>
+     *          </ul>
      * @public
      */
-    LastModifiedTime?: Date | undefined;
+    Summary?: Summary | undefined;
 }
 /**
  * @public
@@ -3605,6 +4161,62 @@ export interface DescribeVpcEndpointAssociationResponse {
      */
     VpcEndpointAssociationStatus?: VpcEndpointAssociationStatus | undefined;
 }
+/**
+ * @public
+ */
+export interface DisassociateAvailabilityZonesRequest {
+    /**
+     * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
+     *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
+     *          <p>To make a conditional change to the firewall, provide the token in your update request. Network Firewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the firewall again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallName?: string | undefined;
+    /**
+     * <p>Required. The Availability Zones to remove from the firewall's configuration.</p>
+     * @public
+     */
+    AvailabilityZoneMappings: AvailabilityZoneMapping[] | undefined;
+}
+/**
+ * @public
+ */
+export interface DisassociateAvailabilityZonesResponse {
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     * @public
+     */
+    FirewallArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
+     * @public
+     */
+    FirewallName?: string | undefined;
+    /**
+     * <p>The remaining Availability Zones where the firewall has endpoints after the disassociation.</p>
+     * @public
+     */
+    AvailabilityZoneMappings?: AvailabilityZoneMapping[] | undefined;
+    /**
+     * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
+     *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
+     *          <p>To make a conditional change to the firewall, provide the token in your update request. Network Firewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the firewall again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
 /**
  * @public
  */
@@ -3678,6 +4290,11 @@ export interface FirewallMetadata {
      * @public
      */
     FirewallArn?: string | undefined;
+    /**
+     * <p>The unique identifier of the transit gateway attachment associated with this firewall. This field is only present for transit gateway-attached firewalls.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId?: string | undefined;
 }
 /**
  * <p>High-level information about a firewall policy, returned by operations like create and
@@ -3704,14 +4321,12 @@ export interface FirewallPolicyMetadata {
  */
 export interface Flow {
     /**
-     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a>
-     *          source and destination specifications.</p>
+     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a> source and destination specifications.</p>
      * @public
      */
     SourceAddress?: Address | undefined;
     /**
-     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a>
-     *          source and destination specifications.</p>
+     * <p>A single IP address specification. This is used in the <a>MatchAttributes</a> source and destination specifications.</p>
      * @public
      */
     DestinationAddress?: Address | undefined;
@@ -4164,6 +4779,7 @@ export interface ListFlowOperationsResponse {
  * @enum
  */
 export declare const ResourceManagedType: {
+    readonly ACTIVE_THREAT_DEFENSE: "ACTIVE_THREAT_DEFENSE";
     readonly AWS_MANAGED_DOMAIN_LISTS: "AWS_MANAGED_DOMAIN_LISTS";
     readonly AWS_MANAGED_THREAT_SIGNATURES: "AWS_MANAGED_THREAT_SIGNATURES";
 };
@@ -4473,6 +5089,70 @@ export interface PutResourcePolicyRequest {
  */
 export interface PutResourcePolicyResponse {
 }
+/**
+ * @public
+ */
+export interface RejectNetworkFirewallTransitGatewayAttachmentRequest {
+    /**
+     * <p>Required. The unique identifier of the transit gateway attachment to reject. This ID is returned in the response when creating a transit gateway-attached firewall.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId: string | undefined;
+}
+/**
+ * @public
+ */
+export interface RejectNetworkFirewallTransitGatewayAttachmentResponse {
+    /**
+     * <p>The unique identifier of the transit gateway attachment that was rejected.</p>
+     * @public
+     */
+    TransitGatewayAttachmentId: string | undefined;
+    /**
+     * <p>The current status of the transit gateway attachment. Valid values are:</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>CREATING</code> - The attachment is being created</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETING</code> - The attachment is being deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETED</code> - The attachment has been deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>FAILED</code> - The attachment creation has failed and cannot be recovered</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>ERROR</code> - The attachment is in an error state that might be recoverable</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>READY</code> - The attachment is active and processing traffic</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PENDING_ACCEPTANCE</code> - The attachment is waiting to be accepted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTING</code> - The attachment is in the process of being rejected</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTED</code> - The attachment has been rejected</p>
+     *             </li>
+     *          </ul>
+     *          <p>For information about troubleshooting endpoint failures, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html">Troubleshooting firewall endpoint failures</a> in the <i>Network Firewall Developer Guide</i>.</p>
+     * @public
+     */
+    TransitGatewayAttachmentStatus: TransitGatewayAttachmentStatus | undefined;
+}
 /**
  * @public
  */
@@ -4666,15 +5346,30 @@ export interface UntagResourceRequest {
  */
 export interface UntagResourceResponse {
 }
+/**
+ * <p>Unable to change the resource because your account doesn't own it. </p>
+ * @public
+ */
+export declare class ResourceOwnerCheckException extends __BaseException {
+    readonly name: "ResourceOwnerCheckException";
+    readonly $fault: "client";
+    Message?: string | undefined;
+    /**
+     * @internal
+     */
+    constructor(opts: __ExceptionOptionType<ResourceOwnerCheckException, __BaseException>);
+}
 /**
  * @public
  */
-export interface UpdateFirewallAnalysisSettingsRequest {
+export interface UpdateAvailabilityZoneChangeProtectionRequest {
     /**
-     * <p>An optional setting indicating the specific traffic analysis types to enable on the firewall. </p>
+     * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
+     *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
+     *          <p>To make a conditional change to the firewall, provide the token in your update request. Network Firewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the firewall again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token. </p>
      * @public
      */
-    EnabledAnalysisTypes?: EnabledAnalysisType[] | undefined;
+    UpdateToken?: string | undefined;
     /**
      * <p>The Amazon Resource Name (ARN) of the firewall.</p>
      *          <p>You must specify the ARN or the name, and you can specify both. </p>
@@ -4687,6 +5382,18 @@ export interface UpdateFirewallAnalysisSettingsRequest {
      * @public
      */
     FirewallName?: string | undefined;
+    /**
+     * <p>A setting indicating whether the firewall is protected against changes to the subnet associations.
+     *          Use this setting to protect against
+     *          accidentally modifying the subnet associations for a firewall that is in use. When you create a firewall, the operation initializes this setting to <code>TRUE</code>.</p>
+     * @public
+     */
+    AvailabilityZoneChangeProtection: boolean | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateAvailabilityZoneChangeProtectionResponse {
     /**
      * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
      *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
@@ -4694,11 +5401,28 @@ export interface UpdateFirewallAnalysisSettingsRequest {
      * @public
      */
     UpdateToken?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     * @public
+     */
+    FirewallArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
+     * @public
+     */
+    FirewallName?: string | undefined;
+    /**
+     * <p>A setting indicating whether the firewall is protected against changes to the subnet associations.
+     *          Use this setting to protect against
+     *          accidentally modifying the subnet associations for a firewall that is in use. When you create a firewall, the operation initializes this setting to <code>TRUE</code>.</p>
+     * @public
+     */
+    AvailabilityZoneChangeProtection?: boolean | undefined;
 }
 /**
  * @public
  */
-export interface UpdateFirewallAnalysisSettingsResponse {
+export interface UpdateFirewallAnalysisSettingsRequest {
     /**
      * <p>An optional setting indicating the specific traffic analysis types to enable on the firewall. </p>
      * @public
@@ -4725,17 +5449,33 @@ export interface UpdateFirewallAnalysisSettingsResponse {
     UpdateToken?: string | undefined;
 }
 /**
- * <p>Unable to change the resource because your account doesn't own it. </p>
  * @public
  */
-export declare class ResourceOwnerCheckException extends __BaseException {
-    readonly name: "ResourceOwnerCheckException";
-    readonly $fault: "client";
-    Message?: string | undefined;
+export interface UpdateFirewallAnalysisSettingsResponse {
     /**
-     * @internal
+     * <p>An optional setting indicating the specific traffic analysis types to enable on the firewall. </p>
+     * @public
      */
-    constructor(opts: __ExceptionOptionType<ResourceOwnerCheckException, __BaseException>);
+    EnabledAnalysisTypes?: EnabledAnalysisType[] | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallName?: string | undefined;
+    /**
+     * <p>An optional token that you can use for optimistic locking. Network Firewall returns a token to your requests that access the firewall. The token marks the state of the firewall resource at the time of the request. </p>
+     *          <p>To make an unconditional change to the firewall, omit the token in your update request. Without the token, Network Firewall performs your updates regardless of whether the firewall has changed since you last retrieved it.</p>
+     *          <p>To make a conditional change to the firewall, provide the token in your update request. Network Firewall uses the token to ensure that the firewall hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the firewall again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
 }
 /**
  * @public
@@ -5175,6 +5915,12 @@ export interface UpdateRuleGroupRequest {
      * @public
      */
     AnalyzeRuleGroup?: boolean | undefined;
+    /**
+     * <p>Updates the selected summary configuration for a rule group.</p>
+     *          <p>Changes affect subsequent responses from <a>DescribeRuleGroupSummary</a>.</p>
+     * @public
+     */
+    SummaryConfiguration?: SummaryConfiguration | undefined;
 }
 /**
  * @public