npm - @aws-sdk/client-network-firewall - Versions diffs - 3.936.0 → 3.940.0 - Mend

@aws-sdk/client-network-firewall 3.936.0 → 3.940.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (97) hide show

package/dist-types/models/models_0.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { AttachmentStatus, ConfigurationSyncState, EnabledAnalysisType, EncryptionType, FirewallStatusValue, FlowOperationStatus, FlowOperationType, GeneratedRulesType, IdentifiedType, IPAddressType, LogDestinationType, LogType, OverrideAction, PerObjectSyncStatus, ResourceManagedStatus, ResourceManagedType, ResourceStatus, RevocationCheckAction, RuleGroupType, RuleOrder, StatefulAction, StatefulRuleDirection, StatefulRuleProtocol, StreamExceptionPolicy, SubscriptionStatus, SummaryRuleOption, TargetType, TCPFlag, TransitGatewayAttachmentStatus } from "./enums";
+import { AttachmentStatus, ConfigurationSyncState, EnabledAnalysisType, EncryptionType, FirewallStatusValue, FlowOperationStatus, FlowOperationType, GeneratedRulesType, IdentifiedType, IPAddressType, ListenerPropertyType, LogDestinationType, LogType, OverrideAction, PerObjectSyncStatus, ProxyModifyState, ProxyRulePhaseAction, ProxyState, ResourceManagedStatus, ResourceManagedType, ResourceStatus, RevocationCheckAction, RuleGroupRequestPhase, RuleGroupType, RuleOrder, StatefulAction, StatefulRuleDirection, StatefulRuleProtocol, StreamExceptionPolicy, SubscriptionStatus, SummaryRuleOption, TargetType, TCPFlag, TlsInterceptMode, TransitGatewayAttachmentStatus } from "./enums";
 /**
  * @public
  */
@@ -532,6 +532,186 @@ export interface AZSyncState {
      */
     Attachment?: Attachment | undefined;
 }
+/**
+ * <p>The proxy rule group(s) to attach to the proxy configuration</p>
+ * @public
+ */
+export interface ProxyRuleGroupAttachment {
+    /**
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     * @public
+     */
+    ProxyRuleGroupName?: string | undefined;
+    /**
+     * <p>Where to insert a proxy rule group in a proxy configuration. </p>
+     * @public
+     */
+    InsertPosition?: number | undefined;
+}
+/**
+ * @public
+ */
+export interface AttachRuleGroupsToProxyConfigurationRequest {
+    /**
+     * <p>The descriptive name of the proxy configuration. You can't change the name of a proxy configuration after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyConfigurationName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy configuration.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyConfigurationArn?: string | undefined;
+    /**
+     * <p>The proxy rule group(s) to attach to the proxy configuration</p>
+     * @public
+     */
+    RuleGroups: ProxyRuleGroupAttachment[] | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy configuration. The token marks the state of the proxy configuration resource at the time of the request. </p>
+     *          <p>To make changes to the proxy configuration, you provide the token in your request. Network Firewall uses the token to ensure that the proxy configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken: string | undefined;
+}
+/**
+ * <p>Evaluation points in the traffic flow where rules are applied. There are three phases in a traffic where the rule match is applied. </p>
+ *          <p>This data type is used specifically for the <a>CreateProxyConfiguration</a> and
+ *             <a>UpdateProxyConfiguration</a> APIs.</p>
+ * @public
+ */
+export interface ProxyConfigDefaultRulePhaseActionsRequest {
+    /**
+     * <p>Before domain resolution. </p>
+     * @public
+     */
+    PreDNS?: ProxyRulePhaseAction | undefined;
+    /**
+     * <p>After DNS, before request.</p>
+     * @public
+     */
+    PreREQUEST?: ProxyRulePhaseAction | undefined;
+    /**
+     * <p>After receiving response.</p>
+     * @public
+     */
+    PostRESPONSE?: ProxyRulePhaseAction | undefined;
+}
+/**
+ * <p>Proxy rule group contained within a proxy configuration. </p>
+ * @public
+ */
+export interface ProxyConfigRuleGroup {
+    /**
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     * @public
+     */
+    ProxyRuleGroupName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy rule group.</p>
+     * @public
+     */
+    ProxyRuleGroupArn?: string | undefined;
+    /**
+     * <p>Proxy rule group type. </p>
+     * @public
+     */
+    Type?: string | undefined;
+    /**
+     * <p>Priority of the proxy rule group in the proxy configuration. </p>
+     * @public
+     */
+    Priority?: number | undefined;
+}
+/**
+ * <p>A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you
+ *          define. Typically, the tag key represents a category (such as "environment") and the tag
+ *          value represents a specific value within that category (such as "test," "development," or
+ *          "production"). You can add up to 50 tags to each Amazon Web Services resource. </p>
+ * @public
+ */
+export interface Tag {
+    /**
+     * <p>The part of the key:value pair that defines a tag. You can use a tag key to describe a
+     *          category of information, such as "customer." Tag keys are case-sensitive.</p>
+     * @public
+     */
+    Key: string | undefined;
+    /**
+     * <p>The part of the key:value pair that defines a tag. You can use a tag value to describe a
+     *          specific value within a category, such as "companyA" or "companyB." Tag values are
+     *          case-sensitive.</p>
+     * @public
+     */
+    Value: string | undefined;
+}
+/**
+ * <p>A Proxy Configuration defines the monitoring and protection behavior for a Proxy. The details of the behavior are defined in the rule groups that you add to your configuration. </p>
+ * @public
+ */
+export interface ProxyConfiguration {
+    /**
+     * <p>The descriptive name of the proxy configuration. You can't change the name of a proxy configuration after you create it.</p>
+     * @public
+     */
+    ProxyConfigurationName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy configuration.</p>
+     * @public
+     */
+    ProxyConfigurationArn?: string | undefined;
+    /**
+     * <p>A description of the proxy configuration. </p>
+     * @public
+     */
+    Description?: string | undefined;
+    /**
+     * <p>Time the Proxy Configuration was created. </p>
+     * @public
+     */
+    CreateTime?: Date | undefined;
+    /**
+     * <p>Time the Proxy Configuration was deleted. </p>
+     * @public
+     */
+    DeleteTime?: Date | undefined;
+    /**
+     * <p>Proxy rule groups within the proxy configuration. </p>
+     * @public
+     */
+    RuleGroups?: ProxyConfigRuleGroup[] | undefined;
+    /**
+     * <p>Evaluation points in the traffic flow where rules are applied. There are three phases in a traffic where the rule match is applied. </p>
+     *          <p>Pre-DNS - before domain resolution.</p>
+     *          <p>Pre-Request - after DNS, before request.</p>
+     *          <p>Post-Response - after receiving response.</p>
+     * @public
+     */
+    DefaultRulePhaseActions?: ProxyConfigDefaultRulePhaseActionsRequest | undefined;
+    /**
+     * <p>The key:value pairs to associate with the resource.</p>
+     * @public
+     */
+    Tags?: Tag[] | undefined;
+}
+/**
+ * @public
+ */
+export interface AttachRuleGroupsToProxyConfigurationResponse {
+    /**
+     * <p>The updated proxy configuration resource that reflects the updates from the request.</p>
+     * @public
+     */
+    ProxyConfiguration?: ProxyConfiguration | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy configuration. The token marks the state of the proxy configuration resource at the time of the request. </p>
+     *          <p>To make changes to the proxy configuration, you provide the token in your request. Network Firewall uses the token to ensure that the proxy configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
 /**
  * <p>High-level information about an Availability Zone where the firewall has an endpoint defined. </p>
  * @public
@@ -672,28 +852,6 @@ export interface EncryptionConfiguration {
      */
     Type: EncryptionType | undefined;
 }
-/**
- * <p>A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you
- *          define. Typically, the tag key represents a category (such as "environment") and the tag
- *          value represents a specific value within that category (such as "test," "development," or
- *          "production"). You can add up to 50 tags to each Amazon Web Services resource. </p>
- * @public
- */
-export interface Tag {
-    /**
-     * <p>The part of the key:value pair that defines a tag. You can use a tag key to describe a
-     *          category of information, such as "customer." Tag keys are case-sensitive.</p>
-     * @public
-     */
-    Key: string | undefined;
-    /**
-     * <p>The part of the key:value pair that defines a tag. You can use a tag value to describe a
-     *          specific value within a category, such as "companyA" or "companyB." Tag values are
-     *          case-sensitive.</p>
-     * @public
-     */
-    Value: string | undefined;
-}
 /**
  * @public
  */
@@ -1536,154 +1694,658 @@ export interface CreateFirewallPolicyResponse {
     FirewallPolicyResponse: FirewallPolicyResponse | undefined;
 }
 /**
- * <p>Configures one or more IP set references for a Suricata-compatible rule group. This is used in <a>CreateRuleGroup</a> or <a>UpdateRuleGroup</a>. An IP set reference is a rule variable that references resources that you create and manage in another Amazon Web Services service, such as an Amazon VPC prefix list. Network Firewall IP set references enable you to dynamically update the contents of your rules. When you create, update, or delete the resource you are referencing in your rule, Network Firewall automatically updates the rule's content with the changes. For more information about IP set references in Network Firewall, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups-ip-set-references">Using IP set references</a> in the <i>Network Firewall Developer Guide</i>.</p>
- *          <p>
- *         Network Firewall currently supports <a href="https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html">Amazon VPC prefix lists</a> and <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups-ip-set-references.html#rule-groups-referencing-resource-groups">resource groups</a> in IP set references.
- *       </p>
+ * <p>This data type is used specifically for the <a>CreateProxy</a> and
+ *             <a>UpdateProxy</a> APIs.</p>
+ *          <p>Open port for taking HTTP or HTTPS traffic.</p>
  * @public
  */
-export interface IPSetReference {
+export interface ListenerPropertyRequest {
     /**
-     * <p>The Amazon Resource Name (ARN) of the resource that you are referencing in your rule group.</p>
+     * <p>Port for processing traffic.</p>
      * @public
      */
-    ReferenceArn?: string | undefined;
-}
-/**
- * <p>Contains a set of IP set references.</p>
- * @public
- */
-export interface ReferenceSets {
+    Port: number | undefined;
     /**
-     * <p>The list of IP set references.</p>
+     * <p>Selection of HTTP or HTTPS traffic.</p>
      * @public
      */
-    IPSetReferences?: Record<string, IPSetReference> | undefined;
+    Type: ListenerPropertyType | undefined;
 }
 /**
- * <p>Stateful inspection criteria for a domain list rule group. </p>
- *          <p>For HTTPS traffic, domain filtering is SNI-based. It uses the server name indicator extension of the TLS handshake.</p>
- *          <p>By default, Network Firewall domain list inspection only includes traffic coming from the VPC where you deploy the firewall. To inspect traffic from IP addresses outside of the deployment VPC, you set the <code>HOME_NET</code> rule variable to include the CIDR range of the deployment VPC plus the other CIDR ranges. For more information, see <a>RuleVariables</a> in this guide and
- *       <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.html">Stateful domain list rule groups in Network Firewall</a> in the <i>Network Firewall Developer Guide</i>.</p>
+ * <p>This data type is used specifically for the <a>CreateProxy</a> and
+ *             <a>UpdateProxy</a> APIs.</p>
+ *          <p>TLS decryption on traffic to filter on attributes in the HTTP header. </p>
  * @public
  */
-export interface RulesSourceList {
-    /**
-     * <p>The domains that you want to inspect for in your traffic flows. Valid domain specifications are the following:</p>
-     *          <ul>
-     *             <li>
-     *                <p>Explicit names. For example, <code>abc.example.com</code> matches only the domain <code>abc.example.com</code>.</p>
-     *             </li>
-     *             <li>
-     *                <p>Names that use a domain wildcard, which you indicate with an initial '<code>.</code>'. For example,<code>.example.com</code> matches <code>example.com</code> and matches all subdomains of <code>example.com</code>, such as <code>abc.example.com</code> and <code>www.example.com</code>. </p>
-     *             </li>
-     *          </ul>
-     * @public
-     */
-    Targets: string[] | undefined;
+export interface TlsInterceptPropertiesRequest {
     /**
-     * <p>The protocols you want to inspect. Specify <code>TLS_SNI</code> for <code>HTTPS</code>. Specify <code>HTTP_HOST</code> for <code>HTTP</code>. You can specify either or both. </p>
+     * <p>Private Certificate Authority (PCA) used to issue private TLS certificates so that the proxy can present PCA-signed certificates which applications trust through the same root, establishing a secure and consistent trust model for encrypted communication.</p>
      * @public
      */
-    TargetTypes: TargetType[] | undefined;
+    PcaArn?: string | undefined;
     /**
-     * <p>Whether you want to apply allow, reject, alert, or drop behavior to the domains in your target list.</p>
-     *          <note>
-     *             <p>When logging is enabled and you choose Alert, traffic that matches the domain specifications
-     *             generates an alert in the firewall's logs. Then, traffic either passes, is rejected, or drops based on other rules in the firewall policy.</p>
-     *          </note>
+     * <p>Specifies whether to enable or disable TLS Intercept Mode. </p>
      * @public
      */
-    GeneratedRulesType: GeneratedRulesType | undefined;
+    TlsInterceptMode?: TlsInterceptMode | undefined;
 }
 /**
- * <p>The basic rule criteria for Network Firewall to use to inspect packet headers in stateful
- *          traffic flow inspection. Traffic flows that match the criteria are a match for the
- *          corresponding <a>StatefulRule</a>. </p>
  * @public
  */
-export interface Header {
+export interface CreateProxyRequest {
     /**
-     * <p>The protocol to inspect for. To specify all, you can use <code>IP</code>, because all traffic on Amazon Web Services and on the internet is IP.</p>
+     * <p>The descriptive name of the proxy. You can't change the name of a proxy after you create it.</p>
      * @public
      */
-    Protocol: StatefulRuleProtocol | undefined;
+    ProxyName: string | undefined;
     /**
-     * <p>The source IP address or address range to inspect for, in CIDR notation.
-     *           To match with any address, specify <code>ANY</code>. </p>
-     *          <p>Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6. </p>
-     *          <p>Examples: </p>
-     *          <ul>
-     *             <li>
-     *                <p>To configure Network Firewall to inspect for the IP address 192.0.2.44, specify <code>192.0.2.44/32</code>.</p>
-     *             </li>
-     *             <li>
-     *                <p>To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify <code>192.0.2.0/24</code>.</p>
-     *             </li>
-     *             <li>
-     *                <p>To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify <code>1111:0000:0000:0000:0000:0000:0000:0111/128</code>.</p>
-     *             </li>
-     *             <li>
-     *                <p>To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify <code>1111:0000:0000:0000:0000:0000:0000:0000/64</code>.</p>
-     *             </li>
-     *          </ul>
-     *          <p>For more information about CIDR notation, see the Wikipedia entry <a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing">Classless
-     *          Inter-Domain Routing</a>.</p>
+     * <p>A unique identifier for the NAT gateway to use with proxy resources.</p>
      * @public
      */
-    Source: string | undefined;
+    NatGatewayId: string | undefined;
     /**
-     * <p>The source port to inspect for. You can specify an individual port,
-     *  for example <code>1994</code> and you can specify a port range, for example <code>1990:1994</code>.
-     *  To match with any port, specify <code>ANY</code>.</p>
+     * <p>The descriptive name of the proxy configuration. You can't change the name of a proxy configuration after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
      * @public
      */
-    SourcePort: string | undefined;
+    ProxyConfigurationName?: string | undefined;
     /**
-     * <p>The direction of traffic flow to inspect. If set to <code>ANY</code>, the inspection
-     *          matches bidirectional traffic, both from the source to the destination and from the
-     *          destination to the source. If set to <code>FORWARD</code>, the inspection only matches
-     *          traffic going from the source to the destination. </p>
+     * <p>The Amazon Resource Name (ARN) of a proxy configuration.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
      * @public
      */
-    Direction: StatefulRuleDirection | undefined;
+    ProxyConfigurationArn?: string | undefined;
     /**
-     * <p>The destination IP address or address range to inspect for, in CIDR notation.
-     *           To match with any address, specify <code>ANY</code>. </p>
-     *          <p>Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6. </p>
-     *          <p>Examples: </p>
-     *          <ul>
-     *             <li>
-     *                <p>To configure Network Firewall to inspect for the IP address 192.0.2.44, specify <code>192.0.2.44/32</code>.</p>
-     *             </li>
-     *             <li>
-     *                <p>To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify <code>192.0.2.0/24</code>.</p>
-     *             </li>
-     *             <li>
-     *                <p>To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify <code>1111:0000:0000:0000:0000:0000:0000:0111/128</code>.</p>
-     *             </li>
-     *             <li>
-     *                <p>To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify <code>1111:0000:0000:0000:0000:0000:0000:0000/64</code>.</p>
-     *             </li>
-     *          </ul>
-     *          <p>For more information about CIDR notation, see the Wikipedia entry <a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing">Classless
-     *          Inter-Domain Routing</a>.</p>
+     * <p>Listener properties for HTTP and HTTPS traffic.</p>
      * @public
      */
-    Destination: string | undefined;
+    ListenerProperties?: ListenerPropertyRequest[] | undefined;
     /**
-     * <p>The destination port to inspect for. You can specify an individual port,
-     *  for example <code>1994</code> and you can specify a port range, for example <code>1990:1994</code>.
-     *  To match with any port, specify <code>ANY</code>.</p>
+     * <p>TLS decryption on traffic to filter on attributes in the HTTP header. </p>
      * @public
      */
-    DestinationPort: string | undefined;
+    TlsInterceptProperties: TlsInterceptPropertiesRequest | undefined;
+    /**
+     * <p>The key:value pairs to associate with the resource.</p>
+     * @public
+     */
+    Tags?: Tag[] | undefined;
 }
 /**
- * <p>Additional settings for a stateful rule. This is part of the <a>StatefulRule</a> configuration.</p>
+ * <p>Open port for taking HTTP or HTTPS traffic. </p>
  * @public
  */
-export interface RuleOption {
+export interface ListenerProperty {
+    /**
+     * <p>Port for processing traffic.</p>
+     * @public
+     */
+    Port?: number | undefined;
+    /**
+     * <p>Selection of HTTP or HTTPS traffic.</p>
+     * @public
+     */
+    Type?: ListenerPropertyType | undefined;
+}
+/**
+ * <p>TLS decryption on traffic to filter on attributes in the HTTP header. </p>
+ * @public
+ */
+export interface TlsInterceptProperties {
+    /**
+     * <p>Private Certificate Authority (PCA) used to issue private TLS certificates so that the proxy can present PCA-signed certificates which applications trust through the same root, establishing a secure and consistent trust model for encrypted communication.</p>
+     * @public
+     */
+    PcaArn?: string | undefined;
+    /**
+     * <p>Specifies whether to enable or disable TLS Intercept Mode. </p>
+     * @public
+     */
+    TlsInterceptMode?: TlsInterceptMode | undefined;
+}
+/**
+ * <p>Proxy attached to a NAT gateway. </p>
+ * @public
+ */
+export interface Proxy {
+    /**
+     * <p>Time the Proxy was created. </p>
+     * @public
+     */
+    CreateTime?: Date | undefined;
+    /**
+     * <p>Time the Proxy was deleted. </p>
+     * @public
+     */
+    DeleteTime?: Date | undefined;
+    /**
+     * <p>Time the Proxy was updated. </p>
+     * @public
+     */
+    UpdateTime?: Date | undefined;
+    /**
+     * <p>Failure code for cases when the Proxy fails to attach or update. </p>
+     * @public
+     */
+    FailureCode?: string | undefined;
+    /**
+     * <p>Failure message for cases when the Proxy fails to attach or update. </p>
+     * @public
+     */
+    FailureMessage?: string | undefined;
+    /**
+     * <p>Current attachment/detachment status of the Proxy. </p>
+     * @public
+     */
+    ProxyState?: ProxyState | undefined;
+    /**
+     * <p>Current modification status of the Proxy. </p>
+     * @public
+     */
+    ProxyModifyState?: ProxyModifyState | undefined;
+    /**
+     * <p>The NAT Gateway for the proxy. </p>
+     * @public
+     */
+    NatGatewayId?: string | undefined;
+    /**
+     * <p>The descriptive name of the proxy configuration. You can't change the name of a proxy configuration after you create it.</p>
+     * @public
+     */
+    ProxyConfigurationName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy configuration.</p>
+     * @public
+     */
+    ProxyConfigurationArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the proxy. You can't change the name of a proxy after you create it.</p>
+     * @public
+     */
+    ProxyName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy.</p>
+     * @public
+     */
+    ProxyArn?: string | undefined;
+    /**
+     * <p>Listener properties for HTTP and HTTPS traffic. </p>
+     * @public
+     */
+    ListenerProperties?: ListenerProperty[] | undefined;
+    /**
+     * <p>TLS decryption on traffic to filter on attributes in the HTTP header. </p>
+     * @public
+     */
+    TlsInterceptProperties?: TlsInterceptProperties | undefined;
+    /**
+     * <p>The key:value pairs to associate with the resource.</p>
+     * @public
+     */
+    Tags?: Tag[] | undefined;
+}
+/**
+ * @public
+ */
+export interface CreateProxyResponse {
+    /**
+     * <p>Proxy attached to a NAT gateway. </p>
+     * @public
+     */
+    Proxy?: Proxy | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy. The token marks the state of the proxy resource at the time of the request. </p>
+     *          <p>To make changes to the proxy, you provide the token in your request. Network Firewall uses the token to ensure that the proxy hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface CreateProxyConfigurationRequest {
+    /**
+     * <p>The descriptive name of the proxy configuration. You can't change the name of a proxy configuration after you create it.</p>
+     * @public
+     */
+    ProxyConfigurationName: string | undefined;
+    /**
+     * <p>A description of the proxy configuration. </p>
+     * @public
+     */
+    Description?: string | undefined;
+    /**
+     * <p>The proxy rule group name(s) to attach to the proxy configuration.</p>
+     *          <p>You must specify the ARNs or the names, and you can specify both. </p>
+     * @public
+     */
+    RuleGroupNames?: string[] | undefined;
+    /**
+     * <p>The proxy rule group arn(s) to attach to the proxy configuration.</p>
+     *          <p>You must specify the ARNs or the names, and you can specify both. </p>
+     * @public
+     */
+    RuleGroupArns?: string[] | undefined;
+    /**
+     * <p>Evaluation points in the traffic flow where rules are applied. There are three phases in a traffic where the rule match is applied. </p>
+     * @public
+     */
+    DefaultRulePhaseActions: ProxyConfigDefaultRulePhaseActionsRequest | undefined;
+    /**
+     * <p>The key:value pairs to associate with the resource.</p>
+     * @public
+     */
+    Tags?: Tag[] | undefined;
+}
+/**
+ * @public
+ */
+export interface CreateProxyConfigurationResponse {
+    /**
+     * <p>The properties that define the proxy configuration. </p>
+     * @public
+     */
+    ProxyConfiguration?: ProxyConfiguration | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy configuration. The token marks the state of the proxy configuration resource at the time of the request. </p>
+     *          <p>To make changes to the proxy configuration, you provide the token in your request. Network Firewall uses the token to ensure that the proxy configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
+/**
+ * <p>Match criteria that specify what traffic attributes to examine.</p>
+ * @public
+ */
+export interface ProxyRuleCondition {
+    /**
+     * <p>Defines how to perform a match.</p>
+     * @public
+     */
+    ConditionOperator?: string | undefined;
+    /**
+     * <p>Defines what is to be matched.</p>
+     * @public
+     */
+    ConditionKey?: string | undefined;
+    /**
+     * <p>Specifes the exact value that needs to be matched against.</p>
+     * @public
+     */
+    ConditionValues?: string[] | undefined;
+}
+/**
+ * <p>Individual rules that define match conditions and actions for application-layer traffic. Rules specify what to inspect (domains, headers, methods) and what action to take (allow, deny, alert). </p>
+ * @public
+ */
+export interface CreateProxyRule {
+    /**
+     * <p>The descriptive name of the proxy rule. You can't change the name of a proxy rule after you create it.</p>
+     * @public
+     */
+    ProxyRuleName?: string | undefined;
+    /**
+     * <p>A description of the proxy rule. </p>
+     * @public
+     */
+    Description?: string | undefined;
+    /**
+     * <p>Action to take. </p>
+     * @public
+     */
+    Action?: ProxyRulePhaseAction | undefined;
+    /**
+     * <p>Match criteria that specify what traffic attributes to examine. Conditions include operators (StringEquals, StringLike) and values to match against. </p>
+     * @public
+     */
+    Conditions?: ProxyRuleCondition[] | undefined;
+    /**
+     * <p>Where to insert a proxy rule in a proxy rule group. </p>
+     * @public
+     */
+    InsertPosition?: number | undefined;
+}
+/**
+ * <p>Individual rules that define match conditions and actions for application-layer traffic. Rules specify what to inspect (domains, headers, methods) and what action to take (allow, deny, alert). </p>
+ * @public
+ */
+export interface ProxyRule {
+    /**
+     * <p>The descriptive name of the proxy rule. You can't change the name of a proxy rule after you create it.</p>
+     * @public
+     */
+    ProxyRuleName?: string | undefined;
+    /**
+     * <p>A description of the proxy rule. </p>
+     * @public
+     */
+    Description?: string | undefined;
+    /**
+     * <p>Action to take. </p>
+     * @public
+     */
+    Action?: ProxyRulePhaseAction | undefined;
+    /**
+     * <p>Match criteria that specify what traffic attributes to examine. Conditions include operators (StringEquals, StringLike) and values to match against. </p>
+     * @public
+     */
+    Conditions?: ProxyRuleCondition[] | undefined;
+}
+/**
+ * <p>Evaluation points in the traffic flow where rules are applied. There are three phases in a traffic where the rule match is applied. </p>
+ * @public
+ */
+export interface ProxyRulesByRequestPhase {
+    /**
+     * <p>Before domain resolution. </p>
+     * @public
+     */
+    PreDNS?: ProxyRule[] | undefined;
+    /**
+     * <p>After DNS, before request.</p>
+     * @public
+     */
+    PreREQUEST?: ProxyRule[] | undefined;
+    /**
+     * <p>After receiving response.</p>
+     * @public
+     */
+    PostRESPONSE?: ProxyRule[] | undefined;
+}
+/**
+ * @public
+ */
+export interface CreateProxyRuleGroupRequest {
+    /**
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     * @public
+     */
+    ProxyRuleGroupName: string | undefined;
+    /**
+     * <p>A description of the proxy rule group. </p>
+     * @public
+     */
+    Description?: string | undefined;
+    /**
+     * <p>Individual rules that define match conditions and actions for application-layer traffic. Rules specify what to inspect (domains, headers, methods) and what action to take (allow, deny, alert). </p>
+     * @public
+     */
+    Rules?: ProxyRulesByRequestPhase | undefined;
+    /**
+     * <p>The key:value pairs to associate with the resource.</p>
+     * @public
+     */
+    Tags?: Tag[] | undefined;
+}
+/**
+ * <p>Collections of related proxy filtering rules. Rule groups help you manage and reuse sets of rules across multiple proxy configurations. </p>
+ * @public
+ */
+export interface ProxyRuleGroup {
+    /**
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     * @public
+     */
+    ProxyRuleGroupName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy rule group.</p>
+     * @public
+     */
+    ProxyRuleGroupArn?: string | undefined;
+    /**
+     * <p>Time the Proxy Rule Group was created. </p>
+     * @public
+     */
+    CreateTime?: Date | undefined;
+    /**
+     * <p>Time the Proxy Rule Group was deleted. </p>
+     * @public
+     */
+    DeleteTime?: Date | undefined;
+    /**
+     * <p>Individual rules that define match conditions and actions for application-layer traffic. Rules specify what to inspect (domains, headers, methods) and what action to take (allow, deny, alert). </p>
+     * @public
+     */
+    Rules?: ProxyRulesByRequestPhase | undefined;
+    /**
+     * <p>A description of the proxy rule group. </p>
+     * @public
+     */
+    Description?: string | undefined;
+    /**
+     * <p>The key:value pairs to associate with the resource.</p>
+     * @public
+     */
+    Tags?: Tag[] | undefined;
+}
+/**
+ * @public
+ */
+export interface CreateProxyRuleGroupResponse {
+    /**
+     * <p>The properties that define the proxy rule group. </p>
+     * @public
+     */
+    ProxyRuleGroup?: ProxyRuleGroup | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy rule group. The token marks the state of the proxy rule group resource at the time of the request. </p>
+     *          <p>To make changes to the proxy rule group, you provide the token in your request. Network Firewall uses the token to ensure that the proxy rule group hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy rule group again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
+/**
+ * <p>Evaluation points in the traffic flow where rules are applied. There are three phases in a traffic where the rule match is applied. </p>
+ *          <p>This data type is used specifically for the <a>CreateProxyRules</a> API.</p>
+ *          <p>Pre-DNS - before domain resolution.</p>
+ *          <p>Pre-Request - after DNS, before request.</p>
+ *          <p>Post-Response - after receiving response.</p>
+ * @public
+ */
+export interface CreateProxyRulesByRequestPhase {
+    /**
+     * <p>Before domain resolution. </p>
+     * @public
+     */
+    PreDNS?: CreateProxyRule[] | undefined;
+    /**
+     * <p>After DNS, before request.</p>
+     * @public
+     */
+    PreREQUEST?: CreateProxyRule[] | undefined;
+    /**
+     * <p>After receiving response.</p>
+     * @public
+     */
+    PostRESPONSE?: CreateProxyRule[] | undefined;
+}
+/**
+ * @public
+ */
+export interface CreateProxyRulesRequest {
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy rule group.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyRuleGroupArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyRuleGroupName?: string | undefined;
+    /**
+     * <p>Individual rules that define match conditions and actions for application-layer traffic. Rules specify what to inspect (domains, headers, methods) and what action to take (allow, deny, alert). </p>
+     * @public
+     */
+    Rules: CreateProxyRulesByRequestPhase | undefined;
+}
+/**
+ * @public
+ */
+export interface CreateProxyRulesResponse {
+    /**
+     * <p>The properties that define the proxy rule group with the newly created proxy rule(s). </p>
+     * @public
+     */
+    ProxyRuleGroup?: ProxyRuleGroup | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy rule. The token marks the state of the proxy rule resource at the time of the request. </p>
+     *          <p>To make changes to the proxy rule, you provide the token in your request. Network Firewall uses the token to ensure that the proxy rule hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy rule again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
+/**
+ * <p>Configures one or more IP set references for a Suricata-compatible rule group. This is used in <a>CreateRuleGroup</a> or <a>UpdateRuleGroup</a>. An IP set reference is a rule variable that references resources that you create and manage in another Amazon Web Services service, such as an Amazon VPC prefix list. Network Firewall IP set references enable you to dynamically update the contents of your rules. When you create, update, or delete the resource you are referencing in your rule, Network Firewall automatically updates the rule's content with the changes. For more information about IP set references in Network Firewall, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups-ip-set-references">Using IP set references</a> in the <i>Network Firewall Developer Guide</i>.</p>
+ *          <p>
+ *         Network Firewall currently supports <a href="https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html">Amazon VPC prefix lists</a> and <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups-ip-set-references.html#rule-groups-referencing-resource-groups">resource groups</a> in IP set references.
+ *       </p>
+ * @public
+ */
+export interface IPSetReference {
+    /**
+     * <p>The Amazon Resource Name (ARN) of the resource that you are referencing in your rule group.</p>
+     * @public
+     */
+    ReferenceArn?: string | undefined;
+}
+/**
+ * <p>Contains a set of IP set references.</p>
+ * @public
+ */
+export interface ReferenceSets {
+    /**
+     * <p>The list of IP set references.</p>
+     * @public
+     */
+    IPSetReferences?: Record<string, IPSetReference> | undefined;
+}
+/**
+ * <p>Stateful inspection criteria for a domain list rule group. </p>
+ *          <p>For HTTPS traffic, domain filtering is SNI-based. It uses the server name indicator extension of the TLS handshake.</p>
+ *          <p>By default, Network Firewall domain list inspection only includes traffic coming from the VPC where you deploy the firewall. To inspect traffic from IP addresses outside of the deployment VPC, you set the <code>HOME_NET</code> rule variable to include the CIDR range of the deployment VPC plus the other CIDR ranges. For more information, see <a>RuleVariables</a> in this guide and
+ *       <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.html">Stateful domain list rule groups in Network Firewall</a> in the <i>Network Firewall Developer Guide</i>.</p>
+ * @public
+ */
+export interface RulesSourceList {
+    /**
+     * <p>The domains that you want to inspect for in your traffic flows. Valid domain specifications are the following:</p>
+     *          <ul>
+     *             <li>
+     *                <p>Explicit names. For example, <code>abc.example.com</code> matches only the domain <code>abc.example.com</code>.</p>
+     *             </li>
+     *             <li>
+     *                <p>Names that use a domain wildcard, which you indicate with an initial '<code>.</code>'. For example,<code>.example.com</code> matches <code>example.com</code> and matches all subdomains of <code>example.com</code>, such as <code>abc.example.com</code> and <code>www.example.com</code>. </p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    Targets: string[] | undefined;
+    /**
+     * <p>The protocols you want to inspect. Specify <code>TLS_SNI</code> for <code>HTTPS</code>. Specify <code>HTTP_HOST</code> for <code>HTTP</code>. You can specify either or both. </p>
+     * @public
+     */
+    TargetTypes: TargetType[] | undefined;
+    /**
+     * <p>Whether you want to apply allow, reject, alert, or drop behavior to the domains in your target list.</p>
+     *          <note>
+     *             <p>When logging is enabled and you choose Alert, traffic that matches the domain specifications
+     *             generates an alert in the firewall's logs. Then, traffic either passes, is rejected, or drops based on other rules in the firewall policy.</p>
+     *          </note>
+     * @public
+     */
+    GeneratedRulesType: GeneratedRulesType | undefined;
+}
+/**
+ * <p>The basic rule criteria for Network Firewall to use to inspect packet headers in stateful
+ *          traffic flow inspection. Traffic flows that match the criteria are a match for the
+ *          corresponding <a>StatefulRule</a>. </p>
+ * @public
+ */
+export interface Header {
+    /**
+     * <p>The protocol to inspect for. To specify all, you can use <code>IP</code>, because all traffic on Amazon Web Services and on the internet is IP.</p>
+     * @public
+     */
+    Protocol: StatefulRuleProtocol | undefined;
+    /**
+     * <p>The source IP address or address range to inspect for, in CIDR notation.
+     *           To match with any address, specify <code>ANY</code>. </p>
+     *          <p>Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6. </p>
+     *          <p>Examples: </p>
+     *          <ul>
+     *             <li>
+     *                <p>To configure Network Firewall to inspect for the IP address 192.0.2.44, specify <code>192.0.2.44/32</code>.</p>
+     *             </li>
+     *             <li>
+     *                <p>To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify <code>192.0.2.0/24</code>.</p>
+     *             </li>
+     *             <li>
+     *                <p>To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify <code>1111:0000:0000:0000:0000:0000:0000:0111/128</code>.</p>
+     *             </li>
+     *             <li>
+     *                <p>To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify <code>1111:0000:0000:0000:0000:0000:0000:0000/64</code>.</p>
+     *             </li>
+     *          </ul>
+     *          <p>For more information about CIDR notation, see the Wikipedia entry <a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing">Classless
+     *          Inter-Domain Routing</a>.</p>
+     * @public
+     */
+    Source: string | undefined;
+    /**
+     * <p>The source port to inspect for. You can specify an individual port,
+     *  for example <code>1994</code> and you can specify a port range, for example <code>1990:1994</code>.
+     *  To match with any port, specify <code>ANY</code>.</p>
+     * @public
+     */
+    SourcePort: string | undefined;
+    /**
+     * <p>The direction of traffic flow to inspect. If set to <code>ANY</code>, the inspection
+     *          matches bidirectional traffic, both from the source to the destination and from the
+     *          destination to the source. If set to <code>FORWARD</code>, the inspection only matches
+     *          traffic going from the source to the destination. </p>
+     * @public
+     */
+    Direction: StatefulRuleDirection | undefined;
+    /**
+     * <p>The destination IP address or address range to inspect for, in CIDR notation.
+     *           To match with any address, specify <code>ANY</code>. </p>
+     *          <p>Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6. </p>
+     *          <p>Examples: </p>
+     *          <ul>
+     *             <li>
+     *                <p>To configure Network Firewall to inspect for the IP address 192.0.2.44, specify <code>192.0.2.44/32</code>.</p>
+     *             </li>
+     *             <li>
+     *                <p>To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify <code>192.0.2.0/24</code>.</p>
+     *             </li>
+     *             <li>
+     *                <p>To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify <code>1111:0000:0000:0000:0000:0000:0000:0111/128</code>.</p>
+     *             </li>
+     *             <li>
+     *                <p>To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify <code>1111:0000:0000:0000:0000:0000:0000:0000/64</code>.</p>
+     *             </li>
+     *          </ul>
+     *          <p>For more information about CIDR notation, see the Wikipedia entry <a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing">Classless
+     *          Inter-Domain Routing</a>.</p>
+     * @public
+     */
+    Destination: string | undefined;
+    /**
+     * <p>The destination port to inspect for. You can specify an individual port,
+     *  for example <code>1994</code> and you can specify a port range, for example <code>1990:1994</code>.
+     *  To match with any port, specify <code>ANY</code>.</p>
+     * @public
+     */
+    DestinationPort: string | undefined;
+}
+/**
+ * <p>Additional settings for a stateful rule. This is part of the <a>StatefulRule</a> configuration.</p>
+ * @public
+ */
+export interface RuleOption {
     /**
      * <p>The keyword for the Suricata compatible rule option. You must include a <code>sid</code> (signature ID), and can optionally include other keywords. For information about Suricata compatible keywords, see <a href="https://suricata.readthedocs.io/en/suricata-7.0.3/rules/intro.html#rule-options">Rule options</a> in the Suricata documentation.</p>
      * @public
@@ -2787,49 +3449,187 @@ export interface DeleteNetworkFirewallTransitGatewayAttachmentResponse {
      */
     TransitGatewayAttachmentId: string | undefined;
     /**
-     * <p>The current status of the transit gateway attachment deletion process.</p>
-     *          <p>Valid values are:</p>
-     *          <ul>
-     *             <li>
-     *                <p>
-     *                   <code>CREATING</code> - The attachment is being created</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>DELETING</code> - The attachment is being deleted</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>DELETED</code> - The attachment has been deleted</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>FAILED</code> - The attachment creation has failed and cannot be recovered</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>ERROR</code> - The attachment is in an error state that might be recoverable</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>READY</code> - The attachment is active and processing traffic</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>PENDING_ACCEPTANCE</code> - The attachment is waiting to be accepted</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>REJECTING</code> - The attachment is in the process of being rejected</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>REJECTED</code> - The attachment has been rejected</p>
-     *             </li>
-     *          </ul>
+     * <p>The current status of the transit gateway attachment deletion process.</p>
+     *          <p>Valid values are:</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>CREATING</code> - The attachment is being created</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETING</code> - The attachment is being deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>DELETED</code> - The attachment has been deleted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>FAILED</code> - The attachment creation has failed and cannot be recovered</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>ERROR</code> - The attachment is in an error state that might be recoverable</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>READY</code> - The attachment is active and processing traffic</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PENDING_ACCEPTANCE</code> - The attachment is waiting to be accepted</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTING</code> - The attachment is in the process of being rejected</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>REJECTED</code> - The attachment has been rejected</p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    TransitGatewayAttachmentStatus: TransitGatewayAttachmentStatus | undefined;
+}
+/**
+ * @public
+ */
+export interface DeleteProxyRequest {
+    /**
+     * <p>The NAT Gateway the proxy is attached to. </p>
+     * @public
+     */
+    NatGatewayId: string | undefined;
+    /**
+     * <p>The descriptive name of the proxy. You can't change the name of a proxy after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyArn?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface DeleteProxyResponse {
+    /**
+     * <p>The NAT Gateway the Proxy was attached to. </p>
+     * @public
+     */
+    NatGatewayId?: string | undefined;
+    /**
+     * <p>The descriptive name of the proxy. You can't change the name of a proxy after you create it.</p>
+     * @public
+     */
+    ProxyName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy.</p>
+     * @public
+     */
+    ProxyArn?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface DeleteProxyConfigurationRequest {
+    /**
+     * <p>The descriptive name of the proxy configuration. You can't change the name of a proxy configuration after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyConfigurationName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy configuration.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyConfigurationArn?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface DeleteProxyConfigurationResponse {
+    /**
+     * <p>The descriptive name of the proxy configuration. You can't change the name of a proxy configuration after you create it.</p>
+     * @public
+     */
+    ProxyConfigurationName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy configuration.</p>
+     * @public
+     */
+    ProxyConfigurationArn?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface DeleteProxyRuleGroupRequest {
+    /**
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyRuleGroupName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy rule group.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyRuleGroupArn?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface DeleteProxyRuleGroupResponse {
+    /**
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     * @public
+     */
+    ProxyRuleGroupName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy rule group.</p>
+     * @public
+     */
+    ProxyRuleGroupArn?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface DeleteProxyRulesRequest {
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy rule group.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyRuleGroupArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyRuleGroupName?: string | undefined;
+    /**
+     * <p>The proxy rule(s) to remove from the existing proxy rule group. </p>
+     * @public
+     */
+    Rules: string[] | undefined;
+}
+/**
+ * @public
+ */
+export interface DeleteProxyRulesResponse {
+    /**
+     * <p>The properties that define the proxy rule group with the newly created proxy rule(s). </p>
      * @public
      */
-    TransitGatewayAttachmentStatus: TransitGatewayAttachmentStatus | undefined;
+    ProxyRuleGroup?: ProxyRuleGroup | undefined;
 }
 /**
  * @public
@@ -3199,138 +3999,366 @@ export interface DescribeFlowOperationResponse {
      */
     StatusMessage?: string | undefined;
     /**
-     * <p>A timestamp indicating when the Suricata engine identified flows impacted by an operation. </p>
+     * <p>A timestamp indicating when the Suricata engine identified flows impacted by an operation. </p>
+     * @public
+     */
+    FlowRequestTimestamp?: Date | undefined;
+    /**
+     * <p>Returns key information about a flow operation, such as related statuses, unique identifiers, and all filters defined in the operation.</p>
+     * @public
+     */
+    FlowOperation?: FlowOperation | undefined;
+}
+/**
+ * @public
+ */
+export interface DescribeLoggingConfigurationRequest {
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    FirewallName?: string | undefined;
+}
+/**
+ * <p>Defines where Network Firewall sends logs for the firewall for one log type. This is used
+ *          in <a>LoggingConfiguration</a>. You can send each type of log to an Amazon S3 bucket, a CloudWatch log group, or a Firehose delivery stream.</p>
+ *          <p>Network Firewall generates logs for stateful rule groups. You can save alert, flow, and TLS log
+ *           types. </p>
+ * @public
+ */
+export interface LogDestinationConfig {
+    /**
+     * <p>The type of log to record. You can record the following types of logs from your Network Firewall stateful engine.</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>ALERT</code> - Logs for traffic that matches your stateful rules and that have an action that sends an alert. A stateful rule sends alerts for the rule actions DROP, ALERT, and REJECT. For more information, see <a>StatefulRule</a>.</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>FLOW</code> - Standard network traffic flow logs. The stateful rules engine records flow logs for all network traffic that it receives. Each flow log record captures the network flow for a specific standard stateless rule group.</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>TLS</code> - Logs for events that are related to TLS inspection. For more information, see
+     *           <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-configurations.html">Inspecting SSL/TLS traffic with TLS inspection configurations</a>
+     *               in the <i>Network Firewall Developer Guide</i>.</p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    LogType: LogType | undefined;
+    /**
+     * <p>The type of storage destination to send these logs to. You can send logs to an Amazon S3 bucket,
+     *          a CloudWatch log group, or a Firehose delivery stream.</p>
+     * @public
+     */
+    LogDestinationType: LogDestinationType | undefined;
+    /**
+     * <p>The named location for the logs, provided in a key:value mapping that is specific to the
+     *          chosen destination type. </p>
+     *          <ul>
+     *             <li>
+     *                <p>For an Amazon S3 bucket, provide the name of the bucket, with key <code>bucketName</code>,
+     *             and optionally provide a prefix, with key <code>prefix</code>. </p>
+     *                <p>The following example specifies an Amazon S3 bucket named <code>DOC-EXAMPLE-BUCKET</code> and the prefix <code>alerts</code>: </p>
+     *                <p>
+     *                   <code>"LogDestination": \{ "bucketName": "DOC-EXAMPLE-BUCKET", "prefix": "alerts"
+     *                   \}</code>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>For a CloudWatch log group, provide the name of the CloudWatch log group, with key
+     *                   <code>logGroup</code>. The following example specifies a log group named
+     *                   <code>alert-log-group</code>: </p>
+     *                <p>
+     *                   <code>"LogDestination": \{ "logGroup": "alert-log-group" \}</code>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>For a Firehose delivery stream, provide the name of the delivery stream, with key
+     *                   <code>deliveryStream</code>. The following example specifies a delivery stream
+     *                named <code>alert-delivery-stream</code>: </p>
+     *                <p>
+     *                   <code>"LogDestination": \{ "deliveryStream": "alert-delivery-stream"
+     *                \}</code>
+     *                </p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    LogDestination: Record<string, string> | undefined;
+}
+/**
+ * <p>Defines how Network Firewall performs logging for a <a>Firewall</a>. </p>
+ * @public
+ */
+export interface LoggingConfiguration {
+    /**
+     * <p>Defines the logging destinations for the logs for a firewall. Network Firewall generates
+     *          logs for stateful rule groups. </p>
+     * @public
+     */
+    LogDestinationConfigs: LogDestinationConfig[] | undefined;
+}
+/**
+ * @public
+ */
+export interface DescribeLoggingConfigurationResponse {
+    /**
+     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     * @public
+     */
+    FirewallArn?: string | undefined;
+    /**
+     * <p>Defines how Network Firewall performs logging for a <a>Firewall</a>. </p>
+     * @public
+     */
+    LoggingConfiguration?: LoggingConfiguration | undefined;
+    /**
+     * <p>A boolean that reflects whether or not the firewall monitoring dashboard is enabled on a firewall.</p>
+     *          <p>
+     *          Returns <code>TRUE</code> when the firewall monitoring dashboard is enabled on the firewall.
+     *          Returns <code>FALSE</code> when the firewall monitoring dashboard is not enabled on the firewall.
+     *       </p>
+     * @public
+     */
+    EnableMonitoringDashboard?: boolean | undefined;
+}
+/**
+ * @public
+ */
+export interface DescribeProxyRequest {
+    /**
+     * <p>The descriptive name of the proxy. You can't change the name of a proxy after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyArn?: string | undefined;
+}
+/**
+ * <p>Proxy attached to a NAT gateway. </p>
+ * @public
+ */
+export interface DescribeProxyResource {
+    /**
+     * <p>The descriptive name of the proxy. You can't change the name of a proxy after you create it.</p>
+     * @public
+     */
+    ProxyName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy.</p>
+     * @public
+     */
+    ProxyArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the proxy configuration. You can't change the name of a proxy configuration after you create it.</p>
+     * @public
+     */
+    ProxyConfigurationName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy configuration.</p>
+     * @public
+     */
+    ProxyConfigurationArn?: string | undefined;
+    /**
+     * <p>The NAT Gateway for the proxy. </p>
+     * @public
+     */
+    NatGatewayId?: string | undefined;
+    /**
+     * <p>Current attachment/detachment status of the Proxy. </p>
+     * @public
+     */
+    ProxyState?: ProxyState | undefined;
+    /**
+     * <p>Current modification status of the Proxy. </p>
+     * @public
+     */
+    ProxyModifyState?: ProxyModifyState | undefined;
+    /**
+     * <p>Listener properties for HTTP and HTTPS traffic. </p>
+     * @public
+     */
+    ListenerProperties?: ListenerProperty[] | undefined;
+    /**
+     * <p>TLS decryption on traffic to filter on attributes in the HTTP header. </p>
+     * @public
+     */
+    TlsInterceptProperties?: TlsInterceptProperties | undefined;
+    /**
+     * <p>The service endpoint created in the VPC. </p>
+     * @public
+     */
+    VpcEndpointServiceName?: string | undefined;
+    /**
+     * <p>The private DNS name of the Proxy. </p>
+     * @public
+     */
+    PrivateDNSName?: string | undefined;
+    /**
+     * <p>Time the Proxy was created. </p>
+     * @public
+     */
+    CreateTime?: Date | undefined;
+    /**
+     * <p>Time the Proxy was deleted. </p>
+     * @public
+     */
+    DeleteTime?: Date | undefined;
+    /**
+     * <p>Time the Proxy was updated. </p>
+     * @public
+     */
+    UpdateTime?: Date | undefined;
+    /**
+     * <p>Failure code for cases when the Proxy fails to attach or update. </p>
+     * @public
+     */
+    FailureCode?: string | undefined;
+    /**
+     * <p>Failure message for cases when the Proxy fails to attach or update. </p>
+     * @public
+     */
+    FailureMessage?: string | undefined;
+    /**
+     * <p>The key:value pairs to associate with the resource.</p>
+     * @public
+     */
+    Tags?: Tag[] | undefined;
+}
+/**
+ * @public
+ */
+export interface DescribeProxyResponse {
+    /**
+     * <p>Proxy attached to a NAT gateway. </p>
+     * @public
+     */
+    Proxy?: DescribeProxyResource | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy. The token marks the state of the proxy resource at the time of the request. </p>
+     *          <p>To make changes to the proxy, you provide the token in your request. Network Firewall uses the token to ensure that the proxy hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface DescribeProxyConfigurationRequest {
+    /**
+     * <p>The descriptive name of the proxy configuration. You can't change the name of a proxy configuration after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
      * @public
      */
-    FlowRequestTimestamp?: Date | undefined;
+    ProxyConfigurationName?: string | undefined;
     /**
-     * <p>Returns key information about a flow operation, such as related statuses, unique identifiers, and all filters defined in the operation.</p>
+     * <p>The Amazon Resource Name (ARN) of a proxy configuration.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
      * @public
      */
-    FlowOperation?: FlowOperation | undefined;
+    ProxyConfigurationArn?: string | undefined;
 }
 /**
  * @public
  */
-export interface DescribeLoggingConfigurationRequest {
+export interface DescribeProxyConfigurationResponse {
     /**
-     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
-     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * <p>The configuration for the specified proxy configuration. </p>
      * @public
      */
-    FirewallArn?: string | undefined;
+    ProxyConfiguration?: ProxyConfiguration | undefined;
     /**
-     * <p>The descriptive name of the firewall. You can't change the name of a firewall after you create it.</p>
-     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy configuration. The token marks the state of the proxy configuration resource at the time of the request. </p>
+     *          <p>To make changes to the proxy configuration, you provide the token in your request. Network Firewall uses the token to ensure that the proxy configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
      * @public
      */
-    FirewallName?: string | undefined;
+    UpdateToken?: string | undefined;
 }
 /**
- * <p>Defines where Network Firewall sends logs for the firewall for one log type. This is used
- *          in <a>LoggingConfiguration</a>. You can send each type of log to an Amazon S3 bucket, a CloudWatch log group, or a Firehose delivery stream.</p>
- *          <p>Network Firewall generates logs for stateful rule groups. You can save alert, flow, and TLS log
- *           types. </p>
  * @public
  */
-export interface LogDestinationConfig {
+export interface DescribeProxyRuleRequest {
     /**
-     * <p>The type of log to record. You can record the following types of logs from your Network Firewall stateful engine.</p>
-     *          <ul>
-     *             <li>
-     *                <p>
-     *                   <code>ALERT</code> - Logs for traffic that matches your stateful rules and that have an action that sends an alert. A stateful rule sends alerts for the rule actions DROP, ALERT, and REJECT. For more information, see <a>StatefulRule</a>.</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>FLOW</code> - Standard network traffic flow logs. The stateful rules engine records flow logs for all network traffic that it receives. Each flow log record captures the network flow for a specific standard stateless rule group.</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>TLS</code> - Logs for events that are related to TLS inspection. For more information, see
-     *           <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-configurations.html">Inspecting SSL/TLS traffic with TLS inspection configurations</a>
-     *               in the <i>Network Firewall Developer Guide</i>.</p>
-     *             </li>
-     *          </ul>
+     * <p>The descriptive name of the proxy rule. You can't change the name of a proxy rule after you create it.</p>
      * @public
      */
-    LogType: LogType | undefined;
+    ProxyRuleName: string | undefined;
     /**
-     * <p>The type of storage destination to send these logs to. You can send logs to an Amazon S3 bucket,
-     *          a CloudWatch log group, or a Firehose delivery stream.</p>
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
      * @public
      */
-    LogDestinationType: LogDestinationType | undefined;
+    ProxyRuleGroupName?: string | undefined;
     /**
-     * <p>The named location for the logs, provided in a key:value mapping that is specific to the
-     *          chosen destination type. </p>
-     *          <ul>
-     *             <li>
-     *                <p>For an Amazon S3 bucket, provide the name of the bucket, with key <code>bucketName</code>,
-     *             and optionally provide a prefix, with key <code>prefix</code>. </p>
-     *                <p>The following example specifies an Amazon S3 bucket named <code>DOC-EXAMPLE-BUCKET</code> and the prefix <code>alerts</code>: </p>
-     *                <p>
-     *                   <code>"LogDestination": \{ "bucketName": "DOC-EXAMPLE-BUCKET", "prefix": "alerts"
-     *                   \}</code>
-     *                </p>
-     *             </li>
-     *             <li>
-     *                <p>For a CloudWatch log group, provide the name of the CloudWatch log group, with key
-     *                   <code>logGroup</code>. The following example specifies a log group named
-     *                   <code>alert-log-group</code>: </p>
-     *                <p>
-     *                   <code>"LogDestination": \{ "logGroup": "alert-log-group" \}</code>
-     *                </p>
-     *             </li>
-     *             <li>
-     *                <p>For a Firehose delivery stream, provide the name of the delivery stream, with key
-     *                   <code>deliveryStream</code>. The following example specifies a delivery stream
-     *                named <code>alert-delivery-stream</code>: </p>
-     *                <p>
-     *                   <code>"LogDestination": \{ "deliveryStream": "alert-delivery-stream"
-     *                \}</code>
-     *                </p>
-     *             </li>
-     *          </ul>
+     * <p>The Amazon Resource Name (ARN) of a proxy rule group.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
      * @public
      */
-    LogDestination: Record<string, string> | undefined;
+    ProxyRuleGroupArn?: string | undefined;
 }
 /**
- * <p>Defines how Network Firewall performs logging for a <a>Firewall</a>. </p>
  * @public
  */
-export interface LoggingConfiguration {
+export interface DescribeProxyRuleResponse {
     /**
-     * <p>Defines the logging destinations for the logs for a firewall. Network Firewall generates
-     *          logs for stateful rule groups. </p>
+     * <p>The configuration for the specified proxy rule. </p>
      * @public
      */
-    LogDestinationConfigs: LogDestinationConfig[] | undefined;
+    ProxyRule?: ProxyRule | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy rule. The token marks the state of the proxy rule resource at the time of the request. </p>
+     *          <p>To make changes to the proxy rule, you provide the token in your request. Network Firewall uses the token to ensure that the proxy rule hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy rule again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
 }
 /**
  * @public
  */
-export interface DescribeLoggingConfigurationResponse {
+export interface DescribeProxyRuleGroupRequest {
     /**
-     * <p>The Amazon Resource Name (ARN) of the firewall.</p>
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
      * @public
      */
-    FirewallArn?: string | undefined;
+    ProxyRuleGroupName?: string | undefined;
     /**
-     * <p>Defines how Network Firewall performs logging for a <a>Firewall</a>. </p>
+     * <p>The Amazon Resource Name (ARN) of a proxy rule group.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
      * @public
      */
-    LoggingConfiguration?: LoggingConfiguration | undefined;
+    ProxyRuleGroupArn?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface DescribeProxyRuleGroupResponse {
     /**
-     * <p>A boolean that reflects whether or not the firewall monitoring dashboard is enabled on a firewall.</p>
-     *          <p>
-     *          Returns <code>TRUE</code> when the firewall monitoring dashboard is enabled on the firewall.
-     *          Returns <code>FALSE</code> when the firewall monitoring dashboard is not enabled on the firewall.
-     *       </p>
+     * <p>The configuration for the specified proxy rule group. </p>
      * @public
      */
-    EnableMonitoringDashboard?: boolean | undefined;
+    ProxyRuleGroup?: ProxyRuleGroup | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy rule group. The token marks the state of the proxy rule group resource at the time of the request. </p>
+     *          <p>To make changes to the proxy rule group, you provide the token in your request. Network Firewall uses the token to ensure that the proxy rule group hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy rule group again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
 }
 /**
  * @public
@@ -3676,6 +4704,55 @@ export interface DescribeVpcEndpointAssociationResponse {
      */
     VpcEndpointAssociationStatus?: VpcEndpointAssociationStatus | undefined;
 }
+/**
+ * @public
+ */
+export interface DetachRuleGroupsFromProxyConfigurationRequest {
+    /**
+     * <p>The descriptive name of the proxy configuration. You can't change the name of a proxy configuration after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyConfigurationName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy configuration.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyConfigurationArn?: string | undefined;
+    /**
+     * <p>The proxy rule group names to detach from the proxy configuration</p>
+     * @public
+     */
+    RuleGroupNames?: string[] | undefined;
+    /**
+     * <p>The proxy rule group arns to detach from the proxy configuration</p>
+     * @public
+     */
+    RuleGroupArns?: string[] | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy configuration. The token marks the state of the proxy configuration resource at the time of the request. </p>
+     *          <p>To make changes to the proxy configuration, you provide the token in your request. Network Firewall uses the token to ensure that the proxy configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken: string | undefined;
+}
+/**
+ * @public
+ */
+export interface DetachRuleGroupsFromProxyConfigurationResponse {
+    /**
+     * <p>The updated proxy configuration resource that reflects the updates from the request.</p>
+     * @public
+     */
+    ProxyConfiguration?: ProxyConfiguration | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy configuration. The token marks the state of the proxy configuration resource at the time of the request. </p>
+     *          <p>To make changes to the proxy configuration, you provide the token in your request. Network Firewall uses the token to ensure that the proxy configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
 /**
  * @public
  */
@@ -4239,22 +5316,170 @@ export interface ListFlowOperationsRequest {
      *          <p>Defines the scope a flow operation. You can use up to 20 filters to configure a single flow operation.</p>
      * @public
      */
-    AvailabilityZone?: string | undefined;
+    AvailabilityZone?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a VPC endpoint association.</p>
+     * @public
+     */
+    VpcEndpointAssociationArn?: string | undefined;
+    /**
+     * <p>A unique identifier for the primary endpoint associated with a firewall.</p>
+     * @public
+     */
+    VpcEndpointId?: string | undefined;
+    /**
+     * <p>An optional string that defines whether any or all operation types are returned.</p>
+     * @public
+     */
+    FlowOperationType?: FlowOperationType | undefined;
+    /**
+     * <p>When you request a list of objects with a <code>MaxResults</code> setting, if the number of objects that are still available
+     *          for retrieval exceeds the maximum you requested, Network Firewall returns a <code>NextToken</code>
+     *          value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.</p>
+     * @public
+     */
+    NextToken?: string | undefined;
+    /**
+     * <p>The maximum number of objects that you want Network Firewall to return for this request. If more
+     *           objects are available, in the response, Network Firewall provides a
+     *          <code>NextToken</code> value that you can use in a subsequent call to get the next batch of objects.</p>
+     * @public
+     */
+    MaxResults?: number | undefined;
+}
+/**
+ * @public
+ */
+export interface ListFlowOperationsResponse {
+    /**
+     * <p>Flow operations let you manage the flows tracked in the flow table, also known as the firewall table.</p>
+     *          <p>A flow is network traffic that is monitored by a firewall, either by stateful or stateless rules.
+     * For traffic to be considered part of a flow, it must share Destination, DestinationPort, Direction, Protocol, Source, and SourcePort. </p>
+     * @public
+     */
+    FlowOperations?: FlowOperationMetadata[] | undefined;
+    /**
+     * <p>When you request a list of objects with a <code>MaxResults</code> setting, if the number of objects that are still available
+     *          for retrieval exceeds the maximum you requested, Network Firewall returns a <code>NextToken</code>
+     *          value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.</p>
+     * @public
+     */
+    NextToken?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface ListProxiesRequest {
+    /**
+     * <p>When you request a list of objects with a <code>MaxResults</code> setting, if the number of objects that are still available
+     *          for retrieval exceeds the maximum you requested, Network Firewall returns a <code>NextToken</code>
+     *          value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.</p>
+     * @public
+     */
+    NextToken?: string | undefined;
+    /**
+     * <p>The maximum number of objects that you want Network Firewall to return for this request. If more
+     *           objects are available, in the response, Network Firewall provides a
+     *          <code>NextToken</code> value that you can use in a subsequent call to get the next batch of objects.</p>
+     * @public
+     */
+    MaxResults?: number | undefined;
+}
+/**
+ * <p>High-level information about a proxy, returned by operations like create and
+ *             describe. You can use the information provided in the metadata to retrieve and manage a
+ *             proxy. You can retrieve all objects for a proxy by calling <a>DescribeProxy</a>. </p>
+ * @public
+ */
+export interface ProxyMetadata {
+    /**
+     * <p>The descriptive name of the proxy. You can't change the name of a proxy after you create it.</p>
+     * @public
+     */
+    Name?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy.</p>
+     * @public
+     */
+    Arn?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface ListProxiesResponse {
+    /**
+     * <p>The metadata for the proxies. Depending on your setting for max results and
+     *             the number of proxies that you have, this might not be the full list. </p>
+     * @public
+     */
+    Proxies?: ProxyMetadata[] | undefined;
+    /**
+     * <p>When you request a list of objects with a <code>MaxResults</code> setting, if the number of objects that are still available
+     *          for retrieval exceeds the maximum you requested, Network Firewall returns a <code>NextToken</code>
+     *          value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.</p>
+     * @public
+     */
+    NextToken?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface ListProxyConfigurationsRequest {
+    /**
+     * <p>When you request a list of objects with a <code>MaxResults</code> setting, if the number of objects that are still available
+     *          for retrieval exceeds the maximum you requested, Network Firewall returns a <code>NextToken</code>
+     *          value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.</p>
+     * @public
+     */
+    NextToken?: string | undefined;
+    /**
+     * <p>The maximum number of objects that you want Network Firewall to return for this request. If more
+     *           objects are available, in the response, Network Firewall provides a
+     *          <code>NextToken</code> value that you can use in a subsequent call to get the next batch of objects.</p>
+     * @public
+     */
+    MaxResults?: number | undefined;
+}
+/**
+ * <p>High-level information about a proxy configuration, returned by operations like create and
+ *             describe. You can use the information provided in the metadata to retrieve and manage a
+ *             proxy configuration. You can retrieve all objects for a proxy configuration by calling <a>DescribeProxyConfiguration</a>. </p>
+ * @public
+ */
+export interface ProxyConfigurationMetadata {
+    /**
+     * <p>The descriptive name of the proxy configuration. You can't change the name of a proxy configuration after you create it.</p>
+     * @public
+     */
+    Name?: string | undefined;
     /**
-     * <p>The Amazon Resource Name (ARN) of a VPC endpoint association.</p>
+     * <p>The Amazon Resource Name (ARN) of a proxy configuration.</p>
      * @public
      */
-    VpcEndpointAssociationArn?: string | undefined;
+    Arn?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface ListProxyConfigurationsResponse {
     /**
-     * <p>A unique identifier for the primary endpoint associated with a firewall.</p>
+     * <p>The metadata for the proxy configurations. Depending on your setting for max results and
+     *             the number of proxy configurations that you have, this might not be the full list. </p>
      * @public
      */
-    VpcEndpointId?: string | undefined;
+    ProxyConfigurations?: ProxyConfigurationMetadata[] | undefined;
     /**
-     * <p>An optional string that defines whether any or all operation types are returned.</p>
+     * <p>When you request a list of objects with a <code>MaxResults</code> setting, if the number of objects that are still available
+     *          for retrieval exceeds the maximum you requested, Network Firewall returns a <code>NextToken</code>
+     *          value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.</p>
      * @public
      */
-    FlowOperationType?: FlowOperationType | undefined;
+    NextToken?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface ListProxyRuleGroupsRequest {
     /**
      * <p>When you request a list of objects with a <code>MaxResults</code> setting, if the number of objects that are still available
      *          for retrieval exceeds the maximum you requested, Network Firewall returns a <code>NextToken</code>
@@ -4271,16 +5496,33 @@ export interface ListFlowOperationsRequest {
     MaxResults?: number | undefined;
 }
 /**
+ * <p>High-level information about a proxy rule group, returned by operations like create and
+ *             describe. You can use the information provided in the metadata to retrieve and manage a
+ *             proxy rule group. You can retrieve all objects for a proxy rule group by calling <a>DescribeProxyRuleGroup</a>. </p>
  * @public
  */
-export interface ListFlowOperationsResponse {
+export interface ProxyRuleGroupMetadata {
     /**
-     * <p>Flow operations let you manage the flows tracked in the flow table, also known as the firewall table.</p>
-     *          <p>A flow is network traffic that is monitored by a firewall, either by stateful or stateless rules.
-     * For traffic to be considered part of a flow, it must share Destination, DestinationPort, Direction, Protocol, Source, and SourcePort. </p>
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
      * @public
      */
-    FlowOperations?: FlowOperationMetadata[] | undefined;
+    Name?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy rule group.</p>
+     * @public
+     */
+    Arn?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface ListProxyRuleGroupsResponse {
+    /**
+     * <p>The metadata for the proxy rule groups. Depending on your setting for max results and
+     *             the number of proxy rule groups that you have, this might not be the full list. </p>
+     * @public
+     */
+    ProxyRuleGroups?: ProxyRuleGroupMetadata[] | undefined;
     /**
      * <p>When you request a list of objects with a <code>MaxResults</code> setting, if the number of objects that are still available
      *          for retrieval exceeds the maximum you requested, Network Firewall returns a <code>NextToken</code>
@@ -5309,6 +6551,334 @@ export interface UpdateLoggingConfigurationResponse {
      */
     EnableMonitoringDashboard?: boolean | undefined;
 }
+/**
+ * @public
+ */
+export interface UpdateProxyRequest {
+    /**
+     * <p>The NAT Gateway the proxy is attached to. </p>
+     * @public
+     */
+    NatGatewayId: string | undefined;
+    /**
+     * <p>The descriptive name of the proxy. You can't change the name of a proxy after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyArn?: string | undefined;
+    /**
+     * <p>Listener properties for HTTP and HTTPS traffic to add. </p>
+     * @public
+     */
+    ListenerPropertiesToAdd?: ListenerPropertyRequest[] | undefined;
+    /**
+     * <p>Listener properties for HTTP and HTTPS traffic to remove. </p>
+     * @public
+     */
+    ListenerPropertiesToRemove?: ListenerPropertyRequest[] | undefined;
+    /**
+     * <p>TLS decryption on traffic to filter on attributes in the HTTP header. </p>
+     * @public
+     */
+    TlsInterceptProperties?: TlsInterceptPropertiesRequest | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy. The token marks the state of the proxy resource at the time of the request. </p>
+     *          <p>To make changes to the proxy, you provide the token in your request. Network Firewall uses the token to ensure that the proxy hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken: string | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateProxyResponse {
+    /**
+     * <p>The updated proxy resource that reflects the updates from the request.</p>
+     * @public
+     */
+    Proxy?: Proxy | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy. The token marks the state of the proxy resource at the time of the request. </p>
+     *          <p>To make changes to the proxy, you provide the token in your request. Network Firewall uses the token to ensure that the proxy hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateProxyConfigurationRequest {
+    /**
+     * <p>The descriptive name of the proxy configuration. You can't change the name of a proxy configuration after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyConfigurationName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy configuration.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyConfigurationArn?: string | undefined;
+    /**
+     * <p>Evaluation points in the traffic flow where rules are applied. There are three phases in a traffic where the rule match is applied. </p>
+     * @public
+     */
+    DefaultRulePhaseActions: ProxyConfigDefaultRulePhaseActionsRequest | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy configuration. The token marks the state of the proxy configuration resource at the time of the request. </p>
+     *          <p>To make changes to the proxy configuration, you provide the token in your request. Network Firewall uses the token to ensure that the proxy configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken: string | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateProxyConfigurationResponse {
+    /**
+     * <p>The updated proxy configuration resource that reflects the updates from the request.</p>
+     * @public
+     */
+    ProxyConfiguration?: ProxyConfiguration | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy configuration. The token marks the state of the proxy configuration resource at the time of the request. </p>
+     *          <p>To make changes to the proxy configuration, you provide the token in your request. Network Firewall uses the token to ensure that the proxy configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateProxyRuleRequest {
+    /**
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyRuleGroupName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy rule group.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyRuleGroupArn?: string | undefined;
+    /**
+     * <p>The descriptive name of the proxy rule. You can't change the name of a proxy rule after you create it.</p>
+     * @public
+     */
+    ProxyRuleName: string | undefined;
+    /**
+     * <p>A description of the proxy rule. </p>
+     * @public
+     */
+    Description?: string | undefined;
+    /**
+     * <p>Depending on the match action, the proxy either stops the evaluation (if the action is terminal - allow or deny), or continues it (if the action is alert) until it matches a rule with a terminal action. </p>
+     * @public
+     */
+    Action?: ProxyRulePhaseAction | undefined;
+    /**
+     * <p>Proxy rule conditions to add. Match criteria that specify what traffic attributes to examine. Conditions include operators (StringEquals, StringLike) and values to match against.  </p>
+     * @public
+     */
+    AddConditions?: ProxyRuleCondition[] | undefined;
+    /**
+     * <p>Proxy rule conditions to remove. Match criteria that specify what traffic attributes to examine. Conditions include operators (StringEquals, StringLike) and values to match against.  </p>
+     * @public
+     */
+    RemoveConditions?: ProxyRuleCondition[] | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy rule. The token marks the state of the proxy rule resource at the time of the request. </p>
+     *          <p>To make changes to the proxy rule, you provide the token in your request. Network Firewall uses the token to ensure that the proxy rule hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy rule again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken: string | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateProxyRuleResponse {
+    /**
+     * <p>The updated proxy rule resource that reflects the updates from the request.</p>
+     * @public
+     */
+    ProxyRule?: ProxyRule | undefined;
+    /**
+     * <p>Proxy rule conditions removed from the rule. </p>
+     * @public
+     */
+    RemovedConditions?: ProxyRuleCondition[] | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy rule. The token marks the state of the proxy rule resource at the time of the request. </p>
+     *          <p>To make changes to the proxy rule, you provide the token in your request. Network Firewall uses the token to ensure that the proxy rule hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy rule again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
+/**
+ * <p>Proxy rule group name and new desired position. </p>
+ * @public
+ */
+export interface ProxyRuleGroupPriority {
+    /**
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     * @public
+     */
+    ProxyRuleGroupName?: string | undefined;
+    /**
+     * <p>Where to move a proxy rule group in a proxy configuration. </p>
+     * @public
+     */
+    NewPosition?: number | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateProxyRuleGroupPrioritiesRequest {
+    /**
+     * <p>The descriptive name of the proxy configuration. You can't change the name of a proxy configuration after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyConfigurationName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy configuration.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyConfigurationArn?: string | undefined;
+    /**
+     * <p>proxy rule group resources to update to new positions. </p>
+     * @public
+     */
+    RuleGroups: ProxyRuleGroupPriority[] | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy configuration. The token marks the state of the proxy configuration resource at the time of the request. </p>
+     *          <p>To make changes to the proxy configuration, you provide the token in your request. Network Firewall uses the token to ensure that the proxy configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken: string | undefined;
+}
+/**
+ * <p>Proxy rule group along with its priority. </p>
+ * @public
+ */
+export interface ProxyRuleGroupPriorityResult {
+    /**
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     * @public
+     */
+    ProxyRuleGroupName?: string | undefined;
+    /**
+     * <p>Priority of the proxy rule group in the proxy configuration. </p>
+     * @public
+     */
+    Priority?: number | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateProxyRuleGroupPrioritiesResponse {
+    /**
+     * <p>The updated proxy rule group hierarchy that reflects the updates from the request.</p>
+     * @public
+     */
+    ProxyRuleGroups?: ProxyRuleGroupPriorityResult[] | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy configuration. The token marks the state of the proxy configuration resource at the time of the request. </p>
+     *          <p>To make changes to the proxy configuration, you provide the token in your request. Network Firewall uses the token to ensure that the proxy configuration hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy configuration again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
+/**
+ * <p>Proxy rule name and new desired position. </p>
+ * @public
+ */
+export interface ProxyRulePriority {
+    /**
+     * <p>The descriptive name of the proxy rule. You can't change the name of a proxy rule after you create it.</p>
+     * @public
+     */
+    ProxyRuleName?: string | undefined;
+    /**
+     * <p>Where to move a proxy rule in a proxy rule group. </p>
+     * @public
+     */
+    NewPosition?: number | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateProxyRulePrioritiesRequest {
+    /**
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyRuleGroupName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy rule group.</p>
+     *          <p>You must specify the ARN or the name, and you can specify both. </p>
+     * @public
+     */
+    ProxyRuleGroupArn?: string | undefined;
+    /**
+     * <p>Evaluation points in the traffic flow where rules are applied. There are three phases in a traffic where the rule match is applied. </p>
+     * @public
+     */
+    RuleGroupRequestPhase: RuleGroupRequestPhase | undefined;
+    /**
+     * <p>proxy rule resources to update to new positions. </p>
+     * @public
+     */
+    Rules: ProxyRulePriority[] | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy rule group. The token marks the state of the proxy rule group resource at the time of the request. </p>
+     *          <p>To make changes to the proxy rule group, you provide the token in your request. Network Firewall uses the token to ensure that the proxy rule group hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy rule group again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken: string | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateProxyRulePrioritiesResponse {
+    /**
+     * <p>The descriptive name of the proxy rule group. You can't change the name of a proxy rule group after you create it.</p>
+     * @public
+     */
+    ProxyRuleGroupName?: string | undefined;
+    /**
+     * <p>The Amazon Resource Name (ARN) of a proxy rule group.</p>
+     * @public
+     */
+    ProxyRuleGroupArn?: string | undefined;
+    /**
+     * <p>Evaluation points in the traffic flow where rules are applied. There are three phases in a traffic where the rule match is applied. </p>
+     * @public
+     */
+    RuleGroupRequestPhase?: RuleGroupRequestPhase | undefined;
+    /**
+     * <p>The updated proxy rule hierarchy that reflects the updates from the request.</p>
+     * @public
+     */
+    Rules?: ProxyRulePriority[] | undefined;
+    /**
+     * <p>A token used for optimistic locking. Network Firewall returns a token to your requests that access the proxy rule group. The token marks the state of the proxy rule group resource at the time of the request. </p>
+     *          <p>To make changes to the proxy rule group, you provide the token in your request. Network Firewall uses the token to ensure that the proxy rule group hasn't changed since you last retrieved it. If it has changed, the operation fails with an <code>InvalidTokenException</code>. If this happens, retrieve the proxy rule group again to get a current copy of it with a current token. Reapply your changes as needed, then try the operation again using the new token. </p>
+     * @public
+     */
+    UpdateToken?: string | undefined;
+}
 /**
  * @public
  */