Firewall
networkfirewall.services.k8s.aws/v1alpha1
| Type | Link |
|---|---|
| GoDoc | networkfirewall-controller/apis/v1alpha1#Firewall |
Metadata
| Property | Value |
|---|---|
| Scope | Namespaced |
| Kind | Firewall |
| ListKind | FirewallList |
| Plural | firewalls |
| Singular | firewall |
The firewall defines the configuration settings for an Network Firewall firewall. These settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall Amazon Web Services resource.
The status of the firewall, for example whether it’s ready to filter network traffic, is provided in the corresponding FirewallStatus. You can retrieve both objects by calling DescribeFirewall.
Spec
deleteProtection: boolean
description: string
encryptionConfiguration:
keyID: string
type_: string
firewallName: string
firewallPolicyARN: string
firewallPolicyChangeProtection: boolean
loggingConfiguration:
logDestinationConfigs:
logDestination: {}
logDestinationType: string
logType: string
subnetChangeProtection: boolean
subnetMappings:
- ipAddressType: string
subnetID: string
tags:
- key: string
value: string
vpcID: string
| Field | Description |
|---|---|
| deleteProtection Optional | boolean A flag indicating whether it is possible to delete the firewall. A setting of TRUE indicates that the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. When you create a firewall, the operation initializes this flag to TRUE. |
| description Optional | string A description of the firewall. |
| encryptionConfiguration Optional | object A complex type that contains settings for encryption of your firewall resources. |
| encryptionConfiguration.keyID Optional | string |
| **encryptionConfiguration.type_** Optional | string |
| firewallName Required | string The descriptive name of the firewall. You can’t change the name of a firewall after you create it. |
| firewallPolicyARN Required | string The Amazon Resource Name (ARN) of the FirewallPolicy that you want to use for the firewall. |
| firewallPolicyChangeProtection Optional | boolean A setting indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE. |
| loggingConfiguration Optional | object Defines how Network Firewall performs logging for a firewall. If you omit this setting, Network Firewall disables logging for the firewall. |
| loggingConfiguration.logDestinationConfigs Optional | array |
| loggingConfiguration.logDestinationConfigs.[] Required | object Defines where Network Firewall sends logs for the firewall for one log type. |
| This is used in LoggingConfiguration. You can send each type of log to an | |
| Amazon S3 bucket, a CloudWatch log group, or a Firehose delivery stream. |
Network Firewall generates logs for stateful rule groups. You can save alert,
flow, and TLS log types. || loggingConfiguration.logDestinationConfigs.[].logDestination
Optional | object
|
| loggingConfiguration.logDestinationConfigs.[].logDestinationType
Optional | string
|
| loggingConfiguration.logDestinationConfigs.[].logType
Optional | string
|
| subnetChangeProtection
Optional | boolean
A setting indicating whether the firewall is protected against changes to
the subnet associations. Use this setting to protect against accidentally
modifying the subnet associations for a firewall that is in use. When you
create a firewall, the operation initializes this setting to TRUE. |
| subnetMappings
Required | array
The public subnets to use for your Network Firewall firewalls. Each subnet
must belong to a different Availability Zone in the VPC. Network Firewall
creates a firewall endpoint in each subnet. |
| subnetMappings.[]
Required | object
The ID for a subnet that you want to associate with the firewall. This is
used with CreateFirewall and AssociateSubnets. Network Firewall creates an
instance of the associated firewall in each subnet that you specify, to filter
traffic in the subnet’s Availability Zone. || subnetMappings.[].ipAddressType
Optional | string
|
| subnetMappings.[].subnetID
Optional | string
|
| tags
Optional | array
The key:value pairs to associate with the resource. |
| tags.[]
Required | object
A key:value pair associated with an Amazon Web Services resource. The key:value
pair can be anything you define. Typically, the tag key represents a category
(such as “environment”) and the tag value represents a specific value within
that category (such as “test,” “development,” or “production”). You can add
up to 50 tags to each Amazon Web Services resource. || tags.[].key
Optional | string
|
| tags.[].value
Optional | string
|
| vpcID
Required | string
The unique identifier of the VPC where Network Firewall should create the
firewall.
You can’t change this setting after you create the firewall. |
Status
ackResourceMetadata:
arn: string
ownerAccountID: string
region: string
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
firewall:
deleteProtection: boolean
description: string
encryptionConfiguration:
keyID: string
type_: string
firewallARN: string
firewallID: string
firewallName: string
firewallPolicyARN: string
firewallPolicyChangeProtection: boolean
subnetChangeProtection: boolean
subnetMappings:
- ipAddressType: string
subnetID: string
tags:
- key: string
value: string
vpcID: string
firewallStatus:
capacityUsageSummary:
cidrs:
availableCIDRCount: integer
ipSetReferences: {}
utilizedCIDRCount: integer
configurationSyncStateSummary: string
status: string
syncStates: {}
| Field | Description |
|---|---|
| ackResourceMetadata Optional | object All CRs managed by ACK have a common Status.ACKResourceMetadata memberthat is used to contain resource sync state, account ownership, constructed ARN for the resource |
| ackResourceMetadata.arn Optional | string ARN is the Amazon Resource Name for the resource. This is a globally-unique identifier and is set only by the ACK service controller once the controller has orchestrated the creation of the resource OR when it has verified that an “adopted” resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR’s Spec field values. https://github.com/aws/aws-controllers-k8s/issues/270 |
| ackResourceMetadata.ownerAccountID Required | string OwnerAccountID is the AWS Account ID of the account that owns the backend AWS service API resource. |
| ackResourceMetadata.region Required | string Region is the AWS region in which the resource exists or will exist. |
| conditions Optional | array All CRs managed by ACK have a common Status.Conditions member thatcontains a collection of ackv1alpha1.Condition objects that describethe various terminal states of the CR and its backend AWS service API resource |
| conditions.[] Required | object Condition is the common struct used by all CRDs managed by ACK service |
| controllers to indicate terminal states of the CR and its backend AWS | |
| service API resource | |
| conditions.[].message Optional | string A human readable message indicating details about the transition. |
| conditions.[].reason Optional | string The reason for the condition’s last transition. |
| conditions.[].status Optional | string Status of the condition, one of True, False, Unknown. |
| conditions.[].type Optional | string Type is the type of the Condition |
| firewall Optional | object The configuration settings for the firewall. These settings include the firewall policy and the subnets in your VPC to use for the firewall endpoints. |
| firewall.deleteProtection Optional | boolean |
| firewall.description Optional | string |
| firewall.encryptionConfiguration Optional | object A complex type that contains optional Amazon Web Services Key Management Service (KMS) encryption settings for your Network Firewall resources. Your data is encrypted by default with an Amazon Web Services owned key that Amazon Web Services owns and manages for you. You can use either the Amazon Web Services owned key, or provide your own customer managed key. To learn more about KMS encryption of your Network Firewall resources, see Encryption at rest with Amazon Web Services Key Managment Service (https://docs.aws.amazon.com/kms/latest/developerguide/kms-encryption-at-rest.html) in the Network Firewall Developer Guide. |
| firewall.encryptionConfiguration.keyID Optional | string |
| **firewall.encryptionConfiguration.type_** Optional | string |
| firewall.firewallARN Optional | string |
| firewall.firewallID Optional | string |
| firewall.firewallName Optional | string |
| firewall.firewallPolicyARN Optional | string |
| firewall.firewallPolicyChangeProtection Optional | boolean |
| firewall.subnetChangeProtection Optional | boolean |
| firewall.subnetMappings Optional | array |
| firewall.subnetMappings.[] Required | object The ID for a subnet that you want to associate with the firewall. This is |
| used with CreateFirewall and AssociateSubnets. Network Firewall creates an | |
| instance of the associated firewall in each subnet that you specify, to filter | |
| traffic in the subnet’s Availability Zone. | |
| firewall.subnetMappings.[].subnetID Optional | string |
| firewall.tags Optional | array |
| firewall.tags.[] Required | object A key:value pair associated with an Amazon Web Services resource. The key:value |
| pair can be anything you define. Typically, the tag key represents a category | |
| (such as “environment”) and the tag value represents a specific value within | |
| that category (such as “test,” “development,” or “production”). You can add | |
| up to 50 tags to each Amazon Web Services resource. | |
| firewall.tags.[].value Optional | string |
| firewall.vpcID Optional | string |
| firewallStatus Optional | object Detailed information about the current status of a Firewall. You can retrieve this for a firewall by calling DescribeFirewall and providing the firewall name and ARN. |
| firewallStatus.capacityUsageSummary Optional | object The capacity usage summary of the resources used by the ReferenceSets in a firewall. |
| firewallStatus.capacityUsageSummary.cidrs Optional | object Summarizes the CIDR blocks used by the IP set references in a firewall. Network Firewall calculates the number of CIDRs by taking an aggregated count of all CIDRs used by the IP sets you are referencing. |
| firewallStatus.capacityUsageSummary.cidrs.availableCIDRCount Optional | integer |
| firewallStatus.capacityUsageSummary.cidrs.ipSetReferences Optional | object |
| firewallStatus.capacityUsageSummary.cidrs.utilizedCIDRCount Optional | integer |
| firewallStatus.configurationSyncStateSummary Optional | string |
| firewallStatus.status Optional | string |
| firewallStatus.syncStates Optional | object |