Firewall
networkfirewall.services.k8s.aws/v1alpha1
| Type | Link |
|---|---|
| GoDoc | networkfirewall-controller/apis/v1alpha1#Firewall |
Metadata
| Property | Value |
|---|---|
| Scope | Namespaced |
| Kind | Firewall |
| ListKind | FirewallList |
| Plural | firewalls |
| Singular | firewall |
The firewall defines the configuration settings for an Network Firewall firewall. These settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall Amazon Web Services resource.
The status of the firewall, for example whether it’s ready to filter network traffic, is provided in the corresponding FirewallStatus. You can retrieve both objects by calling DescribeFirewall.
Spec
deleteProtection: boolean
description: string
encryptionConfiguration:
keyID: string
type_: string
firewallName: string
firewallPolicyARN: string
firewallPolicyChangeProtection: boolean
subnetChangeProtection: boolean
subnetMappings:
- iPAddressType: string
subnetID: string
tags:
- key: string
value: string
vpcID: string
| Field | Description |
|---|---|
| deleteProtection Optional | boolean A flag indicating whether it is possible to delete the firewall. A setting of TRUE indicates that the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. When you create a firewall, the operation initializes this flag to TRUE. |
| description Optional | string A description of the firewall. |
| encryptionConfiguration Optional | object A complex type that contains settings for encryption of your firewall resources. |
| encryptionConfiguration.keyID Optional | string |
| **encryptionConfiguration.type_** Optional | string |
| firewallName Required | string The descriptive name of the firewall. You can’t change the name of a firewall after you create it. |
| firewallPolicyARN Required | string The Amazon Resource Name (ARN) of the FirewallPolicy that you want to use for the firewall. |
| firewallPolicyChangeProtection Optional | boolean A setting indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE. |
| subnetChangeProtection Optional | boolean A setting indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE. |
| subnetMappings Required | array The public subnets to use for your Network Firewall firewalls. Each subnet must belong to a different Availability Zone in the VPC. Network Firewall creates a firewall endpoint in each subnet. |
| subnetMappings.[] Required | object The ID for a subnet that you want to associate with the firewall. This is |
| used with CreateFirewall and AssociateSubnets. Network Firewall creates an | |
| instance of the associated firewall in each subnet that you specify, to filter | |
| traffic in the subnet’s Availability Zone. | |
| subnetMappings.[].subnetID Optional | string |
| tags Optional | array The key:value pairs to associate with the resource. |
| tags.[] Required | object A key:value pair associated with an Amazon Web Services resource. The key:value |
| pair can be anything you define. Typically, the tag key represents a category | |
| (such as “environment”) and the tag value represents a specific value within | |
| that category (such as “test,” “development,” or “production”). You can add | |
| up to 50 tags to each Amazon Web Services resource. | |
| tags.[].value Optional | string |
| vpcID Required | string The unique identifier of the VPC where Network Firewall should create the firewall. You can’t change this setting after you create the firewall. |
Status
ackResourceMetadata:
arn: string
ownerAccountID: string
region: string
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
firewall:
deleteProtection: boolean
description: string
encryptionConfiguration:
keyID: string
type_: string
firewallARN: string
firewallID: string
firewallName: string
firewallPolicyARN: string
firewallPolicyChangeProtection: boolean
subnetChangeProtection: boolean
subnetMappings:
- iPAddressType: string
subnetID: string
tags:
- key: string
value: string
vpcID: string
firewallStatus:
capacityUsageSummary:
cidrs:
availableCIDRCount: integer
iPSetReferences: {}
utilizedCIDRCount: integer
configurationSyncStateSummary: string
status: string
syncStates: {}
| Field | Description |
|---|---|
| ackResourceMetadata Optional | object All CRs managed by ACK have a common Status.ACKResourceMetadata memberthat is used to contain resource sync state, account ownership, constructed ARN for the resource |
| ackResourceMetadata.arn Optional | string ARN is the Amazon Resource Name for the resource. This is a globally-unique identifier and is set only by the ACK service controller once the controller has orchestrated the creation of the resource OR when it has verified that an “adopted” resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR’s Spec field values. TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse https://github.com/aws/aws-controllers-k8s/issues/270 |
| ackResourceMetadata.ownerAccountID Required | string OwnerAccountID is the AWS Account ID of the account that owns the backend AWS service API resource. |
| ackResourceMetadata.region Required | string Region is the AWS region in which the resource exists or will exist. |
| conditions Optional | array All CRS managed by ACK have a common Status.Conditions member thatcontains a collection of ackv1alpha1.Condition objects that describethe various terminal states of the CR and its backend AWS service API resource |
| conditions.[] Required | object Condition is the common struct used by all CRDs managed by ACK service |
| controllers to indicate terminal states of the CR and its backend AWS | |
| service API resource | |
| conditions.[].message Optional | string A human readable message indicating details about the transition. |
| conditions.[].reason Optional | string The reason for the condition’s last transition. |
| conditions.[].status Optional | string Status of the condition, one of True, False, Unknown. |
| conditions.[].type Optional | string Type is the type of the Condition |
| firewall Optional | object The configuration settings for the firewall. These settings include the firewall policy and the subnets in your VPC to use for the firewall endpoints. |
| firewall.deleteProtection Optional | boolean |
| firewall.description Optional | string |
| firewall.encryptionConfiguration Optional | object A complex type that contains optional Amazon Web Services Key Management Service (KMS) encryption settings for your Network Firewall resources. Your data is encrypted by default with an Amazon Web Services owned key that Amazon Web Services owns and manages for you. You can use either the Amazon Web Services owned key, or provide your own customer managed key. To learn more about KMS encryption of your Network Firewall resources, see Encryption at rest with Amazon Web Services Key Managment Service (https://docs.aws.amazon.com/kms/latest/developerguide/kms-encryption-at-rest.html) in the Network Firewall Developer Guide. |
| firewall.encryptionConfiguration.keyID Optional | string |
| **firewall.encryptionConfiguration.type_** Optional | string |
| firewall.firewallARN Optional | string |
| firewall.firewallID Optional | string |
| firewall.firewallName Optional | string |
| firewall.firewallPolicyARN Optional | string |
| firewall.firewallPolicyChangeProtection Optional | boolean |
| firewall.subnetChangeProtection Optional | boolean |
| firewall.subnetMappings Optional | array |
| firewall.subnetMappings.[] Required | object The ID for a subnet that you want to associate with the firewall. This is |
| used with CreateFirewall and AssociateSubnets. Network Firewall creates an | |
| instance of the associated firewall in each subnet that you specify, to filter | |
| traffic in the subnet’s Availability Zone. | |
| firewall.subnetMappings.[].subnetID Optional | string |
| firewall.tags Optional | array |
| firewall.tags.[] Required | object A key:value pair associated with an Amazon Web Services resource. The key:value |
| pair can be anything you define. Typically, the tag key represents a category | |
| (such as “environment”) and the tag value represents a specific value within | |
| that category (such as “test,” “development,” or “production”). You can add | |
| up to 50 tags to each Amazon Web Services resource. | |
| firewall.tags.[].value Optional | string |
| firewall.vpcID Optional | string |
| firewallStatus Optional | object Detailed information about the current status of a Firewall. You can retrieve this for a firewall by calling DescribeFirewall and providing the firewall name and ARN. |
| firewallStatus.capacityUsageSummary Optional | object The capacity usage summary of the resources used by the ReferenceSets in a firewall. |
| firewallStatus.capacityUsageSummary.cidrs Optional | object Summarizes the CIDR blocks used by the IP set references in a firewall. Network Firewall calculates the number of CIDRs by taking an aggregated count of all CIDRs used by the IP sets you are referencing. |
| firewallStatus.capacityUsageSummary.cidrs.availableCIDRCount Optional | integer |
| firewallStatus.capacityUsageSummary.cidrs.iPSetReferences Optional | object |
| firewallStatus.capacityUsageSummary.cidrs.utilizedCIDRCount Optional | integer |
| firewallStatus.configurationSyncStateSummary Optional | string |
| firewallStatus.status Optional | string |
| firewallStatus.syncStates Optional | object |