feat(client-network-firewall): AWS Network Firewall now supports configuring TCP idle timeout
awstools committed Oct 30, 2024
1 parent 2c0ec7d commit bf77a24
Showing 10 changed files with 69 additions and 14 deletions.
6 changes: 2 additions & 4 deletions clients/client-network-firewall/README.md
@@ -32,9 +32,7 @@ Guide</a>.</p>
prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
perimeter of your VPC. This includes filtering traffic going to and coming from an internet
gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
with Suricata, a free, open source network analysis and threat detection engine.
Network Firewall supports Suricata version 6.0.9. For information about Suricata,
see the <a href="https://suricata.io/">Suricata website</a>.</p>
with Suricata, a free, open source network analysis and threat detection engine. </p>
<p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
The following are just a few examples: </p>
<ul>
@@ -87,7 +85,7 @@ endpoints.</p>

## Installing

To install the this package, simply type add or install @aws-sdk/client-network-firewall
To install this package, simply type add or install @aws-sdk/client-network-firewall
using your favorite package manager:

- `npm install @aws-sdk/client-network-firewall`
4 changes: 1 addition & 3 deletions clients/client-network-firewall/src/NetworkFirewall.ts
@@ -841,9 +841,7 @@ export interface NetworkFirewall {
* prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
* perimeter of your VPC. This includes filtering traffic going to and coming from an internet
* gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
* with Suricata, a free, open source network analysis and threat detection engine.
* Network Firewall supports Suricata version 6.0.9. For information about Suricata,
* see the <a href="https://suricata.io/">Suricata website</a>.</p>
* with Suricata, a free, open source network analysis and threat detection engine. </p>
* <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
* The following are just a few examples: </p>
* <ul>
4 changes: 1 addition & 3 deletions clients/client-network-firewall/src/NetworkFirewallClient.ts
@@ -449,9 +449,7 @@ export interface NetworkFirewallClientResolvedConfig extends NetworkFirewallClie
* prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
* perimeter of your VPC. This includes filtering traffic going to and coming from an internet
* gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
* with Suricata, a free, open source network analysis and threat detection engine.
* Network Firewall supports Suricata version 6.0.9. For information about Suricata,
* see the <a href="https://suricata.io/">Suricata website</a>.</p>
* with Suricata, a free, open source network analysis and threat detection engine. </p>
* <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
* The following are just a few examples: </p>
* <ul>
@@ -82,6 +82,9 @@ export interface CreateFirewallPolicyCommandOutput extends CreateFirewallPolicyR
* StatefulEngineOptions: { // StatefulEngineOptions
* RuleOrder: "DEFAULT_ACTION_ORDER" || "STRICT_ORDER",
* StreamExceptionPolicy: "DROP" || "CONTINUE" || "REJECT",
* FlowTimeouts: { // FlowTimeouts
* TcpIdleTimeoutSeconds: Number("int"),
* },
* },
* TLSInspectionConfigurationArn: "STRING_VALUE",
* PolicyVariables: { // PolicyVariables
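Review bot: the new `FlowTimeouts` example uses the bare placeholder `TcpIdleTimeoutSeconds: Number("int")`, which gives no hint of the accepted range or the default. Since the model documentation added in this same commit states that the value must be between 60 and 6000 seconds and defaults to 350 when omitted, a trailing comment such as `TcpIdleTimeoutSeconds: Number("int"), // 60-6000, default 350` would save readers a trip to `models_0.ts`; the same applies to the `DescribeFirewallPolicy` and `UpdateFirewallPolicy` examples below.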
@@ -106,6 +106,9 @@ export interface DescribeFirewallPolicyCommandOutput extends DescribeFirewallPol
* // StatefulEngineOptions: { // StatefulEngineOptions
* // RuleOrder: "DEFAULT_ACTION_ORDER" || "STRICT_ORDER",
* // StreamExceptionPolicy: "DROP" || "CONTINUE" || "REJECT",
* // FlowTimeouts: { // FlowTimeouts
* // TcpIdleTimeoutSeconds: Number("int"),
* // },
* // },
* // TLSInspectionConfigurationArn: "STRING_VALUE",
* // PolicyVariables: { // PolicyVariables
@@ -81,6 +81,9 @@ export interface UpdateFirewallPolicyCommandOutput extends UpdateFirewallPolicyR
* StatefulEngineOptions: { // StatefulEngineOptions
* RuleOrder: "DEFAULT_ACTION_ORDER" || "STRICT_ORDER",
* StreamExceptionPolicy: "DROP" || "CONTINUE" || "REJECT",
* FlowTimeouts: { // FlowTimeouts
* TcpIdleTimeoutSeconds: Number("int"),
* },
* },
* TLSInspectionConfigurationArn: "STRING_VALUE",
* PolicyVariables: { // PolicyVariables
4 changes: 1 addition & 3 deletions clients/client-network-firewall/src/index.ts
@@ -27,9 +27,7 @@
* prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
* perimeter of your VPC. This includes filtering traffic going to and coming from an internet
* gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
* with Suricata, a free, open source network analysis and threat detection engine.
* Network Firewall supports Suricata version 6.0.9. For information about Suricata,
* see the <a href="https://suricata.io/">Suricata website</a>.</p>
* with Suricata, a free, open source network analysis and threat detection engine. </p>
* <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
* The following are just a few examples: </p>
* <ul>
26 changes: 26 additions & 0 deletions clients/client-network-firewall/src/models/models_0.ts
@@ -1113,6 +1113,25 @@ export interface PolicyVariables {
RuleVariables?: Record<string, IPSet>;
}

/**
* <p>Describes the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle and Network Firewall removes the flow entry from its flow table.
* Existing connections and flows are not impacted when you update this value. Only new connections after you update this value are impacted.
* </p>
* @public
*/
export interface FlowTimeouts {
/**
* <p>The number of seconds that can pass without any TCP traffic sent through the firewall before the firewall determines that the connection is idle.
* After the idle timeout passes, data packets are dropped, however, the next TCP SYN packet is considered a new flow and is processed by the firewall.
* Clients or targets can use TCP keepalive packets to reset the idle timeout.
* </p>
* <p>You can define the <code>TcpIdleTimeoutSeconds</code> value to be between 60 and 6000 seconds. If no value is provided, it defaults to 350 seconds.
* </p>
* @public
*/
TcpIdleTimeoutSeconds?: number;
}

/**
* @public
* @enum
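Review bot: `TcpIdleTimeoutSeconds` is typed as a plain optional `number`, so the constraints stated in its doc comment (60 to 6000 seconds, default 350) are enforced only by the service; the comment should say so explicitly, so callers know that an out-of-range or fractional value is rejected at request time rather than clamped or rounded. The sentence "After the idle timeout passes, data packets are dropped, however, the next TCP SYN packet is considered a new flow" also reads as a comma splice and would be clearer as two sentences, e.g. "After the idle timeout passes, data packets for that flow are dropped. The next TCP SYN packet is treated as a new flow and is processed by the firewall." That is the operationally important consequence of lowering the value: non-SYN segments of a timed-out connection are dropped until the client re-establishes it, and it deserves to stand on its own.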
@@ -1176,6 +1195,13 @@ export interface StatefulEngineOptions {
* @public
*/
StreamExceptionPolicy?: StreamExceptionPolicy;

/**
* <p>Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
* </p>
* @public
*/
FlowTimeouts?: FlowTimeouts;
}

/**
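Review bot: the doc comment on the new `FlowTimeouts` field of `StatefulEngineOptions` repeats only the first sentence of the `FlowTimeouts` interface doc and drops the caveat that existing connections and flows keep the old value and only new connections pick up an update. Policy authors will read this field's comment rather than the interface, so either repeat the caveat here or reference the `FlowTimeouts` interface doc from this comment.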
5 changes: 5 additions & 0 deletions clients/client-network-firewall/src/protocols/Aws_json1_0.ts
@@ -163,6 +163,7 @@ import {
EncryptionConfiguration,
FirewallPolicy,
FirewallPolicyResponse,
FlowTimeouts,
Header,
InsufficientCapacityException,
InternalServerError,
@@ -1744,6 +1745,8 @@ const se_CreateRuleGroupRequest = (input: CreateRuleGroupRequest, context: __Ser

// se_Flags omitted.

// se_FlowTimeouts omitted.

// se_Header omitted.

// se_IPSet omitted.
@@ -2113,6 +2116,8 @@ const de_FirewallPolicyResponse = (output: any, context: __SerdeContext): Firewa

// de_Flags omitted.

// de_FlowTimeouts omitted.

// de_Header omitted.

// de_InsufficientCapacityException omitted.

0 comments on commit bf77a24
