Configure AWS Network Firewall TLS Inspection

The aws:networkfirewall/tlsInspectionConfiguration:TlsInspectionConfiguration resource, part of the Pulumi AWS provider, defines TLS inspection configurations that decrypt and inspect encrypted traffic flowing through Network Firewall. This guide focuses on four capabilities: inbound inspection with server certificates, outbound inspection with certificate authorities, customer-managed KMS encryption, and bidirectional inspection.

Inspection configurations require ACM certificates for inbound traffic and ACM Private CA for outbound traffic. You must configure at least one direction. The examples are intentionally small. Combine them with your own firewall policies and certificate infrastructure.

Inspect inbound TLS traffic with server certificates

Network Firewall can decrypt and inspect inbound TLS connections to protect internal services from encrypted threats.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Traffic selector: TCP (protocol 6) to destination port 443, from any source
// port, with 0.0.0.0/0 on both the source and destination side. That is every
// HTTPS flow the firewall sees; narrow `destinations` to the protected address
// ranges outside of examples.
const inboundScope = {
    protocols: [6],
    destinationPorts: [{ fromPort: 443, toPort: 443 }],
    destinations: [{ addressDefinition: "0.0.0.0/0" }],
    sourcePorts: [{ fromPort: 0, toPort: 65535 }],
    sources: [{ addressDefinition: "0.0.0.0/0" }],
};

// Inbound inspection: matching connections are decrypted with the referenced
// ACM server certificate, inspected, and re-encrypted before forwarding.
// encryptionConfigurations selects the KMS key that protects this configuration
// (an AWS-owned key here; see the CUSTOMER_KMS variant for a customer key).
// NOTE(review): `example1` is not declared in this snippet; the surrounding
// text describes it as the ACM certificate resource -- define it before use.
const example = new aws.networkfirewall.TlsInspectionConfiguration("example", {
    name: "example",
    description: "example",
    encryptionConfigurations: [{ keyId: "AWS_OWNED_KMS_KEY", type: "AWS_OWNED_KMS_KEY" }],
    tlsInspectionConfiguration: {
        serverCertificateConfiguration: {
            serverCertificates: [{ resourceArn: example1.arn }],
            scopes: [inboundScope],
        },
    },
});
import pulumi
import pulumi_aws as aws

# Traffic selector: TCP (protocol 6) to destination port 443 from any source
# port, with 0.0.0.0/0 on both sides -- every HTTPS flow the firewall sees.
# Narrow "destinations" to the protected address ranges outside of examples.
inbound_scope = {
    "protocols": [6],
    "destination_ports": [{"from_port": 443, "to_port": 443}],
    "destinations": [{"address_definition": "0.0.0.0/0"}],
    "source_ports": [{"from_port": 0, "to_port": 65535}],
    "sources": [{"address_definition": "0.0.0.0/0"}],
}

# Inbound inspection: matching connections are decrypted with the referenced
# ACM server certificate, inspected, and re-encrypted before forwarding.
# encryption_configurations selects the KMS key that protects this
# configuration (AWS-owned here; see the CUSTOMER_KMS variant).
# NOTE(review): example1 is not defined in this snippet; the surrounding text
# describes it as the ACM certificate resource -- define it before use.
example = aws.networkfirewall.TlsInspectionConfiguration(
    "example",
    name="example",
    description="example",
    encryption_configurations=[{"key_id": "AWS_OWNED_KMS_KEY", "type": "AWS_OWNED_KMS_KEY"}],
    tls_inspection_configuration={
        "server_certificate_configuration": {
            "server_certificates": [{"resource_arn": example1["arn"]}],
            "scopes": [inbound_scope],
        },
    },
)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Traffic selector: TCP (protocol 6) to destination port 443 from any
		// source port, with 0.0.0.0/0 on both sides, so every HTTPS flow the
		// firewall sees is decrypted. Narrow Destinations to the protected
		// address ranges outside of examples.
		inboundScope := &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs{
			Protocols: pulumi.IntArray{pulumi.Int(6)},
			DestinationPorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs{
					FromPort: pulumi.Int(443),
					ToPort:   pulumi.Int(443),
				},
			},
			Destinations: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs{
					AddressDefinition: pulumi.String("0.0.0.0/0"),
				},
			},
			SourcePorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs{
					FromPort: pulumi.Int(0),
					ToPort:   pulumi.Int(65535),
				},
			},
			Sources: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs{
					AddressDefinition: pulumi.String("0.0.0.0/0"),
				},
			},
		}

		// Inbound inspection: matching connections are decrypted with the
		// referenced ACM server certificate, inspected and re-encrypted. The
		// configuration is protected by an AWS-owned KMS key; see the
		// CUSTOMER_KMS variant for a customer-managed key.
		// NOTE(review): example1 is not declared in this snippet; the text
		// describes it as the ACM certificate resource -- define it before use.
		_, err := networkfirewall.NewTlsInspectionConfiguration(ctx, "example", &networkfirewall.TlsInspectionConfigurationArgs{
			Name:        pulumi.String("example"),
			Description: pulumi.String("example"),
			EncryptionConfigurations: networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArray{
				&networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArgs{
					KeyId: pulumi.String("AWS_OWNED_KMS_KEY"),
					Type:  pulumi.String("AWS_OWNED_KMS_KEY"),
				},
			},
			TlsInspectionConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationArgs{
				ServerCertificateConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs{
					ServerCertificates: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArray{
						&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs{
							ResourceArn: pulumi.Any(example1.Arn),
						},
					},
					Scopes: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArray{inboundScope},
				},
			},
		})
		// A nil err is passed through unchanged, exactly as the explicit
		// nil-check-then-return-nil form does.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Traffic selector: TCP (protocol 6) to destination port 443 from any
    // source port, with 0.0.0.0/0 on both sides -- every HTTPS flow the
    // firewall sees. Narrow Destinations to the protected ranges outside of
    // examples.
    var inboundScope = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs
    {
        Protocols = new[] { 6 },
        DestinationPorts = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs { FromPort = 443, ToPort = 443 },
        },
        Destinations = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs { AddressDefinition = "0.0.0.0/0" },
        },
        SourcePorts = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs { FromPort = 0, ToPort = 65535 },
        },
        Sources = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs { AddressDefinition = "0.0.0.0/0" },
        },
    };

    // Inbound inspection: matching connections are decrypted with the
    // referenced ACM server certificate, inspected and re-encrypted. The
    // configuration is protected by an AWS-owned KMS key; see the
    // CUSTOMER_KMS variant for a customer-managed key.
    // NOTE(review): example1 is not declared in this snippet; the text
    // describes it as the ACM certificate resource -- define it before use.
    var example = new Aws.NetworkFirewall.TlsInspectionConfiguration("example", new()
    {
        Name = "example",
        Description = "example",
        EncryptionConfigurations = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationEncryptionConfigurationArgs { KeyId = "AWS_OWNED_KMS_KEY", Type = "AWS_OWNED_KMS_KEY" },
        },
        TlsInspectionConfig = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs
        {
            ServerCertificateConfiguration = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs
            {
                ServerCertificates = new[]
                {
                    new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs { ResourceArn = example1.Arn },
                },
                Scopes = new[] { inboundScope },
            },
        },
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.TlsInspectionConfiguration;
import com.pulumi.aws.networkfirewall.TlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationEncryptionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Traffic selector: TCP (protocol 6) to destination port 443 from any
        // source port, with 0.0.0.0/0 on both sides -- every HTTPS flow the
        // firewall sees. Narrow destinations to the protected ranges outside
        // of examples.
        var inboundScope = TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs.builder()
            .protocols(6)
            .destinationPorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs.builder()
                .fromPort(443)
                .toPort(443)
                .build())
            .destinations(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs.builder()
                .addressDefinition("0.0.0.0/0")
                .build())
            .sourcePorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs.builder()
                .fromPort(0)
                .toPort(65535)
                .build())
            .sources(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs.builder()
                .addressDefinition("0.0.0.0/0")
                .build())
            .build();

        // KMS key that protects the configuration: AWS-owned here, see the
        // CUSTOMER_KMS variant for a customer-managed key.
        var encryption = TlsInspectionConfigurationEncryptionConfigurationArgs.builder()
            .keyId("AWS_OWNED_KMS_KEY")
            .type("AWS_OWNED_KMS_KEY")
            .build();

        // Inbound inspection: matching connections are decrypted with the
        // referenced ACM server certificate, inspected and re-encrypted.
        // NOTE(review): example1 is not declared in this snippet; the text
        // describes it as the ACM certificate resource -- define it before use.
        var serverCertificateConfiguration = TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs.builder()
            .serverCertificates(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs.builder()
                .resourceArn(example1.arn())
                .build())
            .scopes(inboundScope)
            .build();

        var example = new TlsInspectionConfiguration("example", TlsInspectionConfigurationArgs.builder()
            .name("example")
            .description("example")
            .encryptionConfigurations(encryption)
            .tlsInspectionConfiguration(TlsInspectionConfigurationTlsInspectionConfigurationArgs.builder()
                .serverCertificateConfiguration(serverCertificateConfiguration)
                .build())
            .build());
    }
}
resources:
  example:
    type: aws:networkfirewall:TlsInspectionConfiguration
    properties:
      name: example
      description: example
      # KMS key that protects the configuration: AWS-owned here, see the
      # CUSTOMER_KMS variant for a customer-managed key.
      encryptionConfigurations:
        - type: AWS_OWNED_KMS_KEY
          keyId: AWS_OWNED_KMS_KEY
      tlsInspectionConfiguration:
        serverCertificateConfiguration:
          # ACM server certificate used to decrypt inbound connections.
          # `example1` is not declared in this program -- define that
          # resource before referencing it.
          serverCertificates:
            - resourceArn: ${example1.arn}
          # Traffic selector: TCP (protocol 6) to port 443 from any source
          # port, 0.0.0.0/0 on both sides -- every HTTPS flow the firewall
          # sees. Narrow destinations to the protected ranges in practice.
          scopes:
            - protocols: [6]
              destinationPorts:
                - { fromPort: 443, toPort: 443 }
              destinations:
                - { addressDefinition: "0.0.0.0/0" }
              sourcePorts:
                - { fromPort: 0, toPort: 65535 }
              sources:
                - { addressDefinition: "0.0.0.0/0" }

For inbound inspection, Network Firewall needs server certificates that match the domains you’re protecting. The serverCertificates property references ACM certificates. The scopes property defines which traffic to inspect: protocol 6 (TCP), port 443 (HTTPS), and address ranges. Network Firewall decrypts matching connections, inspects the payload, then re-encrypts before forwarding.

Inspect outbound TLS traffic with certificate authority

Outbound inspection requires a certificate authority to generate certificates for man-in-the-middle decryption.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Traffic selector: TCP (protocol 6) to destination port 443 from any source
// port, with 0.0.0.0/0 on both sides -- every outbound HTTPS flow the firewall
// sees. Narrow `sources` to the client ranges that should be inspected.
const outboundScope = {
    protocols: [6],
    destinationPorts: [{ fromPort: 443, toPort: 443 }],
    destinations: [{ addressDefinition: "0.0.0.0/0" }],
    sourcePorts: [{ fromPort: 0, toPort: 65535 }],
    sources: [{ addressDefinition: "0.0.0.0/0" }],
};

// Revocation handling for the server certificates seen on outbound
// connections: REJECT drops connections whose certificate is revoked, while
// PASS lets connections through when the status cannot be determined
// (fail-open). Use REJECT for unknownStatusAction too when a fail-closed
// posture is required.
const revocationPolicy = {
    revokedStatusAction: "REJECT",
    unknownStatusAction: "PASS",
};

// Outbound inspection: the ACM Private CA behind certificateAuthorityArn
// issues the certificates the firewall presents to clients while it decrypts
// their connections. The configuration is protected by an AWS-owned KMS key.
// NOTE(review): `example1` is not declared in this snippet; the surrounding
// text describes it as the ACM Private CA resource -- define it before use.
const example = new aws.networkfirewall.TlsInspectionConfiguration("example", {
    name: "example",
    description: "example",
    encryptionConfigurations: [{ keyId: "AWS_OWNED_KMS_KEY", type: "AWS_OWNED_KMS_KEY" }],
    tlsInspectionConfiguration: {
        serverCertificateConfiguration: {
            certificateAuthorityArn: example1.arn,
            checkCertificateRevocationStatus: revocationPolicy,
            scopes: [outboundScope],
        },
    },
});
import pulumi
import pulumi_aws as aws

# Traffic selector: TCP (protocol 6) to destination port 443 from any source
# port, with 0.0.0.0/0 on both sides -- every outbound HTTPS flow the firewall
# sees. Narrow "sources" to the client ranges that should be inspected.
outbound_scope = {
    "protocols": [6],
    "destination_ports": [{"from_port": 443, "to_port": 443}],
    "destinations": [{"address_definition": "0.0.0.0/0"}],
    "source_ports": [{"from_port": 0, "to_port": 65535}],
    "sources": [{"address_definition": "0.0.0.0/0"}],
}

# Revocation handling: REJECT drops connections whose server certificate is
# revoked; PASS lets connections through when the status cannot be determined
# (fail-open). Use REJECT for unknown_status_action too for fail-closed.
revocation_policy = {
    "revoked_status_action": "REJECT",
    "unknown_status_action": "PASS",
}

# Outbound inspection: the ACM Private CA behind certificate_authority_arn
# issues the certificates the firewall presents to clients while decrypting.
# The configuration is protected by an AWS-owned KMS key.
# NOTE(review): example1 is not defined in this snippet; the surrounding text
# describes it as the ACM Private CA resource -- define it before use.
example = aws.networkfirewall.TlsInspectionConfiguration(
    "example",
    name="example",
    description="example",
    encryption_configurations=[{"key_id": "AWS_OWNED_KMS_KEY", "type": "AWS_OWNED_KMS_KEY"}],
    tls_inspection_configuration={
        "server_certificate_configuration": {
            "certificate_authority_arn": example1["arn"],
            "check_certificate_revocation_status": revocation_policy,
            "scopes": [outbound_scope],
        },
    },
)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Traffic selector: TCP (protocol 6) to destination port 443 from any
		// source port, with 0.0.0.0/0 on both sides -- every outbound HTTPS
		// flow the firewall sees. Narrow Sources to the client ranges that
		// should be inspected.
		outboundScope := &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs{
			Protocols: pulumi.IntArray{pulumi.Int(6)},
			DestinationPorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs{
					FromPort: pulumi.Int(443),
					ToPort:   pulumi.Int(443),
				},
			},
			Destinations: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs{
					AddressDefinition: pulumi.String("0.0.0.0/0"),
				},
			},
			SourcePorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs{
					FromPort: pulumi.Int(0),
					ToPort:   pulumi.Int(65535),
				},
			},
			Sources: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs{
					AddressDefinition: pulumi.String("0.0.0.0/0"),
				},
			},
		}

		// Revocation handling: REJECT drops connections whose server
		// certificate is revoked; PASS lets connections through when the
		// status cannot be determined (fail-open). Use REJECT for
		// UnknownStatusAction too when a fail-closed posture is required.
		revocationPolicy := &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs{
			RevokedStatusAction: pulumi.String("REJECT"),
			UnknownStatusAction: pulumi.String("PASS"),
		}

		// Outbound inspection: the ACM Private CA behind CertificateAuthorityArn
		// issues the certificates the firewall presents to clients while
		// decrypting. The configuration is protected by an AWS-owned KMS key.
		// NOTE(review): example1 is not declared in this snippet; the text
		// describes it as the ACM Private CA resource -- define it before use.
		_, err := networkfirewall.NewTlsInspectionConfiguration(ctx, "example", &networkfirewall.TlsInspectionConfigurationArgs{
			Name:        pulumi.String("example"),
			Description: pulumi.String("example"),
			EncryptionConfigurations: networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArray{
				&networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArgs{
					KeyId: pulumi.String("AWS_OWNED_KMS_KEY"),
					Type:  pulumi.String("AWS_OWNED_KMS_KEY"),
				},
			},
			TlsInspectionConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationArgs{
				ServerCertificateConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs{
					CertificateAuthorityArn:          pulumi.Any(example1.Arn),
					CheckCertificateRevocationStatus: revocationPolicy,
					Scopes: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArray{outboundScope},
				},
			},
		})
		// A nil err is passed through unchanged, exactly as the explicit
		// nil-check-then-return-nil form does.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Traffic selector: TCP (protocol 6) to destination port 443 from any
    // source port, with 0.0.0.0/0 on both sides -- every outbound HTTPS flow
    // the firewall sees. Narrow Sources to the client ranges that should be
    // inspected.
    var outboundScope = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs
    {
        Protocols = new[] { 6 },
        DestinationPorts = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs { FromPort = 443, ToPort = 443 },
        },
        Destinations = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs { AddressDefinition = "0.0.0.0/0" },
        },
        SourcePorts = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs { FromPort = 0, ToPort = 65535 },
        },
        Sources = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs { AddressDefinition = "0.0.0.0/0" },
        },
    };

    // Revocation handling: REJECT drops connections whose server certificate
    // is revoked; PASS lets connections through when the status cannot be
    // determined (fail-open). Use REJECT for UnknownStatusAction too when a
    // fail-closed posture is required.
    var revocationPolicy = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs
    {
        RevokedStatusAction = "REJECT",
        UnknownStatusAction = "PASS",
    };

    // Outbound inspection: the ACM Private CA behind CertificateAuthorityArn
    // issues the certificates the firewall presents to clients while
    // decrypting. The configuration is protected by an AWS-owned KMS key.
    // NOTE(review): example1 is not declared in this snippet; the text
    // describes it as the ACM Private CA resource -- define it before use.
    var example = new Aws.NetworkFirewall.TlsInspectionConfiguration("example", new()
    {
        Name = "example",
        Description = "example",
        EncryptionConfigurations = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationEncryptionConfigurationArgs { KeyId = "AWS_OWNED_KMS_KEY", Type = "AWS_OWNED_KMS_KEY" },
        },
        TlsInspectionConfig = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs
        {
            ServerCertificateConfiguration = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs
            {
                CertificateAuthorityArn = example1.Arn,
                CheckCertificateRevocationStatus = revocationPolicy,
                Scopes = new[] { outboundScope },
            },
        },
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.TlsInspectionConfiguration;
import com.pulumi.aws.networkfirewall.TlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationEncryptionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Traffic selector: TCP (protocol 6) to destination port 443 from any
        // source port, with 0.0.0.0/0 on both sides -- every outbound HTTPS
        // flow the firewall sees. Narrow sources to the client ranges that
        // should be inspected.
        var outboundScope = TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs.builder()
            .protocols(6)
            .destinationPorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs.builder()
                .fromPort(443)
                .toPort(443)
                .build())
            .destinations(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs.builder()
                .addressDefinition("0.0.0.0/0")
                .build())
            .sourcePorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs.builder()
                .fromPort(0)
                .toPort(65535)
                .build())
            .sources(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs.builder()
                .addressDefinition("0.0.0.0/0")
                .build())
            .build();

        // Revocation handling: REJECT drops connections whose server
        // certificate is revoked; PASS lets connections through when the
        // status cannot be determined (fail-open). Use REJECT for
        // unknownStatusAction too when a fail-closed posture is required.
        var revocationPolicy = TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs.builder()
            .revokedStatusAction("REJECT")
            .unknownStatusAction("PASS")
            .build();

        // KMS key that protects the configuration: AWS-owned here, see the
        // CUSTOMER_KMS variant for a customer-managed key.
        var encryption = TlsInspectionConfigurationEncryptionConfigurationArgs.builder()
            .keyId("AWS_OWNED_KMS_KEY")
            .type("AWS_OWNED_KMS_KEY")
            .build();

        // Outbound inspection: the ACM Private CA behind certificateAuthorityArn
        // issues the certificates the firewall presents to clients while
        // decrypting.
        // NOTE(review): example1 is not declared in this snippet; the text
        // describes it as the ACM Private CA resource -- define it before use.
        var serverCertificateConfiguration = TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs.builder()
            .certificateAuthorityArn(example1.arn())
            .checkCertificateRevocationStatus(revocationPolicy)
            .scopes(outboundScope)
            .build();

        var example = new TlsInspectionConfiguration("example", TlsInspectionConfigurationArgs.builder()
            .name("example")
            .description("example")
            .encryptionConfigurations(encryption)
            .tlsInspectionConfiguration(TlsInspectionConfigurationTlsInspectionConfigurationArgs.builder()
                .serverCertificateConfiguration(serverCertificateConfiguration)
                .build())
            .build());
    }
}
resources:
  example:
    type: aws:networkfirewall:TlsInspectionConfiguration
    properties:
      name: example
      description: example
      # KMS key that protects the configuration: AWS-owned here, see the
      # CUSTOMER_KMS variant for a customer-managed key.
      encryptionConfigurations:
        - type: AWS_OWNED_KMS_KEY
          keyId: AWS_OWNED_KMS_KEY
      tlsInspectionConfiguration:
        serverCertificateConfiguration:
          # ACM Private CA that issues the certificates the firewall presents
          # to clients while decrypting. `example1` is not declared in this
          # program -- define that resource before referencing it.
          certificateAuthorityArn: ${example1.arn}
          # REJECT drops connections whose server certificate is revoked;
          # PASS lets connections through when the status cannot be
          # determined (fail-open). Use REJECT here too for fail-closed.
          checkCertificateRevocationStatus:
            unknownStatusAction: PASS
            revokedStatusAction: REJECT
          # Traffic selector: TCP (protocol 6) to port 443 from any source
          # port, 0.0.0.0/0 on both sides -- every outbound HTTPS flow the
          # firewall sees. Narrow sources to the client ranges to inspect.
          scopes:
            - protocols: [6]
              destinationPorts:
                - { fromPort: 443, toPort: 443 }
              destinations:
                - { addressDefinition: "0.0.0.0/0" }
              sourcePorts:
                - { fromPort: 0, toPort: 65535 }
              sources:
                - { addressDefinition: "0.0.0.0/0" }

The certificateAuthorityArn points to an ACM Private CA that Network Firewall uses to generate certificates on the fly. When clients connect to external sites, Network Firewall presents these generated certificates. The checkCertificateRevocationStatus property controls how Network Firewall handles revoked or unknown certificate status: REJECT blocks connections whose certificate is revoked, and PASS allows connections whose revocation status cannot be determined (a fail-open choice).

Encrypt inspection data with customer-managed KMS keys

Organizations with compliance requirements often need to control encryption keys for inspection data.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Customer-managed KMS key that protects the inspection configuration.
// deletionWindowInDays: 7 is the waiting period before a scheduled deletion
// of the key completes. Nothing here grants Network Firewall use of the key
// or enables rotation -- NOTE(review): confirm the key policy lets the
// service use it, and consider enableKeyRotation for production keys.
const example = new aws.kms.Key("example", {
    description: "example",
    deletionWindowInDays: 7,
});

// Traffic selector: TCP (protocol 6) to destination port 443 from any source
// port, with 0.0.0.0/0 on both sides -- every HTTPS flow the firewall sees.
// Narrow `destinations` to the protected address ranges outside of examples.
const inboundScope = {
    protocols: [6],
    destinationPorts: [{ fromPort: 443, toPort: 443 }],
    destinations: [{ addressDefinition: "0.0.0.0/0" }],
    sourcePorts: [{ fromPort: 0, toPort: 65535 }],
    sources: [{ addressDefinition: "0.0.0.0/0" }],
};

// Same inbound inspection as the AWS-owned-key example, but the configuration
// is encrypted with the customer-managed key above (type CUSTOMER_KMS, keyId
// set to the key's ARN).
// NOTE(review): `example1` is not declared in this snippet; the surrounding
// text describes it as the ACM certificate resource -- define it before use.
const exampleTlsInspectionConfiguration = new aws.networkfirewall.TlsInspectionConfiguration("example", {
    name: "example",
    description: "example",
    encryptionConfigurations: [{ keyId: example.arn, type: "CUSTOMER_KMS" }],
    tlsInspectionConfiguration: {
        serverCertificateConfiguration: {
            serverCertificates: [{ resourceArn: example1.arn }],
            scopes: [inboundScope],
        },
    },
});
import pulumi
import pulumi_aws as aws

# Customer-managed KMS key that protects the inspection configuration.
# deletion_window_in_days=7 is the waiting period before a scheduled deletion
# of the key completes. Nothing here grants Network Firewall use of the key
# or enables rotation -- NOTE(review): confirm the key policy lets the
# service use it, and consider enable_key_rotation for production keys.
example = aws.kms.Key(
    "example",
    description="example",
    deletion_window_in_days=7,
)

# Traffic selector: TCP (protocol 6) to destination port 443 from any source
# port, with 0.0.0.0/0 on both sides -- every HTTPS flow the firewall sees.
# Narrow "destinations" to the protected address ranges outside of examples.
inbound_scope = {
    "protocols": [6],
    "destination_ports": [{"from_port": 443, "to_port": 443}],
    "destinations": [{"address_definition": "0.0.0.0/0"}],
    "source_ports": [{"from_port": 0, "to_port": 65535}],
    "sources": [{"address_definition": "0.0.0.0/0"}],
}

# Same inbound inspection as the AWS-owned-key example, but the configuration
# is encrypted with the customer-managed key above (type CUSTOMER_KMS, key_id
# set to the key's ARN).
# NOTE(review): example1 is not defined in this snippet; the surrounding text
# describes it as the ACM certificate resource -- define it before use.
example_tls_inspection_configuration = aws.networkfirewall.TlsInspectionConfiguration(
    "example",
    name="example",
    description="example",
    encryption_configurations=[{"key_id": example.arn, "type": "CUSTOMER_KMS"}],
    tls_inspection_configuration={
        "server_certificate_configuration": {
            "server_certificates": [{"resource_arn": example1["arn"]}],
            "scopes": [inbound_scope],
        },
    },
)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Customer-managed KMS key that protects the inspection configuration.
		// DeletionWindowInDays 7 is the waiting period before a scheduled
		// deletion of the key completes. Nothing here grants Network Firewall
		// use of the key or enables rotation -- NOTE(review): confirm the key
		// policy lets the service use it, and consider EnableKeyRotation for
		// production keys.
		example, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
			Description:          pulumi.String("example"),
			DeletionWindowInDays: pulumi.Int(7),
		})
		if err != nil {
			return err
		}

		// Traffic selector: TCP (protocol 6) to destination port 443 from any
		// source port, with 0.0.0.0/0 on both sides -- every HTTPS flow the
		// firewall sees. Narrow Destinations to the protected ranges outside
		// of examples.
		inboundScope := &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs{
			Protocols: pulumi.IntArray{pulumi.Int(6)},
			DestinationPorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs{
					FromPort: pulumi.Int(443),
					ToPort:   pulumi.Int(443),
				},
			},
			Destinations: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs{
					AddressDefinition: pulumi.String("0.0.0.0/0"),
				},
			},
			SourcePorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs{
					FromPort: pulumi.Int(0),
					ToPort:   pulumi.Int(65535),
				},
			},
			Sources: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs{
					AddressDefinition: pulumi.String("0.0.0.0/0"),
				},
			},
		}

		// Same inbound inspection as the AWS-owned-key example, but the
		// configuration is encrypted with the customer-managed key above
		// (Type CUSTOMER_KMS, KeyId set to the key's ARN).
		// NOTE(review): example1 is not declared in this snippet; the text
		// describes it as the ACM certificate resource -- define it before use.
		_, err = networkfirewall.NewTlsInspectionConfiguration(ctx, "example", &networkfirewall.TlsInspectionConfigurationArgs{
			Name:        pulumi.String("example"),
			Description: pulumi.String("example"),
			EncryptionConfigurations: networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArray{
				&networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArgs{
					KeyId: example.Arn,
					Type:  pulumi.String("CUSTOMER_KMS"),
				},
			},
			TlsInspectionConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationArgs{
				ServerCertificateConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs{
					ServerCertificates: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArray{
						&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs{
							ResourceArn: pulumi.Any(example1.Arn),
						},
					},
					Scopes: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArray{inboundScope},
				},
			},
		})
		// A nil err is passed through unchanged, exactly as the explicit
		// nil-check-then-return-nil form does.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    // Customer-managed KMS key that encrypts the stored TLS inspection configuration.
    // NOTE(review): 7 days is the minimum deletion window KMS accepts; once the key is
    // deleted, configuration data encrypted under it is unrecoverable — confirm this is intended
    // for a key that protects a security control.
    var example = new Aws.Kms.Key("example", new()
    {
        Description = "example",
        DeletionWindowInDays = 7,
    });

    var exampleTlsInspectionConfiguration = new Aws.NetworkFirewall.TlsInspectionConfiguration("example", new()
    {
        Name = "example",
        Description = "example",
        // CUSTOMER_KMS: KeyId is the ARN of the key above instead of the AWS_OWNED_KMS_KEY placeholder,
        // so key usage shows up in your CloudTrail and you control rotation and the key policy.
        EncryptionConfigurations = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationEncryptionConfigurationArgs
            {
                KeyId = example.Arn,
                Type = "CUSTOMER_KMS",
            },
        },
        // The C# SDK exposes this input as TlsInspectionConfig; the other SDKs on this page call it
        // tlsInspectionConfiguration.
        TlsInspectionConfig = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs
        {
            ServerCertificateConfiguration = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs
            {
                // Inbound inspection only: example1 is a pre-existing ACM certificate for the protected
                // service. It is not defined in this listing.
                ServerCertificates = new[]
                {
                    new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs
                    {
                        ResourceArn = example1.Arn,
                    },
                },
                // Scope: TCP (IP protocol 6), any source port, destination port 443, all addresses in
                // both directions. Every 443 session the firewall policy routes here is decrypted —
                // narrow Sources/Destinations to the CIDRs that actually need inspection.
                Scopes = new[]
                {
                    new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs
                    {
                        Protocols = new[]
                        {
                            6,
                        },
                        DestinationPorts = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs
                            {
                                FromPort = 443,
                                ToPort = 443,
                            },
                        },
                        Destinations = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs
                            {
                                AddressDefinition = "0.0.0.0/0",
                            },
                        },
                        SourcePorts = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs
                            {
                                FromPort = 0,
                                ToPort = 65535,
                            },
                        },
                        Sources = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs
                            {
                                AddressDefinition = "0.0.0.0/0",
                            },
                        },
                    },
                },
            },
        },
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.networkfirewall.TlsInspectionConfiguration;
import com.pulumi.aws.networkfirewall.TlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationEncryptionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Creates a customer-managed KMS key and a Network Firewall TLS inspection configuration
 * that encrypts its stored settings with that key and decrypts inbound TLS on port 443.
 *
 * NOTE(review): {@code example1} (the ACM certificate used for inbound inspection) is not
 * defined in this listing, and the nested builder types used below (the ServerCertificateArgs,
 * ScopeArgs and the port/address Args) are not among the imports at the top of this program;
 * both must be supplied before this compiles.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Customer-managed KMS key for the stored inspection configuration.
        // NOTE(review): 7 days is the minimum deletion window KMS accepts; once the key is deleted,
        // data encrypted under it is unrecoverable — confirm this is intended for a key that
        // protects a security control.
        var example = new Key("example", KeyArgs.builder()
            .description("example")
            .deletionWindowInDays(7)
            .build());

        var exampleTlsInspectionConfiguration = new TlsInspectionConfiguration("exampleTlsInspectionConfiguration", TlsInspectionConfigurationArgs.builder()
            .name("example")
            .description("example")
            // CUSTOMER_KMS: keyId is the ARN of the key above rather than the AWS_OWNED_KMS_KEY placeholder.
            .encryptionConfigurations(TlsInspectionConfigurationEncryptionConfigurationArgs.builder()
                .keyId(example.arn())
                .type("CUSTOMER_KMS")
                .build())
            .tlsInspectionConfiguration(TlsInspectionConfigurationTlsInspectionConfigurationArgs.builder()
                .serverCertificateConfiguration(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs.builder()
                    // Inbound inspection only: example1 is a pre-existing ACM certificate (not defined here).
                    .serverCertificates(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs.builder()
                        .resourceArn(example1.arn())
                        .build())
                    // Scope: TCP (IP protocol 6), any source port, destination port 443, all addresses in
                    // both directions. Every 443 session the firewall policy routes here is decrypted —
                    // narrow sources/destinations to the CIDRs that actually need inspection.
                    .scopes(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs.builder()
                        .protocols(6)
                        .destinationPorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs.builder()
                            .fromPort(443)
                            .toPort(443)
                            .build())
                        .destinations(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs.builder()
                            .addressDefinition("0.0.0.0/0")
                            .build())
                        .sourcePorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs.builder()
                            .fromPort(0)
                            .toPort(65535)
                            .build())
                        .sources(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs.builder()
                            .addressDefinition("0.0.0.0/0")
                            .build())
                        .build())
                    .build())
                .build())
            .build());

    }
}
resources:
  # Customer-managed KMS key that encrypts the stored TLS inspection configuration.
  example:
    type: aws:kms:Key
    properties:
      description: example
      # NOTE(review): 7 days is the minimum deletion window KMS accepts; once the key is deleted,
      # data encrypted under it is unrecoverable — confirm this is intended for a key that
      # protects a security control.
      deletionWindowInDays: 7
  exampleTlsInspectionConfiguration:
    type: aws:networkfirewall:TlsInspectionConfiguration
    name: example
    properties:
      name: example
      description: example
      # CUSTOMER_KMS: keyId is the ARN of the key above rather than the AWS_OWNED_KMS_KEY placeholder.
      encryptionConfigurations:
        - keyId: ${example.arn}
          type: CUSTOMER_KMS
      tlsInspectionConfiguration:
        serverCertificateConfiguration:
          # Inbound inspection only: example1 is a pre-existing ACM certificate (not declared here).
          serverCertificates:
            - resourceArn: ${example1.arn}
          # Scope: TCP (IP protocol 6), any source port, destination port 443, all addresses in
          # both directions. Every 443 session the firewall policy routes here is decrypted —
          # narrow sources/destinations to the CIDRs that actually need inspection.
          scopes:
            - protocols:
                - 6
              destinationPorts:
                - fromPort: 443
                  toPort: 443
              destinations:
                - addressDefinition: 0.0.0.0/0
              sourcePorts:
                - fromPort: 0
                  toPort: 65535
              sources:
                - addressDefinition: 0.0.0.0/0

The encryptionConfigurations property switches from the default AWS-owned key (AWS_OWNED_KMS_KEY) to a customer-managed KMS key. Set type to CUSTOMER_KMS and provide your KMS key ARN. This gives you CloudTrail visibility into key usage and control over rotation and the key policy for the stored inspection configuration data, so treat that key policy as part of the inspection configuration's trust boundary. Note that the example's deletionWindowInDays of 7 is the shortest window KMS allows; once the key is deleted, anything encrypted under it is unrecoverable.

Inspect both inbound and outbound traffic

Most deployments need bidirectional inspection to protect internal services and monitor outbound connections. Outbound inspection is a man-in-the-middle by design: Network Firewall issues certificates from the ACM Private CA you reference, so every client whose traffic is decrypted must trust that CA, and the CA itself becomes a high-value asset to protect.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Scope: TCP (IP protocol 6), any source port, destination port 443, all addresses in both
// directions. Every 443 session the firewall policy routes to this configuration is
// decrypted — narrow sources/destinations to the CIDRs that actually need inspection.
const inspectAllHttps = {
    protocols: [6],
    sourcePorts: [{ fromPort: 0, toPort: 65535 }],
    destinationPorts: [{ fromPort: 443, toPort: 443 }],
    sources: [{ addressDefinition: "0.0.0.0/0" }],
    destinations: [{ addressDefinition: "0.0.0.0/0" }],
};

// Revocation handling for outbound inspection. Revoked certificates are rejected; PASS on an
// unknown status is fail-open (availability over assurance) — use REJECT there as well if you
// would rather fail closed.
const revocationPolicy = {
    revokedStatusAction: "REJECT",
    unknownStatusAction: "PASS",
};

// Bidirectional TLS inspection: a CA for outbound decryption plus a server certificate for
// inbound decryption, both in one serverCertificateConfiguration.
const example = new aws.networkfirewall.TlsInspectionConfiguration("example", {
    name: "example",
    description: "example",
    // Stored configuration is encrypted with the default AWS-owned key; see the CUSTOMER_KMS
    // example for using your own key.
    encryptionConfigurations: [{ keyId: "AWS_OWNED_KMS_KEY", type: "AWS_OWNED_KMS_KEY" }],
    tlsInspectionConfiguration: {
        serverCertificateConfiguration: {
            // Outbound: example1 is an ACM Private CA. Inbound: example2 is an ACM certificate
            // for the protected service. Neither is defined in this listing.
            certificateAuthorityArn: example1.arn,
            checkCertificateRevocationStatus: revocationPolicy,
            serverCertificates: [{ resourceArn: example2.arn }],
            scopes: [inspectAllHttps],
        },
    },
});
import pulumi
import pulumi_aws as aws

# Scope: TCP (IP protocol 6), any source port, destination port 443, all addresses in both
# directions. Every 443 session the firewall policy routes to this configuration is
# decrypted -- narrow sources/destinations to the CIDRs that actually need inspection.
inspect_all_https = {
    "protocols": [6],
    "source_ports": [{"from_port": 0, "to_port": 65535}],
    "destination_ports": [{"from_port": 443, "to_port": 443}],
    "sources": [{"address_definition": "0.0.0.0/0"}],
    "destinations": [{"address_definition": "0.0.0.0/0"}],
}

# Revocation handling for outbound inspection. Revoked certificates are rejected; PASS on an
# unknown status is fail-open (availability over assurance) -- use REJECT there as well if
# you would rather fail closed.
revocation_policy = {
    "revoked_status_action": "REJECT",
    "unknown_status_action": "PASS",
}

# Bidirectional TLS inspection: a CA for outbound decryption plus a server certificate for
# inbound decryption, both in one server_certificate_configuration.
example = aws.networkfirewall.TlsInspectionConfiguration(
    "example",
    name="example",
    description="example",
    # Stored configuration is encrypted with the default AWS-owned key; see the CUSTOMER_KMS
    # example for using your own key.
    encryption_configurations=[{"key_id": "AWS_OWNED_KMS_KEY", "type": "AWS_OWNED_KMS_KEY"}],
    tls_inspection_configuration={
        "server_certificate_configuration": {
            # Outbound: example1 is an ACM Private CA. Inbound: example2 is an ACM certificate
            # for the protected service. Neither is defined in this listing.
            "certificate_authority_arn": example1["arn"],
            "check_certificate_revocation_status": revocation_policy,
            "server_certificates": [{"resource_arn": example2["arn"]}],
            "scopes": [inspect_all_https],
        },
    },
)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main builds a Network Firewall TLS inspection configuration that decrypts both
// directions: outbound via an ACM Private CA (example1) and inbound via an ACM server
// certificate (example2). Neither example1 nor example2 is defined in this listing.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkfirewall.NewTlsInspectionConfiguration(ctx, "example", &networkfirewall.TlsInspectionConfigurationArgs{
			Name:        pulumi.String("example"),
			Description: pulumi.String("example"),
			// Stored configuration is encrypted with the default AWS-owned key; use
			// CUSTOMER_KMS with a key ARN to bring your own key.
			EncryptionConfigurations: networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArray{
				&networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArgs{
					KeyId: pulumi.String("AWS_OWNED_KMS_KEY"),
					Type:  pulumi.String("AWS_OWNED_KMS_KEY"),
				},
			},
			TlsInspectionConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationArgs{
				ServerCertificateConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs{
					// Outbound inspection: certificates presented to clients are issued from this CA.
					CertificateAuthorityArn: pulumi.Any(example1.Arn),
					// Revoked server certificates are rejected; PASS on an unknown status is
					// fail-open (availability over assurance) — use REJECT there too to fail closed.
					CheckCertificateRevocationStatus: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs{
						RevokedStatusAction: pulumi.String("REJECT"),
						UnknownStatusAction: pulumi.String("PASS"),
					},
					// Inbound inspection: the ACM certificate of the protected service.
					ServerCertificates: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArray{
						&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs{
							ResourceArn: pulumi.Any(example2.Arn),
						},
					},
					// Scope (applies to both directions): TCP (IP protocol 6), any source port,
					// destination port 443, all addresses. Every 443 session the firewall policy
					// routes here is decrypted — narrow to the CIDRs that actually need inspection.
					Scopes: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArray{
						&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs{
							Protocols: pulumi.IntArray{
								pulumi.Int(6),
							},
							DestinationPorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArray{
								&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs{
									FromPort: pulumi.Int(443),
									ToPort:   pulumi.Int(443),
								},
							},
							Destinations: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArray{
								&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs{
									AddressDefinition: pulumi.String("0.0.0.0/0"),
								},
							},
							SourcePorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArray{
								&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs{
									FromPort: pulumi.Int(0),
									ToPort:   pulumi.Int(65535),
								},
							},
							Sources: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArray{
								&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs{
									AddressDefinition: pulumi.String("0.0.0.0/0"),
								},
							},
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    // Bidirectional TLS inspection: a CA for outbound decryption (example1) plus a server
    // certificate for inbound decryption (example2). Neither is defined in this listing.
    var example = new Aws.NetworkFirewall.TlsInspectionConfiguration("example", new()
    {
        Name = "example",
        Description = "example",
        // Stored configuration is encrypted with the default AWS-owned key; use CUSTOMER_KMS
        // with a key ARN to bring your own key.
        EncryptionConfigurations = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationEncryptionConfigurationArgs
            {
                KeyId = "AWS_OWNED_KMS_KEY",
                Type = "AWS_OWNED_KMS_KEY",
            },
        },
        // The C# SDK exposes this input as TlsInspectionConfig; the other SDKs on this page call it
        // tlsInspectionConfiguration.
        TlsInspectionConfig = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs
        {
            ServerCertificateConfiguration = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs
            {
                // Outbound inspection: certificates presented to clients are issued from this CA.
                CertificateAuthorityArn = example1.Arn,
                // Revoked server certificates are rejected; PASS on an unknown status is fail-open
                // (availability over assurance) — use REJECT there too if you want to fail closed.
                CheckCertificateRevocationStatus = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs
                {
                    RevokedStatusAction = "REJECT",
                    UnknownStatusAction = "PASS",
                },
                // Inbound inspection: the ACM certificate of the protected service.
                ServerCertificates = new[]
                {
                    new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs
                    {
                        ResourceArn = example2.Arn,
                    },
                },
                // Scope (applies to both directions): TCP (IP protocol 6), any source port,
                // destination port 443, all addresses. Every 443 session the firewall policy routes
                // here is decrypted — narrow Sources/Destinations to the CIDRs that actually need inspection.
                Scopes = new[]
                {
                    new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs
                    {
                        Protocols = new[]
                        {
                            6,
                        },
                        DestinationPorts = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs
                            {
                                FromPort = 443,
                                ToPort = 443,
                            },
                        },
                        Destinations = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs
                            {
                                AddressDefinition = "0.0.0.0/0",
                            },
                        },
                        SourcePorts = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs
                            {
                                FromPort = 0,
                                ToPort = 65535,
                            },
                        },
                        Sources = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs
                            {
                                AddressDefinition = "0.0.0.0/0",
                            },
                        },
                    },
                },
            },
        },
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.TlsInspectionConfiguration;
import com.pulumi.aws.networkfirewall.TlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationEncryptionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Builds a Network Firewall TLS inspection configuration that decrypts both directions:
 * outbound via an ACM Private CA ({@code example1}) and inbound via an ACM server certificate
 * ({@code example2}).
 *
 * NOTE(review): neither {@code example1} nor {@code example2} is defined in this listing, and
 * the nested builder types used below (the ServerCertificateArgs, ScopeArgs and the
 * port/address Args) are not among the imports at the top of this program; both must be
 * supplied before this compiles.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new TlsInspectionConfiguration("example", TlsInspectionConfigurationArgs.builder()
            .name("example")
            .description("example")
            // Stored configuration is encrypted with the default AWS-owned key; use CUSTOMER_KMS
            // with a key ARN to bring your own key.
            .encryptionConfigurations(TlsInspectionConfigurationEncryptionConfigurationArgs.builder()
                .keyId("AWS_OWNED_KMS_KEY")
                .type("AWS_OWNED_KMS_KEY")
                .build())
            .tlsInspectionConfiguration(TlsInspectionConfigurationTlsInspectionConfigurationArgs.builder()
                .serverCertificateConfiguration(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs.builder()
                    // Outbound inspection: certificates presented to clients are issued from this CA.
                    .certificateAuthorityArn(example1.arn())
                    // Revoked server certificates are rejected; PASS on an unknown status is fail-open
                    // (availability over assurance) — use REJECT there too if you want to fail closed.
                    .checkCertificateRevocationStatus(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs.builder()
                        .revokedStatusAction("REJECT")
                        .unknownStatusAction("PASS")
                        .build())
                    // Inbound inspection: the ACM certificate of the protected service.
                    .serverCertificates(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs.builder()
                        .resourceArn(example2.arn())
                        .build())
                    // Scope (applies to both directions): TCP (IP protocol 6), any source port,
                    // destination port 443, all addresses. Every 443 session the firewall policy routes
                    // here is decrypted — narrow sources/destinations to the CIDRs that actually need inspection.
                    .scopes(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs.builder()
                        .protocols(6)
                        .destinationPorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs.builder()
                            .fromPort(443)
                            .toPort(443)
                            .build())
                        .destinations(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs.builder()
                            .addressDefinition("0.0.0.0/0")
                            .build())
                        .sourcePorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs.builder()
                            .fromPort(0)
                            .toPort(65535)
                            .build())
                        .sources(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs.builder()
                            .addressDefinition("0.0.0.0/0")
                            .build())
                        .build())
                    .build())
                .build())
            .build());

    }
}
resources:
  # Bidirectional TLS inspection: a CA for outbound decryption (example1) plus a server
  # certificate for inbound decryption (example2). Neither is declared in this listing.
  example:
    type: aws:networkfirewall:TlsInspectionConfiguration
    properties:
      name: example
      description: example
      # Stored configuration is encrypted with the default AWS-owned key; use CUSTOMER_KMS with
      # a key ARN to bring your own key.
      encryptionConfigurations:
        - keyId: AWS_OWNED_KMS_KEY
          type: AWS_OWNED_KMS_KEY
      tlsInspectionConfiguration:
        serverCertificateConfiguration:
          # Outbound inspection: certificates presented to clients are issued from this CA.
          certificateAuthorityArn: ${example1.arn}
          # Revoked server certificates are rejected; PASS on an unknown status is fail-open
          # (availability over assurance) — use REJECT there too if you want to fail closed.
          checkCertificateRevocationStatus:
            revokedStatusAction: REJECT
            unknownStatusAction: PASS
          # Inbound inspection: the ACM certificate of the protected service.
          serverCertificates:
            - resourceArn: ${example2.arn}
          # Scope (applies to both directions): TCP (IP protocol 6), any source port,
          # destination port 443, all addresses. Every 443 session the firewall policy routes
          # here is decrypted — narrow sources/destinations to the CIDRs that actually need inspection.
          scopes:
            - protocols:
                - 6
              destinationPorts:
                - fromPort: 443
                  toPort: 443
              destinations:
                - addressDefinition: 0.0.0.0/0
              sourcePorts:
                - fromPort: 0
                  toPort: 65535
              sources:
                - addressDefinition: 0.0.0.0/0

A single configuration can handle both directions by including both serverCertificates (for inbound) and certificateAuthorityArn (for outbound). Network Firewall applies the appropriate inspection method based on traffic direction. The scopes property applies to both directions, defining which connections to decrypt; the example's scope (any source, any destination, TCP port 443) decrypts every HTTPS session the firewall policy routes to this configuration, so narrow it to the address ranges you actually need to inspect. Note also that checkCertificateRevocationStatus in the example is fail-open: a revoked certificate is rejected, but a certificate whose revocation status cannot be determined is passed. That trades assurance for availability; set unknownStatusAction to REJECT if you would rather fail closed.

Beyond these examples

These snippets focus on specific TLS inspection features: inbound and outbound TLS inspection, customer-managed KMS encryption, and certificate revocation checking. They’re intentionally minimal rather than full firewall deployments.

The examples require pre-existing infrastructure such as ACM certificates for inbound inspection, ACM Private CA for outbound inspection, and KMS keys for customer-managed encryption. They focus on inspection configuration rather than provisioning certificates or firewall policies.

To keep things focused, common inspection patterns are omitted, including:

  • Scope refinement (specific IP ranges, ports, protocols)
  • Multiple certificate configurations
  • Integration with firewall policies
  • Certificate rotation and renewal

These omissions are intentional: the goal is to illustrate how each inspection feature is wired, not provide drop-in firewall modules. See the TLS Inspection Configuration resource reference for all available configuration options.


Frequently Asked Questions

Configuration Requirements
What inspection directions must I configure?
You must configure at least one direction: inbound inspection, outbound inspection, or both. Configure serverCertificates for inbound, certificateAuthorityArn for outbound, or both for bidirectional inspection.
Inspection Directions
What's the difference between inbound and outbound TLS inspection?
Inbound inspection uses serverCertificates with an ACM certificate ARN for ingress traffic. Outbound inspection uses certificateAuthorityArn with optional certificate revocation checking for egress traffic.
Can I inspect both inbound and outbound traffic in the same configuration?
Yes, configure both serverCertificates and certificateAuthorityArn within the same serverCertificateConfiguration block.
Encryption & Security
What encryption options are available for TLS inspection configurations?
Two options: AWS_OWNED_KMS_KEY (the default) to encrypt with an AWS-owned key, or CUSTOMER_KMS to use your own customer-managed KMS key, which gives you control over the key policy and rotation and makes key usage visible in your CloudTrail.
How do I use my own KMS key for encryption?
Set encryptionConfigurations with type: "CUSTOMER_KMS" and keyId pointing to your KMS key ARN.
What does checkCertificateRevocationStatus do?
It configures how Network Firewall handles certificate revocation checks for outbound inspection. You can set actions for revoked certificates (revokedStatusAction) and certificates with unknown status (unknownStatusAction).
What are the available actions for certificate revocation status?
The same action values apply to both fields. The example uses REJECT for revokedStatusAction to block connections to servers presenting a revoked certificate, and PASS for unknownStatusAction to allow traffic when the revocation status can't be determined. PASS on unknown status is fail-open — an unreachable OCSP responder or CRL silently disables the check — so use REJECT there as well if you prefer to fail closed.
