published on Friday, Apr 24, 2026 by Pulumi
Resource for NGFW manipulation.
NOTE: Having the `rulestack` param reference the rulestack name from `cloudngfwaws.CommitRulestack` ensures that Terraform will only try to spin up a NGFW instance if the commit is successful.
Admin Permission Type
Firewall
Configuration Guide
V1 Schema — Existing Deployments Only
Important: V1 schema is for existing customers who already have firewalls deployed with Terraform. New firewalls must be created using the V2 schema.
1. Managing an Existing Firewall (no configuration changes)
Use the V1 schema as-is. No steps required beyond ensuring your existing state is in sync.
Steps:
1. Verify there is no unintended drift by running a plan. 2. If the plan is clean, no action is needed. If drift is detected, review and apply.
Full example — existing V1 firewall:
import * as pulumi from "@pulumi/pulumi";
import * as cloudngfwaws from "@pulumi/cloudngfwaws";
// Commit the rulestack first; the firewall below references the commit's
// output, so it is only created once the commit has succeeded.
const committed = new cloudngfwaws.CommitRulestack("rs", { rulestack: "my-rulestack" });

// V1 schema, ServiceManaged mode: one mapping per endpoint subnet
// (subnet1 and subnet2 are defined elsewhere in the program).
const endpointSubnets = [subnet1, subnet2].map(s => ({ subnetId: s.id }));

const firewall = new cloudngfwaws.Ngfw("example", {
    name: "example-instance",
    vpcId: exampleAwsVpc.id,        // VPC resource defined elsewhere in the program
    accountId: "111111111111",      // placeholder 12-digit AWS account ID
    description: "Example description",
    endpointMode: "ServiceManaged",
    subnetMappings: endpointSubnets,
    rulestack: committed.rulestack, // depends on the commit above succeeding
    tags: { Foo: "bar" },
});
import pulumi
import pulumi_cloudngfwaws as cloudngfwaws
# Commit the rulestack first; referencing its output below ties firewall
# creation to a successful commit.
committed = cloudngfwaws.CommitRulestack("rs", rulestack="my-rulestack")

# V1 schema, ServiceManaged mode: one mapping per endpoint subnet
# (subnet1 and subnet2 are defined elsewhere in the program).
endpoint_subnets = [{"subnet_id": s["id"]} for s in (subnet1, subnet2)]

firewall = cloudngfwaws.Ngfw(
    "example",
    name="example-instance",
    vpc_id=example_aws_vpc["id"],  # VPC defined elsewhere in the program
    account_id="111111111111",  # placeholder 12-digit AWS account ID
    description="Example description",
    endpoint_mode="ServiceManaged",
    subnet_mappings=endpoint_subnets,
    rulestack=committed.rulestack,  # depends on the commit above succeeding
    tags={"Foo": "bar"},
)
package main
import (
"github.com/pulumi/pulumi-cloudngfwaws/sdk/v2/go/cloudngfwaws"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a committed rulestack and a V1 (ServiceManaged) firewall
// whose creation depends on that commit succeeding.
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Commit the rulestack first; the firewall references the commit's
        // output, so it is only created once the commit has succeeded.
        commit, err := cloudngfwaws.NewCommitRulestack(ctx, "rs", &cloudngfwaws.CommitRulestackArgs{
            Rulestack: pulumi.String("my-rulestack"),
        })
        if err != nil {
            return err
        }

        // One mapping per endpoint subnet (subnet1/subnet2 are defined
        // elsewhere in the program).
        endpointSubnets := cloudngfwaws.NgfwSubnetMappingArray{
            &cloudngfwaws.NgfwSubnetMappingArgs{SubnetId: pulumi.Any(subnet1.Id)},
            &cloudngfwaws.NgfwSubnetMappingArgs{SubnetId: pulumi.Any(subnet2.Id)},
        }

        _, err = cloudngfwaws.NewNgfw(ctx, "example", &cloudngfwaws.NgfwArgs{
            Name:           pulumi.String("example-instance"),
            VpcId:          pulumi.Any(exampleAwsVpc.Id),  // VPC defined elsewhere in the program
            AccountId:      pulumi.String("111111111111"), // placeholder 12-digit AWS account ID
            Description:    pulumi.String("Example description"),
            EndpointMode:   pulumi.String("ServiceManaged"),
            SubnetMappings: endpointSubnets,
            Rulestack:      commit.Rulestack, // depends on the commit above succeeding
            Tags:           pulumi.StringMap{"Foo": pulumi.String("bar")},
        })
        // A nil err here is returned as-is, which is the success path.
        return err
    })
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using CloudNgfwAws = Pulumi.CloudNgfwAws;
return await Deployment.RunAsync(() =>
{
    // Commit the rulestack first; the firewall references the commit's
    // output, so it is only created once the commit has succeeded.
    var committed = new CloudNgfwAws.Index.CommitRulestack("rs", new()
    {
        Rulestack = "my-rulestack",
    });

    // V1 schema, ServiceManaged mode: one mapping per endpoint subnet
    // (subnet1 and subnet2 are defined elsewhere in the program).
    var endpointSubnets = new[]
    {
        new CloudNgfwAws.Inputs.NgfwSubnetMappingArgs { SubnetId = subnet1.Id },
        new CloudNgfwAws.Inputs.NgfwSubnetMappingArgs { SubnetId = subnet2.Id },
    };

    var firewall = new CloudNgfwAws.Index.Ngfw("example", new()
    {
        Name = "example-instance",
        VpcId = exampleAwsVpc.Id,          // VPC defined elsewhere in the program
        AccountId = "111111111111",        // placeholder 12-digit AWS account ID
        Description = "Example description",
        EndpointMode = "ServiceManaged",
        SubnetMappings = endpointSubnets,
        Rulestack = committed.Rulestack,   // depends on the commit above succeeding
        Tags = { { "Foo", "bar" } },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cloudngfwaws.CommitRulestack;
import com.pulumi.cloudngfwaws.CommitRulestackArgs;
import com.pulumi.cloudngfwaws.Ngfw;
import com.pulumi.cloudngfwaws.NgfwArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwSubnetMappingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares a committed rulestack and the V1 firewall that depends on it. */
    public static void stack(Context ctx) {
        // Commit the rulestack first; the firewall references the commit's
        // output, so it is only created once the commit has succeeded.
        var committed = new CommitRulestack("rs", CommitRulestackArgs.builder()
            .rulestack("my-rulestack")
            .build());

        // V1 schema, ServiceManaged mode: one mapping per endpoint subnet
        // (subnet1 and subnet2 are defined elsewhere in the program).
        var firstSubnet = NgfwSubnetMappingArgs.builder().subnetId(subnet1.id()).build();
        var secondSubnet = NgfwSubnetMappingArgs.builder().subnetId(subnet2.id()).build();

        var firewall = new Ngfw("example", NgfwArgs.builder()
            .name("example-instance")
            .vpcId(exampleAwsVpc.id())          // VPC defined elsewhere in the program
            .accountId("111111111111")          // placeholder 12-digit AWS account ID
            .description("Example description")
            .endpointMode("ServiceManaged")
            .subnetMappings(firstSubnet, secondSubnet)
            .rulestack(committed.rulestack())   // depends on the commit above succeeding
            .tags(Map.of("Foo", "bar"))
            .build());
    }
}
resources:
  # Commit the rulestack first; the firewall references ${rs.rulestack},
  # so it is only created once the commit has succeeded.
  rs:
    type: cloudngfwaws:CommitRulestack
    properties:
      rulestack: my-rulestack
  example:
    type: cloudngfwaws:Ngfw
    properties:
      name: example-instance
      vpcId: ${exampleAwsVpc.id}   # VPC defined elsewhere in the program
      accountId: '111111111111'    # placeholder 12-digit AWS account ID (quoted so it stays a string)
      description: Example description
      endpointMode: ServiceManaged
      subnetMappings:              # V1 schema: one mapping per endpoint subnet
        - subnetId: ${subnet1.id}
        - subnetId: ${subnet2.id}
      rulestack: ${rs.rulestack}   # depends on the commit above succeeding
      tags: {Foo: bar}
2. Configuring Egress NAT on an Existing Firewall (V1)
Egress NAT can be added to an existing V1 firewall without recreating the resource.
`ipPoolType` accepts `AWSService` or `BYOIP`. Use `BYOIP` together with `ipamPoolId` if bringing your own IP pool.
Steps:
1. Add the `egressNat` block to your existing resource.
Full example — existing V1 firewall with Egress NAT enabled:
import * as pulumi from "@pulumi/pulumi";
import * as cloudngfwaws from "@pulumi/cloudngfwaws";
// V1 schema, CustomerManaged mode: endpoints are placed by availability zone.
const endpointZones = ["us-east-1a", "us-east-1c"].map(az => ({ availabilityZone: az }));

// Firewall-level egress NAT drawing addresses from an AWS-provided pool
// (ipPoolType may also be BYOIP together with ipamPoolId).
const egressNat = [{ enabled: true, settings: [{ ipPoolType: "AWSService" }] }];

const firewall = new cloudngfwaws.Ngfw("example", {
    name: "example-instance",
    vpcId: "vpc-0a1b2c3d4e5f00001",
    accountId: "111111111111", // placeholder 12-digit AWS account ID
    description: "Example description",
    endpointMode: "CustomerManaged",
    subnetMappings: endpointZones,
    rulestack: "my-rulestack",
    egressNats: egressNat,
    tags: { Foo: "bar" },
});
import pulumi
import pulumi_cloudngfwaws as cloudngfwaws
# V1 schema, CustomerManaged mode: endpoints are placed by availability zone.
endpoint_zones = [{"availability_zone": az} for az in ("us-east-1a", "us-east-1c")]

# Firewall-level egress NAT drawing addresses from an AWS-provided pool
# (ip_pool_type may also be BYOIP together with ipam_pool_id).
egress_nat = [{"enabled": True, "settings": [{"ip_pool_type": "AWSService"}]}]

firewall = cloudngfwaws.Ngfw(
    "example",
    name="example-instance",
    vpc_id="vpc-0a1b2c3d4e5f00001",
    account_id="111111111111",  # placeholder 12-digit AWS account ID
    description="Example description",
    endpoint_mode="CustomerManaged",
    subnet_mappings=endpoint_zones,
    rulestack="my-rulestack",
    egress_nats=egress_nat,
    tags={"Foo": "bar"},
)
package main
import (
"github.com/pulumi/pulumi-cloudngfwaws/sdk/v2/go/cloudngfwaws"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a V1 (CustomerManaged) firewall with firewall-level egress NAT.
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Endpoints are placed by availability zone in CustomerManaged mode.
        endpointZones := cloudngfwaws.NgfwSubnetMappingArray{
            &cloudngfwaws.NgfwSubnetMappingArgs{AvailabilityZone: pulumi.String("us-east-1a")},
            &cloudngfwaws.NgfwSubnetMappingArgs{AvailabilityZone: pulumi.String("us-east-1c")},
        }

        // Egress NAT from an AWS-provided pool (IpPoolType may also be BYOIP).
        egressNat := cloudngfwaws.NgfwEgressNatArray{
            &cloudngfwaws.NgfwEgressNatArgs{
                Enabled: pulumi.Bool(true),
                Settings: cloudngfwaws.NgfwEgressNatSettingArray{
                    &cloudngfwaws.NgfwEgressNatSettingArgs{IpPoolType: pulumi.String("AWSService")},
                },
            },
        }

        _, err := cloudngfwaws.NewNgfw(ctx, "example", &cloudngfwaws.NgfwArgs{
            Name:           pulumi.String("example-instance"),
            VpcId:          pulumi.String("vpc-0a1b2c3d4e5f00001"),
            AccountId:      pulumi.String("111111111111"), // placeholder 12-digit AWS account ID
            Description:    pulumi.String("Example description"),
            EndpointMode:   pulumi.String("CustomerManaged"),
            SubnetMappings: endpointZones,
            Rulestack:      pulumi.String("my-rulestack"),
            EgressNats:     egressNat,
            Tags:           pulumi.StringMap{"Foo": pulumi.String("bar")},
        })
        // A nil err here is returned as-is, which is the success path.
        return err
    })
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using CloudNgfwAws = Pulumi.CloudNgfwAws;
return await Deployment.RunAsync(() =>
{
    // V1 schema, CustomerManaged mode: endpoints are placed by availability zone.
    var endpointZones = new[]
    {
        new CloudNgfwAws.Inputs.NgfwSubnetMappingArgs { AvailabilityZone = "us-east-1a" },
        new CloudNgfwAws.Inputs.NgfwSubnetMappingArgs { AvailabilityZone = "us-east-1c" },
    };

    // Firewall-level egress NAT from an AWS-provided pool (IpPoolType may also be BYOIP).
    var egressNat = new CloudNgfwAws.Inputs.NgfwEgressNatArgs
    {
        Enabled = true,
        Settings = new[]
        {
            new CloudNgfwAws.Inputs.NgfwEgressNatSettingArgs { IpPoolType = "AWSService" },
        },
    };

    var firewall = new CloudNgfwAws.Index.Ngfw("example", new()
    {
        Name = "example-instance",
        VpcId = "vpc-0a1b2c3d4e5f00001",
        AccountId = "111111111111",   // placeholder 12-digit AWS account ID
        Description = "Example description",
        EndpointMode = "CustomerManaged",
        SubnetMappings = endpointZones,
        Rulestack = "my-rulestack",
        EgressNats = new[] { egressNat },
        Tags = { { "Foo", "bar" } },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cloudngfwaws.Ngfw;
import com.pulumi.cloudngfwaws.NgfwArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwSubnetMappingArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwEgressNatArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwEgressNatSettingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares a V1 (CustomerManaged) firewall with firewall-level egress NAT. */
    public static void stack(Context ctx) {
        // Endpoints are placed by availability zone in CustomerManaged mode.
        var zoneA = NgfwSubnetMappingArgs.builder().availabilityZone("us-east-1a").build();
        var zoneC = NgfwSubnetMappingArgs.builder().availabilityZone("us-east-1c").build();

        // Egress NAT from an AWS-provided pool (ipPoolType may also be BYOIP).
        var egressNat = NgfwEgressNatArgs.builder()
            .enabled(true)
            .settings(NgfwEgressNatSettingArgs.builder()
                .ipPoolType("AWSService")
                .build())
            .build();

        var firewall = new Ngfw("example", NgfwArgs.builder()
            .name("example-instance")
            .vpcId("vpc-0a1b2c3d4e5f00001")
            .accountId("111111111111")   // placeholder 12-digit AWS account ID
            .description("Example description")
            .endpointMode("CustomerManaged")
            .subnetMappings(zoneA, zoneC)
            .rulestack("my-rulestack")
            .egressNats(egressNat)
            .tags(Map.of("Foo", "bar"))
            .build());
    }
}
resources:
  example:
    type: cloudngfwaws:Ngfw
    properties:
      name: example-instance
      vpcId: vpc-0a1b2c3d4e5f00001
      accountId: '111111111111'    # placeholder 12-digit AWS account ID (quoted so it stays a string)
      description: Example description
      endpointMode: CustomerManaged
      subnetMappings:              # CustomerManaged mode: endpoints placed by availability zone
        - {availabilityZone: us-east-1a}
        - {availabilityZone: us-east-1c}
      rulestack: my-rulestack
      egressNats:                  # firewall-level egress NAT; ipPoolType may also be BYOIP
        - enabled: true
          settings:
            - {ipPoolType: AWSService}
      tags: {Foo: bar}
To disable Egress NAT: set enabled = false and re-apply.
3. Configuring Security Zones on an Existing Firewall (V1)
Security zones let you enable or disable Egress NAT per endpoint and add or remove private CIDR prefixes.
Prerequisite: Endpoints must be successfully created and in `ACCEPTED` state before security zones can be configured. Check `status.attachment[*].status` in Terraform state or the AWS console before proceeding.
Steps:
1. Confirm endpoint status is `ACCEPTED`: `terraform show | grep -A 10 "attachment"`
2. Copy the `endpointId` value from the `status.attachment` output.
3. Add the `securityZones` block to your existing resource referencing that endpoint ID.
**Full example — existing V1 firewall with Egress NAT and security zones:**
import * as pulumi from "@pulumi/pulumi";
import * as cloudngfwaws from "@pulumi/cloudngfwaws";
// V1 schema, CustomerManaged mode: endpoints are placed by availability zone.
const endpointZones = ["us-east-1a", "us-east-1c"].map(az => ({ availabilityZone: az }));

// Firewall-level egress NAT from an AWS-provided pool (ipPoolType may also be BYOIP).
const egressNat = [{ enabled: true, settings: [{ ipPoolType: "AWSService" }] }];

// Private address space for the zone: the RFC 1918 ranges plus
// 100.64.0.0/10 (RFC 6598 shared address space).
const privateCidrs = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"];

// One security zone per endpoint; endpointId is copied from the
// status.attachment output once the endpoint is ACCEPTED.
const zones = [{
    endpointId: "vpce-0a1b2c3d4e5f00001",
    egressNatEnabled: true,
    prefixes: [{ privatePrefixes: [{ cidrs: privateCidrs }] }],
}];

const firewall = new cloudngfwaws.Ngfw("example", {
    name: "example-instance",
    vpcId: "vpc-0a1b2c3d4e5f00001",
    accountId: "111111111111", // placeholder 12-digit AWS account ID
    description: "Example description",
    endpointMode: "CustomerManaged",
    subnetMappings: endpointZones,
    rulestack: "my-rulestack",
    egressNats: egressNat,
    securityZones: zones,
    tags: { Foo: "bar" },
});
import pulumi
import pulumi_cloudngfwaws as cloudngfwaws
# V1 schema, CustomerManaged mode: endpoints are placed by availability zone.
endpoint_zones = [{"availability_zone": az} for az in ("us-east-1a", "us-east-1c")]

# Firewall-level egress NAT from an AWS-provided pool (ip_pool_type may also be BYOIP).
egress_nat = [{"enabled": True, "settings": [{"ip_pool_type": "AWSService"}]}]

# Private address space for the zone: the RFC 1918 ranges plus
# 100.64.0.0/10 (RFC 6598 shared address space).
private_cidrs = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"]

# One security zone per endpoint; endpoint_id is copied from the
# status.attachment output once the endpoint is ACCEPTED.
zones = [{
    "endpoint_id": "vpce-0a1b2c3d4e5f00001",
    "egress_nat_enabled": True,
    "prefixes": [{"private_prefixes": [{"cidrs": private_cidrs}]}],
}]

firewall = cloudngfwaws.Ngfw(
    "example",
    name="example-instance",
    vpc_id="vpc-0a1b2c3d4e5f00001",
    account_id="111111111111",  # placeholder 12-digit AWS account ID
    description="Example description",
    endpoint_mode="CustomerManaged",
    subnet_mappings=endpoint_zones,
    rulestack="my-rulestack",
    egress_nats=egress_nat,
    security_zones=zones,
    tags={"Foo": "bar"},
)
package main
import (
"github.com/pulumi/pulumi-cloudngfwaws/sdk/v2/go/cloudngfwaws"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a V1 (CustomerManaged) firewall with firewall-level egress NAT
// and one security zone carrying private prefixes.
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Endpoints are placed by availability zone in CustomerManaged mode.
        endpointZones := cloudngfwaws.NgfwSubnetMappingArray{
            &cloudngfwaws.NgfwSubnetMappingArgs{AvailabilityZone: pulumi.String("us-east-1a")},
            &cloudngfwaws.NgfwSubnetMappingArgs{AvailabilityZone: pulumi.String("us-east-1c")},
        }

        // Egress NAT from an AWS-provided pool (IpPoolType may also be BYOIP).
        egressNat := cloudngfwaws.NgfwEgressNatArray{
            &cloudngfwaws.NgfwEgressNatArgs{
                Enabled: pulumi.Bool(true),
                Settings: cloudngfwaws.NgfwEgressNatSettingArray{
                    &cloudngfwaws.NgfwEgressNatSettingArgs{IpPoolType: pulumi.String("AWSService")},
                },
            },
        }

        // Private address space for the zone: the RFC 1918 ranges plus
        // 100.64.0.0/10 (RFC 6598 shared address space).
        privateCidrs := pulumi.StringArray{
            pulumi.String("10.0.0.0/8"),
            pulumi.String("172.16.0.0/12"),
            pulumi.String("192.168.0.0/16"),
            pulumi.String("100.64.0.0/10"),
        }

        // One security zone per endpoint; EndpointId is copied from the
        // status.attachment output once the endpoint is ACCEPTED.
        zones := cloudngfwaws.NgfwSecurityZoneArray{
            &cloudngfwaws.NgfwSecurityZoneArgs{
                EndpointId:       pulumi.String("vpce-0a1b2c3d4e5f00001"),
                EgressNatEnabled: pulumi.Bool(true),
                Prefixes: cloudngfwaws.NgfwSecurityZonePrefixArray{
                    &cloudngfwaws.NgfwSecurityZonePrefixArgs{
                        PrivatePrefixes: cloudngfwaws.NgfwSecurityZonePrefixPrivatePrefixArray{
                            &cloudngfwaws.NgfwSecurityZonePrefixPrivatePrefixArgs{Cidrs: privateCidrs},
                        },
                    },
                },
            },
        }

        _, err := cloudngfwaws.NewNgfw(ctx, "example", &cloudngfwaws.NgfwArgs{
            Name:           pulumi.String("example-instance"),
            VpcId:          pulumi.String("vpc-0a1b2c3d4e5f00001"),
            AccountId:      pulumi.String("111111111111"), // placeholder 12-digit AWS account ID
            Description:    pulumi.String("Example description"),
            EndpointMode:   pulumi.String("CustomerManaged"),
            SubnetMappings: endpointZones,
            Rulestack:      pulumi.String("my-rulestack"),
            EgressNats:     egressNat,
            SecurityZones:  zones,
            Tags:           pulumi.StringMap{"Foo": pulumi.String("bar")},
        })
        // A nil err here is returned as-is, which is the success path.
        return err
    })
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using CloudNgfwAws = Pulumi.CloudNgfwAws;
return await Deployment.RunAsync(() =>
{
    // V1 schema, CustomerManaged mode: endpoints are placed by availability zone.
    var endpointZones = new[]
    {
        new CloudNgfwAws.Inputs.NgfwSubnetMappingArgs { AvailabilityZone = "us-east-1a" },
        new CloudNgfwAws.Inputs.NgfwSubnetMappingArgs { AvailabilityZone = "us-east-1c" },
    };

    // Firewall-level egress NAT from an AWS-provided pool (IpPoolType may also be BYOIP).
    var egressNat = new CloudNgfwAws.Inputs.NgfwEgressNatArgs
    {
        Enabled = true,
        Settings = new[]
        {
            new CloudNgfwAws.Inputs.NgfwEgressNatSettingArgs { IpPoolType = "AWSService" },
        },
    };

    // Private address space for the zone: the RFC 1918 ranges plus
    // 100.64.0.0/10 (RFC 6598 shared address space).
    var privateCidrs = new[] { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10" };

    // One security zone per endpoint; EndpointId is copied from the
    // status.attachment output once the endpoint is ACCEPTED.
    var zone = new CloudNgfwAws.Inputs.NgfwSecurityZoneArgs
    {
        EndpointId = "vpce-0a1b2c3d4e5f00001",
        EgressNatEnabled = true,
        Prefixes = new[]
        {
            new CloudNgfwAws.Inputs.NgfwSecurityZonePrefixArgs
            {
                PrivatePrefixes = new[]
                {
                    new CloudNgfwAws.Inputs.NgfwSecurityZonePrefixPrivatePrefixArgs { Cidrs = privateCidrs },
                },
            },
        },
    };

    var firewall = new CloudNgfwAws.Index.Ngfw("example", new()
    {
        Name = "example-instance",
        VpcId = "vpc-0a1b2c3d4e5f00001",
        AccountId = "111111111111",   // placeholder 12-digit AWS account ID
        Description = "Example description",
        EndpointMode = "CustomerManaged",
        SubnetMappings = endpointZones,
        Rulestack = "my-rulestack",
        EgressNats = new[] { egressNat },
        SecurityZones = new[] { zone },
        Tags = { { "Foo", "bar" } },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cloudngfwaws.Ngfw;
import com.pulumi.cloudngfwaws.NgfwArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwSubnetMappingArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwEgressNatArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwEgressNatSettingArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwSecurityZoneArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwSecurityZonePrefixArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwSecurityZonePrefixPrivatePrefixArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a V1 (CustomerManaged) firewall with firewall-level egress NAT
     * and one security zone carrying private prefixes.
     */
    public static void stack(Context ctx) {
        // Endpoints are placed by availability zone in CustomerManaged mode.
        var zoneA = NgfwSubnetMappingArgs.builder().availabilityZone("us-east-1a").build();
        var zoneC = NgfwSubnetMappingArgs.builder().availabilityZone("us-east-1c").build();

        // Egress NAT from an AWS-provided pool (ipPoolType may also be BYOIP).
        var egressNat = NgfwEgressNatArgs.builder()
            .enabled(true)
            .settings(NgfwEgressNatSettingArgs.builder()
                .ipPoolType("AWSService")
                .build())
            .build();

        // Private address space for the zone: the RFC 1918 ranges plus
        // 100.64.0.0/10 (RFC 6598 shared address space).
        var privatePrefixes = NgfwSecurityZonePrefixPrivatePrefixArgs.builder()
            .cidrs("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
            .build();

        // One security zone per endpoint; endpointId is copied from the
        // status.attachment output once the endpoint is ACCEPTED.
        var securityZone = NgfwSecurityZoneArgs.builder()
            .endpointId("vpce-0a1b2c3d4e5f00001")
            .egressNatEnabled(true)
            .prefixes(NgfwSecurityZonePrefixArgs.builder()
                .privatePrefixes(privatePrefixes)
                .build())
            .build();

        var firewall = new Ngfw("example", NgfwArgs.builder()
            .name("example-instance")
            .vpcId("vpc-0a1b2c3d4e5f00001")
            .accountId("111111111111")   // placeholder 12-digit AWS account ID
            .description("Example description")
            .endpointMode("CustomerManaged")
            .subnetMappings(zoneA, zoneC)
            .rulestack("my-rulestack")
            .egressNats(egressNat)
            .securityZones(securityZone)
            .tags(Map.of("Foo", "bar"))
            .build());
    }
}
resources:
  example:
    type: cloudngfwaws:Ngfw
    properties:
      name: example-instance
      vpcId: vpc-0a1b2c3d4e5f00001
      accountId: '111111111111'    # placeholder 12-digit AWS account ID (quoted so it stays a string)
      description: Example description
      endpointMode: CustomerManaged
      subnetMappings:              # CustomerManaged mode: endpoints placed by availability zone
        - {availabilityZone: us-east-1a}
        - {availabilityZone: us-east-1c}
      rulestack: my-rulestack
      egressNats:                  # firewall-level egress NAT; ipPoolType may also be BYOIP
        - enabled: true
          settings:
            - {ipPoolType: AWSService}
      securityZones:               # one per endpoint; endpointId comes from status.attachment once ACCEPTED
        - endpointId: vpce-0a1b2c3d4e5f00001
          egressNatEnabled: true
          prefixes:
            - privatePrefixes:
                # RFC 1918 ranges plus 100.64.0.0/10 (RFC 6598 shared address space)
                - cidrs: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10]
      tags: {Foo: bar}
To remove private prefixes: remove the CIDR entries from cidrs and re-apply.
To disable Egress NAT for a specific zone: set egressNatEnabled = false and re-apply.
V2 Schema — New Firewalls
Important: New firewalls can only be created using the V2 schema. Use `azList` instead of `subnetMapping`, and `endpoints` instead of `endpointMode`/`subnetMapping`.
1. Creating a New Firewall (V2)
Firewall creation uses azList to specify availability zones.
Do not include endpoints during creation — they must be added in a separate update after the firewall is running.
Steps:
1. Define the resource with `azList` and no `endpoints` block. 2. Proceed to Step 2 once the firewall reaches `RUNNING` state.
Full example — new V2 firewall (creation only):
import * as pulumi from "@pulumi/pulumi";
import * as cloudngfwaws from "@pulumi/cloudngfwaws";
// V2 schema, creation only: availability zones are given as AZ IDs and no
// endpoints are declared yet (they are added once the firewall is RUNNING).
const availabilityZones = ["use1-az1", "use1-az4"];

const firewall = new cloudngfwaws.Ngfw("example", {
    name: "my-firewall",
    description: "My new firewall",
    azLists: availabilityZones,
    allowlistAccounts: ["111111111111"], // placeholder 12-digit AWS account ID
    tags: { Owner: "my-team" },
});
import pulumi
import pulumi_cloudngfwaws as cloudngfwaws
# V2 schema, creation only: availability zones are given as AZ IDs and no
# endpoints are declared yet (they are added once the firewall is RUNNING).
availability_zones = ["use1-az1", "use1-az4"]

firewall = cloudngfwaws.Ngfw(
    "example",
    name="my-firewall",
    description="My new firewall",
    az_lists=availability_zones,
    allowlist_accounts=["111111111111"],  # placeholder 12-digit AWS account ID
    tags={"Owner": "my-team"},
)
package main
import (
"github.com/pulumi/pulumi-cloudngfwaws/sdk/v2/go/cloudngfwaws"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main creates a V2 firewall without endpoints; endpoints are added in a
// later update once the firewall is RUNNING.
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Availability zones are given as AZ IDs.
        availabilityZones := pulumi.StringArray{
            pulumi.String("use1-az1"),
            pulumi.String("use1-az4"),
        }

        _, err := cloudngfwaws.NewNgfw(ctx, "example", &cloudngfwaws.NgfwArgs{
            Name:              pulumi.String("my-firewall"),
            Description:       pulumi.String("My new firewall"),
            AzLists:           availabilityZones,
            AllowlistAccounts: pulumi.StringArray{pulumi.String("111111111111")}, // placeholder account ID
            Tags:              pulumi.StringMap{"Owner": pulumi.String("my-team")},
        })
        // A nil err here is returned as-is, which is the success path.
        return err
    })
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using CloudNgfwAws = Pulumi.CloudNgfwAws;
return await Deployment.RunAsync(() =>
{
    // V2 schema, creation only: availability zones are given as AZ IDs and no
    // endpoints are declared yet (they are added once the firewall is RUNNING).
    var availabilityZones = new[] { "use1-az1", "use1-az4" };

    var firewall = new CloudNgfwAws.Index.Ngfw("example", new()
    {
        Name = "my-firewall",
        Description = "My new firewall",
        AzLists = availabilityZones,
        AllowlistAccounts = new[] { "111111111111" },   // placeholder 12-digit AWS account ID
        Tags = { { "Owner", "my-team" } },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cloudngfwaws.Ngfw;
import com.pulumi.cloudngfwaws.NgfwArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates a V2 firewall without endpoints; endpoints are added in a later
     * update once the firewall is RUNNING.
     */
    public static void stack(Context ctx) {
        var firewall = new Ngfw("example", NgfwArgs.builder()
            .name("my-firewall")
            .description("My new firewall")
            .azLists("use1-az1", "use1-az4")      // availability zones given as AZ IDs
            .allowlistAccounts("111111111111")    // placeholder 12-digit AWS account ID
            .tags(Map.of("Owner", "my-team"))
            .build());
    }
}
resources:
  # V2 schema, creation only: no endpoints yet (added once the firewall is RUNNING).
  example:
    type: cloudngfwaws:Ngfw
    properties:
      name: my-firewall
      description: My new firewall
      azLists: [use1-az1, use1-az4]      # availability zones given as AZ IDs
      allowlistAccounts: ['111111111111'] # placeholder 12-digit AWS account ID (quoted so it stays a string)
      tags: {Owner: my-team}
2. Adding Endpoints to a V2 Firewall
Endpoints connect the firewall to customer VPCs. They must be added in a separate update after the firewall is running.
Steps:
1. Confirm the firewall status is `RUNNING`: `terraform show | grep firewall_status`
2. Add one or more `endpoints` blocks to the existing resource.
3. Wait for each endpoint's `status` to reach `ACCEPTED` before proceeding to configure Egress NAT or private prefixes: `terraform show | grep -A 10 "endpoints"`
Full example — V2 firewall with endpoints added:
import * as pulumi from "@pulumi/pulumi";
import * as cloudngfwaws from "@pulumi/cloudngfwaws";
// V2 schema: availability zones are given as AZ IDs.
const availabilityZones = ["use1-az1", "use1-az4"];

// Endpoints are added only after the firewall is RUNNING; each one attaches
// the firewall to a subnet in a customer VPC. Account, VPC and subnet IDs are placeholders.
const endpoints = [
    { accountId: "111111111111", vpcId: "vpc-0a1b2c3d4e5f00002", subnetId: "subnet-0a1b2c3d4e5f00001", mode: "ServiceManaged" },
    { accountId: "111111111111", vpcId: "vpc-0a1b2c3d4e5f00003", subnetId: "subnet-0a1b2c3d4e5f00002", mode: "ServiceManaged" },
];

const firewall = new cloudngfwaws.Ngfw("example", {
    name: "my-firewall",
    description: "My new firewall",
    azLists: availabilityZones,
    allowlistAccounts: ["111111111111"], // placeholder 12-digit AWS account ID
    endpoints: endpoints,
    tags: { Owner: "my-team" },
});
import pulumi
import pulumi_cloudngfwaws as cloudngfwaws
# V2 schema: availability zones are given as AZ IDs.
availability_zones = ["use1-az1", "use1-az4"]

# Endpoints are added only after the firewall is RUNNING; each one attaches
# the firewall to a subnet in a customer VPC. Account, VPC and subnet IDs are placeholders.
endpoints = [
    {"account_id": "111111111111", "vpc_id": "vpc-0a1b2c3d4e5f00002", "subnet_id": "subnet-0a1b2c3d4e5f00001", "mode": "ServiceManaged"},
    {"account_id": "111111111111", "vpc_id": "vpc-0a1b2c3d4e5f00003", "subnet_id": "subnet-0a1b2c3d4e5f00002", "mode": "ServiceManaged"},
]

firewall = cloudngfwaws.Ngfw(
    "example",
    name="my-firewall",
    description="My new firewall",
    az_lists=availability_zones,
    allowlist_accounts=["111111111111"],  # placeholder 12-digit AWS account ID
    endpoints=endpoints,
    tags={"Owner": "my-team"},
)
package main
import (
"github.com/pulumi/pulumi-cloudngfwaws/sdk/v2/go/cloudngfwaws"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a V2 firewall together with the endpoints that are added
// once the firewall is RUNNING.
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Availability zones are given as AZ IDs.
        availabilityZones := pulumi.StringArray{
            pulumi.String("use1-az1"),
            pulumi.String("use1-az4"),
        }

        // Each endpoint attaches the firewall to a subnet in a customer VPC.
        // Account, VPC and subnet IDs are placeholders.
        endpoints := cloudngfwaws.NgfwEndpointArray{
            &cloudngfwaws.NgfwEndpointArgs{
                AccountId: pulumi.String("111111111111"),
                VpcId:     pulumi.String("vpc-0a1b2c3d4e5f00002"),
                SubnetId:  pulumi.String("subnet-0a1b2c3d4e5f00001"),
                Mode:      pulumi.String("ServiceManaged"),
            },
            &cloudngfwaws.NgfwEndpointArgs{
                AccountId: pulumi.String("111111111111"),
                VpcId:     pulumi.String("vpc-0a1b2c3d4e5f00003"),
                SubnetId:  pulumi.String("subnet-0a1b2c3d4e5f00002"),
                Mode:      pulumi.String("ServiceManaged"),
            },
        }

        _, err := cloudngfwaws.NewNgfw(ctx, "example", &cloudngfwaws.NgfwArgs{
            Name:              pulumi.String("my-firewall"),
            Description:       pulumi.String("My new firewall"),
            AzLists:           availabilityZones,
            AllowlistAccounts: pulumi.StringArray{pulumi.String("111111111111")}, // placeholder account ID
            Endpoints:         endpoints,
            Tags:              pulumi.StringMap{"Owner": pulumi.String("my-team")},
        })
        // A nil err here is returned as-is, which is the success path.
        return err
    })
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using CloudNgfwAws = Pulumi.CloudNgfwAws;
return await Deployment.RunAsync(() =>
{
    // V2 schema: availability zones are given as AZ IDs.
    var availabilityZones = new[] { "use1-az1", "use1-az4" };

    // Endpoints are added only after the firewall is RUNNING; each one attaches
    // the firewall to a subnet in a customer VPC. IDs are placeholders.
    var endpoints = new[]
    {
        new CloudNgfwAws.Inputs.NgfwEndpointArgs
        {
            AccountId = "111111111111",
            VpcId = "vpc-0a1b2c3d4e5f00002",
            SubnetId = "subnet-0a1b2c3d4e5f00001",
            Mode = "ServiceManaged",
        },
        new CloudNgfwAws.Inputs.NgfwEndpointArgs
        {
            AccountId = "111111111111",
            VpcId = "vpc-0a1b2c3d4e5f00003",
            SubnetId = "subnet-0a1b2c3d4e5f00002",
            Mode = "ServiceManaged",
        },
    };

    var firewall = new CloudNgfwAws.Index.Ngfw("example", new()
    {
        Name = "my-firewall",
        Description = "My new firewall",
        AzLists = availabilityZones,
        AllowlistAccounts = new[] { "111111111111" },   // placeholder 12-digit AWS account ID
        Endpoints = endpoints,
        Tags = { { "Owner", "my-team" } },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cloudngfwaws.Ngfw;
import com.pulumi.cloudngfwaws.NgfwArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwEndpointArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a V2 firewall together with the endpoints that are added once
     * the firewall is RUNNING.
     */
    public static void stack(Context ctx) {
        // Each endpoint attaches the firewall to a subnet in a customer VPC.
        // Account, VPC and subnet IDs are placeholders.
        var firstEndpoint = NgfwEndpointArgs.builder()
            .accountId("111111111111")
            .vpcId("vpc-0a1b2c3d4e5f00002")
            .subnetId("subnet-0a1b2c3d4e5f00001")
            .mode("ServiceManaged")
            .build();
        var secondEndpoint = NgfwEndpointArgs.builder()
            .accountId("111111111111")
            .vpcId("vpc-0a1b2c3d4e5f00003")
            .subnetId("subnet-0a1b2c3d4e5f00002")
            .mode("ServiceManaged")
            .build();

        var firewall = new Ngfw("example", NgfwArgs.builder()
            .name("my-firewall")
            .description("My new firewall")
            .azLists("use1-az1", "use1-az4")      // availability zones given as AZ IDs
            .allowlistAccounts("111111111111")    // placeholder 12-digit AWS account ID
            .endpoints(firstEndpoint, secondEndpoint)
            .tags(Map.of("Owner", "my-team"))
            .build());
    }
}
resources:
  example:
    type: cloudngfwaws:Ngfw
    properties:
      name: my-firewall
      description: My new firewall
      azLists: [use1-az1, use1-az4]      # availability zones given as AZ IDs
      allowlistAccounts: ['111111111111'] # placeholder 12-digit AWS account ID (quoted so it stays a string)
      # Endpoints are added only after the firewall is RUNNING; each attaches the
      # firewall to a subnet in a customer VPC. IDs are placeholders.
      endpoints:
        - accountId: '111111111111'
          vpcId: vpc-0a1b2c3d4e5f00002
          subnetId: subnet-0a1b2c3d4e5f00001
          mode: ServiceManaged
        - accountId: '111111111111'
          vpcId: vpc-0a1b2c3d4e5f00003
          subnetId: subnet-0a1b2c3d4e5f00002
          mode: ServiceManaged
      tags: {Owner: my-team}
3. Configuring Egress NAT on a V2 Firewall
Egress NAT can be enabled at the firewall level once at least one endpoint is accepted.
Prerequisite: At least one endpoint must be in `ACCEPTED` state.
Steps:
1. Add the `egressNat` block to the resource.
Full example — V2 firewall with Egress NAT enabled:
import * as pulumi from "@pulumi/pulumi";
import * as cloudngfwaws from "@pulumi/cloudngfwaws";
// V2 schema: availability zones are given as AZ IDs.
const availabilityZones = ["use1-az1", "use1-az4"];

// Endpoints attach the firewall to subnets in customer VPCs; IDs are placeholders.
const endpoints = [
    { accountId: "111111111111", vpcId: "vpc-0a1b2c3d4e5f00002", subnetId: "subnet-0a1b2c3d4e5f00001", mode: "ServiceManaged" },
    { accountId: "111111111111", vpcId: "vpc-0a1b2c3d4e5f00003", subnetId: "subnet-0a1b2c3d4e5f00002", mode: "ServiceManaged" },
];

// Firewall-level egress NAT from an AWS-provided pool (ipPoolType may also be
// BYOIP); requires at least one endpoint to be ACCEPTED.
const egressNat = [{ enabled: true, settings: [{ ipPoolType: "AWSService" }] }];

const firewall = new cloudngfwaws.Ngfw("example", {
    name: "my-firewall",
    description: "My new firewall",
    azLists: availabilityZones,
    allowlistAccounts: ["111111111111"], // placeholder 12-digit AWS account ID
    endpoints: endpoints,
    egressNats: egressNat,
    tags: { Owner: "my-team" },
});
import pulumi
import pulumi_cloudngfwaws as cloudngfwaws
# V2 schema: availability zones are given as AZ IDs.
availability_zones = ["use1-az1", "use1-az4"]

# Endpoints attach the firewall to subnets in customer VPCs; IDs are placeholders.
endpoints = [
    {"account_id": "111111111111", "vpc_id": "vpc-0a1b2c3d4e5f00002", "subnet_id": "subnet-0a1b2c3d4e5f00001", "mode": "ServiceManaged"},
    {"account_id": "111111111111", "vpc_id": "vpc-0a1b2c3d4e5f00003", "subnet_id": "subnet-0a1b2c3d4e5f00002", "mode": "ServiceManaged"},
]

# Firewall-level egress NAT from an AWS-provided pool (ip_pool_type may also be
# BYOIP); requires at least one endpoint to be ACCEPTED.
egress_nat = [{"enabled": True, "settings": [{"ip_pool_type": "AWSService"}]}]

firewall = cloudngfwaws.Ngfw(
    "example",
    name="my-firewall",
    description="My new firewall",
    az_lists=availability_zones,
    allowlist_accounts=["111111111111"],  # placeholder 12-digit AWS account ID
    endpoints=endpoints,
    egress_nats=egress_nat,
    tags={"Owner": "my-team"},
)
package main
import (
"github.com/pulumi/pulumi-cloudngfwaws/sdk/v2/go/cloudngfwaws"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a V2 firewall with endpoints and firewall-level egress NAT
// (which requires at least one endpoint to be ACCEPTED).
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Availability zones are given as AZ IDs.
        availabilityZones := pulumi.StringArray{
            pulumi.String("use1-az1"),
            pulumi.String("use1-az4"),
        }

        // Each endpoint attaches the firewall to a subnet in a customer VPC.
        // Account, VPC and subnet IDs are placeholders.
        endpoints := cloudngfwaws.NgfwEndpointArray{
            &cloudngfwaws.NgfwEndpointArgs{
                AccountId: pulumi.String("111111111111"),
                VpcId:     pulumi.String("vpc-0a1b2c3d4e5f00002"),
                SubnetId:  pulumi.String("subnet-0a1b2c3d4e5f00001"),
                Mode:      pulumi.String("ServiceManaged"),
            },
            &cloudngfwaws.NgfwEndpointArgs{
                AccountId: pulumi.String("111111111111"),
                VpcId:     pulumi.String("vpc-0a1b2c3d4e5f00003"),
                SubnetId:  pulumi.String("subnet-0a1b2c3d4e5f00002"),
                Mode:      pulumi.String("ServiceManaged"),
            },
        }

        // Egress NAT from an AWS-provided pool (IpPoolType may also be BYOIP).
        egressNat := cloudngfwaws.NgfwEgressNatArray{
            &cloudngfwaws.NgfwEgressNatArgs{
                Enabled: pulumi.Bool(true),
                Settings: cloudngfwaws.NgfwEgressNatSettingArray{
                    &cloudngfwaws.NgfwEgressNatSettingArgs{IpPoolType: pulumi.String("AWSService")},
                },
            },
        }

        _, err := cloudngfwaws.NewNgfw(ctx, "example", &cloudngfwaws.NgfwArgs{
            Name:              pulumi.String("my-firewall"),
            Description:       pulumi.String("My new firewall"),
            AzLists:           availabilityZones,
            AllowlistAccounts: pulumi.StringArray{pulumi.String("111111111111")}, // placeholder account ID
            Endpoints:         endpoints,
            EgressNats:        egressNat,
            Tags:              pulumi.StringMap{"Owner": pulumi.String("my-team")},
        })
        // A nil err here is returned as-is, which is the success path.
        return err
    })
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using CloudNgfwAws = Pulumi.CloudNgfwAws;
return await Deployment.RunAsync(() =>
{
    // V2 schema: availability zones are given as AZ IDs.
    var availabilityZones = new[] { "use1-az1", "use1-az4" };

    // Endpoints attach the firewall to subnets in customer VPCs; IDs are placeholders.
    var endpoints = new[]
    {
        new CloudNgfwAws.Inputs.NgfwEndpointArgs
        {
            AccountId = "111111111111",
            VpcId = "vpc-0a1b2c3d4e5f00002",
            SubnetId = "subnet-0a1b2c3d4e5f00001",
            Mode = "ServiceManaged",
        },
        new CloudNgfwAws.Inputs.NgfwEndpointArgs
        {
            AccountId = "111111111111",
            VpcId = "vpc-0a1b2c3d4e5f00003",
            SubnetId = "subnet-0a1b2c3d4e5f00002",
            Mode = "ServiceManaged",
        },
    };

    // Firewall-level egress NAT from an AWS-provided pool (IpPoolType may also be
    // BYOIP); requires at least one endpoint to be ACCEPTED.
    var egressNat = new CloudNgfwAws.Inputs.NgfwEgressNatArgs
    {
        Enabled = true,
        Settings = new[]
        {
            new CloudNgfwAws.Inputs.NgfwEgressNatSettingArgs { IpPoolType = "AWSService" },
        },
    };

    var firewall = new CloudNgfwAws.Index.Ngfw("example", new()
    {
        Name = "my-firewall",
        Description = "My new firewall",
        AzLists = availabilityZones,
        AllowlistAccounts = new[] { "111111111111" },   // placeholder 12-digit AWS account ID
        Endpoints = endpoints,
        EgressNats = new[] { egressNat },
        Tags = { { "Owner", "my-team" } },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.cloudngfwaws.Ngfw;
import com.pulumi.cloudngfwaws.NgfwArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwEndpointArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwEgressNatArgs;
import com.pulumi.cloudngfwaws.inputs.NgfwEgressNatSettingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a V2 firewall with endpoints and firewall-level egress NAT
     * (which requires at least one endpoint to be ACCEPTED).
     */
    public static void stack(Context ctx) {
        // Each endpoint attaches the firewall to a subnet in a customer VPC.
        // Account, VPC and subnet IDs are placeholders.
        var firstEndpoint = NgfwEndpointArgs.builder()
            .accountId("111111111111")
            .vpcId("vpc-0a1b2c3d4e5f00002")
            .subnetId("subnet-0a1b2c3d4e5f00001")
            .mode("ServiceManaged")
            .build();
        var secondEndpoint = NgfwEndpointArgs.builder()
            .accountId("111111111111")
            .vpcId("vpc-0a1b2c3d4e5f00003")
            .subnetId("subnet-0a1b2c3d4e5f00002")
            .mode("ServiceManaged")
            .build();

        // Egress NAT from an AWS-provided pool (ipPoolType may also be BYOIP).
        var egressNat = NgfwEgressNatArgs.builder()
            .enabled(true)
            .settings(NgfwEgressNatSettingArgs.builder()
                .ipPoolType("AWSService")
                .build())
            .build();

        var firewall = new Ngfw("example", NgfwArgs.builder()
            .name("my-firewall")
            .description("My new firewall")
            .azLists("use1-az1", "use1-az4")      // availability zones given as AZ IDs
            .allowlistAccounts("111111111111")    // placeholder 12-digit AWS account ID
            .endpoints(firstEndpoint, secondEndpoint)
            .egressNats(egressNat)
            .tags(Map.of("Owner", "my-team"))
            .build());
    }
}
resources:
  example:
    type: cloudngfwaws:Ngfw
    properties:
      name: my-firewall
      description: My new firewall
      azLists: [use1-az1, use1-az4]      # availability zones given as AZ IDs
      allowlistAccounts: ['111111111111'] # placeholder 12-digit AWS account ID (quoted so it stays a string)
      # Endpoints attach the firewall to subnets in customer VPCs; IDs are placeholders.
      endpoints:
        - accountId: '111111111111'
          vpcId: vpc-0a1b2c3d4e5f00002
          subnetId: subnet-0a1b2c3d4e5f00001
          mode: ServiceManaged
        - accountId: '111111111111'
          vpcId: vpc-0a1b2c3d4e5f00003
          subnetId: subnet-0a1b2c3d4e5f00002
          mode: ServiceManaged
      # Firewall-level egress NAT (needs at least one ACCEPTED endpoint); ipPoolType may also be BYOIP.
      egressNats:
        - enabled: true
          settings:
            - {ipPoolType: AWSService}
      tags: {Owner: my-team}
To disable Egress NAT: set enabled = false and re-apply.
4. Configuring Private Prefixes and Per-Endpoint Egress NAT (V2)
Once an endpoint is accepted, you can enable or disable Egress NAT and configure private
CIDR prefixes on a per-endpoint basis within the endpoints block.
Prerequisite: The endpoint must be in `ACCEPTED` state. The `endpointId` is a read-only computed value — retrieve it from Terraform state after apply: `terraform show | grep -A 15 "endpoints"`
**Steps:**
1. Update the relevant `endpoints` block with `egressNatEnabled` and `prefixes`.
The `endpointId` field is read-only and is populated automatically by the provider
once the endpoint is accepted — do not set it manually.
**Full example — V2 firewall with per-endpoint Egress NAT and private prefixes:**
import * as pulumi from "@pulumi/pulumi";
import * as cloudngfwaws from "@pulumi/cloudngfwaws";
// V2 schema: availability zones are given as AZ IDs.
const availabilityZones = ["use1-az1", "use1-az4"];

// Private address space reachable through the first endpoint: the RFC 1918
// ranges plus 100.64.0.0/10 (RFC 6598 shared address space).
const privateCidrs = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"];

// Per-endpoint settings are applied once the endpoint is ACCEPTED. endpointId
// is computed by the provider and is therefore not set here. Account, VPC and
// subnet IDs are placeholders.
const natEnabledEndpoint = {
    accountId: "111111111111",
    vpcId: "vpc-0a1b2c3d4e5f00002",
    subnetId: "subnet-0a1b2c3d4e5f00001",
    mode: "ServiceManaged",
    egressNatEnabled: true,
    prefixes: [{ privatePrefixes: [{ cidrs: privateCidrs }] }],
};
const natDisabledEndpoint = {
    accountId: "111111111111",
    vpcId: "vpc-0a1b2c3d4e5f00003",
    subnetId: "subnet-0a1b2c3d4e5f00002",
    mode: "ServiceManaged",
    egressNatEnabled: false, // egress NAT stays off for this endpoint only
};

// Firewall-level egress NAT from an AWS-provided pool (ipPoolType may also be BYOIP).
const egressNat = [{ enabled: true, settings: [{ ipPoolType: "AWSService" }] }];

const firewall = new cloudngfwaws.Ngfw("example", {
    name: "my-firewall",
    description: "My new firewall",
    azLists: availabilityZones,
    allowlistAccounts: ["111111111111"], // placeholder 12-digit AWS account ID
    endpoints: [natEnabledEndpoint, natDisabledEndpoint],
    egressNats: egressNat,
    tags: { Owner: "my-team" },
});
