What is the difference between stateless and stateful rule groups?

Stateless rules evaluate each packet independently based on source/destination IP, port, and protocol — they have no concept of connections or sessions. Stateful rules track the full connection state, meaning a rule allowing outbound traffic automatically permits the return traffic. Stateless rules are evaluated first by priority number, and packets that do not match any stateless rule are forwarded to stateful evaluation. Use stateless rules for simple allow/deny by IP range, and stateful rules for application-aware filtering like domain-based rules or IPS signatures.

How does capacity work for rule groups?

Each rule group has a capacity setting that determines the maximum number of rules it can contain. Stateless rules consume capacity based on the number of protocol/port/CIDR combinations. Stateful rules each consume one capacity unit for standard rules and variable amounts for Suricata rules. A firewall policy can reference multiple rule groups up to a combined maximum of 30,000 stateless and 30,000 stateful capacity units. You must set capacity at creation time and cannot reduce it later, so plan for growth.

Network Firewall Rule Builder

NetworkingAWS

Build AWS Network Firewall stateful and stateless rule group configurations.

Network Firewall Configuration

Build Network Firewall rule group configs with stateful/stateless rules and domain filtering.

Required Fields

RuleGroupNameTypeCapacityRuleGroup.RulesSource

Generated Output

Output will appear here...

About This Tool

AWS Network Firewall is a managed stateful firewall service that provides deep packet inspection, intrusion prevention, and web filtering for VPC traffic. Rules are organized into rule groups — stateless rule groups evaluate each packet independently using 5-tuple matching, while stateful rule groups track connection state and support Suricata-compatible IPS rules and domain list filtering. The Network Firewall Rule Builder helps you construct both stateless and stateful rule group configurations with proper priority ordering, action settings, and rule syntax.

When to Use This Tool

•Building stateful rules that allow outbound HTTPS traffic only to approved domains while blocking everything else
•Creating stateless rules that drop traffic from known malicious CIDR ranges before stateful inspection
•Defining Suricata-compatible IPS rules for detecting and blocking common network attack patterns
•Configuring rule groups with proper capacity units to stay within the per-firewall-policy limits

Frequently Asked Questions

What is the difference between stateless and stateful rule groups?: Stateless rules evaluate each packet independently based on source/destination IP, port, and protocol — they have no concept of connections or sessions. Stateful rules track the full connection state, meaning a rule allowing outbound traffic automatically permits the return traffic. Stateless rules are evaluated first by priority number, and packets that do not match any stateless rule are forwarded to stateful evaluation. Use stateless rules for simple allow/deny by IP range, and stateful rules for application-aware filtering like domain-based rules or IPS signatures.
How does capacity work for rule groups?: Each rule group has a capacity setting that determines the maximum number of rules it can contain. Stateless rules consume capacity based on the number of protocol/port/CIDR combinations. Stateful rules each consume one capacity unit for standard rules and variable amounts for Suricata rules. A firewall policy can reference multiple rule groups up to a combined maximum of 30,000 stateless and 30,000 stateful capacity units. You must set capacity at creation time and cannot reduce it later, so plan for growth.

Related Learning Guides

AWS Networking Deep Dive30 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.