Build AWS Network Firewall stateful and stateless rule group configurations.
Last verified: May 2026
Build Network Firewall rule group configs with stateful/stateless rules and domain filtering.
Required Fields
RuleGroupName, Type, Capacity, RuleGroup.RulesSource
AWS Network Firewall is a managed firewall service that provides stateful inspection, intrusion prevention, and web filtering for VPC traffic. Rules are organized into rule groups. Stateless rule groups evaluate each packet on its own against 5-tuple match criteria (source and destination addresses, ports, protocol, plus TCP flags) and run before the stateful engine; stateful rule groups track connection state and accept Suricata-compatible IPS rules, 5-tuple stateful rules, and domain lists matched on the HTTP Host header and the TLS SNI. The Network Firewall Rule Builder helps you construct both kinds of rule group with correct priority ordering, action settings, and rule syntax.
Your security team mandates that all production VPCs route outbound traffic through Network Firewall with domain-based allow-listing. The builder generates a stateful domain-list rule group of type ALLOWLIST that passes traffic from HOME_NET (the VPC CIDRs) to the approved domains (github.com, the npm registry, AWS API endpoints, monitoring and logging endpoints); paired with a firewall policy whose stateful default action is drop, every other flow is dropped. After deployment, a compromised workload that tries to reach a domain not on the list is blocked at the firewall, which closes the common 'call home over HTTPS' path. Be clear about the scope: domain lists match on the HTTP Host header and the TLS SNI, so they constrain HTTP and HTTPS flows by name; connections over other protocols, or straight to an IP address, need their own stateful rules or must fall through to the policy's default drop. Rule group capacity at 5,000 (2x current need) leaves room to add domains as legitimate needs emerge.
Use stateful rule groups for almost everything. Stateless rules are easy to get wrong because each packet is evaluated on its own with no connection tracking, so you have to write a matching rule for the return direction yourself; they also run before the stateful engine, so the usual pattern is a stateless default action of aws:forward_to_sfe so that everything reaches the stateful rules. Stateful rules handle both directions of a flow automatically and support domain-based filtering, which stateless rules cannot do. Reserve stateless rules for very high-throughput allow or drop decisions by IP and port that need no state tracking.
Domain list filtering in stateful rules is the key feature for outbound traffic control. Build an allow-list of approved domains (github.com, api.stripe.com, etc.) and drop everything else. Because the match is on the HTTP Host header and the TLS SNI, this blocks unauthorized API calls and exfiltration over HTTP/HTTPS to unapproved hosts. It does not inspect DNS queries, so if DNS tunnelling is a concern pair it with Route 53 Resolver DNS Firewall or with Suricata rules on port 53. Also keep in mind that a client chooses the SNI it sends, so SNI matching alone constrains where well-behaved clients connect rather than proving the true destination; TLS inspection is needed to check the certificate presented by the server.
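The allow-list rule group described in the scenario above and in this paragraph, written out as the CreateRuleGroup and CreateFirewallPolicy request bodies the CLI accepts via --cli-input-json. This is an added example, not output of the builder or code from the page; the HOME_NET CIDR, the domain list, and the rule group and policy names are constructed placeholders. It also shows the two checks a practitioner wants before creating the group: rejecting domain targets the format does not accept, and refusing a capacity with no headroom, since capacity cannot be changed later.

```python
import json

# Constructed example inputs (not data from the page): a VPC CIDR used as
# HOME_NET and an egress allow-list. A leading '.' also matches subdomains.
HOME_NET_CIDRS = ["10.0.0.0/8"]
APPROVED_DOMAINS = [
    "github.com",
    ".github.com",
    "registry.npmjs.org",
    ".amazonaws.com",
    "api.stripe.com",
]

MAX_RULE_GROUP_CAPACITY = 30_000  # per-rule-group ceiling


def validate_domain_target(target: str) -> None:
    """Reject values the domain-list format does not accept.

    Targets are bare hostnames, optionally prefixed with '.' to include
    subdomains. Wildcards, URL schemes and paths are not valid targets.
    """
    if "*" in target:
        raise ValueError(f"wildcard not allowed, use a leading '.' instead: {target!r}")
    if "://" in target or "/" in target or " " in target:
        raise ValueError(f"scheme, path or whitespace in domain target: {target!r}")
    if not target.lstrip("."):
        raise ValueError("empty domain target")


def build_domain_allowlist_rule_group(name, home_net, domains, capacity):
    """Return the CreateRuleGroup request body for a stateful ALLOWLIST
    domain-list rule group scoped to traffic originating from HOME_NET."""
    for d in domains:
        validate_domain_target(d)
    if len(set(domains)) != len(domains):
        raise ValueError("duplicate domain targets")
    if not 1 <= capacity <= MAX_RULE_GROUP_CAPACITY:
        raise ValueError(f"capacity must be 1..{MAX_RULE_GROUP_CAPACITY}")
    # Each domain consumes capacity and capacity is fixed at creation, so
    # insist on the 2x headroom the page recommends instead of failing later.
    if len(domains) * 2 > capacity:
        raise ValueError(f"{len(domains)} domains leave no headroom in capacity {capacity}")
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {
            # Override HOME_NET so the allow-list applies to exactly these CIDRs.
            "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": list(home_net)}}},
            "RulesSource": {
                "RulesSourceList": {
                    "Targets": list(domains),
                    # Match both plaintext HTTP Host headers and the TLS SNI.
                    "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
                    "GeneratedRulesType": "ALLOWLIST",
                }
            },
            "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
        },
    }


def build_egress_policy(name, stateful_rule_group_arn):
    """Firewall policy that sends everything to the stateful engine and drops
    any established flow that no stateful rule explicitly passed."""
    return {
        "FirewallPolicyName": name,
        "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
            "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
            "StatefulRuleGroupReferences": [
                {"ResourceArn": stateful_rule_group_arn, "Priority": 1}
            ],
            # drop_established lets the TCP/TLS handshake through so the SNI or
            # Host header can be inspected, then drops flows nothing matched.
            "StatefulDefaultActions": ["aws:drop_established"],
        },
    }


def cli_command(subcommand, body):
    """Render a request body as the equivalent AWS CLI invocation."""
    return f"aws network-firewall {subcommand} --cli-input-json '{json.dumps(body)}'"


if __name__ == "__main__":
    rg = build_domain_allowlist_rule_group(
        "prod-egress-allowlist", HOME_NET_CIDRS, APPROVED_DOMAINS, capacity=5000)
    print(cli_command("create-rule-group", rg))
    # Placeholder ARN: use the value CreateRuleGroup returns for your group.
    arn = "arn:aws:network-firewall:REGION:ACCOUNT:stateful-rulegroup/prod-egress-allowlist"
    print(cli_command("create-firewall-policy", build_egress_policy("prod-egress-policy", arn)))
```

The policy half is what turns an allow-list into a deny-by-default posture: without aws:drop_established (or aws:drop_strict) as the stateful default, flows that match no rule are passed, and the allow-list only constrains the HTTP/HTTPS traffic it can see.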
Capacity is set at rule group creation and cannot be changed afterwards, in either direction. If you set it too low and later need more rules, you must create a new rule group and swap it into the firewall policy. Always over-provision at creation time, typically 2-3x what you initially need, up to the per-rule-group ceiling of 30,000 capacity units. Stateful rule groups consume roughly one unit per Suricata rule, 5-tuple rule, or domain; a stateless rule costs the product of the number of entries in its source addresses, destination addresses, source ports, destination ports, and protocols, which is why a rule with many addresses and ports is far more expensive than it looks.
The builder constructs AWS Network Firewall rule groups in two flavors: stateless (rules with 5-tuple match attributes and the actions aws:pass, aws:drop, or aws:forward_to_sfe) and stateful (Suricata-compatible rules, domain lists, or 5-tuple stateful rules with PASS, DROP, ALERT, or REJECT actions). Output is generated as aws network-firewall create-rule-group commands and Terraform aws_networkfirewall_rule_group resources, including capacity calculations.
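A stateless rule group builder that applies the capacity formula from the capacity paragraph above and produces the create-rule-group request body this paragraph describes. This is an added example, not the builder's own code; the blocked ranges (RFC 5737 documentation addresses), the subnet CIDRs, and the rule group name are constructed. The example rules are deliberately written in pairs, one per direction, because stateless rules have no notion of a flow and would otherwise silently let return traffic through (or block it).

```python
import json

MAX_RULE_GROUP_CAPACITY = 30_000
STATELESS_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}

# Constructed example CIDRs (RFC 5737 documentation ranges and private space),
# not values from the page.
BLOCKED_CIDRS = ["192.0.2.0/24", "198.51.100.0/24"]
APP_SUBNET, DB_SUBNET = "10.1.0.0/16", "10.2.0.0/16"


def stateless_rule_capacity(match: dict) -> int:
    """Capacity cost of one stateless rule: the product of the number of
    entries in Sources, Destinations, SourcePorts, DestinationPorts and
    Protocols, where an unset field counts as 1."""
    cost = 1
    for field in ("Sources", "Destinations", "SourcePorts", "DestinationPorts", "Protocols"):
        cost *= max(1, len(match.get(field, [])))
    return cost


def stateless_rule(priority, action, sources=(), destinations=(),
                   source_ports=(), dest_ports=(), protocols=()):
    """Build one StatelessRule; ports are (from, to) tuples, protocols are IANA numbers."""
    if action not in STATELESS_ACTIONS:
        raise ValueError(f"unknown stateless action {action!r}")
    if not 1 <= priority <= 65535:
        raise ValueError("priority must be 1..65535")
    match = {}
    if sources:
        match["Sources"] = [{"AddressDefinition": c} for c in sources]
    if destinations:
        match["Destinations"] = [{"AddressDefinition": c} for c in destinations]
    if source_ports:
        match["SourcePorts"] = [{"FromPort": a, "ToPort": b} for a, b in source_ports]
    if dest_ports:
        match["DestinationPorts"] = [{"FromPort": a, "ToPort": b} for a, b in dest_ports]
    if protocols:
        match["Protocols"] = list(protocols)
    return {"Priority": priority,
            "RuleDefinition": {"MatchAttributes": match, "Actions": [action]}}


def rules_capacity(rules) -> int:
    """Total capacity the rule group must declare to hold these rules."""
    return sum(stateless_rule_capacity(r["RuleDefinition"]["MatchAttributes"]) for r in rules)


def build_stateless_rule_group(name, rules, capacity):
    """Return the CreateRuleGroup request body, refusing configurations the
    API would reject: duplicate priorities, or rules that exceed capacity."""
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("stateless rule priorities must be unique within a rule group")
    needed = rules_capacity(rules)
    if needed > capacity:
        raise ValueError(f"rules need {needed} capacity units but the group declares {capacity}")
    if capacity > MAX_RULE_GROUP_CAPACITY:
        raise ValueError(f"capacity exceeds the {MAX_RULE_GROUP_CAPACITY} ceiling")
    return {
        "RuleGroupName": name,
        "Type": "STATELESS",
        "Capacity": capacity,
        "RuleGroup": {
            "RulesSource": {
                "StatelessRulesAndCustomActions": {"StatelessRules": list(rules)}
            }
        },
    }


EXAMPLE_RULES = [
    # Drop traffic to and from the blocked ranges: one rule per direction,
    # because stateless rules see each packet with no notion of a flow.
    stateless_rule(10, "aws:drop", sources=BLOCKED_CIDRS),
    stateless_rule(11, "aws:drop", destinations=BLOCKED_CIDRS),
    # High-volume app -> db traffic bypasses deep inspection. The forward
    # direction matches the destination port; the reply matches the source port.
    stateless_rule(20, "aws:pass", sources=[APP_SUBNET], destinations=[DB_SUBNET],
                   dest_ports=[(5432, 5432)], protocols=[6]),
    stateless_rule(21, "aws:pass", sources=[DB_SUBNET], destinations=[APP_SUBNET],
                   source_ports=[(5432, 5432)], protocols=[6]),
]

if __name__ == "__main__":
    body = build_stateless_rule_group("prod-fastpath", EXAMPLE_RULES, capacity=20)
    print(f"rules cost {rules_capacity(EXAMPLE_RULES)} of {body['Capacity']} capacity units")
    print(f"aws network-firewall create-rule-group --cli-input-json '{json.dumps(body)}'")
```

The two drop rules cost 2 units each (two source or destination entries), the two pass rules 1 unit each, so the group needs 6 units; declaring 20 follows the 2-3x headroom guidance. Everything that matches none of these rules still has to be handled by the policy's stateless default action, which should be aws:forward_to_sfe so the stateful rule groups see it.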
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.