@shinyaz

Network Firewall Proxy SourceIp is NATed when accessed via PrivateLink


In a multi-VPC setup with Network Firewall Proxy, I created a request:SourceIp rule targeting the App VPC EC2 instance's IP (10.2.1.52/32). The rule never matched.

Output
curl http://google.com/  → 403 (SourceIp rule not matched, default DENY)

PrivateLink endpoint traffic is NATed to the endpoint's ENI IP, so the proxy sees the endpoint ENI address as the source and the original client IP never reaches it. The official blog documents this for VPC Lattice / NLB integrations ("source traffic is NATed"), but the same applies to direct PrivateLink endpoints.

request:SourceVpc, by contrast, matched correctly across VPCs. To identify cross-VPC sources, match on SourceVpc or SourceVpce instead of SourceIp.
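To confirm which source addresses the proxy actually observes for PrivateLink clients, here is an added Python helper (not from the original post). It reads the endpoint's ENI private IPs in the shape the EC2 DescribeVpcEndpoints / DescribeNetworkInterfaces APIs return them, and checks a SourceIp CIDR against those addresses; the endpoint ID, ENI IDs and IPs in the sample are constructed.

```python
"""Which source IPs does a Network Firewall Proxy see behind a PrivateLink endpoint?

Hypothetical helper (not part of any AWS SDK): because PrivateLink NATs client
traffic to the endpoint ENI, a request:SourceIp rule is effectively evaluated
against the ENI addresses, not the client's own IP.
"""
import ipaddress


def endpoint_eni_ips(vpc_endpoint, network_interfaces):
    """Private IPs of the ENIs that belong to one interface endpoint.

    vpc_endpoint: one element of describe_vpc_endpoints()["VpcEndpoints"]
    network_interfaces: describe_network_interfaces()["NetworkInterfaces"]
    """
    eni_ids = set(vpc_endpoint.get("NetworkInterfaceIds", []))
    ips = []
    for eni in network_interfaces:
        if eni["NetworkInterfaceId"] in eni_ids:  # ignore unrelated ENIs
            for addr in eni.get("PrivateIpAddresses", []):
                ips.append(addr["PrivateIpAddress"])
    return sorted(ips)


def source_ip_rule_matches(rule_cidr, observed_source_ips):
    """True if any address the proxy will observe falls inside rule_cidr."""
    net = ipaddress.ip_network(rule_cidr, strict=False)
    return any(ipaddress.ip_address(ip) in net for ip in observed_source_ips)


# Constructed sample responses: API field names are real, values are made up.
SAMPLE_ENDPOINT = {"VpcEndpointId": "vpce-0example", "VpcId": "vpc-0example",
                   "NetworkInterfaceIds": ["eni-0aaa", "eni-0bbb"]}
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "PrivateIpAddresses": [{"PrivateIpAddress": "10.1.10.15"}]},
    {"NetworkInterfaceId": "eni-0bbb", "PrivateIpAddresses": [{"PrivateIpAddress": "10.1.11.27"}]},
    {"NetworkInterfaceId": "eni-0ccc", "PrivateIpAddresses": [{"PrivateIpAddress": "10.1.12.99"}]},
]


def fetch_live(vpc_endpoint_id, region=None):
    """Run the same check against a real account (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline sample above runs without it
    ec2 = boto3.client("ec2", region_name=region)
    ep = ec2.describe_vpc_endpoints(VpcEndpointIds=[vpc_endpoint_id])["VpcEndpoints"][0]
    enis = ec2.describe_network_interfaces(
        NetworkInterfaceIds=ep["NetworkInterfaceIds"])["NetworkInterfaces"]
    return endpoint_eni_ips(ep, enis)


if __name__ == "__main__":
    seen = endpoint_eni_ips(SAMPLE_ENDPOINT, SAMPLE_ENIS)
    print("proxy sees source IPs:", seen)
    print("rule 10.2.1.52/32 (the client) matches:", source_ip_rule_matches("10.2.1.52/32", seen))
    print("rule 10.1.10.0/24 (endpoint subnet) matches:", source_ip_rule_matches("10.1.10.0/24", seen))
```

Running it shows the client CIDR never matches while a CIDR covering the endpoint ENI subnet does, which is why SourceVpc or SourceVpce is the reliable cross-VPC selector.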

See Network Firewall Proxy Hands-On — Multi-VPC Architecture with PrivateLink for details.


Shinya Tahara

Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site. The views and opinions expressed on this site are my own and do not represent the official positions of my employer.