Amazon Network Firewall · JSON Structure

Openapi Rules Source List Structure

Stateful inspection criteria for a domain list rule group.

For HTTPS traffic, domain filtering is SNI-based: it uses the Server Name Indication (SNI) extension of the TLS handshake. Only the hostname sent in that unencrypted ClientHello extension is inspected; the encrypted request itself is not decrypted.

By default, Network Firewall domain list inspection only includes traffic coming from the VPC where you deploy the firewall. To inspect traffic from IP addresses outside of the deployment VPC, you set the HOME_NET rule variable to include the CIDR range of the deployment VPC plus the other CIDR ranges. For more information, see RuleVariables in this guide and Stateful domain list rule groups in Network Firewall in the Network Firewall Developer Guide.

Type: object. Properties: 3. Required: 3.

Tags: Firewall, Intrusion Detection, Network Security, VPC

RulesSourceList is a JSON Structure definition published by Amazon Network Firewall, describing 3 properties, of which 3 are required. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema.

Properties

- Targets
- TargetTypes
- GeneratedRulesType

Meta-schema: https://json-structure.org/meta/core/v0/#

JSON Structure

{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/amazon-network-firewall/refs/heads/main/json-structure/openapi-rules-source-list-structure.json",
  "name": "RulesSourceList",
  "description": "<p>Stateful inspection criteria for a domain list rule group. </p> <p>For HTTPS traffic, domain filtering is SNI-based. It uses the server name indicator extension of the TLS handshake.</p> <p>By default, Network Firewall domain list inspection only includes traffic coming from the VPC where you deploy the firewall. To inspect traffic from IP addresses outside of the deployment VPC, you set the <code>HOME_NET</code> rule variable to include the CIDR range of the deployment VPC plus the other CIDR ranges. For more information, see <a>RuleVariables</a> in this guide and <a href=\"https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.html\">Stateful domain list rule groups in Network Firewall</a> in the <i>Network Firewall Developer Guide</i>.</p>",
  "type": "object",
  "properties": {
    "Targets": {
      "allOf": [
        {
          "$ref": "#/components/schemas/RuleTargets"
        },
        {
          "description": "<p>The domains that you want to inspect for in your traffic flows. Valid domain specifications are the following:</p> <ul> <li> <p>Explicit names. For example, <code>abc.example.com</code> matches only the domain <code>abc.example.com</code>.</p> </li> <li> <p>Names that use a domain wildcard, which you indicate with an initial '<code>.</code>'. For example, <code>.example.com</code> matches <code>example.com</code> and matches all subdomains of <code>example.com</code>, such as <code>abc.example.com</code> and <code>www.example.com</code>. </p> </li> </ul>"
        }
      ]
    },
    "TargetTypes": {
      "allOf": [
        {
          "$ref": "#/components/schemas/TargetTypes"
        },
        {
          "description": "The protocols you want to inspect. Specify <code>TLS_SNI</code> for <code>HTTPS</code>. Specify <code>HTTP_HOST</code> for <code>HTTP</code>. You can specify either or both. "
        }
      ]
    },
    "GeneratedRulesType": {
      "allOf": [
        {
          "$ref": "#/components/schemas/GeneratedRulesType"
        },
        {
          "description": "Whether you want to allow or deny access to the domains in your target list."
        }
      ]
    }
  },
  "required": [
    "Targets",
    "TargetTypes",
    "GeneratedRulesType"
  ]
}
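The schema above only describes the shape of a RulesSourceList; it does not show how its three properties combine at evaluation time. The following is an added example, not code from Amazon Network Firewall or from the api-evangelist repository, that models that evaluation for a single flow: the explicit-name and leading-dot wildcard matching rules from the Targets description, the TLS_SNI / HTTP_HOST selection from TargetTypes, and the HOME_NET scoping from the introduction. It assumes that GeneratedRulesType takes the values ALLOWLIST and DENYLIST (those come from the referenced GeneratedRulesType schema, which is not reproduced on this page), that a flow whose protocol is not listed in TargetTypes, or whose source is outside HOME_NET, is simply not inspected by this rule group, and that hostnames compare case-insensitively. The rule set, HOME_NET ranges and flows are constructed sample data.

```python
from __future__ import annotations

import ipaddress

# Constructed sample RulesSourceList, shaped like the schema on this page.
# GeneratedRulesType values ALLOWLIST / DENYLIST are assumed from the
# referenced GeneratedRulesType schema (not shown on this page).
RULES_SOURCE_LIST = {
    "Targets": [".example.com", "abc.example.org"],
    "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
    "GeneratedRulesType": "ALLOWLIST",
}

# Constructed HOME_NET: the deployment VPC CIDR plus one additional range,
# as the introduction describes for inspecting traffic from outside the VPC.
HOME_NET = ["10.0.0.0/16", "10.1.0.0/16"]


def domain_matches(target: str, hostname: str) -> bool:
    """Apply one Targets entry to a hostname.

    Explicit names match only themselves. An entry with an initial '.'
    is a domain wildcard: it matches the bare domain and every subdomain.
    Comparison is case-insensitive and ignores a trailing dot (assumption).
    """
    t = target.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if t.startswith("."):
        base = t[1:]
        return h == base or h.endswith("." + base)
    return h == t


def in_home_net(src_ip: str, home_net: list[str]) -> bool:
    """True if the flow's source address falls inside any HOME_NET range."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in home_net)


def evaluate(rules: dict, flow: dict, home_net: list[str]) -> str:
    """Return 'pass', 'drop' or 'not_inspected' for one flow.

    flow = {"src_ip": ..., "target_type": "TLS_SNI" | "HTTP_HOST", "hostname": ...}
    Flows from outside HOME_NET, or of a protocol not in TargetTypes, are
    not inspected by the domain list rule group (modelling assumption).
    """
    if not in_home_net(flow["src_ip"], home_net):
        return "not_inspected"
    if flow["target_type"] not in rules["TargetTypes"]:
        return "not_inspected"
    matched = any(domain_matches(t, flow["hostname"]) for t in rules["Targets"])
    kind = rules["GeneratedRulesType"]
    if kind == "ALLOWLIST":
        # Allow list: listed domains pass, everything else of that protocol is dropped.
        return "pass" if matched else "drop"
    if kind == "DENYLIST":
        # Deny list: listed domains are dropped, everything else passes.
        return "drop" if matched else "pass"
    raise ValueError(f"unknown GeneratedRulesType: {kind!r}")


# Constructed sample flows; the comments state the expected verdict.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.1.5", "target_type": "TLS_SNI", "hostname": "www.example.com"},   # pass
    {"src_ip": "10.0.1.5", "target_type": "TLS_SNI", "hostname": "example.com"},       # pass
    {"src_ip": "10.0.1.5", "target_type": "TLS_SNI", "hostname": "xyzexample.com"},    # drop
    {"src_ip": "10.1.2.3", "target_type": "HTTP_HOST", "hostname": "abc.example.org"}, # pass
    {"src_ip": "10.1.2.3", "target_type": "HTTP_HOST", "hostname": "www.abc.example.org"},  # drop
    {"src_ip": "192.168.5.5", "target_type": "TLS_SNI", "hostname": "www.example.com"},     # not_inspected
]


def run_samples() -> list[str]:
    """Evaluate every constructed flow against the sample rule set."""
    return [evaluate(RULES_SOURCE_LIST, f, HOME_NET) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run_samples()):
        print(f"{flow['src_ip']:<12} {flow['target_type']:<9} {flow['hostname']:<22} -> {verdict}")
```

The `xyzexample.com` and `www.abc.example.org` cases are the ones worth checking in a real rule group: a leading-dot wildcard matches on a label boundary, so `.example.com` does not cover `xyzexample.com`, and an explicit name never covers its own subdomains. The last flow shows why the HOME_NET variable matters: a source outside the configured ranges is never evaluated by the domain list at all, which an allow list silently turns into an uninspected path rather than a drop.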