AWS Security Hub · NetworkFirewall
NetworkFirewall.1: Firewalls should span multiple AZs
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub NetworkFirewall.1 check?
NetworkFirewall.1 evaluates each AWS::NetworkFirewall::Firewall resource and fails when the firewall is associated with subnets in only one Availability Zone. Network Firewall creates one inspection endpoint per associated subnet, so a single-subnet firewall has a single endpoint; the intended design is one endpoint per AZ, with each AZ's route tables sending traffic to the endpoint in that same AZ.
Why does NetworkFirewall.1 matter?
A Network Firewall is almost always inline: route tables send traffic through its endpoint, so nothing reaches the workload unless that endpoint is healthy. When the only endpoint lives in a single AZ, an event in that one zone severs the inspection path for every route table that points at it. If your route tables hairpin every zone's traffic through that single endpoint, a one-zone failure takes down connectivity for workloads in zones that are otherwise perfectly healthy, and the cross-zone hop costs latency and inter-AZ data transfer even while everything is healthy.
How do I fix NetworkFirewall.1?
- Associate the firewall with a dedicated subnet (nothing in it but the firewall endpoint) in each AZ where you run workloads.
- Update each AZ's route tables so that AZ's traffic uses the firewall endpoint in that same AZ, never an endpoint in another zone.
- Confirm every endpoint reaches the READY state (FirewallStatus.SyncStates in describe-firewall) in every zone before relying on the path.
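The three steps above as one script, added here as an example that is not code from the page or from AWS. It drives the AWS CLI through subprocess so that the planning logic (which subnets are missing, which AZs may be routed yet) is plain stdlib Python and can be checked against a constructed describe-firewall response before it touches anything. The firewall name, subnet IDs, route table IDs and AZ names are assumptions; the sample response is constructed to look like a firewall that currently sits in one AZ.

```python
"""Make a Network Firewall span every workload AZ, wait for the new endpoints,
then point each AZ's workload route table at the endpoint in that same AZ.
Added example (not AWS code); all identifiers below are assumptions."""
import json
import subprocess
import sys
import time

READY = "READY"

# Assumed layout: one dedicated firewall subnet per AZ, and the route table
# used by the workload subnets in that AZ.
FIREWALL_SUBNETS = {"us-east-1a": "subnet-0fw1a", "us-east-1b": "subnet-0fw1b",
                    "us-east-1c": "subnet-0fw1c"}
ROUTE_TABLES = {"us-east-1a": "rtb-1a", "us-east-1b": "rtb-1b",
                "us-east-1c": "rtb-1c"}

# Constructed sample shaped like `aws network-firewall describe-firewall`
# output for a firewall that lives in us-east-1a only (the failing state).
SAMPLE_DESCRIBE = {
    "Firewall": {"FirewallName": "inspection-fw",
                 "SubnetMappings": [{"SubnetId": "subnet-0fw1a"}]},
    "FirewallStatus": {
        "Status": "READY",
        "SyncStates": {
            "us-east-1a": {"Attachment": {"SubnetId": "subnet-0fw1a",
                                          "EndpointId": "vpce-0aaa",
                                          "Status": "READY"}},
        },
    },
}


def aws(*args):
    """Run one AWS CLI command and return its parsed JSON output."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


def endpoints_by_az(desc):
    """AZ -> (endpoint id, attachment status). SyncStates is keyed by AZ and
    describes the endpoint the firewall placed in that AZ's subnet."""
    out = {}
    for az, state in desc["FirewallStatus"]["SyncStates"].items():
        att = state.get("Attachment") or {}
        out[az] = (att.get("EndpointId"), att.get("Status"))
    return out


def missing_firewall_subnets(desc, firewall_subnets):
    """Firewall subnets whose AZ has no endpoint yet: what to associate."""
    covered = endpoints_by_az(desc)
    return [sn for az, sn in sorted(firewall_subnets.items()) if az not in covered]


def all_ready(desc, firewall_subnets):
    """True once every AZ has an endpoint and each endpoint reports READY."""
    if missing_firewall_subnets(desc, firewall_subnets):
        return False
    return desc["FirewallStatus"]["Status"] == READY and all(
        status == READY for _, status in endpoints_by_az(desc).values())


def route_plan(desc, route_tables):
    """Pair each AZ's route table with the READY endpoint in the same AZ.
    AZs whose endpoint is absent or not READY are reported, not routed, so
    traffic is never hairpinned through another zone or blackholed."""
    eps = endpoints_by_az(desc)
    plan, blocked = [], []
    for az, rtb in sorted(route_tables.items()):
        ep_id, status = eps.get(az, (None, None))
        if ep_id and status == READY:
            plan.append((rtb, ep_id))
        else:
            blocked.append(az)
    return plan, blocked


def wait_ready(name, firewall_subnets, timeout=900, poll=15):
    """Poll describe-firewall until every endpoint is READY, or give up."""
    deadline = time.time() + timeout
    while True:
        desc = aws("network-firewall", "describe-firewall", "--firewall-name", name)
        if all_ready(desc, firewall_subnets):
            return desc
        if time.time() > deadline:
            sys.exit("endpoints not READY after %ss; routes left untouched" % timeout)
        time.sleep(poll)


def remediate(name, firewall_subnets, route_tables, destination="0.0.0.0/0"):
    desc = aws("network-firewall", "describe-firewall", "--firewall-name", name)
    to_add = missing_firewall_subnets(desc, firewall_subnets)
    if to_add:
        aws("network-firewall", "associate-subnets", "--firewall-name", name,
            "--subnet-mappings", *["SubnetId=%s" % sn for sn in to_add])
    desc = wait_ready(name, firewall_subnets)
    plan, blocked = route_plan(desc, route_tables)
    for rtb, ep_id in plan:
        # replace-route needs an existing route; use create-route on a new table.
        aws("ec2", "replace-route", "--route-table-id", rtb,
            "--destination-cidr-block", destination, "--vpc-endpoint-id", ep_id)
    return plan, blocked


if __name__ == "__main__":
    done, skipped = remediate("inspection-fw", FIREWALL_SUBNETS, ROUTE_TABLES)
    print("routed:", done, "AZs skipped (endpoint not READY):", skipped)
```

Routes are only rewritten for AZs whose own endpoint is READY; an AZ that is still CREATING is reported and left alone, which is the failure mode the third step guards against. Run it under credentials that can call network-firewall:AssociateSubnets, network-firewall:DescribeFirewall and ec2:ReplaceRoute.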
Remediation script · bash (generic multi-AZ hardening for the RDS and web tiers behind the firewall; it does not change the firewall's subnets or routes, which are the steps listed above)
# Fix the highest-impact data stores first: enable Multi-AZ on every standalone
# (non-Aurora) RDS instance that is still Single-AZ. --apply-immediately starts the
# conversion now; expect some performance impact while the standby is built.
for db in $(aws rds describe-db-instances \
  --query 'DBInstances[?MultiAZ==`false` && DBClusterIdentifier==`null`].DBInstanceIdentifier' \
  --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --multi-az --apply-immediately
  echo "$db: standby being provisioned in a second AZ"
done

# Span a stateless compute fleet across three AZs (comma-separated subnet list),
# then give its load balancer the same three subnets (space-separated list).
aws autoscaling update-auto-scaling-group --auto-scaling-group-name web-tier-asg \
  --vpc-zone-identifier "subnet-0aaa1,subnet-0bbb2,subnet-0ccc3"
aws elbv2 set-subnets --load-balancer-arn "$ALB_ARN" \
  --subnets subnet-0aaa1 subnet-0bbb2 subnet-0ccc3

Full walkthrough (console steps, edge cases and verification) in the lesson Deploy across multiple Availability Zones.
More NetworkFirewall controls
- NetworkFirewall.2 Network Firewall logging should be enabled
- NetworkFirewall.3 Policies should have >= 1 rule group
- NetworkFirewall.4 Default stateless action for full packets should be drop or forward
- NetworkFirewall.5 Default stateless action for fragmented packets should be drop or forward
- NetworkFirewall.6 Stateless rule groups should not be empty
- NetworkFirewall.9 Firewalls should have deletion protection
- NetworkFirewall.10 Firewalls should have subnet change protection