feat(client-network-firewall): AWS Network Firewall now supports conf…

…iguring TCP idle timeout
aws · Oct 30, 2024 · bf77a24 · bf77a24
1 parent 2c0ec7d
commit bf77a24
Show file tree

Hide file tree

Showing 10 changed files with 69 additions and 14 deletions.
diff --git a/clients/client-network-firewall/README.md b/clients/client-network-firewall/README.md
@@ -32,9 +32,7 @@ Guide</a>.</p>
 prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
 perimeter of your VPC. This includes filtering traffic going to and coming from an internet
 gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
-with Suricata, a free, open source network analysis and threat detection engine.
-Network Firewall supports Suricata version 6.0.9. For information about Suricata,
-see the <a href="https://suricata.io/">Suricata website</a>.</p>
+with Suricata, a free, open source network analysis and threat detection engine. </p>
 <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
 The following are just a few examples: </p>
 <ul>
@@ -87,7 +85,7 @@ endpoints.</p>
 
 ## Installing
 
-To install the this package, simply type add or install @aws-sdk/client-network-firewall
+To install this package, simply type add or install @aws-sdk/client-network-firewall
 using your favorite package manager:
 
 - `npm install @aws-sdk/client-network-firewall`

diff --git a/clients/client-network-firewall/src/NetworkFirewall.ts b/clients/client-network-firewall/src/NetworkFirewall.ts
@@ -841,9 +841,7 @@ export interface NetworkFirewall {
  *          prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
  *          perimeter of your VPC. This includes filtering traffic going to and coming from an internet
  *          gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
- *       with Suricata, a free, open source network analysis and threat detection engine.
- *       Network Firewall supports Suricata version 6.0.9. For information about Suricata,
- *           see the <a href="https://suricata.io/">Suricata website</a>.</p>
+ *       with Suricata, a free, open source network analysis and threat detection engine. </p>
  *          <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
  *          The following are just a few examples: </p>
  *          <ul>

diff --git a/clients/client-network-firewall/src/NetworkFirewallClient.ts b/clients/client-network-firewall/src/NetworkFirewallClient.ts
@@ -449,9 +449,7 @@ export interface NetworkFirewallClientResolvedConfig extends NetworkFirewallClie
  *          prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
  *          perimeter of your VPC. This includes filtering traffic going to and coming from an internet
  *          gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
- *       with Suricata, a free, open source network analysis and threat detection engine.
- *       Network Firewall supports Suricata version 6.0.9. For information about Suricata,
- *           see the <a href="https://suricata.io/">Suricata website</a>.</p>
+ *       with Suricata, a free, open source network analysis and threat detection engine. </p>
  *          <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
  *          The following are just a few examples: </p>
  *          <ul>

diff --git a/clients/client-network-firewall/src/commands/CreateFirewallPolicyCommand.ts b/clients/client-network-firewall/src/commands/CreateFirewallPolicyCommand.ts
@@ -82,6 +82,9 @@ export interface CreateFirewallPolicyCommandOutput extends CreateFirewallPolicyR
  *     StatefulEngineOptions: { // StatefulEngineOptions
  *       RuleOrder: "DEFAULT_ACTION_ORDER" || "STRICT_ORDER",
  *       StreamExceptionPolicy: "DROP" || "CONTINUE" || "REJECT",
+ *       FlowTimeouts: { // FlowTimeouts
+ *         TcpIdleTimeoutSeconds: Number("int"),
+ *       },
  *     },
  *     TLSInspectionConfigurationArn: "STRING_VALUE",
  *     PolicyVariables: { // PolicyVariables

diff --git a/clients/client-network-firewall/src/commands/DescribeFirewallPolicyCommand.ts b/clients/client-network-firewall/src/commands/DescribeFirewallPolicyCommand.ts
@@ -106,6 +106,9 @@ export interface DescribeFirewallPolicyCommandOutput extends DescribeFirewallPol
  * //     StatefulEngineOptions: { // StatefulEngineOptions
  * //       RuleOrder: "DEFAULT_ACTION_ORDER" || "STRICT_ORDER",
  * //       StreamExceptionPolicy: "DROP" || "CONTINUE" || "REJECT",
+ * //       FlowTimeouts: { // FlowTimeouts
+ * //         TcpIdleTimeoutSeconds: Number("int"),
+ * //       },
  * //     },
  * //     TLSInspectionConfigurationArn: "STRING_VALUE",
  * //     PolicyVariables: { // PolicyVariables

diff --git a/clients/client-network-firewall/src/commands/UpdateFirewallPolicyCommand.ts b/clients/client-network-firewall/src/commands/UpdateFirewallPolicyCommand.ts
@@ -81,6 +81,9 @@ export interface UpdateFirewallPolicyCommandOutput extends UpdateFirewallPolicyR
  *     StatefulEngineOptions: { // StatefulEngineOptions
  *       RuleOrder: "DEFAULT_ACTION_ORDER" || "STRICT_ORDER",
  *       StreamExceptionPolicy: "DROP" || "CONTINUE" || "REJECT",
+ *       FlowTimeouts: { // FlowTimeouts
+ *         TcpIdleTimeoutSeconds: Number("int"),
+ *       },
  *     },
  *     TLSInspectionConfigurationArn: "STRING_VALUE",
  *     PolicyVariables: { // PolicyVariables

diff --git a/clients/client-network-firewall/src/index.ts b/clients/client-network-firewall/src/index.ts
@@ -27,9 +27,7 @@
  *          prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
  *          perimeter of your VPC. This includes filtering traffic going to and coming from an internet
  *          gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
- *       with Suricata, a free, open source network analysis and threat detection engine.
- *       Network Firewall supports Suricata version 6.0.9. For information about Suricata,
- *           see the <a href="https://suricata.io/">Suricata website</a>.</p>
+ *       with Suricata, a free, open source network analysis and threat detection engine. </p>
  *          <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
  *          The following are just a few examples: </p>
  *          <ul>

diff --git a/clients/client-network-firewall/src/models/models_0.ts b/clients/client-network-firewall/src/models/models_0.ts
@@ -1113,6 +1113,25 @@ export interface PolicyVariables {
   RuleVariables?: Record<string, IPSet>;
 }
 
+/**
+ * <p>Describes the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle and Network Firewall removes the flow entry from its flow table.
+ *           Existing connections and flows are not impacted when you update this value. Only new connections after you update this value are impacted.
+ *      </p>
+ * @public
+ */
+export interface FlowTimeouts {
+  /**
+   * <p>The number of seconds that can pass without any TCP traffic sent through the firewall before the firewall determines that the connection is idle.
+   *         After the idle timeout passes, data packets are dropped, however, the next TCP SYN packet is considered a new flow and is processed by the firewall.
+   *         Clients or targets can use TCP keepalive packets to reset the idle timeout.
+   *          </p>
+   *          <p>You can define the <code>TcpIdleTimeoutSeconds</code> value to be between 60 and 6000 seconds. If no value is provided, it defaults to 350 seconds.
+   *       </p>
+   * @public
+   */
+  TcpIdleTimeoutSeconds?: number;
+}
+
 /**
  * @public
  * @enum
@@ -1176,6 +1195,13 @@ export interface StatefulEngineOptions {
    * @public
    */
   StreamExceptionPolicy?: StreamExceptionPolicy;
+
+  /**
+   * <p>Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
+   *         </p>
+   * @public
+   */
+  FlowTimeouts?: FlowTimeouts;
 }
 
 /**

diff --git a/clients/client-network-firewall/src/protocols/Aws_json1_0.ts b/clients/client-network-firewall/src/protocols/Aws_json1_0.ts
@@ -163,6 +163,7 @@ import {
   EncryptionConfiguration,
   FirewallPolicy,
   FirewallPolicyResponse,
+  FlowTimeouts,
   Header,
   InsufficientCapacityException,
   InternalServerError,
@@ -1744,6 +1745,8 @@ const se_CreateRuleGroupRequest = (input: CreateRuleGroupRequest, context: __Ser
 
 // se_Flags omitted.
 
+// se_FlowTimeouts omitted.
+
 // se_Header omitted.
 
 // se_IPSet omitted.
@@ -2113,6 +2116,8 @@ const de_FirewallPolicyResponse = (output: any, context: __SerdeContext): Firewa
 
 // de_Flags omitted.
 
+// de_FlowTimeouts omitted.
+
 // de_Header omitted.
 
 // de_InsufficientCapacityException omitted.