AWS Security ChangesHomeSearch

AWS vpc documentation change

Service: vpc · 2025-03-30 · Documentation medium

File: vpc/latest/userguide/security-vpc-bpa-basics.md

Summary

Added clarification about GWLB and Network Firewall behavior with VPC BPA, and appliance routing considerations

Security assessment

Enhances documentation for security feature (VPC Block Public Access) by clarifying coverage of network security services

Diff

diff --git a/vpc/latest/userguide/security-vpc-bpa-basics.md b/vpc/latest/userguide/security-vpc-bpa-basics.md
index c1adcc50c..05bbc3784 100644
--- a/vpc/latest/userguide/security-vpc-bpa-basics.md
+++ b/vpc/latest/userguide/security-vpc-bpa-basics.md
@@ -45,0 +46,2 @@ The following resources and services support VPC BPA and traffic to these servic
+  * **Gateway Load Balancer (GWLB)** : All inbound and outbound traffic is blocked even if the subnet containing GWLB endpoints is excluded.
+
@@ -55,0 +58,2 @@ The following resources and services support VPC BPA and traffic to these servic
+  * **AWS Network Firewall** : All inbound and outbound traffic is blocked even if the subnet containing firewall endpoints is excluded.
+
@@ -80 +84,6 @@ Traffic related to private connectivity, such as traffic for the following servi
-Traffic sent privately from resources in your VPC to other services running in your VPC, such as the EC2 DNS Resolver or Amazon OpenSearch Service, is allowed even when BPA is turned on because it does not pass through an internet gateway in your VPC. It is possible that these services may make requests to resources outside of the VPC on your behalf, for example, in order to resolve a DNS query, and may expose information about the activity of resources within your VPC if not mitigated through other security controls.
+  * If you are routing incoming and outgoing traffic through an appliance (such as a 3rd-party security or monitoring tool) running on an EC2 instance in a subnet, when using BPA, that subnet needs to be an exclusion for traffic to flow in and out of it. Other subnets sending traffic to the appliance subnet and not to the internet gateway do not need to be added as exclusions.
+
+  * Traffic sent privately from resources in your VPC to other services running in your VPC, such as the EC2 DNS Resolver or Amazon OpenSearch Service, is allowed even when BPA is turned on because it does not pass through an internet gateway in your VPC. It is possible that these services may make requests to resources outside of the VPC on your behalf, for example, in order to resolve a DNS query, and may expose information about the activity of resources within your VPC if not mitigated through other security controls.
+
+
+