Do the domain-list rule groups in AWS Network Firewall apply to inbound traffic?

I am currently learning about AWS Network Firewall. I created a firewall with a domain-list rule where I was blocking certain domains. My assumption was that every request to the protected subnets (subnets which are inspected by the firewall) is inspected by the firewall, and hence if I made a call like `curl -H "Origin: https://blocked-domain.com" https://my-alb-in-protected-subnet.com` then it would be blocked. But this request was successful.

Also, I noticed that the rule works on outbound traffic. I tried to make a curl to the blocked domains from an EC2 instance running inside the protected subnet, and it got blocked successfully.

So does it mean that the domain-list rule only applies to outbound traffic on the protected subnets?

Appreciate your help to clarify this 🙏🏼

AWS Network Firewall: https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html
Domain list rule: https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.html

Solution 1:[1]

The Stateless Domainlist rule group type is only applied to outbound traffic. This detail is not mentioned in the user guide, but it's mentioned in the FAQ:

https://aws.amazon.com/network-firewall/faqs/#:~:text=domain%2Dbased%20outbound%20traffic%20filtering%20to%20help%20you%20meet%20compliance%20requirements
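To make the answer concrete, here is an added example (my own model, not AWS code) of how a denylist domain-list rule group decides on a flow. It assumes the rule matches only the HTTP Host header or the TLS SNI of outbound flows, that other headers such as Origin are never inspected, and that a leading dot (`.example.com`) also matches subdomains; the two curl calls from the question are replayed as constructed HTTP requests.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of a domain-list (denylist) rule group. Not AWS code: it
# encodes the outbound-only behaviour from the answer plus assumed match fields.

@dataclass
class Flow:
    direction: str                 # "outbound" from the protected subnet, or "inbound"
    target_type: str               # assumed match field: "HTTP_HOST" or "TLS_SNI"
    domain: Optional[str]          # Host header value or SNI; None if absent
    headers: Dict[str, str] = field(default_factory=dict)  # other headers, never matched

def flow_from_http_request(raw: str, direction: str) -> Flow:
    """Build a Flow from a plaintext HTTP/1.1 request (what `curl http://...` sends)."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host = headers.pop("host", None)
    if host is not None:
        host = host.split(":")[0]  # drop an explicit port suffix
    return Flow(direction, "HTTP_HOST", host, headers)

def domain_matches(pattern: str, domain: str) -> bool:
    """Assumed semantics: 'example.com' matches the exact name only;
    '.example.com' matches example.com and every subdomain."""
    d, p = domain.lower().rstrip("."), pattern.lower().rstrip(".")
    if p.startswith("."):
        return d == p[1:] or d.endswith(p)
    return d == p

def evaluate(flow: Flow, denylist: List[str]) -> str:
    """Return 'DROP' if the denylist rule group would block the flow, else 'PASS'."""
    if flow.direction != "outbound":
        return "PASS"              # domain lists filter only outbound traffic
    if flow.domain is None:
        return "PASS"              # nothing for HTTP_HOST / TLS_SNI to match on
    return "DROP" if any(domain_matches(p, flow.domain) for p in denylist) else "PASS"

DENYLIST = [".blocked-domain.com"]
# Constructed replay of the question's first curl: inbound request to the ALB with an Origin header.
INBOUND_WITH_ORIGIN = ("GET / HTTP/1.1\r\nHost: my-alb-in-protected-subnet.com\r\n"
                       "Origin: https://blocked-domain.com\r\n\r\n")
# Constructed replay of the second curl: outbound request from the EC2 instance.
OUTBOUND_TO_BLOCKED = "GET / HTTP/1.1\r\nHost: www.blocked-domain.com:8080\r\n\r\n"

if __name__ == "__main__":
    print(evaluate(flow_from_http_request(INBOUND_WITH_ORIGIN, "inbound"), DENYLIST))   # PASS
    print(evaluate(flow_from_http_request(OUTBOUND_TO_BLOCKED, "outbound"), DENYLIST))  # DROP
```

The inbound request passes even though it names the blocked domain, because the Origin header is not a match field and the flow is not outbound; the same Host sent outbound from the protected subnet is dropped.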

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution source
Solution 1: Balakumar Ezhilmaran