AWS Network Firewall

2026/06/30 - AWS Network Firewall - 5 new API methods

Changes: AWS Network Firewall now supports container associations for monitoring ECS and EKS workloads. You can create container associations to dynamically track the IP addresses of running containers in your Amazon ECS and Amazon EKS clusters.

ListContainerAssociations (new)

Retrieves the metadata for the container associations that you have defined. You can optionally page through results.

See also: AWS API Documentation

Request Syntax

client.list_container_associations(
    MaxResults=123,
    NextToken='string'
)
type MaxResults:

integer

param MaxResults:

The maximum number of objects that you want Network Firewall to return for this request. If more objects are available, in the response, Network Firewall provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

type NextToken:

string

param NextToken:

When you request a list of objects with a MaxResults setting, if the number of objects that are still available for retrieval exceeds the maximum you requested, Network Firewall returns a NextToken value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

rtype:

dict

returns:

Response Syntax

{
    'ContainerAssociations': [
        {
            'Arn': 'string',
            'Name': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • ContainerAssociations (list) --

      The container association metadata objects.

      • (dict) --

        High-level information about a container association, returned by the ListContainerAssociations operation. You can use this information to retrieve the full details of a container association using DescribeContainerAssociation.

        • Arn (string) --

          The Amazon Resource Name (ARN) of the container association.

        • Name (string) --

          The descriptive name of the container association.

    • NextToken (string) --

      When you request a list of objects with a MaxResults setting, if the number of objects that are still available for retrieval exceeds the maximum you requested, Network Firewall returns a NextToken value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

DeleteContainerAssociation (new)

Deletes the specified container association. When you delete a container association, Network Firewall stops monitoring the associated container clusters and removes the resolved IP addresses from firewall rules.

See also: AWS API Documentation

Request Syntax

client.delete_container_association(
    ContainerAssociationName='string',
    ContainerAssociationArn='string'
)
type ContainerAssociationName:

string

param ContainerAssociationName:

The descriptive name of the container association. You must specify the ARN or the name, and you can specify both.

type ContainerAssociationArn:

string

param ContainerAssociationArn:

The Amazon Resource Name (ARN) of the container association. You must specify the ARN or the name, and you can specify both.

rtype:

dict

returns:

Response Syntax

{
    'ContainerAssociationName': 'string',
    'ContainerAssociationArn': 'string',
    'Status': 'ACTIVE'|'CREATING'|'DELETING'
}

Response Structure

  • (dict) --

    • ContainerAssociationName (string) --

      The descriptive name of the container association.

    • ContainerAssociationArn (string) --

      The Amazon Resource Name (ARN) of the container association.

    • Status (string) --

      The current status of the container association.

DescribeContainerAssociation (new)

Returns the properties of a container association.

See also: AWS API Documentation

Request Syntax

client.describe_container_association(
    ContainerAssociationName='string',
    ContainerAssociationArn='string'
)
type ContainerAssociationName:

string

param ContainerAssociationName:

The descriptive name of the container association. You must specify the ARN or the name, and you can specify both.

type ContainerAssociationArn:

string

param ContainerAssociationArn:

The Amazon Resource Name (ARN) of the container association. You must specify the ARN or the name, and you can specify both.

rtype:

dict

returns:

Response Syntax

{
    'ContainerAssociationName': 'string',
    'ContainerAssociationArn': 'string',
    'Description': 'string',
    'Type': 'ECS'|'EKS',
    'ContainerMonitoringConfigurations': [
        {
            'ClusterArn': 'string',
            'AttributeFilters': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    'Status': 'ACTIVE'|'CREATING'|'DELETING',
    'ResolvedCidrCount': 123,
    'LastUpdatedTime': datetime(2015, 1, 1),
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'UpdateToken': 'string'
}

Response Structure

  • (dict) --

    • ContainerAssociationName (string) --

      The descriptive name of the container association.

    • ContainerAssociationArn (string) --

      The Amazon Resource Name (ARN) of the container association.

    • Description (string) --

      A description of the container association.

    • Type (string) --

      The type of container orchestration platform. Either ECS or EKS.

    • ContainerMonitoringConfigurations (list) --

      The container monitoring configurations for this container association.

      • (dict) --

        Defines a container cluster to monitor, along with optional attribute filters that narrow the scope of monitored containers within the cluster.

        • ClusterArn (string) --

          The Amazon Resource Name (ARN) of the container cluster to monitor.

        • AttributeFilters (list) --

          A list of key-value pairs that filter which containers within the cluster are monitored. Only containers that match the specified attributes are included.

          • (dict) --

            A key-value pair that defines a container attribute filter for a container monitoring configuration.

            • Key (string) --

              The key of the container attribute to filter on.

            • Value (string) --

              The value of the container attribute to filter on.

    • Status (string) --

      The current status of the container association.

    • ResolvedCidrCount (integer) --

      The number of CIDR blocks that have been resolved from the monitored containers for this container association.

    • LastUpdatedTime (datetime) --

      The last time that the container association was updated or resolved new container IP addresses.

    • Tags (list) --

      The key:value pairs associated with the resource.

      • (dict) --

        A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each Amazon Web Services resource.

        • Key (string) --

          The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as "customer." Tag keys are case-sensitive.

        • Value (string) --

          The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as "companyA" or "companyB." Tag values are case-sensitive.

    • UpdateToken (string) --

      A token used for optimistic locking. Network Firewall returns a token to your requests that access the container association. The token marks the state of the container association resource at the time of the request.

UpdateContainerAssociation (new)

Updates the properties of an existing container association. Use this to modify the container monitoring configurations or description.

See also: AWS API Documentation

Request Syntax

client.update_container_association(
    ContainerAssociationName='string',
    ContainerAssociationArn='string',
    Description='string',
    Type='ECS'|'EKS',
    ContainerMonitoringConfigurations=[
        {
            'ClusterArn': 'string',
            'AttributeFilters': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    UpdateToken='string'
)
type ContainerAssociationName:

string

param ContainerAssociationName:

The descriptive name of the container association. You must specify the ARN or the name, and you can specify both.

type ContainerAssociationArn:

string

param ContainerAssociationArn:

The Amazon Resource Name (ARN) of the container association. You must specify the ARN or the name, and you can specify both.

type Description:

string

param Description:

A description of the container association.

type Type:

string

param Type:

[REQUIRED]

The type of container orchestration platform. This must match the type specified when the container association was created.

type ContainerMonitoringConfigurations:

list

param ContainerMonitoringConfigurations:

[REQUIRED]

The updated list of container monitoring configurations that define which clusters and container attributes to monitor.

  • (dict) --

    Defines a container cluster to monitor, along with optional attribute filters that narrow the scope of monitored containers within the cluster.

    • ClusterArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) of the container cluster to monitor.

    • AttributeFilters (list) --

      A list of key-value pairs that filter which containers within the cluster are monitored. Only containers that match the specified attributes are included.

      • (dict) --

        A key-value pair that defines a container attribute filter for a container monitoring configuration.

        • Key (string) -- [REQUIRED]

          The key of the container attribute to filter on.

        • Value (string) -- [REQUIRED]

          The value of the container attribute to filter on.

type Tags:

list

param Tags:

The key:value pairs associated with the resource.

  • (dict) --

    A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each Amazon Web Services resource.

    • Key (string) -- [REQUIRED]

      The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as "customer." Tag keys are case-sensitive.

    • Value (string) -- [REQUIRED]

      The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as "companyA" or "companyB." Tag values are case-sensitive.

type UpdateToken:

string

param UpdateToken:

[REQUIRED]

A token used for optimistic locking. Network Firewall returns a token to your requests that access the container association. The token marks the state of the container association resource at the time of the request. To make an update to the container association, provide the token in your request. Network Firewall uses the token to ensure that the container association hasn't changed since you last retrieved it. If it has changed, the operation fails with an InvalidTokenException. If this happens, retrieve the container association again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token.

rtype:

dict

returns:

Response Syntax

{
    'ContainerAssociationName': 'string',
    'ContainerAssociationArn': 'string',
    'Description': 'string',
    'Type': 'ECS'|'EKS',
    'ContainerMonitoringConfigurations': [
        {
            'ClusterArn': 'string',
            'AttributeFilters': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    'Status': 'ACTIVE'|'CREATING'|'DELETING',
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'UpdateToken': 'string'
}

Response Structure

  • (dict) --

    • ContainerAssociationName (string) --

      The descriptive name of the container association.

    • ContainerAssociationArn (string) --

      The Amazon Resource Name (ARN) of the container association.

    • Description (string) --

      A description of the container association.

    • Type (string) --

      The type of container orchestration platform. Either ECS or EKS.

    • ContainerMonitoringConfigurations (list) --

      The container monitoring configurations for this container association.

      • (dict) --

        Defines a container cluster to monitor, along with optional attribute filters that narrow the scope of monitored containers within the cluster.

        • ClusterArn (string) --

          The Amazon Resource Name (ARN) of the container cluster to monitor.

        • AttributeFilters (list) --

          A list of key-value pairs that filter which containers within the cluster are monitored. Only containers that match the specified attributes are included.

          • (dict) --

            A key-value pair that defines a container attribute filter for a container monitoring configuration.

            • Key (string) --

              The key of the container attribute to filter on.

            • Value (string) --

              The value of the container attribute to filter on.

    • Status (string) --

      The current status of the container association.

    • Tags (list) --

      The key:value pairs associated with the resource.

      • (dict) --

        A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each Amazon Web Services resource.

        • Key (string) --

          The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as "customer." Tag keys are case-sensitive.

        • Value (string) --

          The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as "companyA" or "companyB." Tag values are case-sensitive.

    • UpdateToken (string) --

      A token used for optimistic locking. Network Firewall returns a token to your requests that access the container association. The token marks the state of the container association resource at the time of the request.

CreateContainerAssociation (new)

Creates a container association for Network Firewall. A container association links container clusters (ECS or EKS) to Network Firewall, enabling dynamic IP resolution for firewall rules based on container attributes.

To manage a container association's tags, use the standard Amazon Web Services resource tagging operations, ListTagsForResource, TagResource, and UntagResource.

To retrieve information about container associations, use ListContainerAssociations and DescribeContainerAssociation.

See also: AWS API Documentation

Request Syntax

client.create_container_association(
    ContainerAssociationName='string',
    Description='string',
    Type='ECS'|'EKS',
    ContainerMonitoringConfigurations=[
        {
            'ClusterArn': 'string',
            'AttributeFilters': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
type ContainerAssociationName:

string

param ContainerAssociationName:

[REQUIRED]

The descriptive name of the container association. You can't change the name of a container association after you create it.

type Description:

string

param Description:

A description of the container association.

type Type:

string

param Type:

[REQUIRED]

The type of container orchestration platform for the clusters in this association. Valid values are ECS and EKS. You can't change the type after creation.

type ContainerMonitoringConfigurations:

list

param ContainerMonitoringConfigurations:

[REQUIRED]

The list of container monitoring configurations that define which clusters and container attributes to monitor.

  • (dict) --

    Defines a container cluster to monitor, along with optional attribute filters that narrow the scope of monitored containers within the cluster.

    • ClusterArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) of the container cluster to monitor.

    • AttributeFilters (list) --

      A list of key-value pairs that filter which containers within the cluster are monitored. Only containers that match the specified attributes are included.

      • (dict) --

        A key-value pair that defines a container attribute filter for a container monitoring configuration.

        • Key (string) -- [REQUIRED]

          The key of the container attribute to filter on.

        • Value (string) -- [REQUIRED]

          The value of the container attribute to filter on.

type Tags:

list

param Tags:

The key:value pairs to associate with the resource.

  • (dict) --

    A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each Amazon Web Services resource.

    • Key (string) -- [REQUIRED]

      The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as "customer." Tag keys are case-sensitive.

    • Value (string) -- [REQUIRED]

      The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as "companyA" or "companyB." Tag values are case-sensitive.

rtype:

dict

returns:

Response Syntax

{
    'ContainerAssociationName': 'string',
    'ContainerAssociationArn': 'string',
    'Description': 'string',
    'Type': 'ECS'|'EKS',
    'ContainerMonitoringConfigurations': [
        {
            'ClusterArn': 'string',
            'AttributeFilters': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    'Status': 'ACTIVE'|'CREATING'|'DELETING',
    'Tags': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'UpdateToken': 'string'
}

Response Structure

  • (dict) --

    • ContainerAssociationName (string) --

      The descriptive name of the container association.

    • ContainerAssociationArn (string) --

      The Amazon Resource Name (ARN) of the container association.

    • Description (string) --

      A description of the container association.

    • Type (string) --

      The type of container orchestration platform. Either ECS or EKS.

    • ContainerMonitoringConfigurations (list) --

      The container monitoring configurations for this container association.

      • (dict) --

        Defines a container cluster to monitor, along with optional attribute filters that narrow the scope of monitored containers within the cluster.

        • ClusterArn (string) --

          The Amazon Resource Name (ARN) of the container cluster to monitor.

        • AttributeFilters (list) --

          A list of key-value pairs that filter which containers within the cluster are monitored. Only containers that match the specified attributes are included.

          • (dict) --

            A key-value pair that defines a container attribute filter for a container monitoring configuration.

            • Key (string) --

              The key of the container attribute to filter on.

            • Value (string) --

              The value of the container attribute to filter on.

    • Status (string) --

      The current status of the container association.

    • Tags (list) --

      The key:value pairs associated with the resource.

      • (dict) --

        A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each Amazon Web Services resource.

        • Key (string) --

          The part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as "customer." Tag keys are case-sensitive.

        • Value (string) --

          The part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as "companyA" or "companyB." Tag values are case-sensitive.

    • UpdateToken (string) --

      A token used for optimistic locking. Network Firewall returns a token to your requests that access the container association. The token marks the state of the container association resource at the time of the request. To make an update to the container association, provide the token in your request. Network Firewall uses the token to ensure that the container association hasn't changed since you last retrieved it. If it has changed, the operation fails with an InvalidTokenException. If this happens, retrieve the container association again to get a current copy of it with a new token. Reapply your changes as needed, then try the operation again using the new token.
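The UpdateToken procedure described above (for the UpdateContainerAssociation request and again in the CreateContainerAssociation response) as a describe-update-retry loop, written as an added example that is not boto3's or AWS's own code. It assumes a client exposing describe_container_association() and update_container_association() with the shapes on this page; a constructed in-memory fake stands in for boto3.client('network-firewall') so the block runs offline, and the ARN resource-type segment it builds is a placeholder.

```python
"""Optimistic-locking update loop for a Network Firewall container association.

Added example, not boto3 or AWS code. Errors mirror the shape of
botocore.exceptions.ClientError (exc.response["Error"]["Code"]), so the same
update_monitoring_configs() works against a real boto3 client.
"""
import secrets
from typing import Any, Dict, List


def error_code(exc: BaseException) -> str:
    """Error code of a ClientError-shaped exception ('' for anything else)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def update_monitoring_configs(client, name: str, configs: List[Dict[str, Any]],
                              max_attempts: int = 3) -> Dict[str, Any]:
    """Describe, update with the current UpdateToken, retry on InvalidTokenException.

    Type is re-sent unchanged: it is [REQUIRED] and must match the creation type.
    """
    for attempt in range(1, max_attempts + 1):
        current = client.describe_container_association(ContainerAssociationName=name)
        try:
            return client.update_container_association(
                ContainerAssociationName=name,
                Type=current["Type"],
                Description=current.get("Description", ""),
                ContainerMonitoringConfigurations=configs,
                UpdateToken=current["UpdateToken"],
            )
        except Exception as exc:
            # Another writer changed the association after our describe call:
            # drop the stale token and re-read instead of overwriting blindly.
            if error_code(exc) != "InvalidTokenException" or attempt == max_attempts:
                raise
    raise AssertionError("max_attempts must be >= 1")


class FakeClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""
    def __init__(self, code: str, message: str) -> None:
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeNetworkFirewall:
    """Constructed fake service: one association, token check, simulated races."""
    def __init__(self, name: str, assoc_type: str, configs, races: int = 0) -> None:
        self.races = races      # updates a competing writer wins before ours
        self.attempts = 0
        self.state = {          # ARN resource-type segment is a placeholder
            "ContainerAssociationName": name,
            "ContainerAssociationArn": f"arn:aws:network-firewall:REGION:ACCOUNT:container-association/{name}",
            "Description": "",
            "Type": assoc_type,
            "ContainerMonitoringConfigurations": configs,
            "Status": "ACTIVE",
            "UpdateToken": secrets.token_hex(8),
        }

    def describe_container_association(self, **kw) -> Dict[str, Any]:
        return dict(self.state)

    def update_container_association(self, **kw) -> Dict[str, Any]:
        self.attempts += 1
        if self.races > 0:      # competing writer committed between describe and update
            self.races -= 1
            self.state["UpdateToken"] = secrets.token_hex(8)
        if kw["UpdateToken"] != self.state["UpdateToken"]:
            raise FakeClientError("InvalidTokenException", "association changed since last read")
        self.state.update(Description=kw.get("Description", ""),
                          ContainerMonitoringConfigurations=kw["ContainerMonitoringConfigurations"],
                          UpdateToken=secrets.token_hex(8))
        return dict(self.state)
```

With a real client, replace FakeNetworkFirewall with boto3.client('network-firewall') and catch botocore.exceptions.ClientError; the loop body is unchanged.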