Today, AWS announces container attribute-based rules for AWS Network Firewall, a capability that simplifies how you secure containerized workloads, including generative AI applications, running on Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Elastic Container Service (Amazon ECS). You can now write firewall policies using native container constructs such as Namespace, Cluster Name, and Labels for Amazon EKS, and Cluster Name and Container Instance Attributes for Amazon ECS, instead of managing complex IP-based rules that break every time pods scale or restart. As organizations accelerate adoption of generative AI on Amazon EKS and Amazon ECS, this feature delivers the enterprise-grade network security controls needed to protect these dynamic, rapidly evolving environments.
With container attribute-based rules, you can apply TLS decryption for deep packet inspection of encrypted traffic, FQDN-based filtering to restrict specific pods to approved domains, URL category filtering, and GeoIP filtering—all automatically adapting as your containers scale. The native integration between AWS Network Firewall, Amazon EKS, and Amazon ECS enables centralized, multi-cluster security, helping you meet business and regulatory compliance.
Container attribute-based inspection is available at no additional cost as part of AWS Network Firewall. For a full list of supported regions, visit the AWS Capabilities by Region page.
To get started, visit the AWS Network Firewall product page and service documentation.