What happened
Published July 1, 2026: AWS Network Firewall now supports container attribute-based rules for Amazon EKS and ECS clusters, enabling security policies keyed to container metadata (pod labels, task definitions, image tags). The AWS blog explicitly calls out AI/ML workloads as a primary use case, allowing teams to microsegment model-serving containers, agent runtimes, and data-pipeline containers from other workloads without per-IP rule management.
Why it matters
Closes a long-standing gap for AI/ML workload isolation on AWS: previously, network-level rules couldn't distinguish between an LLM inference container and a general app container sharing the same node. Container-attribute rules enable least-privilege network policies for agent runtimes without manual IP tracking.
Applicability
AWS customers running AI/ML workloads on EKS or ECS should evaluate container attribute-based rules as a replacement for overly broad security group rules; this is especially relevant for teams running agentic runtimes (AWS Bedrock AgentCore, custom LangChain containers) alongside sensitive data services.