Cloud NGFW for AWS Deployment Architectures



  1. Distributed Deployment Architecture

In a distributed deployment architecture, a Cloud NGFW endpoint is deployed in each availability zone of the VPC, and the VPC route tables send traffic entering or leaving each subnet to the endpoint in that subnet's AZ, where the Cloud NGFW resource inspects it and enforces policy. Because traffic never has to cross an AZ to reach an endpoint, the routing in each AZ stays simple and self-contained, which reduces the chance of a misconfiguration and limits the impact of one to a single AZ.

 

[Image] Figure 1: Cloud NGFW Distributed Deployment Architecture



  • Protect Inbound Traffic to a VPC 

 

[Image] Figure 2: Cloud NGFW is deployed to protect Inbound Traffic from Internet (Single AZ)



 

[Image] Figure 3: Cloud NGFW is deployed to protect Inbound Traffic from Internet (Multiple AZ)



 

  • Protect Outbound Traffic to Internet

 

[Image] Figure 4: Cloud NGFW is deployed to protect Outbound Traffic to Internet (Single AZ)

 

 

 

[Image] Figure 5: Cloud NGFW is deployed to protect Outbound Traffic to Internet (Multiple AZ)

 

 

 

  • Protect Traffic between two Subnets in a VPC

 

[Image] Figure 6: Cloud NGFW is deployed to protect traffic between two Subnets in a VPC (Single AZ)

 

 

[Image] Figure 7: Cloud NGFW is deployed to protect traffic between two Subnets in a VPC (Multiple AZ)
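The per-AZ routing that Figures 2 to 7 depict, written out as an added worked example (Python; this is not code from the article or from Palo Alto Networks): it builds the route tables for one VPC in the distributed model and includes a check that no route hands a subnet's traffic to the endpoint of another AZ, which is the property the model relies on. Assumptions, labelled in the code as well: Cloud NGFW endpoints are addressed like AWS Gateway Load Balancer VPC endpoints (vpce- IDs), one per AZ; inbound steering uses an IGW ingress (edge) route table and subnet-to-subnet inspection uses routes more specific than the VPC local route, following AWS middlebox routing; all subnet names, CIDRs, endpoint and IGW IDs are constructed.

```python
"""Route-table plan for the distributed Cloud NGFW model (added example).

Not code from the original article or from Palo Alto Networks. Assumptions:
Cloud NGFW endpoints are addressed like AWS Gateway Load Balancer VPC endpoints
(vpce-... IDs), one per AZ; inbound steering uses an IGW ingress (edge) route
table and subnet-to-subnet inspection uses routes more specific than the VPC
local route. All names, CIDRs and IDs below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subnet:
    name: str
    az: str
    cidr: str


@dataclass
class RouteTable:
    name: str
    association: str        # subnet name, or "igw" for the edge (ingress) table
    az: str                 # AZ of the associated subnet; "" for the edge table
    routes: list = field(default_factory=list)   # (destination CIDR, target ID)


def distributed_plan(igw_id, endpoints, app_subnets, fw_subnets):
    """Build route tables for inbound, outbound and subnet-to-subnet inspection.

    endpoints:  {az: endpoint_id}, one Cloud NGFW endpoint per AZ.
    fw_subnets: {az: Subnet} holding that AZ's endpoint.
    Every route targets only the endpoint of its own AZ, which is what keeps a
    misconfiguration or failure contained to one AZ.
    """
    tables = []

    # Edge table associated with the IGW: Internet -> app subnet packets are
    # steered to the endpoint in the same AZ as the destination subnet.
    edge = RouteTable("igw-ingress-rt", "igw", "")
    for s in app_subnets:
        edge.routes.append((s.cidr, endpoints[s.az]))
    tables.append(edge)

    # One table per app subnet: default route to the local endpoint (outbound and
    # inbound return traffic), plus a more-specific route for each other app
    # subnet in the same AZ so subnet-to-subnet traffic is inspected as well.
    for s in app_subnets:
        rt = RouteTable(f"{s.name}-rt", s.name, s.az, [("0.0.0.0/0", endpoints[s.az])])
        for other in app_subnets:
            if other is not s and other.az == s.az:
                rt.routes.append((other.cidr, endpoints[s.az]))
        tables.append(rt)

    # Firewall subnet tables: inspected traffic leaves through the IGW; the
    # implicit VPC local route carries returning packets back to app subnets.
    for az, fs in fw_subnets.items():
        tables.append(RouteTable(f"{fs.name}-rt", fs.name, az, [("0.0.0.0/0", igw_id)]))
    return tables


def cross_az_violations(tables, endpoints, app_subnets):
    """Return (table, destination, target) for every route that hands traffic
    to an endpoint in a different AZ than the subnet it serves."""
    endpoint_az = {vpce: az for az, vpce in endpoints.items()}
    cidr_az = {s.cidr: s.az for s in app_subnets}
    bad = []
    for t in tables:
        for dest, target in t.routes:
            if target not in endpoint_az:
                continue   # IGW or other non-endpoint target
            # Edge table: the AZ that matters is the destination subnet's;
            # subnet table: the AZ of the associated subnet.
            expect = cidr_az.get(dest) if t.association == "igw" else t.az
            if expect is not None and endpoint_az[target] != expect:
                bad.append((t.name, dest, target))
    return bad


# Constructed two-AZ layout with illustrative IDs.
ENDPOINTS = {"us-east-1a": "vpce-0aaa", "us-east-1b": "vpce-0bbb"}
APP_SUBNETS = [
    Subnet("web-1a", "us-east-1a", "10.0.1.0/24"),
    Subnet("db-1a", "us-east-1a", "10.0.2.0/24"),
    Subnet("web-1b", "us-east-1b", "10.0.11.0/24"),
]
FW_SUBNETS = {
    "us-east-1a": Subnet("fw-1a", "us-east-1a", "10.0.250.0/28"),
    "us-east-1b": Subnet("fw-1b", "us-east-1b", "10.0.250.16/28"),
}
PLAN = distributed_plan("igw-0123", ENDPOINTS, APP_SUBNETS, FW_SUBNETS)

if __name__ == "__main__":
    for t in PLAN:
        print(f"{t.name} (assoc: {t.association})")
        for dest, target in t.routes:
            print(f"    {dest:16} -> {target}")
    print("cross-AZ violations:", cross_az_violations(PLAN, ENDPOINTS, APP_SUBNETS))
```

The plan deliberately only adds subnet-to-subnet routes between subnets in the same AZ; traffic between subnets in different AZs would need the two endpoints to agree on which firewall sees both directions, which this example does not model. Running `cross_az_violations` over a plan exported from a real account (by translating the route tables into the same tuples) is the quickest way to spot the AZ hairpin that silently defeats the "limited scope of impact" promise.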

 


  2. Centralized Deployment Architecture

 

In a centralized deployment, a dedicated security VPC attached to an AWS Transit Gateway (TGW) provides a single point at which to manage access control and threat prevention for East-West traffic between VPCs and between VPCs and on-premises networks. The same security VPC can also inspect outbound and inbound Internet traffic (Figures 9 to 12).

 

When you create the Cloud NGFW, you specify the security VPC and the firewall subnet(s); the Cloud NGFW endpoints are deployed in those firewall subnets. Each Transit Gateway attachment subnet needs its own dedicated VPC route table, so that traffic arriving from the TGW in a given AZ is forwarded to the Cloud NGFW endpoint in that same AZ.

These route tables carry a default route (0.0.0.0/0) that points to the NGFW endpoint in the same AZ. Do not let a TGW subnet fall back to the VPC main route table or share a table with a TGW subnet in another AZ; either way the per-AZ forwarding this design depends on is lost.

 

Note: To ensure that the Cloud NGFW can inspect traffic that is routed between VPC attachments, you must enable appliance mode on the transit gateway VPC attachment for the security VPC. Appliance mode makes the TGW keep both directions of a flow in the same AZ for the life of the flow, so a request and its return traffic reach the same Cloud NGFW endpoint; without it, return traffic can enter the security VPC in a different AZ and the asymmetric flow is not inspected correctly.
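An audit of the two routing invariants described above, as an added example (Python; not code from the article or from Palo Alto Networks): it walks data shaped like the EC2 DescribeSubnets, DescribeRouteTables, DescribeVpcEndpoints and DescribeTransitGatewayVpcAttachments responses and reports any TGW attachment subnet that lacks its own route table, shares one, has no default route, has a default route that does not target an endpoint, or targets an endpoint in a different AZ, plus an attachment with appliance mode off. The sample data is constructed, with one AZ deliberately mis-routed and appliance mode disabled so the audit has something to find; that GWLB endpoint route targets appear under `GatewayId` in the route-table output is my assumption, as are all IDs.

```python
"""Audit of the centralized Cloud NGFW routing invariants (added example).

Not code from the original article or from Palo Alto Networks. Input dicts are
shaped like the EC2 DescribeSubnets, DescribeRouteTables, DescribeVpcEndpoints
and DescribeTransitGatewayVpcAttachments responses, modelling only the fields
used here; that GWLB endpoint route targets appear under "GatewayId" is my
assumption. All IDs below are constructed.
"""


def audit_centralized(subnets, route_tables, endpoints, attachment):
    """Return (code, detail) findings; an empty list means the invariants hold.

    Checked: appliance mode on the security VPC's TGW attachment, and for each
    TGW attachment subnet a dedicated route table whose 0.0.0.0/0 route points
    to the Cloud NGFW endpoint in the same AZ.
    """
    findings = []

    def add(code, detail):
        if (code, detail) not in findings:
            findings.append((code, detail))

    # Appliance mode keeps both directions of a flow in one AZ, and so on one
    # endpoint; without it the return path may enter the VPC in another AZ.
    if attachment.get("Options", {}).get("ApplianceModeSupport") != "enable":
        add("appliance-mode-disabled", attachment["TransitGatewayAttachmentId"])

    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    # A GWLB-type endpoint lives in one subnet; map each to that subnet's AZ.
    endpoint_az = {e["VpcEndpointId"]: subnet_az[e["SubnetIds"][0]]
                   for e in endpoints if e["VpcEndpointType"] == "GatewayLoadBalancer"}

    # Explicit subnet -> route table associations. A subnet without one falls
    # back to the main table, which is never "dedicated".
    assoc = {}
    for rt in route_tables:
        for a in rt.get("Associations", []):
            if "SubnetId" in a:
                assoc[a["SubnetId"]] = rt

    tgw_subnets = attachment["SubnetIds"]
    users = {}
    for sid in tgw_subnets:
        if sid in assoc:
            users.setdefault(assoc[sid]["RouteTableId"], []).append(sid)

    for sid in tgw_subnets:
        rt = assoc.get(sid)
        if rt is None:
            add("no-dedicated-route-table", sid)
            continue
        if len(users[rt["RouteTableId"]]) > 1:
            add("route-table-shared", rt["RouteTableId"])
        default = [r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        if not default:
            add("no-default-route", sid)
            continue
        target = default[0].get("GatewayId")   # assumption: vpce target shows up here
        if target not in endpoint_az:
            add("default-route-not-to-endpoint", sid)
        elif endpoint_az[target] != subnet_az[sid]:
            add("cross-az-default-route", sid)
    return findings


# Constructed sample: AZ a is correct; AZ b's TGW subnet is mis-routed to AZ a's
# endpoint and appliance mode is off, so the audit has something to report.
SUBNETS = [
    {"SubnetId": "subnet-tgw-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-tgw-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-fw-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-fw-b", "AvailabilityZone": "us-east-1b"},
]
ENDPOINTS = [
    {"VpcEndpointId": "vpce-fw-a", "VpcEndpointType": "GatewayLoadBalancer", "SubnetIds": ["subnet-fw-a"]},
    {"VpcEndpointId": "vpce-fw-b", "VpcEndpointType": "GatewayLoadBalancer", "SubnetIds": ["subnet-fw-b"]},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-tgw-a", "Associations": [{"SubnetId": "subnet-tgw-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-fw-a"}]},
    {"RouteTableId": "rtb-tgw-b", "Associations": [{"SubnetId": "subnet-tgw-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-fw-a"}]},  # wrong AZ
]
ATTACHMENT = {"TransitGatewayAttachmentId": "tgw-attach-0sec", "VpcId": "vpc-0sec",
              "SubnetIds": ["subnet-tgw-a", "subnet-tgw-b"],
              "Options": {"ApplianceModeSupport": "disable"}}
FINDINGS = audit_centralized(SUBNETS, ROUTE_TABLES, ENDPOINTS, ATTACHMENT)

if __name__ == "__main__":
    for code, detail in FINDINGS:
        print(f"{code}: {detail}")
```

To run it against a live security VPC, feed in the corresponding boto3 `describe_*` results for that VPC and its TGW attachment; the finding codes are fixed strings, so the script can gate a deployment pipeline rather than only print.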



 

[Image] Figure 8: Cloud NGFW Centralized Deployment Architecture

 

 

 

  • Protect Outbound Traffic to Internet 


[Image] Figure 9: Cloud NGFW is deployed to protect outbound traffic to Internet (Single AZ)

 

 

 

 

[Image] Figure 10: Cloud NGFW is deployed to protect outbound traffic to Internet (Multiple AZ)

 

 

  • Protect Inbound Traffic to a VPC



[Image] Figure 11: Cloud NGFW is deployed to protect inbound traffic to a VPC (Single AZ)




[Image] Figure 12: Cloud NGFW is deployed to protect inbound traffic to a VPC (Multiple AZ)

 

 

  • Protect East-West Traffic between VPCs


[Image] Figure 13: Cloud NGFW is deployed to protect East-West Traffic between VPCs (Single AZ)

 

 

[Image] Figure 14: Cloud NGFW is deployed to protect East-West Traffic between VPCs (Multiple AZ)

Last update: 11-07-2022 09:42 AM