New Deployment Model: Integrating Cloud NGFW for AWS with Regional NAT Gateway

AWS recently launched the Regional NAT Gateway, an option that simplifies outbound traffic handling in Virtual Private Clouds (VPCs). For customers using Cloud NGFW for AWS, this feature reduces architectural overhead, increases resiliency, and maintains a strong security posture for egress traffic.

This post details how Cloud NGFW uses the Regional NAT Gateway to establish a scalable, secure outbound inspection architecture.

Cloud NGFW for AWS: Outbound Security Control

Cloud NGFW for AWS is a managed, cloud-native firewall service that delivers:

  • Threat Prevention
  • URL Filtering
  • App-ID
  • Outbound policy controls
  • Logging and monitoring (via Amazon CloudWatch, Panorama or SCM)

Cloud NGFW acts as the primary inspection layer for outbound traffic. The VPC routing table directs internet-bound flows from workloads to Cloud NGFW endpoints (vpce-xxxx). The firewall inspects the traffic using Palo Alto Networks security services and forwards permitted traffic to the next-hop egress component.

Historically, this next hop required a Network Address Translation (NAT) Gateway in every Availability Zone (AZ). The Regional NAT Gateway replaces this requirement with a single regional resource.

The Shift from Zonal to Regional Egress

Legacy egress architectures utilizing Cloud NGFW required specific infrastructure per AZ:

  • One Cloud NGFW endpoint
  • One NAT Gateway
  • One route table
  • Specific coordination to prevent asymmetric routing

This approach demanded significant infrastructure management. The Regional NAT Gateway consolidates the NAT layer while Cloud NGFW retains its role as the inspection point.

Key architectural changes:

  1. Consolidated NAT Layer: You deploy one Regional NAT Gateway instead of multiple zonal NAT Gateways.
  2. Preserved Inspection: Cloud NGFW endpoints continue to enforce security policies.
  3. Aligned Availability: The Regional NAT Gateway matches the Cloud NGFW multi-AZ endpoint design, abstracting AZ-level complexity from the routing configuration.

Architecture: Cloud NGFW as the Enforcement Layer

In this architecture, Cloud NGFW enforces mandatory policies for all outbound traffic, while the Regional NAT Gateway handles address translation.

Outbound Traffic Flow:

  1. Workload to Firewall: The workload subnet routes 0.0.0.0/0 to the Cloud NGFW Endpoint (vpce-xxxx).
  2. Inspection: Cloud NGFW performs Threat Prevention, URL Filtering, App-ID controls, and logging.
  3. Firewall to NAT: Cloud NGFW forwards inspected traffic to the Regional NAT Gateway.
  4. NAT to Internet: The Regional NAT Gateway performs Source NAT (SNAT) and routes traffic to the Internet Gateway.

Return traffic traverses the same path, maintaining session consistency.

Architectural Diagram

[Architecture diagram: image not reproduced in this text]

Note: Recommended only for the Distributed Deployment Model.

Benefits for Cloud NGFW Deployments

1. Simplified Routing Configuration

Cloud NGFW endpoints operate at the AZ level. Previously, this required matching per-AZ NAT gateways and route tables. Regional NAT Gateway removes this dependency. Administrators configure a single route from the firewall endpoints to the Regional NAT Gateway, regardless of the originating AZ.

2. Regional Resiliency

Cloud NGFW ensures high availability by provisioning endpoints in each AZ. The Regional NAT Gateway provides built-in regional resiliency. If a specific AZ becomes unhealthy, the NAT layer remains available, preventing traffic blackholes.

The Regional NAT Gateway supports a single NAT resource for the entire region, simplifying Resource Access Manager (RAM) sharing and multi-account setups.

Implementation Steps

Follow these steps to integrate Cloud NGFW with a Regional NAT Gateway.

  1. Deploy Cloud NGFW

From the SCM console, create the Cloud NGFW instance. This provisions the NGFW endpoints in your selected Availability Zones.

  2. Deploy Regional NAT Gateway

In the Amazon VPC Console:

  • Navigate to NAT Gateways.
  • Select Create NAT Gateway.
  • Choose the Regional connectivity type.
  • Attach an Elastic IP.
  • Select the VPC.

  3. Route Workload Traffic to Cloud NGFW

Update the workload subnet route tables to direct default traffic (0.0.0.0/0) to the Cloud NGFW Endpoint ID (vpce-xxxx) specific to that AZ.

  4. Route Cloud NGFW Endpoints to Regional NAT Gateway

Update the route table associated with the Cloud NGFW endpoint subnets:

  • Destination: 0.0.0.0/0
  • Target: nat-xxxx (The ID of your new Regional NAT Gateway)
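The two routing steps above (workload subnet to same-AZ Cloud NGFW endpoint, endpoint subnet to the Regional NAT Gateway) and the asymmetric-routing caveat from the zonal design can be verified offline against the output of describe-route-tables. The script below is an added example written for this article, not code from the article itself or from Palo Alto Networks. All subnet, endpoint, NAT Gateway and route table IDs are constructed placeholders; the route table dictionaries mirror the shape that `aws ec2 describe-route-tables` and boto3 return. It reports a workload subnet whose default route skips the Cloud NGFW endpoint, a workload subnet pointed at an endpoint in a different AZ, and a firewall endpoint subnet whose default route is not the Regional NAT Gateway; `plan_routes` builds the parameters for the two create_route calls without contacting AWS.

```python
"""Offline audit of the VPC routing that the Cloud NGFW + Regional NAT Gateway
egress path depends on. Input shapes mirror `aws ec2 describe-route-tables`;
everything below is constructed sample data with placeholder (hypothetical) IDs."""
from __future__ import annotations

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed inventory: which subnets hold workloads, which hold the Cloud NGFW
# endpoints, and the AZ each Cloud NGFW endpoint (vpce-*) lives in.
SUBNETS = {
    "subnet-work-a": {"az": "us-east-1a", "role": "workload"},
    "subnet-work-b": {"az": "us-east-1a", "role": "workload"},
    "subnet-work-c": {"az": "us-east-1b", "role": "workload"},
    "subnet-fw-a": {"az": "us-east-1a", "role": "firewall"},
    "subnet-fw-b": {"az": "us-east-1b", "role": "firewall"},
}
ENDPOINTS = {"vpce-fw-a": "us-east-1a", "vpce-fw-b": "us-east-1b"}
NAT_GATEWAY = "nat-regional-1"  # placeholder for the Regional NAT Gateway ID


def _local(cidr: str = "10.0.0.0/16") -> dict:
    return {"DestinationCidrBlock": cidr, "GatewayId": "local", "State": "active"}


# Constructed route tables in describe-route-tables shape. Two workload tables are
# deliberately wrong so the audit has something to report.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-work-a", "Associations": [{"SubnetId": "subnet-work-a"}],
     "Routes": [_local(), {"DestinationCidrBlock": DEFAULT_ROUTE, "VpcEndpointId": "vpce-fw-a", "State": "active"}]},
    # Bypass: default route goes straight to the NAT Gateway, skipping inspection.
    {"RouteTableId": "rtb-work-b", "Associations": [{"SubnetId": "subnet-work-b"}],
     "Routes": [_local(), {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": NAT_GATEWAY, "State": "active"}]},
    # Cross-AZ: a us-east-1b subnet sends traffic to the us-east-1a endpoint.
    {"RouteTableId": "rtb-work-c", "Associations": [{"SubnetId": "subnet-work-c"}],
     "Routes": [_local(), {"DestinationCidrBlock": DEFAULT_ROUTE, "VpcEndpointId": "vpce-fw-a", "State": "active"}]},
    # Firewall endpoint subnets: one table, default route to the Regional NAT Gateway.
    {"RouteTableId": "rtb-fw", "Associations": [{"SubnetId": "subnet-fw-a"}, {"SubnetId": "subnet-fw-b"}],
     "Routes": [_local(), {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": NAT_GATEWAY, "State": "active"}]},
]

TARGET_KEYS = ("VpcEndpointId", "NatGatewayId", "GatewayId", "TransitGatewayId",
               "NetworkInterfaceId", "InstanceId")


def default_route(table: dict) -> dict | None:
    """Return the active 0.0.0.0/0 route of a route table, or None if it has none."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE and route.get("State", "active") == "active":
            return route
    return None


def route_target(route: dict) -> str:
    """Readable target of a route, whichever target key it carries."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return "unknown"


def audit_routes(route_tables: list, subnets: dict, endpoints: dict, nat_gateway_id: str) -> list:
    """Check every subnet-associated route table against the two-hop design:
    workload -> same-AZ Cloud NGFW endpoint -> Regional NAT Gateway.
    Returns (route_table_id, subnet_id, message) tuples; an empty list means clean."""
    findings = []
    for table in route_tables:
        rtb = table["RouteTableId"]
        route = default_route(table)
        for assoc in table.get("Associations", []):
            subnet_id = assoc.get("SubnetId")
            if subnet_id is None or subnet_id not in subnets:
                continue  # main-table association, or a subnet outside this inventory
            info = subnets[subnet_id]
            if info["role"] == "workload":
                if route is None:
                    findings.append((rtb, subnet_id, "no default route: workload has no egress path"))
                elif "VpcEndpointId" not in route:
                    findings.append((rtb, subnet_id, f"default route bypasses Cloud NGFW (target {route_target(route)})"))
                elif endpoints.get(route["VpcEndpointId"]) != info["az"]:
                    findings.append((rtb, subnet_id, f"default route to {route['VpcEndpointId']} in another AZ: asymmetric routing risk"))
            elif info["role"] == "firewall":
                if route is None or route.get("NatGatewayId") != nat_gateway_id:
                    found = route_target(route) if route else "none"
                    findings.append((rtb, subnet_id, f"firewall subnet default route must target {nat_gateway_id}, found {found}"))
    return findings


def plan_routes(workload_tables: dict, endpoints: dict, firewall_table: str, nat_gateway_id: str) -> list:
    """Build the create_route parameters for steps 3 and 4: one entry per workload
    route table (to the Cloud NGFW endpoint in its own AZ) and one for the firewall
    endpoint table (to the Regional NAT Gateway). Each dict can be passed as keyword
    arguments to boto3's ec2.create_route(); this function makes no AWS calls."""
    endpoint_by_az = {az: vpce for vpce, az in endpoints.items()}
    plan = [{"RouteTableId": rtb, "DestinationCidrBlock": DEFAULT_ROUTE, "VpcEndpointId": endpoint_by_az[az]}
            for rtb, az in workload_tables.items()]
    plan.append({"RouteTableId": firewall_table, "DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": nat_gateway_id})
    return plan


if __name__ == "__main__":
    for finding in audit_routes(ROUTE_TABLES, SUBNETS, ENDPOINTS, NAT_GATEWAY):
        print("FINDING", *finding)
    for params in plan_routes({"rtb-work-a": "us-east-1a", "rtb-work-c": "us-east-1b"}, ENDPOINTS, "rtb-fw", NAT_GATEWAY):
        print("create_route", params)
```

Against a real account, replace the constructed dictionaries with the `RouteTables` list from `aws ec2 describe-route-tables` and your own subnet and endpoint inventory; the audit is then a cheap change-control check that no workload subnet can reach the Regional NAT Gateway without first passing a Cloud NGFW endpoint in its own AZ.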

Conclusion

The AWS Regional NAT Gateway reduces infrastructure complexity for Cloud NGFW deployments. By consolidating the NAT layer and abstracting AZ-level routing, this architecture delivers a resilient, easier-to-maintain egress path while Cloud NGFW continues to enforce security standards.

Last Updated: 12-10-2025 02:24 PM