Securing the Front Door: How to Protect Ingress Traffic with Cloud NGFW for AWS

Introduction


Public-facing applications are frequent targets for a wide range of cyber threats. Because threat actors often embed malicious payloads within otherwise valid HTTPS traffic, traditional Layer 3 and Layer 4 controls are insufficient on their own for protecting the network edge.


Previously, securing ingress traffic required deploying and managing fleets of self-managed virtual firewalls. This approach introduces operational complexity regarding patching, scaling, and high availability configuration.


Cloud NGFW for AWS, a managed service from Palo Alto Networks, addresses these challenges. It provides advanced security capabilities as a cloud-native service, eliminating the need to manage infrastructure.


This post details the architecture for protecting inbound traffic using Cloud NGFW, specifically utilizing AWS Ingress Routing.


The Need for Layer 7 Visibility at the Edge


While AWS Security Groups and Network ACLs are fundamental to VPC security, they operate at Layer 3 and Layer 4 (IPs and ports). They cannot inspect payload content. Consequently, a Security Group allowing port 443 will accept traffic regardless of whether the payload contains legitimate user data or a malicious exploit.


Cloud NGFW extends security beyond L4 by providing:


  • Layer 7 Visibility: Identification of applications using App-ID rather than port numbers.
  • Threat Prevention: Detection and blocking of exploits, malware, and C2 traffic.
  • Inbound TLS/SSL Decryption: Decryption and inspection of encrypted traffic flows.
  • Managed Scalability: Leveraging AWS Gateway Load Balancer (GWLB) to automatically scale with traffic demand, removing the need for manual autoscaling configuration.


Ingress Inspection Architecture


To inspect traffic originating from the internet, Cloud NGFW utilizes AWS VPC Ingress Routing (Edge Association). This pattern inserts a security appliance between the Internet Gateway (IGW) and the application subnet.


Traffic Flow


  1. Internet to IGW: A user sends a request to the application’s public IP or Load Balancer.
  2. IGW to Endpoint: The IGW route table directs traffic destined for the Application Subnet to the Cloud NGFW Endpoint.
  3. Inspection: Traffic is encapsulated and sent to the Cloud NGFW fleet for decryption and inspection.
  4. Endpoint to App: Validated traffic returns to the endpoint and is forwarded to the Application Load Balancer (ALB).
  5. Return Path: Outbound response traffic follows the symmetrical path back through the firewall to maintain stateful inspection.


Deployment Prerequisites


A standard deployment requires three subnets per Availability Zone (AZ) to ensure separation of duties:


  1. NgfwSubnet: Dedicated to Cloud NGFW endpoints.
  2. ALBSubnet: Hosting the public-facing Application Load Balancer.
  3. AppSubnet: Hosting the application workloads.

Deploy the Cloud NGFW resource from Strata Cloud Manager, and then create the Cloud NGFW Endpoints (vpce-xxxx) in the specified Availability Zones.


Configuration: Routing Tables


Correct routing is critical for traffic interception. The following three route tables define the inspection flow.

  1. Internet Gateway Route Table (Edge Association)

  This route table is associated specifically with the Internet Gateway.

  • Destination: ALBSubnet CIDR
  • Target: Cloud NGFW Endpoint
  • Function: Redirects incoming traffic intended for the ALB to the firewall first.

  2. NgfwSubnet Route Table

  • Destination: 0.0.0.0/0
  • Target: Internet Gateway (IGW)
  • Function: Allows the firewall to send response traffic back to the internet and access signature updates.

  3. ALB Subnet Route Table

  • Destination: 0.0.0.0/0
  • Target: Cloud NGFW Endpoint
  • Function: Ensures return traffic from the application is routed back through the firewall, maintaining flow symmetry.
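To check that these three tables actually produce the symmetric path described under Traffic Flow, here is a small route-table simulation; it is an added example, not code from this post or from Palo Alto Networks. The CIDRs, the client address and the `vpce-ngfw-placeholder` endpoint id are constructed values; a VPC route table is modelled as longest-prefix match, and the last table shows the common mistake of an ALB subnet whose default route points straight at the IGW, which makes the response bypass the firewall.

```python
import ipaddress
from dataclasses import dataclass

# Targets in the simulated VPC; the endpoint id is a placeholder, not a real vpce id.
IGW, NGFW_ENDPOINT, ALB, LOCAL = "igw", "vpce-ngfw-placeholder", "alb", "local"
# Constructed CIDRs standing in for the VPC and the ALBSubnet the post describes.
VPC = ipaddress.ip_network("10.0.0.0/16")
ALB_SUBNET = ipaddress.ip_network("10.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class RouteTable:
    name: str
    routes: list  # [(ip_network, target)], evaluated by longest-prefix match

    def lookup(self, dst):
        """Target of the most specific route covering dst, as a VPC route table would pick."""
        matches = [(n, t) for n, t in self.routes if dst in n]
        return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def trace_flow(edge_rt, alb_rt, ngfw_rt, client_ip, alb_ip):
    """Return (inbound_hops, return_hops) for one request to the ALB and its response."""
    client, alb = ipaddress.ip_address(client_ip), ipaddress.ip_address(alb_ip)
    # Inbound: the edge (IGW) table decides whether the ALB-bound packet is intercepted.
    inbound = [IGW, edge_rt.lookup(alb), ALB]
    # Return: the ALB subnet table picks the next hop for the client; only if that is the
    # firewall endpoint does the NgfwSubnet table then carry the response to the IGW.
    first = alb_rt.lookup(client)
    return_path = [ALB, first]
    if first == NGFW_ENDPOINT:
        return_path.append(ngfw_rt.lookup(client))
    return inbound, return_path


def flow_is_symmetric(edge_rt, alb_rt, ngfw_rt, client_ip="203.0.113.10", alb_ip="10.0.2.50"):
    """True only when both legs traverse the Cloud NGFW endpoint and the response exits via the IGW."""
    inbound, ret = trace_flow(edge_rt, alb_rt, ngfw_rt, client_ip, alb_ip)
    return inbound[1] == NGFW_ENDPOINT and NGFW_ENDPOINT in ret and ret[-1] == IGW


# The three route tables as the post lays them out (the VPC-local route is implicit in AWS).
EDGE_RT = RouteTable("igw-edge", [(VPC, LOCAL), (ALB_SUBNET, NGFW_ENDPOINT)])
NGFW_RT = RouteTable("ngfw-subnet", [(VPC, LOCAL), (ANY, IGW)])
ALB_RT = RouteTable("alb-subnet", [(VPC, LOCAL), (ANY, NGFW_ENDPOINT)])
# A common mistake: the ALB subnet defaults straight to the IGW, so responses skip the firewall.
ALB_RT_BYPASS = RouteTable("alb-subnet-bypass", [(VPC, LOCAL), (ANY, IGW)])
```

`flow_is_symmetric(EDGE_RT, ALB_RT, NGFW_RT)` returns True for the tables above and False when `ALB_RT_BYPASS` is substituted, which is the asymmetry that breaks stateful inspection.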


Security Policy Configuration


Traffic control is managed via a Rulestack. To ensure comprehensive protection, the following configurations are recommended:


  • Application Allow Rules: Explicitly allow required applications (e.g., ssl, web-browsing).
  • Threat Prevention Profiles: Enable profiles to detect and block known vulnerabilities and spyware.
  • SSL Decryption: Configure inbound decryption using server certificates stored in AWS Secrets Manager to enable inspection of encrypted payloads.


Best Practices


  • Multi-AZ Deployment: Provision Cloud NGFW endpoints in every Availability Zone where application workloads exist. Traffic cannot be inspected in an AZ if a local endpoint is missing.
  • Enable Decryption: Layer 7 inspection is ineffective on encrypted streams without SSL decryption enabled.


Conclusion


Cloud NGFW for AWS provides enterprise-grade security for ingress traffic without the operational overhead of managing infrastructure. By integrating with AWS Ingress Routing and Gateway Load Balancer, the service enables inline inspection and threat prevention while preserving cloud-native scalability.


Last Updated: 12-10-2025 10:54 AM