Cloud NGFW for AWS Centralized Deployments
In a centralized deployment, your Cloud NGFW components are deployed in a centralized security VPC. Traffic must always pass through an AWS Transit Gateway (TGW), which acts as a network hub and simplifies connectivity between VPCs as well as to on-premises networks.
For additional examples of centralized deployments, see Cloud NGFW for AWS Deployment Architectures.
Centralized Egress Traffic Inspection
- Traffic from Spoke VPC A is destined for the internet.
- Traffic from the source instance is forwarded to the TGW through the attachment.
- TGW spoke route tables forward all the traffic to the Centralized Security VPC.
- The TGW subnet route table of the Security VPC attachment sends all traffic to the NGFW endpoint.
- The NGFW endpoint automatically sends traffic to the Cloud NGFW resource for inspection.
- If traffic is allowed, the NGFW resource sends traffic back to the endpoint.
- The firewall subnet route table forwards all traffic to the NAT Gateway.
- The NAT gateway forwards all traffic to the destination through the Internet Gateway (IGW).
Centralized Ingress Traffic Inspection
- An internet user attempts to access workloads running behind an Application Load Balancer (ALB). Traffic destined to the public IP of the ALB arrives at the internet gateway.
- The internet gateway forwards the traffic to the ALB. The ALB sends the request to the target group EC2 instances.
- Per the public subnet route, the ALB forwards the traffic to the NGFW endpoint.
- The NGFW endpoint automatically sends traffic to the Cloud NGFW resource for inspection.
- If traffic is allowed, the NGFW resource sends traffic back to the endpoint.
- The firewall subnet route table sends all the traffic to the transit gateway.
- The security VPC route table associated with the centralized security VPC forwards the traffic for the target EC2 instance to Spoke VPC A.
Centralized East-West Traffic Inspection
- An EC2 instance in Spoke VPC A wants to communicate with an instance in Spoke VPC B.
- Traffic from the source instance is sent to the TGW through the attachment.
- The spoke route table forwards all traffic to the security VPC TGW attachment.
- The TGW attachment sends traffic to the NGFW endpoint.
- The NGFW endpoint automatically sends traffic to the Cloud NGFW resource for inspection.
- If traffic is allowed, the NGFW resource sends traffic back to the endpoint.
- The NGFW endpoint routes traffic to the TGW.
- The security VPC route table sends the traffic to the destination VPC attachment.
- The TGW attachment sends the traffic to the destination.
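The egress and east-west paths above are a chain of route-table lookups, and the property that matters for security is that every lookup chain crosses the NGFW endpoint before it reaches the internet or another spoke. The following Python model is an added example, not code from Palo Alto Networks or AWS: it builds constructed route tables (Spoke VPC A 10.1.0.0/16, Spoke VPC B 10.2.0.0/16, a security VPC, and the TGW route tables associated with the spoke and security attachments; all names, CIDRs and addresses are assumed), traces a packet hop by hop with longest-prefix matching, and reports any flow that arrives without being inspected, which is what happens when a spoke subnet is given its own default route to an internet gateway.

```python
"""Hop-by-hop model of the centralized egress and east-west paths.

Added example, not Palo Alto Networks or AWS code. Every table name, CIDR,
attachment and address below is constructed to mirror the diagrams on this page.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable


@dataclass
class RouteTable:
    name: str
    routes: dict  # prefix -> (kind, argument)

    def lookup(self, dst: str):
        """Longest-prefix match, as both VPC and TGW route tables do."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, target in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, target)
        return best[1] if best else None


@dataclass
class Topology:
    tables: dict  # route table name -> RouteTable
    # attachment -> (VPC CIDR, subnet route table that receives the traffic, or
    # None when the attachment delivers straight into the destination VPC)
    attachments: dict
    allow: Callable[[str, str], bool]  # NGFW policy: (src, dst) -> allowed?


def trace(topo: Topology, table: str, src: str, dst: str) -> list:
    """Follow a packet table by table and return the path it took.

    Route target kinds: local; igw; tgw (arg = TGW route table associated with
    the sending attachment); attach (arg = TGW attachment); endpoint (arg =
    firewall subnet route table the endpoint returns traffic to); nat (arg =
    route table of the NAT gateway's subnet).
    """
    path = []
    for _ in range(16):  # loop guard against routing loops
        path.append(table)
        target = topo.tables[table].lookup(dst)
        if target is None:
            return path + ["blackhole"]
        kind, arg = target
        if kind == "local":
            return path + ["delivered"]
        if kind == "igw":
            return path + ["internet"]
        if kind == "endpoint":
            # The endpoint hands the packet to the Cloud NGFW resource; allowed
            # traffic returns to the endpoint and follows the firewall subnet RT
            path.append("ngfw-inspect")
            if not topo.allow(src, dst):
                return path + ["dropped"]
            table = arg
        elif kind == "attach":
            cidr, ingress_rt = topo.attachments[arg]
            path.append(arg)
            if ingress_rt is None:
                inside = ipaddress.ip_address(dst) in ipaddress.ip_network(cidr)
                return path + ["delivered" if inside else "blackhole"]
            table = ingress_rt
        else:  # "tgw" and "nat" both name the next table to consult
            table = arg
    return path + ["loop"]


def uninspected_paths(topo: Topology, flows) -> list:
    """Flows that reach the internet or a VPC without crossing an NGFW endpoint."""
    findings = []
    for table, src, dst in flows:
        path = trace(topo, table, src, dst)
        if path[-1] in ("internet", "delivered") and "ngfw-inspect" not in path:
            findings.append((src, dst, path))
    return findings


def centralized_topology(allow=lambda src, dst: True) -> Topology:
    """Constructed tables: Spoke A 10.1/16, Spoke B 10.2/16, security VPC 10.0/16."""
    rt = {
        "spoke-a-subnet-rt": {"10.1.0.0/16": ("local", ""),
                              "0.0.0.0/0": ("tgw", "tgw-spoke-rt")},
        "tgw-spoke-rt": {"0.0.0.0/0": ("attach", "sec-vpc-attach")},
        "sec-tgw-subnet-rt": {"0.0.0.0/0": ("endpoint", "sec-fw-subnet-rt")},
        "sec-fw-subnet-rt": {"0.0.0.0/0": ("nat", "sec-nat-subnet-rt"),
                             "10.0.0.0/8": ("tgw", "tgw-sec-rt")},
        "sec-nat-subnet-rt": {"0.0.0.0/0": ("igw", "")},
        "tgw-sec-rt": {"10.1.0.0/16": ("attach", "spoke-a-attach"),
                       "10.2.0.0/16": ("attach", "spoke-b-attach")},
    }
    attachments = {
        "sec-vpc-attach": ("10.0.0.0/16", "sec-tgw-subnet-rt"),
        "spoke-a-attach": ("10.1.0.0/16", None),
        "spoke-b-attach": ("10.2.0.0/16", None),
    }
    return Topology({n: RouteTable(n, r) for n, r in rt.items()}, attachments, allow)
```

Calling `trace(centralized_topology(), "spoke-a-subnet-rt", "10.1.0.10", "203.0.113.5")` walks the egress list above (spoke subnet, TGW spoke route table, security VPC attachment, TGW subnet route table, endpoint and inspection, firewall subnet route table, NAT subnet, IGW), and a destination of 10.2.0.20 instead walks the east-west list and is handed to the Spoke VPC B attachment by the security VPC's TGW route table. Replacing the spoke subnet's default route with an IGW target makes `uninspected_paths` report the flow, which is the check to run against real route tables whenever a spoke is attached.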
Centralized Dedicated Inbound Security VPC
- An internet user tries to access workloads running behind ALBs. Traffic destined to the public IP of the ALB arrives at the centralized inbound security VPC internet gateway.
- The internet gateway forwards the traffic to the ALB. The ALB then sends the request to the target group of EC2 instances.
- Per the public subnet route table, the application load balancer forwards the traffic to the NGFW endpoint.
- The NGFW endpoint automatically sends traffic to the Cloud NGFW resource for inspection.
- If traffic is allowed, the NGFW resource sends traffic back to the endpoint.
- The firewall subnet route table sends all the traffic to the transit gateway.
- The security VPC route table associated with the centralized security VPC forwards the traffic for the target EC2 instances to Spoke VPC A.
Centralized Dedicated Outbound Security VPC
- Traffic from a workload running in Spoke VPC B is destined for the internet.
- Traffic from the source instance is forwarded to the TGW through the attachment.
- The TGW spoke route table forwards all traffic to the centralized outbound security VPC.
- The TGW subnet route table of the security VPC attachment sends all the traffic to the NGFW endpoint.
- The NGFW endpoint automatically sends traffic to the Cloud NGFW resource for inspection.
- If the traffic is allowed, the NGFW resource sends traffic back to the endpoint.
- The firewall subnet route table forwards all the traffic to the NAT gateway.
- The NAT gateway forwards the traffic to the destination through the IGW.
Centralized Multi-Region Traffic Inspection
- An EC2 instance in Spoke VPC A (Region A) wants to communicate with an instance in Spoke VPC B (Region B).
- The TGW route table in Region A sends all the traffic to the security VPC.
- The TGW in the security VPC sends the traffic to the Cloud NGFW endpoint.
- The endpoint forwards the traffic to the Cloud NGFW resource for inspection.
- If traffic is allowed, the NGFW resource sends traffic back to the endpoint.
- The allowed traffic is forwarded to the TGW attachment.
- Per the security VPC TGW route table, the traffic is sent to Region B via TGW peering.
- The TGW in Region B sends the traffic to the security VPC in Region B.
- Per the TGW attachment route table, the traffic is forwarded to the NGFW endpoint.
- The NGFW endpoint sends the traffic to the Cloud NGFW resource for inspection.
- After inspection, the traffic is forwarded to the TGW attachment.
- Per the security VPC TGW route table, traffic is sent to the EC2 instance in Spoke VPC B.