
Cloud NGFW for AWS Centralized Deployments

In a centralized deployment, your Cloud NGFW components are deployed in a centralized security VPC. Traffic must always pass through an AWS Transit Gateway (TGW), which acts as a network hub and simplifies connectivity between VPCs as well as to on-premises networks.
For additional examples of centralized deployments, see Cloud NGFW for AWS Deployment Architectures.

Centralized Egress Traffic Inspection

  1. Traffic from Spoke VPC A is destined for the internet.
  2. Traffic from the source instance is forwarded to the TGW through the attachment.
  3. TGW spoke route tables forward all the traffic to the Centralized Security VPC.
  4. The TGW subnet route table of the Security VPC attachment sends all traffic to the NGFW endpoint.
  5. The NGFW endpoint automatically sends traffic to the Cloud NGFW resource for inspection.
  6. If traffic is allowed, the NGFW resource sends traffic back to the endpoint.
  7. The firewall subnet route table forwards all traffic to the NAT Gateway.
  8. The NAT gateway forwards all traffic to the destination through the Internet Gateway (IGW).

Centralized Ingress Traffic Inspection

  1. An internet user attempts to access workloads running behind an Application Load Balancer (ALB). Traffic destined to the public IP of the ALB arrives at the internet gateway.
  2. The internet gateway forwards the traffic to the ALB. The ALB sends the request to the target group EC2 instances.
  3. Per the public subnet route, the ALB forwards the traffic to the NGFW endpoint.
  4. The NGFW endpoint automatically sends traffic to the Cloud NGFW resource for inspection.
  5. If traffic is allowed, the NGFW resource sends traffic back to the endpoint.
  6. The firewall subnet route table sends all the traffic to the transit gateway.
  7. The security VPC route table associated with the centralized security VPC forwards target EC2 instance traffic to the Spoke VPC A.

Centralized East-West Traffic Inspection

  1. An EC2 instance in Spoke VPC A wants to communicate with an instance in Spoke VPC B.
  2. Traffic from the source instance is sent to the TGW through the attachment.
  3. The spoke route table forwards all traffic to the security VPC TGW attachment.
  4. The TGW attachment sends traffic to the NGFW endpoint.
  5. The NGFW endpoint automatically sends traffic to the Cloud NGFW resource for inspection.
  6. If traffic is allowed, the NGFW sends traffic back to the endpoint.
  7. The NGFW endpoint routes traffic to the TGW.
  8. The security VPC route table sends the traffic to the destination VPC attachment.
  9. The TGW attachment sends the traffic to the destination.
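The egress and east-west flows above are entirely a product of route-table chaining: the spoke TGW route table, the security VPC attachment subnet route table, the firewall subnet route table and the NAT gateway subnet route table must each hand the packet to the next hop in order, and a single direct spoke-to-spoke route in the spoke TGW table would let traffic skip the NGFW endpoint. The model below is an added example, not Palo Alto Networks or AWS code; every CIDR, attachment and route-table name in it is constructed. It applies longest-prefix match per table, walks a packet hop by hop through both flows, and checks that every spoke-to-spoke and spoke-to-internet path traverses the endpoint.

```python
"""Route-table walk for a centralized Cloud NGFW deployment (added example).

Not Palo Alto Networks or AWS code. All identifiers (CIDRs, attachment and
route-table names) are constructed for illustration.
"""
from copy import deepcopy
from ipaddress import ip_address, ip_network

# Constructed topology: two spoke VPCs and one centralized security VPC.
SPOKE_CIDRS = {"spoke-a": "10.1.0.0/16", "spoke-b": "10.2.0.0/16"}

ROUTE_TABLES = {
    # Spoke VPC subnet route tables: everything non-local goes to the TGW.
    "rtb-spoke-a": {"10.1.0.0/16": "local", "0.0.0.0/0": "tgw-attach-spoke-a"},
    "rtb-spoke-b": {"10.2.0.0/16": "local", "0.0.0.0/0": "tgw-attach-spoke-b"},
    # TGW route table associated with both spoke attachments (egress step 3,
    # east-west step 3): deliberately no direct spoke-to-spoke routes.
    "tgw-rtb-spoke": {"0.0.0.0/0": "tgw-attach-security"},
    # TGW route table associated with the security VPC attachment (return leg).
    "tgw-rtb-security": {"10.1.0.0/16": "tgw-attach-spoke-a",
                         "10.2.0.0/16": "tgw-attach-spoke-b"},
    # Security VPC: TGW attachment subnet -> NGFW endpoint (egress step 4).
    "rtb-sec-tgw-subnet": {"0.0.0.0/0": "ngfw-endpoint"},
    # Security VPC: firewall subnet -> NAT GW for the internet, TGW for spokes.
    "rtb-sec-fw-subnet": {"0.0.0.0/0": "natgw", "10.0.0.0/8": "tgw-attach-security"},
    # Security VPC: NAT gateway subnet -> IGW (egress step 8).
    "rtb-sec-nat-subnet": {"0.0.0.0/0": "igw"},
}

# TGW route table each attachment is associated with.
TGW_ASSOCIATION = {
    "tgw-attach-spoke-a": "tgw-rtb-spoke",
    "tgw-attach-spoke-b": "tgw-rtb-spoke",
    "tgw-attach-security": "tgw-rtb-security",
}
# Subnet route table a packet is subject to after leaving the TGW via an attachment.
ATTACHMENT_EXIT_RTB = {
    "tgw-attach-spoke-a": "rtb-spoke-a",
    "tgw-attach-spoke-b": "rtb-spoke-b",
    "tgw-attach-security": "rtb-sec-tgw-subnet",
}
# Subnet route table applied after a packet leaves an endpoint or NAT gateway ENI.
GATEWAY_EXIT_RTB = {"ngfw-endpoint": "rtb-sec-fw-subnet", "natgw": "rtb-sec-nat-subnet"}
TERMINAL = {"local", "igw", "dropped"}


def lookup(tables, table_name, dst):
    """Longest-prefix match of dst in one route table; returns the route target."""
    dst_ip = ip_address(dst)
    best = None
    for prefix, target in tables[table_name].items():
        net = ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise LookupError(f"{table_name}: no route to {dst}")
    return best[1]


def trace(tables, src_spoke, dst, policy=lambda dst: True, max_hops=16):
    """Walk a packet from a spoke VPC toward dst and return the ordered hops.

    policy(dst) stands in for the Cloud NGFW rulebase decision (True = allow).
    """
    table, path = f"rtb-{src_spoke}", []
    for _ in range(max_hops):
        target = lookup(tables, table, dst)
        path.append(target)
        if target in TERMINAL:
            return path
        if target.startswith("tgw-attach-"):
            # Entering the TGW: it consults the table associated with this attachment.
            out = lookup(tables, TGW_ASSOCIATION[target], dst)
            path.append(out)
            table = ATTACHMENT_EXIT_RTB[out]
        elif target == "ngfw-endpoint":
            if not policy(dst):
                path.append("dropped")
                return path
            table = GATEWAY_EXIT_RTB[target]
        elif target == "natgw":
            table = GATEWAY_EXIT_RTB[target]
        else:
            raise ValueError(f"unknown hop type: {target}")
    raise RuntimeError("routing loop")


def uninspected_paths(tables, internet_probe="198.51.100.7"):
    """List (src, dst_name, path) for every spoke->spoke or spoke->internet
    flow whose path never reaches the NGFW endpoint."""
    findings = []
    for src in SPOKE_CIDRS:
        targets = {name: str(ip_network(cidr)[10])
                   for name, cidr in SPOKE_CIDRS.items() if name != src}
        targets["internet"] = internet_probe
        for name, dst in targets.items():
            path = trace(tables, src, dst)
            if "ngfw-endpoint" not in path:
                findings.append((src, name, path))
    return findings


def with_direct_spoke_route(tables):
    """Constructed misconfiguration: a direct spoke-to-spoke route in the spoke
    TGW table, which lets spoke-a reach spoke-b without inspection."""
    bad = deepcopy(tables)
    bad["tgw-rtb-spoke"]["10.2.0.0/16"] = "tgw-attach-spoke-b"
    return bad


if __name__ == "__main__":
    print(" -> ".join(trace(ROUTE_TABLES, "spoke-a", "198.51.100.7")))
    print(" -> ".join(trace(ROUTE_TABLES, "spoke-a", "10.2.0.20")))
    print(uninspected_paths(with_direct_spoke_route(ROUTE_TABLES)))
```

The egress walk reproduces steps 2 to 8 of the egress section (spoke attachment, security attachment, endpoint, NAT gateway, IGW) and the east-west walk reproduces steps 2 to 9 (the firewall subnet's more specific 10.0.0.0/8 route returns the packet to the TGW instead of the NAT gateway). `uninspected_paths` is the check worth running against real route tables exported from an account: the model with the correct tables reports nothing, while the variant with one extra spoke-to-spoke route reports the spoke-a to spoke-b path as bypassing the firewall.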

Centralized Dedicated Inbound Security VPC

  1. An internet user tries to access workloads running behind ALBs. Traffic destined to the public IP of the ALB arrives at the centralized inbound security VPC internet gateway.
  2. The internet gateway forwards the traffic to the ALB. The ALB then sends the request to the target group of EC2 instances.
  3. Per the public subnet route table, the application load balancer forwards the traffic to the NGFW endpoint.
  4. The NGFW endpoint automatically sends traffic to the Cloud NGFW resource for inspection.
  5. If traffic is allowed, the NGFW resource sends traffic back to the endpoint.
  6. The firewall subnet route table sends all the traffic to the transit gateway.
  7. The security VPC route table associated with the centralized security VPC forwards target EC2 instances traffic to Spoke VPC A.

Centralized Dedicated Outbound Security VPC

  1. Traffic from a workload running in Spoke VPC B is destined for the internet.
  2. Traffic from the source instance is forwarded to the TGW through the attachment.
  3. The TGW spoke route table forwards all traffic to the centralized outbound security VPC.
  4. The TGW subnet route table of the security VPC attachment sends all the traffic to the NGFW endpoint.
  5. The NGFW endpoint automatically sends traffic to the Cloud NGFW resource for inspection.
  6. If the traffic is allowed, the NGFW resource sends traffic back to the endpoint.
  7. The firewall subnet route table forwards all the traffic to the NAT gateway.
  8. The NAT gateway forwards the traffic to the destination through the IGW.

Centralized Multi-Region Traffic Inspection

  1. An EC2 instance in Spoke VPC A (Region A) wants to communicate with an instance in Spoke VPC B (Region B).
  2. The TGW route table in Region A sends all the traffic to the security VPC.
  3. The TGW in the security VPC sends the traffic to the Cloud NGFW endpoint.
  4. The endpoint forwards the traffic to the Cloud NGFW resource for inspection.
  5. If traffic is allowed, the NGFW resource sends traffic back to the endpoint.
  6. The allowed traffic is forwarded to the TGW attachment.
  7. Per the security VPC TGW route table, the traffic is sent to Region B via TGW peering.
  8. The TGW in Region B sends the traffic to the security VPC in Region B.
  9. Per the TGW attachment route table, the traffic is forwarded to the NGFW endpoint.
  10. The NGFW endpoint sends the traffic to the Cloud NGFW resource for inspection.
  11. After inspection, the traffic is forwarded to the TGW attachment.
  12. Per the security VPC TGW route table, traffic is sent to the EC2 instance in Spoke VPC B.
