Cloud NGFW for AWS Combined Deployment

Learn about combined deployments for your Cloud NGFW for AWS resource.
Where Can I Use This?
  • Cloud NGFW for AWS
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Account (CSP)
  • AWS Marketplace account
  • User role (either tenant or administrator)
In a combined deployment model:
  • cross-account NGFW endpoints are combined with hub-and-spoke VPC connectivity.
  • the hub of the topology, the transit gateway, is the central point of connectivity between VPCs and secures east-west and outbound traffic.
  • cross-account NGFW endpoints in the application VPCs secure inbound traffic.

Combined Deployment for Ingress/Egress Traffic Inspection

In this deployment model, inbound traffic is inspected in the application VPC:
  1. Traffic initiated from a client on the internet and destined to the public IP of the application load balancer arrives at the internet gateway (IGW). The IGW forwards the traffic to the application load balancer.
  2. As per the application load balancer subnet route table, any traffic going to the target group (workloads on EC2) is forwarded to the NGFW endpoint.
  3. The endpoint transparently sends the traffic to the firewall resource for inspection.
  4. If the traffic is allowed, the firewall resource sends the traffic back to the endpoint after inspection.
  5. As per the firewall subnet route table, traffic is forwarded to the workload servers.
Outbound traffic is inspected in the centralized security VPC:
  1. Traffic from a workload running in spoke VPC A is destined for the internet.
  2. The transit gateway (TGW) spoke route table forwards all the traffic to the centralized security VPC.
  3. The TGW subnet route table of the security VPC attachment sends all the traffic to the NGFW endpoint.
  4. The NGFW endpoint automatically sends traffic to the Cloud NGFW resource for inspection.
  5. If traffic is allowed, the NGFW resource sends traffic back to the endpoint.
  6. The firewall subnet route table forwards all the traffic to the NAT gateway.
  7. The NAT gateway forwards the traffic to the destination through the IGW.

Combined Deployment for Ingress/Egress (Egress NAT) Traffic Inspection

In this deployment model, inbound traffic is inspected in the application VPC:
  1. Traffic initiated from a client on the internet and destined to the public IP of the application load balancer arrives at the internet gateway (IGW). The IGW forwards the traffic to the application load balancer.
  2. As per the application load balancer subnet route table, any traffic going to the target group (workloads on EC2) is forwarded to the NGFW endpoint.
  3. The endpoint transparently sends the traffic to the firewall resource for inspection.
  4. If the traffic is allowed, the firewall resource sends the traffic back to the endpoint after inspection.
  5. As per the firewall subnet route table, traffic is forwarded to the workload servers.
Outbound traffic is inspected in the centralized security VPC:
  1. Traffic from a workload running in spoke VPC A is destined for the internet.
  2. Traffic from the source instance is forwarded to the transit gateway (TGW) through the attachment.
  3. The TGW spoke route table forwards all the traffic to the centralized security VPC.
  4. The TGW subnet route table of the security VPC attachment sends all the traffic to the NGFW endpoint.
  5. The NGFW endpoint automatically sends traffic to the Cloud NGFW resource for inspection.
  6. The NAT gateway forwards the traffic to the destination through the IGW.
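Both deployment models above (ingress through the cross-account NGFW endpoint in the application VPC, egress through the TGW and the security VPC) only work if every route table hands the packet to the next hop the step lists describe. The following added example is not code from this page or from Palo Alto Networks; it models those route tables and walks a packet through them with longest-prefix matching, the way AWS evaluates VPC and TGW routes, and then checks a caveat the step lists leave implicit: the reply direction must cross the same NGFW endpoint, or the firewall sees only half the session. All CIDRs, route-table names and target labels (`app/ngfw-endpoint`, `attach:security` and so on) are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[str, str]          # (destination CIDR, target)
Tables = Dict[str, List[Route]]

# Constructed route tables with assumed addressing (not values from the page):
#   Application VPC 10.1.0.0/16: ALB subnet 10.1.1.0/24, firewall (endpoint)
#     subnet 10.1.2.0/24, workload subnet 10.1.3.0/24
#   Spoke VPC A     10.2.0.0/16: workload subnet 10.2.1.0/24
#   Security VPC    10.0.0.0/16: TGW-attachment subnet 10.0.1.0/24, firewall
#     subnet 10.0.2.0/24, NAT gateway subnet 10.0.3.0/24
ROUTE_TABLES: Tables = {
    # More-specific routes steer ALB <-> workload traffic through the
    # cross-account NGFW endpoint in both directions.
    "app/alb-subnet":      [("10.1.0.0/16", "local"), ("10.1.3.0/24", "app/ngfw-endpoint"),
                            ("0.0.0.0/0", "app/igw")],
    "app/firewall-subnet": [("10.1.0.0/16", "local")],
    "app/workload-subnet": [("10.1.0.0/16", "local"), ("10.1.1.0/24", "app/ngfw-endpoint")],
    # Spoke VPC A: everything non-local goes to the transit gateway.
    "spokeA/workload-subnet": [("10.2.0.0/16", "local"), ("0.0.0.0/0", "tgw")],
    # TGW route tables: spokes default to the security VPC attachment.
    "tgw/spoke-rt":    [("0.0.0.0/0", "attach:security")],
    "tgw/security-rt": [("10.2.0.0/16", "attach:spokeA")],
    # Security VPC: TGW subnet -> endpoint -> firewall subnet -> NAT gateway -> IGW,
    # plus the reply path from the NAT gateway back through the endpoint to the TGW.
    "sec/tgw-subnet":      [("10.0.0.0/16", "local"), ("0.0.0.0/0", "sec/ngfw-endpoint")],
    "sec/firewall-subnet": [("10.0.0.0/16", "local"), ("10.2.0.0/16", "tgw"),
                            ("0.0.0.0/0", "sec/nat-gw")],
    "sec/nat-subnet":      [("10.0.0.0/16", "local"), ("10.2.0.0/16", "sec/ngfw-endpoint"),
                            ("0.0.0.0/0", "sec/igw")],
}
# Route table consulted after a packet leaves each non-local target.
NEXT_RT = {
    "app/ngfw-endpoint": "app/firewall-subnet",
    "sec/ngfw-endpoint": "sec/firewall-subnet",
    "sec/nat-gw":        "sec/nat-subnet",
    "attach:security":   "sec/tgw-subnet",
    "attach:spokeA":     "spokeA/workload-subnet",
}
# TGW route table associated with the attachment a packet enters from.
TGW_ASSOCIATION = {"spokeA/workload-subnet": "tgw/spoke-rt",
                   "sec/firewall-subnet": "tgw/security-rt"}
# Subnet CIDR -> its route table, used to resolve "local" delivery.
SUBNETS = {"10.1.1.0/24": "app/alb-subnet", "10.1.2.0/24": "app/firewall-subnet",
           "10.1.3.0/24": "app/workload-subnet", "10.2.1.0/24": "spokeA/workload-subnet",
           "10.0.1.0/24": "sec/tgw-subnet", "10.0.2.0/24": "sec/firewall-subnet",
           "10.0.3.0/24": "sec/nat-subnet"}


def lookup(tables: Tables, rt_name: str, dst: ipaddress.IPv4Address) -> str:
    """Longest-prefix match, as a VPC or TGW route table evaluates it."""
    best = None
    for cidr, target in tables[rt_name]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise LookupError(f"{rt_name}: no route to {dst}")
    return best[1]


def trace(start_rt: str, dst_ip: str, tables: Tables = ROUTE_TABLES,
          max_hops: int = 16) -> List[str]:
    """Walk the route tables from start_rt toward dst_ip and return every hop."""
    dst = ipaddress.ip_address(dst_ip)
    path, rt = [start_rt], start_rt
    for _ in range(max_hops):
        target = lookup(tables, rt, dst)
        if target == "local":
            for cidr, subnet_rt in SUBNETS.items():
                if dst in ipaddress.ip_network(cidr):
                    return path + [f"deliver:{subnet_rt}"]
            raise LookupError(f"{rt}: local route but no subnet holds {dst}")
        if target.endswith("/igw"):
            return path + [target, "internet"]
        if target == "tgw":
            rt = TGW_ASSOCIATION[rt]
        else:
            path.append(target)
            if target.endswith("ngfw-endpoint"):
                path.append("cloud-ngfw:inspect")   # the firewall sees the packet here
            rt = NEXT_RT[target]
        path.append(rt)
    raise RuntimeError(f"routing loop after {max_hops} hops: {path}")


def inspections(path: List[str]) -> int:
    return path.count("cloud-ngfw:inspect")


def symmetric(rt_a: str, ip_a: str, rt_b: str, ip_b: str, tables: Tables = ROUTE_TABLES) -> bool:
    """Both directions must cross the firewall exactly once; if one direction
    bypasses the endpoint the NGFW sees half the session and cannot enforce policy."""
    return (inspections(trace(rt_a, ip_b, tables)) == 1 and
            inspections(trace(rt_b, ip_a, tables)) == 1)


def without_route(tables: Tables, rt_name: str, cidr: str) -> Tables:
    """Copy of the tables with one route dropped, to test a misconfiguration."""
    patched = {name: list(routes) for name, routes in tables.items()}
    patched[rt_name] = [r for r in patched[rt_name] if r[0] != cidr]
    return patched


if __name__ == "__main__":
    print(" -> ".join(trace("app/alb-subnet", "10.1.3.10")))             # ingress flow
    print(" -> ".join(trace("spokeA/workload-subnet", "203.0.113.10")))  # egress flow
    broken = without_route(ROUTE_TABLES, "app/workload-subnet", "10.1.1.0/24")
    print(symmetric("app/alb-subnet", "10.1.1.5", "app/workload-subnet", "10.1.3.10", broken))
```

Dropping the workload subnet's more-specific route back to the ALB subnet is the misconfiguration the last check models: the request still reaches the firewall, but the response is delivered by the VPC local route and never touches the endpoint. Run the same two checks against the real route tables (for example from `aws ec2 describe-route-tables` and `aws ec2 describe-transit-gateway-route-tables` output) before cutting traffic over to the NGFW.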