Learn about Cloud NGFW for AWS resources and endpoints.
Where Can I Use This?
  Cloud NGFW for AWS
What Do I Need?
  Cloud NGFW subscription
  Palo Alto Networks Customer Support Account (CSP)
  AWS Marketplace account
  User role (either tenant or administrator)
An NGFW is a firewall resource, dedicated to the VPC you specify, that provides
next-generation firewall capabilities. Upon creation, an NGFW is associated with one or
more VPCs. NGFW endpoints are constructs created, manually or automatically, in each
availability zone of the VPCs you specify. The NGFW applies your security policy to the
traffic received by its endpoints and enforces that policy. When creating an NGFW, you
must specify at least one VPC and a local rulestack, and you must also specify how and
where the associated NGFW endpoints are deployed.
NGFW endpoints intercept traffic in the subnets where they are deployed and route it to
the NGFW for inspection and policy enforcement. Endpoints are created either
automatically or manually, depending on which of the two management modes you choose:
In service-managed mode, the Cloud NGFW tenant creates an endpoint in each subnet
you specify. The NGFW service retrieves the list of subnets in the VPC you specified,
and from that list you choose the subnets that should have an endpoint.
In customer-managed mode, you choose the existing availability zones in your specified
VPC that need to be secured, then manually create the NGFW endpoints in existing
subnets in those availability zones. After the NGFW has been created, you must go to
the AWS console to complete the NGFW endpoint creation process.
After creating an NGFW and its endpoints, you must update your AWS route tables so that
traffic is actually sent to the NGFW endpoints; until the routes change, traffic keeps
following its existing paths and is not inspected. Which route tables you update, and
how you update them, depends on your specific deployment. See Direct Traffic to Cloud
NGFW for deployment examples with sample route tables to guide you.
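The following audit script is an added example, not code from the Cloud NGFW documentation or from Palo Alto Networks. It checks the two things the text above requires after an NGFW is created: that every availability zone holding workload subnets has an NGFW endpoint, and that each workload subnet's route for a chosen destination (default route, 0.0.0.0/0, by assumption; your deployment may use other prefixes) points at an NGFW endpoint rather than an internet gateway or nothing at all. It goes slightly beyond the text by also handling subnets that fall back to the VPC's main route table. All subnet, endpoint, route-table and gateway IDs are constructed and hypothetical; the three lists mimic the shape of `aws ec2 describe-subnets`, `describe-vpc-endpoints` and `describe-route-tables` output, and the emitted `aws ec2 create-route` / `replace-route` commands use the real `--vpc-endpoint-id` option but are printed, not executed.

```python
"""Added example: audit a VPC's route tables for Cloud NGFW endpoint coverage.
All IDs and sample data below are constructed (hypothetical), not real resources."""
from collections import defaultdict

# --- Constructed sample VPC ---------------------------------------------------
VPC_CIDR = "10.0.0.0/16"
SUBNETS = [
    {"SubnetId": "subnet-app-1a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-app-1b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-db-1a",  "AvailabilityZone": "us-east-1a"},  # no explicit table
    {"SubnetId": "subnet-fw-1a",  "AvailabilityZone": "us-east-1a"},  # endpoint subnet
]
# NGFW endpoints as AWS reports them; the goal is one per AZ, and 1b has none.
NGFW_ENDPOINTS = [{"VpcEndpointId": "vpce-fw-1a", "SubnetIds": ["subnet-fw-1a"]}]
ROUTE_TABLES = [
    # Main table: only the local route; used by any subnet without an association.
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"}]},
    # App subnet in 1a already sends its default route to the NGFW endpoint.
    {"RouteTableId": "rtb-app-1a", "Associations": [{"SubnetId": "subnet-app-1a"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-fw-1a"}]},
    # App subnet in 1b still goes straight to the internet gateway: bypasses inspection.
    {"RouteTableId": "rtb-app-1b", "Associations": [{"SubnetId": "subnet-app-1b"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    # Endpoint subnet: its own egress legitimately goes to the IGW.
    {"RouteTableId": "rtb-fw-1a", "Associations": [{"SubnetId": "subnet-fw-1a"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]

def route_target(route):
    """Return a route's target whichever key AWS used to express it."""
    for key in ("VpcEndpointId", "GatewayId", "NatGatewayId",
                "TransitGatewayId", "NetworkInterfaceId", "InstanceId"):
        if route.get(key):
            return route[key]
    return None

def subnet_route_tables(route_tables):
    """Map explicitly associated subnets to their table; also return the main table ID."""
    mapping, main = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt["RouteTableId"]
            elif assoc.get("SubnetId"):
                mapping[assoc["SubnetId"]] = rt["RouteTableId"]
    return mapping, main

def endpoints_by_az(subnets, endpoints):
    """AZ -> list of NGFW endpoint IDs deployed there (located via the endpoint's subnet)."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    by_az = defaultdict(list)
    for ep in endpoints:
        for sid in ep["SubnetIds"]:
            by_az[az_of[sid]].append(ep["VpcEndpointId"])
    return dict(by_az)

def azs_without_endpoint(subnets, endpoints):
    """AZs that contain subnets but no NGFW endpoint: nothing local can inspect them."""
    have = endpoints_by_az(subnets, endpoints)
    return sorted({s["AvailabilityZone"] for s in subnets} - set(have))

def bypassing_subnets(subnets, endpoints, route_tables, destination="0.0.0.0/0"):
    """Workload subnets whose route for `destination` does not target an NGFW endpoint.
    Returns [(subnet_id, route_table_id, current_target_or_None)]; endpoint subnets
    are skipped because their own egress is expected to go to the IGW or NAT."""
    ep_ids = {ep["VpcEndpointId"] for ep in endpoints}
    ep_subnets = {sid for ep in endpoints for sid in ep["SubnetIds"]}
    tables = {rt["RouteTableId"]: rt for rt in route_tables}
    mapping, main = subnet_route_tables(route_tables)
    findings = []
    for s in subnets:
        if s["SubnetId"] in ep_subnets:
            continue
        rt_id = mapping.get(s["SubnetId"], main)
        target = None
        for route in tables[rt_id]["Routes"]:
            if route.get("DestinationCidrBlock") == destination:
                target = route_target(route)
        if target not in ep_ids:
            findings.append((s["SubnetId"], rt_id, target))
    return findings

def remediation_commands(subnets, endpoints, route_tables, destination="0.0.0.0/0"):
    """AWS CLI commands pointing each bypassing subnet at the endpoint in its own AZ.
    Subnets in an AZ with no endpoint get no command: deploy the endpoint first."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    by_az = endpoints_by_az(subnets, endpoints)
    cmds = []
    for subnet_id, rt_id, target in bypassing_subnets(subnets, endpoints, route_tables, destination):
        eps = by_az.get(az_of[subnet_id])
        if not eps:
            continue
        verb = "replace-route" if target else "create-route"
        cmds.append(f"aws ec2 {verb} --route-table-id {rt_id} "
                    f"--destination-cidr-block {destination} --vpc-endpoint-id {eps[0]}")
    return cmds

if __name__ == "__main__":
    print("AZs without an NGFW endpoint:", azs_without_endpoint(SUBNETS, NGFW_ENDPOINTS))
    for finding in bypassing_subnets(SUBNETS, NGFW_ENDPOINTS, ROUTE_TABLES):
        print("bypassing NGFW:", finding)
    for cmd in remediation_commands(SUBNETS, NGFW_ENDPOINTS, ROUTE_TABLES):
        print(cmd)
```

Two caveats worth keeping in mind when adapting this: a subnet that resolves to the main route table shares that table with every other unassociated subnet, so the suggested `create-route` on `rtb-main` changes all of them at once (give such subnets their own table first), and the endpoint subnet itself must keep its route to the IGW or NAT gateway, otherwise inspected traffic has no way out.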