Cloud NGFW Resource and NGFW Endpoints
Learn about Cloud NGFW for AWS resources and endpoints.
Where Can I Use This?
  • Cloud NGFW for AWS
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Account (CSP)
  • AWS Marketplace account
  • User role (either tenant or administrator)
The NGFW is a firewall resource, dedicated to the VPC you specify, that provides next-generation firewall capabilities. Upon creation, an NGFW is associated with one or more VPCs. NGFW endpoints are constructs created, manually or automatically, in each availability zone in the VPCs you specify. The NGFW applies your security policy to the traffic received by the NGFW endpoints and enforces that policy. When creating your NGFW, you must specify at least one VPC and a local rulestack. You must also specify how and where the associated NGFW endpoints are deployed.
If you subscribed to Cloud NGFW and created a tenant after July 21, 2025, you used the simplified onboarding process; with this new process there are some changes in endpoint management. See Changes in Endpoint Management with Simplified Onboarding.
NGFW endpoints intercept traffic and route it to the NGFW for inspection and policy enforcement. There are two management modes, which determine whether endpoints are created automatically or manually.
  • In service-managed mode, the Cloud NGFW tenant creates an endpoint in each subnet you specify. The NGFW service retrieves a list of subnets in the VPC you specified and, from that list, you choose the subnets that should have an endpoint.
  • In customer-managed mode, you choose the existing availability zones that need to be secured in your specified VPC and then manually create the NGFW endpoints in existing subnets in the chosen availability zones. After the NGFW has been created, you must go to the AWS console to complete the NGFW endpoint creation process.
After creating an NGFW and NGFW endpoints, you must update your AWS route tables to ensure that traffic is sent to the NGFW. Which route tables you update, and how, depends on your specific deployment. See Direct Traffic to Cloud NGFW for deployment examples with sample route tables to guide you.
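Because a subnet whose default route still points at an internet gateway bypasses inspection entirely, it is worth checking the routing result after the tables are updated. The following added example (not Palo Alto Networks or AWS code) audits which subnets send their default route to an NGFW endpoint. The input dictionaries mirror the JSON shapes returned by `aws ec2 describe-subnets` and `aws ec2 describe-route-tables`; all subnet, route table, gateway and endpoint IDs are constructed placeholders, and the endpoint subnet is skipped because its own egress legitimately goes to the internet gateway after inspection.

```python
"""Audit which subnets route 0.0.0.0/0 through a Cloud NGFW endpoint.

Added example, not vendor code. Dictionary shapes follow the output of
`aws ec2 describe-subnets` and `aws ec2 describe-route-tables`; every ID
below is a constructed sample value.
"""
from typing import Dict, Iterable, List, Optional

# Constructed: the Gateway Load Balancer endpoint(s) that front the NGFW.
NGFW_ENDPOINT_IDS = {"vpce-0ngfw0000example"}

# Constructed: three application subnets plus the subnet holding the endpoint.
SUBNETS = [
    {"SubnetId": "subnet-app-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-app-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-app-c", "AvailabilityZone": "us-east-1c"},
    {"SubnetId": "subnet-ngfw-a", "AvailabilityZone": "us-east-1a"},
]

# Constructed route tables. subnet-app-c has no explicit association, so it
# silently inherits the main table and its internet-gateway default route.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
        ],
    },
    {
        "RouteTableId": "rtb-app",
        "Associations": [{"SubnetId": "subnet-app-a"}, {"SubnetId": "subnet-app-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-0ngfw0000example"},
        ],
    },
    {
        "RouteTableId": "rtb-ngfw",
        "Associations": [{"SubnetId": "subnet-ngfw-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
        ],
    },
]

# Route entries carry exactly one of these target fields, depending on type.
TARGET_FIELDS = ("VpcEndpointId", "GatewayId", "NatGatewayId", "TransitGatewayId",
                 "NetworkInterfaceId", "InstanceId", "VpcPeeringConnectionId")


def route_target(route: dict) -> str:
    """Return whichever target field AWS populated on a route entry."""
    for key in TARGET_FIELDS:
        if key in route:
            return route[key]
    return "unknown"


def table_for_subnet(subnet_id: str, route_tables: List[dict]) -> Optional[dict]:
    """Resolve the effective route table: explicit association, else the main table."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def audit_default_routes(subnets: List[dict], route_tables: List[dict],
                         ngfw_endpoint_ids: Iterable[str],
                         skip_subnets: Iterable[str] = ()) -> Dict[str, str]:
    """Map each subnet to 'ngfw', 'no-default-route', 'no-route-table' or
    'bypass:<route table>:<target>' for a default route that avoids the NGFW.

    Only 0.0.0.0/0 is inspected; more specific routes (for example to a peered
    VPC) would need the same treatment in a real deployment."""
    endpoints = set(ngfw_endpoint_ids)
    skipped = set(skip_subnets)
    findings: Dict[str, str] = {}
    for subnet in subnets:
        subnet_id = subnet["SubnetId"]
        if subnet_id in skipped:
            continue
        table = table_for_subnet(subnet_id, route_tables)
        if table is None:
            findings[subnet_id] = "no-route-table"
            continue
        defaults = [r for r in table["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        if not defaults:
            findings[subnet_id] = "no-default-route"
            continue
        target = route_target(defaults[0])
        if target in endpoints:
            findings[subnet_id] = "ngfw"
        else:
            findings[subnet_id] = f"bypass:{table['RouteTableId']}:{target}"
    return findings


if __name__ == "__main__":
    for subnet_id, status in audit_default_routes(
            SUBNETS, ROUTE_TABLES, NGFW_ENDPOINT_IDS, skip_subnets={"subnet-ngfw-a"}).items():
        print(f"{subnet_id}: {status}")
```

Run against live data by replacing the constructed lists with the parsed output of the two `describe-*` calls; any `bypass:` entry names the route table and target to fix.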

Changes in Endpoint Management with Simplified Onboarding

The simplified onboarding process resolves the friction associated with creating and managing endpoints during onboarding. Previously, NGFW endpoints were created, either manually or automatically, in each availability zone in the VPCs you specified. The NGFW would apply security policy to the traffic received by the NGFW endpoints; when you created the NGFW you had to specify at least one VPC and a local rulestack, and specify how and where the associated NGFW endpoints were deployed.
With simplified onboarding, the endpoint management paradigm changes. The concept of management modes (service-managed or customer-managed) no longer requires you to create an endpoint in each subnet, or to choose an availability zone in your specified VPC. You can now create and manage endpoints without onboarding your AWS account if you don't intend to harvest tags from the application workloads.
Simplified onboarding supports both customer-managed and service-managed modes. Additionally, it supports:
  • The manual addition of endpoints using the Cloud NGFW console.
  • Bulk addition/deletion of endpoints.
  • Up to 300 AWS accounts for creating Cloud NGFW and customer-managed endpoints.
When using simplified onboarding, consider the following:
  • To create a Cloud NGFW endpoint you must first onboard the account.
  • You must allowlist the account to create Cloud NGFW endpoints.
  • After onboarding an account and including it in the allowlist, the account appears in the Linked AWS Accounts section of the Endpoint Management page.
  • You need multiple subnets for a VPC to create multiple Cloud NGFW endpoints.
  • Creating multiple endpoints on a single subnet is not supported.
You cannot delete endpoints configured for customer-managed mode.
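The subnet constraints above (several subnets are needed for several endpoints, and a subnet can hold only one endpoint) are easy to check before submitting a bulk endpoint request. The following added example (not Palo Alto Networks code) validates a planned list of endpoint subnets against the subnets of a VPC: it rejects subnets outside the VPC, rejects a subnet listed twice, and reports availability zones that contain application subnets but no planned endpoint. The subnet and zone values are constructed, and `plan_endpoints` is an assumed helper name, not a Cloud NGFW API.

```python
"""Validate a planned set of Cloud NGFW endpoint subnets.

Added example, not vendor code. Checks the page's stated constraints:
one endpoint per subnet, and enough distinct subnets for the endpoints
wanted. Subnet records follow `aws ec2 describe-subnets`; IDs and zones
are constructed sample values.
"""
from collections import Counter
from typing import Dict, List

# Constructed VPC inventory: two application subnets per AZ, one spare subnet
# per AZ reserved for endpoints. The endpoint role is tracked by tag.
VPC_SUBNETS = [
    {"SubnetId": "subnet-app-a1", "AvailabilityZone": "us-east-1a", "Role": "app"},
    {"SubnetId": "subnet-app-a2", "AvailabilityZone": "us-east-1a", "Role": "app"},
    {"SubnetId": "subnet-ngfw-a", "AvailabilityZone": "us-east-1a", "Role": "ngfw"},
    {"SubnetId": "subnet-app-b1", "AvailabilityZone": "us-east-1b", "Role": "app"},
    {"SubnetId": "subnet-ngfw-b", "AvailabilityZone": "us-east-1b", "Role": "ngfw"},
    {"SubnetId": "subnet-app-c1", "AvailabilityZone": "us-east-1c", "Role": "app"},
    {"SubnetId": "subnet-ngfw-c", "AvailabilityZone": "us-east-1c", "Role": "ngfw"},
]


def plan_endpoints(planned_subnets: List[str], vpc_subnets: List[dict]) -> Dict[str, list]:
    """Return {'errors': [...], 'uncovered_zones': [...], 'endpoints': {subnet: zone}}.

    errors           - subnets not in the VPC, or listed more than once
    uncovered_zones  - zones with application subnets but no planned endpoint
    endpoints        - the accepted subnet -> zone mapping (one per subnet)
    """
    by_id = {s["SubnetId"]: s for s in vpc_subnets}
    errors: List[str] = []

    # A subnet can carry at most one endpoint, so duplicates are an error,
    # not something to silently collapse.
    for subnet_id, count in Counter(planned_subnets).items():
        if count > 1:
            errors.append(f"{subnet_id}: listed {count} times; one endpoint per subnet")

    endpoints: Dict[str, str] = {}
    for subnet_id in dict.fromkeys(planned_subnets):  # preserves order, drops repeats
        subnet = by_id.get(subnet_id)
        if subnet is None:
            errors.append(f"{subnet_id}: not a subnet of this VPC")
            continue
        endpoints[subnet_id] = subnet["AvailabilityZone"]

    # Every zone that hosts workloads should have an endpoint, otherwise that
    # zone's traffic must cross zones to reach inspection.
    app_zones = {s["AvailabilityZone"] for s in vpc_subnets if s.get("Role") == "app"}
    covered = set(endpoints.values())
    uncovered = sorted(app_zones - covered)

    return {"errors": errors, "uncovered_zones": uncovered, "endpoints": endpoints}


if __name__ == "__main__":
    # Constructed plan with a duplicate, a foreign subnet and no coverage of 1c.
    report = plan_endpoints(
        ["subnet-ngfw-a", "subnet-ngfw-a", "subnet-ngfw-b", "subnet-elsewhere"], VPC_SUBNETS)
    for line in report["errors"]:
        print("error:", line)
    print("uncovered zones:", report["uncovered_zones"])
    print("endpoints:", report["endpoints"])
```

A clean plan is one where `errors` and `uncovered_zones` are both empty; the `endpoints` mapping is then the per-subnet list to submit.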