Cloud NGFW Resource and NGFW Endpoints
Learn about Cloud NGFW for AWS resources and endpoints
The NGFW is a firewall resource, dedicated to the VPC
you specify, that provide next-generation firewall capabilities.
Upon creation, a NGFW is associated with one or more VPCs. NGFW
endpoints are constructs created—manually or automatically—in each
availability zone in the VPCs you specify. The NGFW applies your
security policy to the traffic received by the NGFW endpoints and
enforces that policy. When creating your NGFW, you must specify
at least one VPC and a local rulestack. Additionally, you must also
specify how and where the associated NGFW endpoints are deployed.
NGFW endpoints are responsible for directing traffic to the NGFW
for inspection and enforcement. NGFW endpoints intercept traffic
and route it to the NGFW for inspection and policy enforcement.
There are two management modes that can be used to create endpoints
automatically or manually.
- In aservice-managed mode, the Cloud NGFW tenant creates an endpoint in each to subnet you specify. The NGFW service retrieves a list of subnets in the VPC you specified and, from that list, you choose the subnets that should have an endpoint.
- In acustomer-managed mode, you choose existing availability zones that need to be secured in your specified VPC and then manually create the NGFW endpoints in existing subnets in the chosen availability zones. After the NGFW has been created, you must go to the AWS console to complete the NGFW endpoint creation process.
After creating an NGFW and NGFW endpoints, you must update your
AWS route tables to ensure that traffic is sent to the NGFW. Which route
tables you update and how you update them depends on your specific
deployment. See Direct Traffic to Cloud NGFW for AWS for deployment
examples with example route tables to help guide you.
