Cloud NGFW Resource and NGFW Endpoints

After creating rulestacks on your Cloud NGFW tenant, you can associate them with NGFW resources and NGFW endpoints. Upon creation, an NGFW is associated with the VPC you specify. NGFW endpoints are constructs created, manually or automatically, in the availability zones of that VPC that you choose to secure.
The NGFW is a firewall resource, dedicated to the VPC you specify, that provides next-generation firewall capabilities. The NGFW applies your security policy to the traffic it receives from the NGFW endpoints and enforces that policy. When creating an NGFW, you must specify a VPC and a local rulestack, and you must specify how and where the associated NGFW endpoints are deployed.
NGFW endpoints intercept traffic and route it to the NGFW for inspection and policy enforcement. Endpoints are created either automatically or manually, depending on which of the two management modes you select:
  • In service-managed mode, the Cloud NGFW tenant creates an endpoint in each subnet you specify. The NGFW service retrieves the list of subnets in the VPC you specified and, from that list, you choose the subnets that should have an endpoint.
  • In customer-managed mode, you choose the existing availability zones that need to be secured in the specified VPC and then manually create the NGFW endpoints in existing subnets in those availability zones. After the NGFW has been created, you must go to the AWS console to complete the NGFW endpoint creation process.
After creating an NGFW and its NGFW endpoints, you must update your AWS route tables so that traffic is sent to the NGFW endpoints; until the routes point at an endpoint, traffic follows the existing routes and is not inspected. Which route tables you update and how you update them depends on your specific deployment. See Direct Traffic to Cloud NGFW for AWS for deployment examples with sample route tables to help guide you.
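The route-table step above is where deployments most often go wrong: a subnet whose default route still points at an internet gateway, or at an endpoint in a different availability zone, never reaches the NGFW. The following planner is an added example, not code from the Cloud NGFW documentation or the Cloud NGFW service. It models subnets, per-AZ endpoints and route tables, emits the route changes that send each application subnet's default route to the endpoint in its own AZ, and reports subnets that would bypass inspection. All IDs are constructed placeholders, and it assumes (as labelled in the code) that an NGFW endpoint is an AWS VPC endpoint that `aws ec2 create-route` can target with `--vpc-endpoint-id`.

```python
"""Plan the route-table changes that send application-subnet traffic to the
NGFW endpoint in the same availability zone.

Added example, not code from the Cloud NGFW documentation or the Cloud NGFW
service. Every ID below is a constructed placeholder. Assumption: each NGFW
endpoint is an AWS VPC endpoint (vpce-...), so a route can target it with
`aws ec2 create-route ... --vpc-endpoint-id`.
"""
from dataclasses import dataclass, field

DEFAULT_ROUTE = "0.0.0.0/0"


@dataclass(frozen=True)
class Subnet:
    subnet_id: str
    az: str
    role: str  # "app": workloads to inspect; "endpoint": hosts an NGFW endpoint


@dataclass(frozen=True)
class Endpoint:
    endpoint_id: str
    az: str


@dataclass
class RouteTable:
    rtb_id: str
    subnets: list                                # subnet IDs associated with this table
    routes: dict = field(default_factory=dict)   # destination CIDR -> target ID


def plan_routes(subnets, endpoints, route_tables):
    """Return (changes, findings).

    changes:  (rtb_id, action, endpoint_id) tuples; action is "create" when the
              table has no default route yet and "replace" when one exists.
    findings: conditions that leave traffic uninspected and need a human decision.
    Tables that serve no application subnet (for example the endpoint subnets'
    own table) are left alone: pointing an endpoint subnet at itself would loop.
    """
    by_subnet = {s.subnet_id: s for s in subnets}
    ep_by_az = {e.az: e for e in endpoints}
    changes, findings = [], []
    for rtb in route_tables:
        app = [by_subnet[sid] for sid in rtb.subnets if by_subnet[sid].role == "app"]
        if not app:
            continue
        azs = sorted({s.az for s in app})
        if len(azs) > 1:
            findings.append(f"{rtb.rtb_id}: associated subnets span {azs}; "
                            "split the table so each AZ can use its own endpoint")
            continue
        ep = ep_by_az.get(azs[0])
        if ep is None:
            findings.append(f"{rtb.rtb_id}: no NGFW endpoint in {azs[0]}; "
                            f"{[s.subnet_id for s in app]} would bypass inspection")
            continue
        current = rtb.routes.get(DEFAULT_ROUTE)
        if current == ep.endpoint_id:
            continue  # already routed to the same-AZ endpoint, nothing to do
        changes.append((rtb.rtb_id, "replace" if current else "create", ep.endpoint_id))
    return changes, findings


def as_cli(changes):
    """Render the plan as AWS CLI commands (assumes endpoints are VPC endpoints)."""
    return [f"aws ec2 {action}-route --route-table-id {rtb} "
            f"--destination-cidr-block {DEFAULT_ROUTE} --vpc-endpoint-id {ep}"
            for rtb, action, ep in changes]


# Constructed sample VPC: endpoints in 1a and 1b, an app subnet in 1c with none.
SUBNETS = [
    Subnet("subnet-app-a", "us-east-1a", "app"),
    Subnet("subnet-app-b", "us-east-1b", "app"),
    Subnet("subnet-app-c", "us-east-1c", "app"),
    Subnet("subnet-ngfw-a", "us-east-1a", "endpoint"),
    Subnet("subnet-ngfw-b", "us-east-1b", "endpoint"),
]
ENDPOINTS = [Endpoint("vpce-aaaa", "us-east-1a"), Endpoint("vpce-bbbb", "us-east-1b")]
ROUTE_TABLES = [
    RouteTable("rtb-app-a", ["subnet-app-a"], {DEFAULT_ROUTE: "igw-1111"}),  # bypasses NGFW
    RouteTable("rtb-app-b", ["subnet-app-b"]),                               # no default route
    RouteTable("rtb-app-c", ["subnet-app-c"], {DEFAULT_ROUTE: "igw-1111"}),  # AZ has no endpoint
    RouteTable("rtb-ngfw", ["subnet-ngfw-a", "subnet-ngfw-b"], {DEFAULT_ROUTE: "igw-1111"}),
]

if __name__ == "__main__":
    changes, findings = plan_routes(SUBNETS, ENDPOINTS, ROUTE_TABLES)
    print("\n".join(as_cli(changes)))
    print("\n".join(findings))
```

Run against the sample VPC, the planner emits a replace-route for rtb-app-a (its default route currently goes straight to the internet gateway), a create-route for rtb-app-b, leaves the endpoint subnets' table untouched, and flags rtb-app-c because us-east-1c has no endpoint. Whether the endpoint subnets' own table should point at an internet gateway, a NAT gateway or a transit gateway depends on the deployment pattern, which is why the planner leaves that table alone.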
