Cloud NGFW for AWS Centralized Deployments

In a centralized deployment, your Cloud NGFW components are deployed in a centralized security VPC. Traffic must always pass through an AWS Transit Gateway (TGW), which acts as a network hub and simplifies the connectivity between VPCs, as well as, on-premises networks.

Centralized East-West

  1. Traffic from the source instance is sent to the TGW ENI.
  2. The TGW ENI directs traffic to the TGW.
  3. The TGW routes traffic to security VPC TGW ENI.
  4. The TGW ENI sends traffic to NGFW endpoint and on to the NGFW for inspection.
  5. If the traffic is allowed, the NGFW sends traffic back to the NGFW endpoint. The traffic is then sent back to the TGW through the security VPC TGW endpoint.
  6. The TGW forwards the traffic to the TGW ENI in the destination VPC.
  7. Then the TGW ENI sends the traffic to the destination.

Centralized Outbound

  1. Traffic from the source instance is sent to the TGW ENI and on to the TGW.
  2. The TGW routes the traffic to the security VPC TGW ENI.
  3. The TGW ENI sends the traffic to the NGFW endpoint and on to the NGFW for inspection.
  4. If the traffic is allowed, the NGFW endpoint routes traffic to the NAT gateway.
  5. The NAT gateway forwards the traffic to the IGW and on to the destination.

Centralized Inbound

  1. Traffic from the internet arrives at the internet gateway.
  2. The internet gateway routes traffic to the application load balancer (ALB).
  3. The ALB then sends traffic to the ingress VPC TGW ENI.
  4. The TGW ENI sends traffic to the TGW.
  5. The TGW routes traffic to the security VPC TGW ENI.
  6. The TGW ENI sends traffic to NGFW endpoint and on to the NGFW for inspection.
  7. If the traffic is allowed, the NGFW endpoint sends the traffic to TGW.
  8. The TGW then routes the traffic to the protected VPC TGW ENI and then on to the destination.

Recommended For You