Cloud NGFW for AWS Distributed Deployments

[Figure: Cloud NGFW for AWS distributed deployments]
In a distributed deployment, each VPC that requires protection has its own NGFW. This deployment method is less complicated and, therefore, reduces the chance of misconfiguration. For additional examples of distributed deployments, see Cloud NGFW for AWS Deployment Architectures.

Ingress Traffic Inspection

  1. Traffic destined to the public IP of the Application Load Balancer (ALB) arrives at the internet gateway.
  2. The Internet Gateway (IGW) forwards the traffic to the application load balancer.
  3. Per the ALB subnet route table, traffic to the target group (workloads on EC2) is forwarded to the NGFW endpoint.
  4. The endpoint transparently sends the traffic to the firewall resource for inspection.
  5. If the traffic is allowed, the firewall resource sends the traffic back to the endpoint after inspection.
  6. Per the firewall subnet route table, traffic is forwarded to the workload servers.

Egress Traffic Inspection

  1. Any traffic initiated from the workload servers and destined for the internet is forwarded to the NGFW endpoint.
  2. The endpoint sends the traffic to the firewall resource for inspection.
  3. If the traffic is allowed, the firewall resource sends the traffic back to the endpoint after inspection.
  4. Per the firewall subnet route table, traffic is forwarded to the NAT gateway.
  5. The NAT gateway route table forwards the traffic to the internet gateway.
  6. Traffic is sent to the internet.
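Both flows above depend entirely on the subnet route tables: a single route that points the workload subnet at the NAT gateway instead of the NGFW endpoint silently bypasses inspection. The following added example (not code from the Palo Alto Networks page or product) models the ingress and egress flows as route-table lookups and checks that every flow traverses the endpoint. The VPC CIDR, subnet names, addresses and the route-table contents are constructed assumptions; the return route from the workload subnet to the ALB subnet is also an assumption, added so that the firewall sees both directions of the ingress flow. The model starts the ingress trace at the ALB subnet (steps 1 and 2, the IGW handing traffic to the ALB, happen before any customer route table is consulted).

```python
"""Route-table model for a distributed Cloud NGFW for AWS deployment.

Constructed example: the addressing and route tables below are hypothetical
and are not taken from any real AWS account. Each route table maps a
destination prefix to a target; longest-prefix match picks the route, exactly
as a VPC route table does.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
RouteTable = List[Tuple[Net, str]]  # (destination prefix, target)


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr)


# Hypothetical single-AZ VPC layout (assumption, not from the page).
VPC_CIDR = net("10.0.0.0/16")
SUBNETS: Dict[str, Net] = {
    "workload-subnet": net("10.0.1.0/24"),
    "alb-subnet": net("10.0.2.0/24"),
    "firewall-subnet": net("10.0.3.0/24"),
    "nat-subnet": net("10.0.4.0/24"),
}

# Targets that hand the packet on to another subnet's route table.
# The NGFW endpoint returns inspected traffic into the firewall subnet, so the
# firewall subnet route table decides the next hop (steps 5/6 and 3/4 above).
TRANSIT = {"ngfw-endpoint": "firewall-subnet", "nat-gw": "nat-subnet"}
TERMINAL = {"igw": "internet"}

# Route tables that implement the flows described on the page.
CORRECT: Dict[str, RouteTable] = {
    # ALB subnet: traffic for the target group goes to the NGFW endpoint.
    "alb-subnet": [(VPC_CIDR, "local"), (SUBNETS["workload-subnet"], "ngfw-endpoint")],
    # Firewall subnet: inspected traffic is delivered locally or sent to the NAT gateway.
    "firewall-subnet": [(VPC_CIDR, "local"), (net("0.0.0.0/0"), "nat-gw")],
    # NAT gateway subnet: everything else leaves via the internet gateway.
    "nat-subnet": [(VPC_CIDR, "local"), (net("0.0.0.0/0"), "igw")],
    # Workload subnet: internet-bound traffic, and (assumption) return traffic
    # to the ALB subnet, is steered to the NGFW endpoint.
    "workload-subnet": [
        (VPC_CIDR, "local"),
        (net("0.0.0.0/0"), "ngfw-endpoint"),
        (SUBNETS["alb-subnet"], "ngfw-endpoint"),
    ],
}

# Misconfiguration: the workload default route points straight at the NAT
# gateway, so egress never reaches the firewall.
BYPASS: Dict[str, RouteTable] = dict(CORRECT)
BYPASS["workload-subnet"] = [(VPC_CIDR, "local"), (net("0.0.0.0/0"), "nat-gw")]


def lpm(rt: RouteTable, dst: ipaddress.IPv4Address) -> str:
    """Longest-prefix match over one route table."""
    matches = [(prefix.prefixlen, target) for prefix, target in rt if dst in prefix]
    if not matches:
        raise LookupError(f"no route for {dst}")
    return max(matches, key=lambda m: m[0])[1]


def trace(tables: Dict[str, RouteTable], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Return the route tables and targets a packet visits from `start` to `dst`."""
    ip = ipaddress.ip_address(dst)
    path, table = [start], start
    for _ in range(max_hops):
        target = lpm(tables[table], ip)
        path.append(target)
        if target == "local":  # delivered within the VPC to the subnet holding dst
            path.append(next((n for n, c in SUBNETS.items() if ip in c), "unknown-subnet"))
            return path
        if target in TERMINAL:
            path.append(TERMINAL[target])
            return path
        table = TRANSIT[target]
        path.append(table)
    raise RuntimeError("routing loop")


# The flows the page describes, plus the assumed return leg of ingress.
FLOWS = {
    "ingress alb->workload": ("alb-subnet", "10.0.1.10"),
    "ingress return workload->alb": ("workload-subnet", "10.0.2.10"),
    "egress workload->internet": ("workload-subnet", "203.0.113.10"),
}


def uninspected_flows(tables: Dict[str, RouteTable]) -> List[str]:
    """Names of flows whose path never passes through the NGFW endpoint."""
    return [name for name, (start, dst) in FLOWS.items()
            if "ngfw-endpoint" not in trace(tables, start, dst)]


if __name__ == "__main__":
    for name, (start, dst) in FLOWS.items():
        print(f"{name}: {' -> '.join(trace(CORRECT, start, dst))}")
    print("bypassed with misconfigured workload route:", uninspected_flows(BYPASS))
```

Running the script prints the hop sequence for each flow against the correct tables and then reports which flows the misconfigured workload route table lets through uninspected. The same check can be pointed at route tables exported from a real account by replacing the constructed dictionaries.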
