Cloud NGFW for AWS Distributed Deployments
Table of Contents
Expand all | Collapse all
-
- About Cloud NGFW for AWS
- Getting Started from the AWS Marketplace
- Cloud NGFW for AWS Pricing
- Link Your PAYG Account with Cloud NGFW Credits
- Cloud NGFW for AWS Free Trial
- Cloud NGFW for AWS Limits and Quotas
- Subscribe to Cloud NGFW for AWS
- Locate Your Cloud NGFW for AWS Serial Number
- Cross-Account Role CFT Permissions for Cloud NGFW
- Invite Users to Cloud NGFW for AWS
- Manage Cloud NGFW for AWS Users
- Deploy Cloud NGFW for AWS with the AWS Firewall Manager
- Enable Programmatic Access
- Terraform Support for Cloud NGFW AWS
- Provision Cloud NGFW Resources to your AWS CFT
- Usage Explorer
- Create a Support Case
-
-
- Prepare for Panorama Integration
- Link the Cloud NGFW to Palo Alto Networks Management
- Unlink the Cloud NGFW from Palo Alto Networks Management
- Associate a Linked Panorama to the Cloud NGFW Resource
- Use Panorama for Cloud NGFW Policy Management
- View Cloud NGFW Logs and Activity in Panorama
- View Cloud NGFW Logs in Cortex Data Lake
- Tag Based Policies
- Enterprise Data Loss Prevention (E-DLP) Integration with Cloud NGFW for AWS
-
Cloud NGFW for AWS Distributed Deployments
Cloud NGFW for AWS distributed deployments.
In a distributed deployment, each VPC that requires protection has its own NGFW. This deployment
method is less complicated and, therefore, reduces the chance of misconfiguration. For
additional examples of distributed deployments, see Cloud NGFW for AWS Deployment
Architectures.
Ingress Traffic Inspection
- Traffic destined to the public IP of the Application Load Balancer (ALB) arrives at the internet gateway.
- The Internet Gateway (IGW) forwards the traffic to the application load balancer.
- Per the ALB subnet, traffic to the target group (workloads on EC2) are forwarded to the NGFW endpoint.
- The endpoint transparently sends the traffic to the firewall resource for inspection.
- If the traffic is allowed, the firewall resource sends the traffic back to the endpoint after inspection.
- Per the firewall subnet route table, traffic is forwarded to the workload servers.
Egress Traffic Inspection
- Any traffic initiated from the workload servers and destined for the internet is forwarded to the NGFW endpoint.
- The endpoint sends the traffic to the firewall resource for inspection.
- If the traffic is allowed, the firewall resource sends the traffic back to the endpoint after inspection.
- Per the firewall subnet route table, traffic is forwarded to the NAT gateway.
- The NAT gateway route table forwards the traffic to the internet gateway.
- Traffic is sent to the internt.