About Cloud NGFW for AWS

You can discover Cloud NGFW in the AWS Marketplace and consume it in your AWS Virtual Private Clouds (VPC). With Cloud NGFW, you can access the core NGFW capabilities such as App-ID, URL filtering based on URL categories and geolocations, SSL/TLS Decryption, etc.

Cloud NGFW Components

Cloud NGFW for AWS creates a number of components that work together to secure your AWS environment.
  • The Cloud NGFW tenant is an instantiation of the Cloud NGFW service associated with your AWS account when one of your AWS users subscribes to the service. Cloud NGFW designates you, the subscribing AWS user, as the administrator of the Cloud NGFW tenant (the TenantAdmin user role), who can invite other users to the tenant. Based on the assigned role, other users can create Cloud NGFW resources and configure rulestacks within the tenant.
  • The Cloud NGFW Resource (or simply NGFW) is associated with your VPC and can span multiple availability zones. This resource has built-in resiliency, scalability, and life-cycle management.
  • To use the Cloud NGFW resource, you create a dedicated subnet in your VPC for each desired AWS availability zone, then create NGFW endpoints on those subnets and update the VPC route tables to send the traffic through these Cloud NGFW endpoints.
  • Rulestacks define the NGFW traffic filtering behavior, such as advanced access control (App-ID, URL Filtering) and threat prevention. A rulestack includes a set of security rules and the associated objects and security profiles. To use a rulestack, you associate it with one or more NGFW resources. Cloud NGFW supports two types of rulestacks:
    • Local Rulestack: Local account administrators can associate a Local Rulestack with an NGFW in their AWS account. A local rulestack includes local rules.
    • Global Rulestack: The AWS Firewall Manager administrator can author a Firewall Manager Service (FMS) policy and associate a Global Rulestack with it. AWS Firewall Manager manages the Global Rulestack across all the NGFWs in the different AWS accounts of an AWS Organization. A Global Rulestack includes pre-rules and post-rules.

Cloud NGFW in Action

  1. Subscribe to the Cloud NGFW Service—Begin by subscribing to the Cloud NGFW for AWS service through the AWS Marketplace. After subscribing, you can create a Cloud NGFW tenant. The subscribing AWS IAM user is the Tenant Administrator (TenantAdmin), which allows that user to invite additional users and assign roles. You must add your AWS account to the Cloud NGFW tenant. Adding your account grants the permissions Cloud NGFW needs to store logs, create NGFW endpoints, and access the keys needed for decryption.
  2. Create Rulestacks—After adding users and assigning roles in the Cloud NGFW tenant console, Local Rulestack Admins can author local rules and rulestacks.
  3. Create NGFWs—Deploy NGFW firewall resources to protect your VPCs. While creating your NGFWs, associate the local rulestacks you created previously.
     You have two options for creating Cloud NGFW endpoints. In the first (service managed) option, you create a dedicated subnet in your VPC for each desired AWS availability zone, then specify those subnets when creating Cloud NGFW resources; Cloud NGFW creates the NGFW endpoints in your subnets. In the second (customer managed) option, you specify only the AWS availability zones in which you want the NGFW resource to secure traffic; Cloud NGFW creates only the Cloud NGFW resource, which manifests as VPC endpoint resources in your AWS account. You are then responsible for creating a dedicated subnet in your VPC for each desired AWS availability zone and for creating the VPC endpoints in those subnets.
  4. Update VPC Route Tables—After deploying your Cloud NGFW resource, you must direct traffic to Cloud NGFW for AWS by updating your VPC route tables. Traffic is then sent to the NGFW firewall resource for inspection and enforcement.
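As an added example (not Palo Alto Networks or AWS code), the following audit runs over DescribeRouteTables-shaped data and checks that each application subnet's default route actually points at an NGFW endpoint, flagging subnets whose traffic still bypasses inspection; the same-AZ check reflects the one-dedicated-subnet-per-availability-zone layout described above. All subnet, endpoint, route-table IDs and AZ mappings are constructed for the demo.

```python
"""Audit that each application subnet sends its default route (0.0.0.0/0)
through a Cloud NGFW endpoint in the subnet's own availability zone.
Input shapes mirror the EC2 DescribeRouteTables response; sample data is constructed."""

DEFAULT_ROUTE = "0.0.0.0/0"

def audit_route_tables(route_tables, subnet_az, endpoint_az):
    """Return {subnet_id: finding} for every subnet listed in subnet_az.
    route_tables: list shaped like DescribeRouteTables()["RouteTables"]
    subnet_az / endpoint_az: {id: az} for app subnets and NGFW endpoints
    Findings: "ok", "no-default-route", "bypasses-ngfw", "cross-az-endpoint"."""
    findings = {}
    for rtb in route_tables:
        default = next((r for r in rtb.get("Routes", [])
                        if r.get("DestinationCidrBlock") == DEFAULT_ROUTE), None)
        for assoc in rtb.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet not in subnet_az:
                continue  # main-table association or out-of-scope subnet (e.g. the NGFW subnet)
            if default is None:
                findings[subnet] = "no-default-route"
            elif default.get("VpcEndpointId") not in endpoint_az:
                # Internet/NAT/transit gateway or unknown endpoint: traffic skips inspection.
                findings[subnet] = "bypasses-ngfw"
            elif endpoint_az[default["VpcEndpointId"]] != subnet_az[subnet]:
                # Inspected, but hairpins across AZs and loses inspection if that AZ fails.
                findings[subnet] = "cross-az-endpoint"
            else:
                findings[subnet] = "ok"
    return findings

# Constructed sample: subnet a is correct, b still exits via the IGW, c uses another AZ's endpoint.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-a", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-ngfw-a"}]},
    {"RouteTableId": "rtb-b", "Associations": [{"SubnetId": "subnet-app-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-c", "Associations": [{"SubnetId": "subnet-app-c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-ngfw-a"}]},
]
SAMPLE_SUBNET_AZ = {"subnet-app-a": "us-east-1a", "subnet-app-b": "us-east-1b",
                    "subnet-app-c": "us-east-1b"}
SAMPLE_ENDPOINT_AZ = {"vpce-ngfw-a": "us-east-1a", "vpce-ngfw-b": "us-east-1b"}

if __name__ == "__main__":
    print(audit_route_tables(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNET_AZ, SAMPLE_ENDPOINT_AZ))
```

Feeding it the real `RouteTables` list from an EC2 DescribeRouteTables call gives the same findings for a live VPC.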

Two Ways to Access Cloud NGFW

You can log in to the AWS Marketplace, subscribe to the Cloud NGFW for AWS service, and create a Cloud NGFW tenant. As the subscribing user, you can invite additional users and assign them Cloud NGFW roles that allow them, as appropriate, to create, list, describe, update, and delete Cloud NGFW resources and Cloud NGFW rulestacks. When you create an NGFW, you specify the Amazon VPCs and the subnets that you need to secure. After creating the NGFW, you must update the route tables for your VPC gateways and subnets to route all traffic to the NGFW endpoint for inspection.
You also have the option to manage your Cloud NGFW service deployment using the AWS Firewall Manager service (FMS). The Firewall Manager policy workflow provides a link to the Cloud NGFW tenant console, where you author a global rulestack and deploy NGFWs across multiple AWS accounts in your AWS Organization.
You can use the AWS Firewall Manager console or APIs to manage Cloud NGFW in the same way that you manage your AWS Network Firewalls. Use the Firewall Manager policy creation workflow to create a global rulestack and deploy NGFWs across multiple AWS accounts in your AWS Organization. The Firewall Manager creates all the components of Cloud NGFW, including rulestacks and NGFW endpoints in the VPCs you specify.

Cloud NGFW Use Cases

Cloud NGFW provides you with the tools and functionality to secure inbound traffic, outbound traffic, and East-West traffic.
  • Inbound traffic refers to any traffic originating outside of your AWS region and bound for resources inside your application VPCs, such as servers or load balancers. Cloud NGFW can prevent malware and exploits of vulnerabilities from entering your VPC in the inbound traffic allowed by AWS security groups.
  • Outbound traffic refers to traffic originating within your application VPC and bound for destinations outside of the AWS region. Cloud NGFW protects outbound traffic flows by ensuring that resources in your application VPC connect only to allowed services and allowed URLs, while preventing exfiltration of sensitive data and information.
  • East-West traffic is traffic that moves within an AWS region: specifically, traffic between a source and destination deployed in two different application VPCs or in two different subnets of the same VPC. Cloud NGFW can stop the propagation of malware within your AWS environment.

Cloud NGFW Management

You can deploy Cloud NGFW in your AWS environment in multiple ways:
  • Cloud NGFW console—the Cloud NGFW console is a graphical user interface that provides a way to add and manage users and roles, configure your Cloud NGFW deployments, and define rulestacks and rules to protect your application VPCs.
  • AWS Firewall Manager—you can use the AWS Firewall Manager console to deploy Cloud NGFW across multiple AWS accounts in an AWS Organization. The Firewall Manager deploys the Cloud NGFW components, including creation of the AWS Marketplace subscription, management of the Cloud NGFW tenant, creation of NGFWs, and creation of NGFW endpoints in your VPCs. The FMS console redirects you to the Cloud NGFW tenant to author rules for your global rulestack.
