Supported Cloud NGFW for AWS Deployments

You can deploy Cloud NGFW in a centralized model behind a Transit Gateway (TGW) with a Cloud NGFW resource deployed in a dedicated security VPC or in a distributed model, with a Cloud NGFW resource associated with each VPC.

Centralized Deployment

In a centralized deployment, a dedicated security VPC provides a central approach to managing access control and threat prevention of Inbound, Outbound and East-West traffic of your VPCs. You must specify the security VPC and subnet(s) when configuring Cloud NGFW. The NGFW endpoints are created and deployed in the specified VPC and subnets. You must then configure route rules on the application VPCs and TGW to redirect traffic to the security VPC for inspection, as well as, route rules for return traffic.
For more information and examples of centralized deployments, see Cloud NGFW for AWS Centralized Deployments.

Distributed Deployment

The distributed deployment model allows for the distribution of Cloud NGFWs across multiple VPC, while maintaining centralized security control. In this model, it is recommended that you use the AWS Firewall Manager to author a Firewall Manager policy that facilitates the deployment of NGFWs across multiple AWS accounts of an AWS organization. You are then directed to Cloud NGFW console to create global rulestacks and associate them with the Firewall Manager policy. The Firewall Manager then invokes Cloud NGFW APIs to create the NGFW with the associated global rulestacks that protect your application VPCs. Additionally, the AWS Firewall Manager uses AWS VPC APIs to create NGFW endpoints in the VPCs you specify.
For more information and examples of centralized deployments, see Cloud NGFW for AWS Distributed Deployments.

Recommended For You