Cloud NGFW for AWS Centralized Deployments

Centralized deployments for the Cloud NGFW.
Where Can I Use This?
  • Cloud NGFW for AWS

What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Account (CSP)
  • AWS Marketplace account
  • User role (either tenant or administrator)
In a centralized deployment, your Cloud NGFW components deploy in a centralized security VPC. Traffic must always pass through an AWS Transit Gateway (TGW), which acts as a network hub and simplifies connectivity between VPCs and to on-premises networks.
For additional examples of centralized deployments, see Cloud NGFW for AWS Deployment Architectures.

Centralized East-West

  1. Traffic from the source instance goes to the TGW Elastic Network Interface (ENI).
  2. The TGW Elastic Network Interface directs traffic to the TGW.
  3. The TGW routes traffic to security VPC TGW Elastic Network Interface.
  4. The TGW Elastic Network Interface sends traffic to the NGFW endpoint and on to the NGFW for inspection.
  5. If the traffic is allowed, the NGFW sends the traffic back to the NGFW endpoint. The traffic is then sent back to the TGW through the security VPC TGW Elastic Network Interface.
  6. The TGW forwards the traffic to the TGW Elastic Network Interface in the destination VPC.
  7. Then the TGW Elastic Network Interface sends the traffic to the destination.

Centralized Outbound

  1. Traffic from the source instance is sent to the TGW Elastic Network Interface and on to the TGW.
  2. The TGW routes the traffic to the security VPC TGW Elastic Network Interface.
  3. The TGW Elastic Network Interface sends the traffic to the NGFW endpoint and on to the NGFW for inspection.
  4. If the traffic is allowed, the NGFW endpoint routes traffic to the NAT gateway.
  5. The NAT gateway forwards the traffic to the IGW and on to the destination.

Centralized Inbound

  1. Traffic from the internet arrives at the internet gateway.
  2. The internet gateway routes traffic to the application load balancer (ALB).
  3. The ALB then sends traffic to the ingress VPC TGW Elastic Network Interface.
  4. The TGW Elastic Network Interface sends traffic to the TGW.
  5. The TGW routes traffic to the security VPC TGW Elastic Network Interface.
  6. The TGW Elastic Network Interface sends traffic to the NGFW endpoint and on to the NGFW for inspection.
  7. If the traffic is allowed, the NGFW endpoint sends the traffic to the TGW.
  8. The TGW then routes the traffic to the protected VPC TGW Elastic Network Interface and then on to the destination.
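The three flows above are realized entirely by route tables: the spoke and ingress attachments are associated with a TGW route table whose only route points at the security VPC, and the security VPC attachment uses a separate post-inspection table with routes back to the spokes. The following added example (not code from Palo Alto Networks or AWS) models those tables and traces each flow hop by hop, so you can confirm that east-west, outbound and inbound traffic all traverse the NGFW endpoint and detect the common misconfiguration where a spoke route leaks into the pre-inspection TGW table and creates a bypass. All table names, CIDRs and addresses are constructed placeholders.

```python
"""Route-table model of a Cloud NGFW for AWS centralized deployment.

Added example, not Palo Alto Networks' or AWS's own code. The tables are
constructed to mirror the east-west, outbound and inbound flows described
on this page; every table name, CIDR and address is a made-up placeholder.
Tables named "tgw-*" stand in for AWS Transit Gateway route tables, the
others for VPC subnet route tables. A target is the next table to consult,
the NGFW endpoint, or a terminal ("deliver:<vpc>" or "internet").
"""
import ipaddress

TERMINAL_PREFIXES = ("deliver:", "internet")

TABLES = {
    # Spoke (application) VPCs: all non-local traffic goes to the TGW.
    "spoke-a-subnet-rt": {"10.1.0.0/16": "deliver:spoke-a",
                          "0.0.0.0/0": "tgw-spoke-rt"},
    "spoke-b-subnet-rt": {"10.2.0.0/16": "deliver:spoke-b",
                          "0.0.0.0/0": "tgw-spoke-rt"},
    # Ingress VPC: the ALB subnet forwards private ranges to the TGW.
    "ingress-alb-subnet-rt": {"10.0.0.0/8": "tgw-spoke-rt",
                              "0.0.0.0/0": "internet"},
    # TGW route table associated with spoke and ingress attachments:
    # a single default route to the security VPC (pre-inspection).
    "tgw-spoke-rt": {"0.0.0.0/0": "sec-tgw-subnet-rt"},
    # Security VPC, TGW attachment subnet: everything to the NGFW endpoint.
    "sec-tgw-subnet-rt": {"0.0.0.0/0": "ngfw-endpoint"},
    # NGFW endpoint subnet: after inspection, private ranges return to the
    # TGW (post-inspection table); internet-bound traffic goes to the NAT GW.
    "ngfw-endpoint": {"10.0.0.0/8": "tgw-post-inspection-rt",
                      "0.0.0.0/0": "sec-nat-subnet-rt"},
    # NAT gateway subnet: default route to the internet gateway.
    "sec-nat-subnet-rt": {"0.0.0.0/0": "internet"},
    # TGW route table associated with the security VPC attachment:
    # one route per spoke attachment.
    "tgw-post-inspection-rt": {"10.1.0.0/16": "spoke-a-subnet-rt",
                               "10.2.0.0/16": "spoke-b-subnet-rt"},
}


def lookup(table_name, dst_ip, tables=TABLES):
    """Longest-prefix match, as a VPC or TGW route table performs it."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in tables[table_name].items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise LookupError(f"{table_name}: no route to {dst_ip}")
    return best[1]


def trace(start_table, dst_ip, tables=TABLES, max_hops=16):
    """Follow the route tables hop by hop until a terminal is reached."""
    path = [start_table]
    current = start_table
    for _ in range(max_hops):
        nxt = lookup(current, dst_ip, tables)
        path.append(nxt)
        if nxt.startswith(TERMINAL_PREFIXES):
            return path
        current = nxt
    raise RuntimeError(f"routing loop: {path}")


def is_inspected(path):
    """True if the traced path traverses the NGFW endpoint."""
    return "ngfw-endpoint" in path


def audit(flows, tables=TABLES):
    """Return the names of flows whose path bypasses the NGFW endpoint."""
    return [name for name, start, dst in flows
            if not is_inspected(trace(start, dst, tables))]


# Constructed flows matching the three procedures on this page.
FLOWS = [
    ("east-west spoke-a -> spoke-b", "spoke-a-subnet-rt", "10.2.0.10"),
    ("outbound spoke-a -> internet", "spoke-a-subnet-rt", "203.0.113.5"),
    ("inbound ALB -> spoke-b", "ingress-alb-subnet-rt", "10.2.0.10"),
]


def with_direct_spoke_route(tables=TABLES):
    """Misconfiguration to detect: a spoke-b route propagated into the
    pre-inspection TGW table, giving spoke-a a direct, uninspected path."""
    bad = {name: dict(routes) for name, routes in tables.items()}
    bad["tgw-spoke-rt"]["10.2.0.0/16"] = "spoke-b-subnet-rt"
    return bad


if __name__ == "__main__":
    for name, start, dst in FLOWS:
        print(f"{name}: {' -> '.join(trace(start, dst))}")
    print("bypassing flows (intended config):", audit(FLOWS))
    print("bypassing flows (leaked spoke route):",
          audit(FLOWS, with_direct_spoke_route()))
```

The audit reports nothing for the intended configuration; with the leaked spoke route the east-west and inbound flows are reported as bypassing the NGFW, while outbound traffic still matches only the default route and stays inspected. When reviewing a real deployment, the same check is done against the TGW route tables: the table associated with spoke attachments should carry only the route to the security VPC attachment, with no propagated spoke routes.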