Cloud NGFW Scalability Across Multiple AWS VPCs
Learn how to scale a single Cloud NGFW resource across multiple AWS VPCs.
| Where Can I Use This? | What Do I Need? |
|---|---|
|  | Cloud NGFW subscription; Palo Alto Networks Customer Support Account (CSP); AWS Marketplace account; User role (either tenant or administrator) |

A Cloud NGFW resource provides NGFW capabilities for your VPC. The resource has built-in resiliency, scalability and lifecycle management. An NGFW resource spans multiple AWS Availability Zones, which are distinct locations within an AWS Region, engineered to be isolated from failures in other Availability Zones and connected to the other Availability Zones in the same Region by inexpensive, low-latency networking.
An NGFW resource is exposed as a Gateway Load Balancer-based VPC endpoint service. To use an NGFW resource, you create a dedicated subnet in your VPC for each Availability Zone you want to protect. You then create NGFW endpoints (also known as Gateway Load Balancer endpoints) in those subnets and update the VPC route tables to send traffic through the endpoints. Only traffic whose route actually points at an endpoint is inspected, so the route tables, not the endpoints, determine what the firewall sees; keep each subnet's route pointed at the endpoint in its own Availability Zone so that inspection does not depend on, or pay for, cross-zone traffic.
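The subnet, endpoint and route-table steps above, written out as an added Terraform example for one spoke VPC that consumes a shared NGFW resource. This is illustration code, not the page's or Palo Alto Networks' own configuration. It assumes that the VPC, its internet gateway and the application subnets already exist, that the NGFW resource's Gateway Load Balancer endpoint service name is available from the Cloud NGFW console (here `var.ngfw_service_name`, a placeholder), and that the consuming AWS account has already been allowed to use that endpoint service. The ingress/egress routing follows the distributed Gateway Load Balancer pattern: application subnets send their default route to the endpoint, the endpoint subnets forward returned traffic to the internet gateway, and an edge route table on the internet gateway steers inbound traffic to the endpoint before it reaches the application subnets.

```hcl
# Added example, not part of the Cloud NGFW documentation.
# Assumptions: existing VPC, internet gateway and application subnets;
# var.ngfw_service_name is the endpoint service name shown for the NGFW
# resource in the Cloud NGFW console (placeholder value, not a real one).

terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

variable "vpc_id"            { type = string }
variable "igw_id"            { type = string }
variable "ngfw_service_name" { type = string } # e.g. com.amazonaws.vpce.<region>.vpce-svc-... (hypothetical)

# One entry per Availability Zone: CIDR for the dedicated endpoint subnet,
# plus the existing application subnet and its CIDR (values are placeholders).
variable "zones" {
  type = map(object({
    fw_cidr       = string
    app_subnet_id = string
    app_cidr      = string
  }))
}

# 1. Dedicated subnet per Availability Zone for the NGFW endpoints
resource "aws_subnet" "fw" {
  for_each          = var.zones
  vpc_id            = var.vpc_id
  availability_zone = each.key
  cidr_block        = each.value.fw_cidr
  tags              = { Name = "ngfw-endpoint-${each.key}" }
}

# 2. Gateway Load Balancer endpoint per zone, attached to the shared NGFW resource
resource "aws_vpc_endpoint" "ngfw" {
  for_each          = var.zones
  vpc_id            = var.vpc_id
  service_name      = var.ngfw_service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [aws_subnet.fw[each.key].id]
  tags              = { Name = "ngfw-endpoint-${each.key}" }
}

# 3a. Application subnets: default route to the endpoint in the same zone,
#     so egress is inspected before it reaches the internet gateway
resource "aws_route_table" "app" {
  for_each = var.zones
  vpc_id   = var.vpc_id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = aws_vpc_endpoint.ngfw[each.key].id
  }
}

resource "aws_route_table_association" "app" {
  for_each       = var.zones
  subnet_id      = each.value.app_subnet_id
  route_table_id = aws_route_table.app[each.key].id
}

# 3b. Endpoint subnets: traffic returned by the NGFW continues to the internet gateway
resource "aws_route_table" "fw" {
  for_each = var.zones
  vpc_id   = var.vpc_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = var.igw_id
  }
}

resource "aws_route_table_association" "fw" {
  for_each       = var.zones
  subnet_id      = aws_subnet.fw[each.key].id
  route_table_id = aws_route_table.fw[each.key].id
}

# 3c. Ingress: edge route table on the internet gateway sends traffic destined
#     for each application subnet to that zone's endpoint first, so inbound
#     connections are inspected as well as outbound ones
resource "aws_route_table" "igw_edge" {
  vpc_id = var.vpc_id
  dynamic "route" {
    for_each = var.zones
    content {
      cidr_block      = route.value.app_cidr
      vpc_endpoint_id = aws_vpc_endpoint.ngfw[route.key].id
    }
  }
}

resource "aws_route_table_association" "igw_edge" {
  gateway_id     = var.igw_id
  route_table_id = aws_route_table.igw_edge.id
}
```

To attach a second VPC to the same NGFW resource, apply the same configuration against that VPC's `vpc_id`, `igw_id` and `zones` with the same `ngfw_service_name`; each VPC gets its own endpoints but shares the one resource. A quick check after apply is to list the routes of every application subnet and confirm that the `0.0.0.0/0` target is a `vpce-` ID rather than the internet gateway, since a subnet left on the default main route table bypasses inspection silently.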
You previously created the Cloud NGFW resource and dedicated it to a single VPC in your
            AWS environment. You could use the Cloud NGFW resource by creating NGFW endpoints in
            that VPC. This dedicated resource would be sufficient if you use Cloud NGFW resources in
            a centralized deployment. 
In the centralized architecture model, a dedicated security VPC provides a simplified, central point for managing advanced access control and threat inspection of traffic using an AWS Transit Gateway for all applications in the spoke VPCs. You configure route rules in the application VPCs and the transit gateway to redirect traffic to the security VPC for inspection. Your deployment may instead require a hybrid architecture model, in which the spoke VPCs use the centralized VPC for east-west inspection while the inspection points (NGFW resources) for Internet ingress/egress traffic are distributed to each application VPC that needs them. In that model you incur hourly costs for each NGFW resource in your deployment, which you might want to avoid.
In the image below, single-VPC NGFW resources are used in a combined deployment architecture, which forces you to incur additional costs for securing multiple VPCs:

Multi-VPC NGFW Resources
With multi-VPC NGFW resources, you can create endpoints for one NGFW resource in different VPCs and route traffic from each of them to that resource for inspection:

Sharing an NGFW resource across VPCs, including VPCs in different AWS accounts, provides significant operational benefits:
- Deployment flexibility. You can share Cloud NGFW resources across multiple VPCs in different AWS accounts.
- Scalable connectivity. Create up to 50 Cloud NGFW endpoints (also known as Gateway Load Balancer endpoints) across different VPCs and send traffic through these endpoints for NGFW inspection.
- Cost effectiveness. Reduce the number of NGFW resources needed to protect your AWS environment and consolidate your overall network security posture. There is no additional cost to share Cloud NGFW resources across multiple VPCs. You pay AWS directly for the Cloud NGFW endpoints (Gateway Load Balancer endpoints) that you use to send traffic to the NGFW resource.