Cloud NGFW Scalability Across Multiple AWS VPCs
Learn how to scale your Cloud NGFW resource across multiple AWS VPCs.
Where Can I Use This? | What Do I Need?
- Cloud NGFW subscription
- Palo Alto Networks Customer Support Account (CSP)
- AWS Marketplace account
- User role (either tenant or administrator)
A Cloud NGFW resource provides NGFW capabilities for your VPC. This resource has built-in resiliency, scalability, and lifecycle management. An NGFW resource spans multiple AWS Availability Zones, which are distinct locations within an AWS Region, engineered to be isolated from failures in other Availability Zones. They provide inexpensive, low-latency network connectivity to other Availability Zones in the same AWS Region.

An NGFW resource is a Gateway Load Balancer-based VPC endpoint service. To use an NGFW resource, you create a dedicated subnet in your VPC for each desired AWS Availability Zone. You then create NGFW endpoints (also known as Gateway Load Balancer endpoints) on those subnets and update the VPC route tables to send traffic through these endpoints.
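The per-AZ endpoint and route-table layout just described is what a defender most often gets wrong, so the following added example (not code from the page or from Palo Alto Networks) audits a constructed VPC inventory for it: each workload subnet must default-route to the Gateway Load Balancer endpoint in its own AZ, endpoint subnets forward to the internet gateway, and the internet gateway ingress (edge) route table hairpins inbound traffic for each workload CIDR through that AZ's endpoint. The edge route table and all resource ids (`vpce-ngfw-1a`, `igw-EXAMPLE`, subnet ids, CIDRs) are assumptions and placeholders for illustration.

```python
"""Audit a VPC's default routes against the per-AZ Cloud NGFW (GWLB endpoint)
pattern and plan the internet gateway edge routes. Constructed inventory: every
id and CIDR below is a placeholder, not a real resource."""

IGW = "igw-EXAMPLE"
# Constructed: GWLB (Cloud NGFW) endpoint id -> AZ the endpoint was created in
ENDPOINTS = {"vpce-ngfw-1a": "us-east-1a", "vpce-ngfw-1b": "us-east-1b"}
# Constructed: subnet id -> AZ, role, CIDR and the target of its 0.0.0.0/0 route
SUBNETS = {
    "subnet-app-1a":  {"az": "us-east-1a", "role": "app", "cidr": "10.0.1.0/24", "default": "vpce-ngfw-1a"},
    "subnet-app-1b":  {"az": "us-east-1b", "role": "app", "cidr": "10.0.2.0/24", "default": "vpce-ngfw-1a"},
    "subnet-app-1c":  {"az": "us-east-1c", "role": "app", "cidr": "10.0.3.0/24", "default": IGW},
    "subnet-ngfw-1a": {"az": "us-east-1a", "role": "endpoint", "cidr": "10.0.101.0/28", "default": IGW},
    "subnet-ngfw-1b": {"az": "us-east-1b", "role": "endpoint", "cidr": "10.0.102.0/28", "default": IGW},
}

def audit_default_routes(subnets=SUBNETS, endpoints=ENDPOINTS, igw=IGW):
    """Return (subnet, issue, target) for every subnet whose default route breaks the pattern."""
    findings = []
    for sid, s in subnets.items():
        target = s["default"]
        if s["role"] == "endpoint" and target != igw:
            findings.append((sid, "endpoint-subnet-not-to-igw", target))
        elif s["role"] == "app":
            if target not in endpoints:
                findings.append((sid, "bypasses-inspection", target))  # straight to IGW/NAT, no NGFW
            elif endpoints[target] != s["az"]:
                findings.append((sid, "cross-az-endpoint", target))    # asymmetric path, cross-AZ cost
    return findings

def plan_edge_routes(subnets=SUBNETS, endpoints=ENDPOINTS):
    """Build the IGW edge route table (workload CIDR -> same-AZ endpoint) and
    list AZs that host workloads but have no endpoint yet."""
    by_az = {az: vpce for vpce, az in endpoints.items()}
    routes, missing = {}, set()
    for s in subnets.values():
        if s["role"] != "app":
            continue
        vpce = by_az.get(s["az"])
        if vpce is None:
            missing.add(s["az"])  # needs a dedicated endpoint subnet and endpoint in this AZ
        else:
            routes[s["cidr"]] = vpce
    return routes, sorted(missing)

if __name__ == "__main__":
    print(audit_default_routes())
    print(plan_edge_routes())
```

Feeding the same checks with data pulled from `describe-subnets`, `describe-route-tables` and `describe-vpc-endpoints` output turns this into a periodic drift check for every VPC that shares the resource.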
You previously created the Cloud NGFW resource and dedicated it to a single VPC in your AWS environment. You could use the Cloud NGFW resource by creating NGFW endpoints in that VPC. This dedicated resource would be sufficient if you use Cloud NGFW resources in a centralized deployment.
In the centralized architecture model, a dedicated security VPC provides a simplified and central approach to managing advanced access control and threat inspection of traffic, using an AWS Transit Gateway, for all applications in the spoke VPCs. You would then configure route rules in the application VPCs and the transit gateway to redirect traffic to the security VPC for inspection. However, your deployment may require a hybrid architecture model, where the spoke VPCs can use the centralized VPC for east-west inspection. This model also allows distributing the inspection points (NGFW resources) onto each application VPC that needs protection for its internet ingress/egress traffic. However, you would incur hourly costs for each NGFW resource in your deployment, which you might want to avoid.
In the image below, single-VPC NGFW resources are deployed in a combined deployment architecture, which forces you to incur additional costs for securing multiple VPCs:
Multi-VPC NGFW Resources
With multi-VPC NGFW resources, you can create endpoints for one NGFW resource in different VPCs and route traffic to that NGFW resource for inspection:

Sharing the NGFW resource across these VPCs, even when they are in different AWS accounts, provides significant operational benefits:
- Deployment flexibility. You can share Cloud NGFW resources across multiple VPCs in different AWS accounts.
- Scalable connectivity. Create up to 50 Cloud NGFW endpoints (also known as Gateway Load Balancer endpoints) across different VPCs and send traffic through these endpoints for NGFW inspection.
- Cost effectiveness. Reduce the number of NGFW resources needed to protect your AWS environment and consolidate your overall network security posture. There is no additional cost to share Cloud NGFW resources across multiple VPCs. You pay AWS directly for the Cloud NGFW endpoints (Gateway Load Balancer endpoints) that you use to send traffic to the NGFW resource.