Cloud NGFW for AWS Combined Deployment Model
Figure: Cloud NGFW for AWS combined deployment model.
A combined deployment model pairs cross-account NGFW endpoints with hub-and-spoke VPC connectivity. The hub of the topology, the transit gateway, is the central point of connectivity between VPCs and provides east-west and outbound traffic security. In this deployment, NGFW endpoints in the cross-account VPCs provide inbound traffic security.
Ingress/Egress Traffic Inspection
Ingress traffic:
- Traffic initiated from an internet client and destined to the public IP of the application load balancer arrives at the internet gateway (IGW). The IGW forwards the traffic to the application load balancer (ALB).
- Per the ALB subnet route table, any traffic going to the target group (workloads on EC2) is forwarded to the NGFW endpoint.
- The endpoint transparently sends the traffic to the firewall resource for inspection.
- If the traffic is allowed, the firewall resource sends the traffic back to the endpoint after inspection.
- Per the firewall subnet route table, traffic is forwarded to the workload servers.
Egress traffic:
- Traffic from a workload running in Spoke VPC A is destined for the internet.
- The Transit Gateway (TGW) spoke route table forwards all the traffic to the centralized security VPC.
- The TGW subnet route table of the security VPC attachment sends all the traffic to the NGFW endpoint.
- The NGFW endpoint automatically sends traffic to the Cloud NGFW resource for inspection.
- If traffic is allowed, the NGFW resource sends the traffic back to the endpoint.
- The firewall subnet route table forwards all the traffic to the NAT gateway.
- The NAT gateway forwards the traffic to the destination through the IGW.
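Both flows above are only as good as the route tables that steer traffic into the NGFW endpoint; a single default route that points at the NAT gateway or IGW instead of the endpoint silently removes inspection. The following script is an added example, not code from Palo Alto Networks or this guide: it models the ingress and egress route tables described above as constructed data in the shape of the EC2 describe_route_tables output (route-table IDs, endpoint IDs, CIDRs and the NEXT_TABLE hand-off map are all placeholders), traces a destination IP hop by hop with AWS longest-prefix-match semantics, and flags any path that reaches an internet gateway without crossing an NGFW endpoint.

```python
"""Trace packets through constructed AWS route tables that model the combined
Cloud NGFW deployment (ALB subnet -> NGFW endpoint -> firewall subnet -> workload;
spoke VPC -> TGW -> security VPC -> NGFW endpoint -> NAT gateway -> IGW) and
flag paths that bypass inspection. All IDs and CIDRs are constructed placeholders."""
import ipaddress

# Constructed route tables (subset of describe_route_tables fields). TGW route
# tables are modelled in the same shape with a TransitGatewayAttachmentId target.
ROUTE_TABLES = {
    # ALB subnet, application VPC 10.1.0.0/16: traffic to the workload subnet is
    # steered to the NGFW endpoint by a route more specific than the local route.
    "rtb-alb": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.1.20.0/24", "VpcEndpointId": "vpce-ngfw-app"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-app"},
    ],
    # Firewall subnet, application VPC: inspected traffic is delivered locally.
    "rtb-fw-app": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
    ],
    # Spoke VPC A 10.2.0.0/16: everything non-local goes to the transit gateway.
    "rtb-spoke-a": [
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-main"},
    ],
    # TGW spoke route table: default route to the security VPC attachment.
    "tgw-rtb-spoke": [
        {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayAttachmentId": "tgw-attach-sec"},
    ],
    # TGW subnet, security VPC 10.0.0.0/16: default route to the NGFW endpoint.
    "rtb-tgw-subnet-sec": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-ngfw-sec"},
    ],
    # Firewall subnet, security VPC: default route to the NAT gateway.
    "rtb-fw-sec": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-sec"},
    ],
    # NAT subnet, security VPC: default route to the IGW.
    "rtb-nat-sec": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-sec"},
    ],
    # Constructed misconfiguration: TGW subnet table defaults straight to NAT,
    # so spoke egress never reaches the endpoint.
    "rtb-tgw-subnet-bad": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-sec"},
    ],
}

# Which route table a packet consults next after leaving a target. An endpoint
# target returns from the firewall into its firewall subnet's table; "local"
# and IGW targets are terminal and have no entry here.
NEXT_TABLE = {
    "vpce-ngfw-app": "rtb-fw-app",
    "vpce-ngfw-sec": "rtb-fw-sec",
    "tgw-main": "tgw-rtb-spoke",
    "tgw-attach-sec": "rtb-tgw-subnet-sec",
    "nat-sec": "rtb-nat-sec",
}

TARGET_KEYS = ("VpcEndpointId", "GatewayId", "NatGatewayId",
               "TransitGatewayId", "TransitGatewayAttachmentId")


def route_target(route):
    """Return the target ID of a route, whichever target field it carries."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    raise ValueError(f"route has no target: {route}")


def longest_prefix_match(table_id, dst_ip):
    """Target of the most specific route matching dst_ip (AWS route semantics)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for route in ROUTE_TABLES[table_id]:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route_target(route))
    if best is None:
        raise LookupError(f"{table_id}: no route to {dst_ip}")
    return best[1]


def trace(start_table, dst_ip, max_hops=10):
    """Follow a packet table by table; returns [(table_id, target), ...]."""
    path, table = [], start_table
    for _ in range(max_hops):
        target = longest_prefix_match(table, dst_ip)
        path.append((table, target))
        table = NEXT_TABLE.get(target)
        if table is None:  # local delivery or an IGW: the path ends here
            return path
    raise RuntimeError("routing loop suspected")


def is_inspected(path):
    """True when at least one hop traverses an NGFW endpoint."""
    return any(target.startswith("vpce-") for _, target in path)


def bypasses_firewall(path):
    """True when the path reaches an internet gateway without inspection."""
    return path[-1][1].startswith("igw-") and not is_inspected(path)


if __name__ == "__main__":
    for table, dst in (("rtb-alb", "10.1.20.15"),
                       ("rtb-spoke-a", "198.51.100.7"),
                       ("rtb-tgw-subnet-bad", "198.51.100.7")):
        p = trace(table, dst)
        print(table, "->", dst, p, "BYPASS" if bypasses_firewall(p) else "ok")
```

Against live data, the same two checks apply: pull each route table with describe_route_tables, resolve the subnet associations, and confirm that every default route in a TGW subnet or ALB subnet resolves to a VpcEndpointId before it resolves to a NatGatewayId or GatewayId. Routes in the application VPC that are more specific than the VPC CIDR (here 10.1.20.0/24 inside 10.1.0.0/16) are what let the ALB subnet steer target-group traffic into the endpoint, so the longest-prefix rule is essential to the trace.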