A combined deployment model uses a combination of cross-account NGFW endpoints with hub
and spoke VPC connectivity. The hub of the topology, or transit gateway, represents the
central point of connectivity between VPCs for east-west and outbound traffic security.
In this deployment, cross-account VPCs provide the inbound traffic security.
Ingress/Egress Traffic Inspection
Traffic initiated from an internet client and destined to the public IP of the
application load balancer arrives at the internet gateway (IGW). the IGW
forwards the traffic to the application load balancer (ALB).
Per the ALB subnet, any traffic going to the target group (workloads on EC2) is
forwarded to the NGFW endpoint.
The endpoint transparently sends the traffic to the firewall resource for
inspection.
If the traffic is allowed, the firewall resource sends the traffic back to the
endpoint after inspection.
Per the firewall subnet route table, traffic is forwarded to the workload
servers:
Traffic from a workload running in Spoke VPC A is destined for the
internet.
The Transit Gateway (TGW) spoke route table forwards all the traffic to
the centralized security VPC.
The TGW subnet route table of the security VPC attachment sends all the
traffic to the NGFW endpoint.
The NGFW endpoint automatically sends traffic to the Cloud NGFW resource
for inspection.
If traffic is allowed, the NGFW resource sends the traffic back to the
endpoint.
The firewall subnet route table forwards all the traffic to the NAT
gateway.
The NAT gateway forwards the traffic to the destination through the
IGW.
