You must deploy the firewalls, license the firewalls as appropriate, configure the network interfaces, and create policies that limit application and data traffic flows as appropriate for each server and application.
In this use case, each Availability Zone has four VM-Series firewalls:
Mgmt-FW—A firewall that secures inbound and outbound traffic necessary for managing and updating the infrastructure. It secures all inbound and outbound management traffic to and from the EC2 instances and services in the VPC, including database engine updates, SSH and HTTPS access to the EC2 instances and services, and SNMP. See Launch the VM-Series Firewalls and the NetScaler VPX and Configure the VM-Series Firewall for Securing Outbound Access from the VPC.

AZ1-FW1 and AZ1-FW2—A pair of firewalls that manage traffic from the NetScaler VPX to the web farm. In the event that a firewall fails, the load balancer uses service monitors to detect the failure and redirect traffic through the other firewall. See Launch the VM-Series Firewalls and the NetScaler VPX and Configure the Firewalls that Secure the Web Farm.

AZ1-DB—A firewall to segment the web farm from the Relational Database Service (RDS). This architecture allows you to add a layer of security and isolate the database service and limit the exposure of front-end servers to risks and threats. See Launch the VM-Series Firewalls and the NetScaler VPX and Configure the Firewall that Secures the RDS.
