By using AWS re:Post, you agree to the Terms of Use

Network Firewall

0

Do we need network firewall provisioned at each vpc OR one network firewall deployed to inspection firewall can manage all vpc's/subnets/ingress/egress traffic??

2 Answers
1

Hello,

Deployment models for AWS Network Firewall

There are multiple deployment models available with AWS Network Firewall. The right model depends on the use case and requirements. The following models are most common:

  • Distributed AWS Network Firewall deployment model: AWS Network Firewall is deployed into each individual VPC.

  • Centralized AWS Network Firewall deployment model: AWS Network Firewall is deployed into centralized VPC for East-West (VPC-to-VPC) and/or North-South (internet egress and ingress, on-premises) traffic.

  • Combined AWS Network Firewall deployment model: AWS Network Firewall is deployed into centralized inspection VPC for East-West (VPC-to-VPC) and subset of North-South (On Premises/Egress) traffic. Internet ingress is distributed to VPCs which require dedicated inbound access from the internet and AWS Network Firewall is deployed accordingly.

Recommend going through this Blog that explains each of those deployment models, towards the end of the blog you will see Deployment model comparison table.

https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/

profile picture
answered 4 months ago
0

So the AWS Network firewall service itself has to be deployed in a subnet/AZ level within a given VPC/Region. So you could have multiple AWS network firewalls in various VPCs, subnets, and Regions. The exact implementation depends on your network architecture and desired overall result.

However, you can also use AWS Firewall Manager (another separate service) which can help you "manage" all these network firewalls as stated here: "AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts." Note however that AWS Firewall Manager needs an AWS Organization first before using it.

Reference: https://aws.amazon.com/network-firewall/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc

Hope this answers your question

answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions