Hello,
Deployment models for AWS Network Firewall
There are multiple deployment models available with AWS Network Firewall. The right model depends on the use case and requirements. The following models are most common:
- Distributed AWS Network Firewall deployment model: AWS Network Firewall is deployed into each individual VPC.
- Centralized AWS Network Firewall deployment model: AWS Network Firewall is deployed into a centralized VPC for East-West (VPC-to-VPC) and/or North-South (internet egress and ingress, on-premises) traffic.
- Combined AWS Network Firewall deployment model: AWS Network Firewall is deployed into a centralized inspection VPC for East-West (VPC-to-VPC) and a subset of North-South (on-premises/egress) traffic. Internet ingress is distributed to the VPCs which require dedicated inbound access from the internet, and AWS Network Firewall is deployed accordingly.
I'd recommend going through this blog, which explains each of those deployment models; towards the end of the blog you will see a deployment model comparison table.
It really depends on your network architecture.
If you have a distributed design, meaning you have multiple internet gateways, then yes, you will need a firewall for each VPC. If you have a centralized design, meaning you have only one internet gateway, then you can deploy one firewall for all VPCs, routing all the traffic by using transit gateway routing and firewall endpoints.
Here is a link that you can do a lab with; it comes with CloudFormation templates. https://github.com/aws-samples/aws-networkfirewall-cfn-templates
You can deploy a centralized inspection VPC with a Network Firewall and route East/West traffic from other VPCs through the inspection VPC/Network Firewall.
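To make the centralized model from the answers above concrete, here is an added CloudFormation fragment (constructed for this page; it is not from the original post nor from the aws-samples repository). It assumes an existing Transit Gateway, inspection VPC, two subnets (one for the TGW attachment, one for the firewall endpoint) and an existing firewall policy, passed in as parameters; the TGW route tables that send spoke-VPC traffic to this attachment are configured outside this fragment.

```yaml
Parameters:                        # pre-existing resources; assumed, not from the original post
  TransitGatewayId: {Type: String}
  InspectionVpcId: {Type: AWS::EC2::VPC::Id}
  TgwSubnetId: {Type: AWS::EC2::Subnet::Id}        # subnet holding the TGW attachment ENI
  FirewallSubnetId: {Type: AWS::EC2::Subnet::Id}   # subnet holding the firewall endpoint
  FirewallPolicyArn: {Type: String}
  SpokeCidr: {Type: String, Default: 10.0.0.0/8}   # aggregate range of the spoke VPCs (assumed)
Resources:
  InspectionAttachment:
    Type: AWS::EC2::TransitGatewayVpcAttachment
    Properties:
      TransitGatewayId: !Ref TransitGatewayId
      VpcId: !Ref InspectionVpcId
      SubnetIds: [!Ref TgwSubnetId]
      # Appliance mode keeps both directions of a flow on the same AZ, so the
      # stateful engine sees the whole conversation instead of half of it.
      Options: {ApplianceModeSupport: enable}
  Firewall:
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      FirewallName: central-inspection
      FirewallPolicyArn: !Ref FirewallPolicyArn
      VpcId: !Ref InspectionVpcId
      SubnetMappings: [{SubnetId: !Ref FirewallSubnetId}]
  TgwSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: {VpcId: !Ref InspectionVpcId}
  TgwSubnetAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: {SubnetId: !Ref TgwSubnetId, RouteTableId: !Ref TgwSubnetRouteTable}
  TgwToFirewall:                   # everything arriving from the TGW is handed to the firewall endpoint
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref TgwSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      # EndpointIds is a list of "<az>:<vpce-id>" strings; take the endpoint id of the first entry
      VpcEndpointId: !Select [1, !Split [":", !Select [0, !GetAtt Firewall.EndpointIds]]]
  FirewallSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties: {VpcId: !Ref InspectionVpcId}
  FirewallSubnetAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: {SubnetId: !Ref FirewallSubnetId, RouteTableId: !Ref FirewallSubnetRouteTable}
  FirewallToTgw:                   # inspected traffic returns to the TGW for delivery to the spoke VPC
    Type: AWS::EC2::Route
    DependsOn: InspectionAttachment
    Properties:
      RouteTableId: !Ref FirewallSubnetRouteTable
      DestinationCidrBlock: !Ref SpokeCidr
      TransitGatewayId: !Ref TransitGatewayId
```

For multi-AZ deployments, repeat the subnet pair, subnet mapping and route tables per AZ so that each AZ's TGW subnet routes to the firewall endpoint in the same AZ.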