By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Network Firewall

0

Do we need network firewall provisioned at each vpc OR one network firewall deployed to inspection firewall can manage all vpc's/subnets/ingress/egress traffic??

Topics
Security, Identity, & Compliance
Tags
AWS Network Firewall
Language
English
rePost-User-1980452
asked 3 years ago1.1K views
4 Answers
1

Hello,

Deployment models for AWS Network Firewall

There are multiple deployment models available with AWS Network Firewall. The right model depends on the use case and requirements. The following models are most common:

  • Distributed AWS Network Firewall deployment model: AWS Network Firewall is deployed into each individual VPC.

  • Centralized AWS Network Firewall deployment model: AWS Network Firewall is deployed into centralized VPC for East-West (VPC-to-VPC) and/or North-South (internet egress and ingress, on-premises) traffic.

  • Combined AWS Network Firewall deployment model: AWS Network Firewall is deployed into centralized inspection VPC for East-West (VPC-to-VPC) and subset of North-South (On Premises/Egress) traffic. Internet ingress is distributed to VPCs which require dedicated inbound access from the internet and AWS Network Firewall is deployed accordingly.

Recommend going through this Blog that explains each of those deployment models, towards the end of the blog you will see Deployment model comparison table.

https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/

profile pictureAWS
EXPERT
Tushar_J
answered 3 years ago
0

So the AWS Network firewall service itself has to be deployed in a subnet/AZ level within a given VPC/Region. So you could have multiple AWS network firewalls in various VPCs, subnets, and Regions. The exact implementation depends on your network architecture and desired overall result.

However, you can also use AWS Firewall Manager (another separate service) which can help you "manage" all these network firewalls as stated here: "AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts." Note however that AWS Firewall Manager needs an AWS Organization first before using it.

Reference: https://aws.amazon.com/network-firewall/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc

Hope this answers your question

ZadusPlace
answered 3 years ago
0

if really depends on your network architecture,

if you are a distributed design, meaning you have multiple internet gateway, then yes, you will need firewall for each VPC if you are a centralize design, meaning you have only one internet gateway, then you can deploy one firewall for all vpc, routing all the traffic by using transit gateway routing and firewall endpoints

here is a link that you can do lab with, it come with cloudformation. https://github.com/aws-samples/aws-networkfirewall-cfn-templates

junjie-aws
answered a year ago
0

You can deploy a centralized inspection VPC with a Network Firewall and route East/West traffic from other VPCs through the inspection VPC/Network Firewall.

Mutiu
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content