
IGW->NAT->NFW vs IGW->NFW->NAT


Hi all

I'm planning to create a centralized ingress/egress VPC in the Network account. I need to inspect the traffic using Network Firewall. I think the following structures are possible:

  1. IGW - NAT - Network Firewall as in https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/using-nat-gateway-with-firewall.html
  2. IGW - Network Firewall - NAT as in https://docs.aws.amazon.com/network-firewall/latest/developerguide/arch-igw-ngw.html

I believe both of them are doable architectures, but are there any pros and cons, or any best practice suggestions?

Thanks.

2 Answers

The re:Post Agent answer is good here but this particular question can lead to many different answers.

Personally (so, opinion) I'm not a fan of centralised ingress. It can easily lead to a lot of shared fate (including administrative blast radius and potential noisy neighbour effects from traffic), so tread carefully. As a design pattern it works, but there are sharp edges. That said, the alternative (distributed ingress) is far more scalable but requires significantly more maturity in operating across multiple accounts and having tools (which AWS provides) for centrally managing resources in those accounts.

Centralised egress is relatively easy and is what most customers do.

For a relatively in-depth discussion on this, take a listen to this AWS Podcast episode where I talk to Simon Elisha about this exact question.

Answered by an AWS expert 24 days ago; reviewed by an expert 23 days ago
Accepted Answer

Both architectures you mentioned are indeed viable options for implementing a centralized ingress/egress VPC with AWS Network Firewall (ANF) inspection. Each approach has its own considerations:

  1. IGW -> NAT -> Network Firewall: This setup allows for NAT translation before traffic inspection. It can be beneficial if you need to perform NAT operations before applying firewall rules. However, this means that the firewall will see the translated IP addresses, which might affect your ability to create certain types of rules based on original source IPs.

  2. IGW -> Network Firewall -> NAT: This architecture inspects traffic before NAT translation occurs. It allows the firewall to see and filter based on original source IP addresses, which can be advantageous for more granular control. However, it means that NAT operations happen after inspection, which might impact how you structure your firewall rules if they need to account for post-NAT addressing.

In terms of best practices:

  1. Consider your specific security requirements. If you need to filter based on original source IPs, the IGW -> Network Firewall -> NAT approach might be more suitable.

  2. Think about scalability. Both approaches can be scaled, but you may need to adjust your architecture based on expected traffic volumes.

  3. Use AWS Firewall Manager to simplify deployment and management of AWS Network Firewall across multiple accounts if you're working in a multi-account environment.

  4. Consider using a multi-zone architecture for high availability, where each Availability Zone has its own firewall subnet and customer subnet.

  5. Properly configure route tables to ensure traffic flows through the Network Firewall as intended.

  6. If you're handling a lot of inbound traffic, you might want to consider using load balancers (ALB or NLB) in conjunction with your firewall setup.

Ultimately, the choice between these two architectures depends on your specific use case, security requirements, and how you want to structure your firewall rules. Both can be effective when implemented correctly.
Sources
AWS Network Firewall - Amazon EC2 Overview and Networking Introduction for Telecom Companies
Architecture with an internet gateway and a NAT gateway using AWS Network Firewall - AWS Network Firewall
Multi zone architecture with an internet gateway using AWS Network Firewall - AWS Network Firewall
Using the AWS Network Firewall for centralized ingress - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure

Answered 24 days ago; reviewed by an expert 24 days ago
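As an added illustration for the two orderings compared in this thread (this is an editor's example, not code from either answer and not AWS's own code), the Python model below encodes the route tables of both designs and traces one egress flow and its reply through them, recording which hops the packet crosses and which source and destination addresses the firewall endpoint actually sees. The VPC CIDR, subnet layout, NAT gateway addresses, the target names `fw`, `nat`, `igw` and `local`, and the single-AZ layout are all assumptions made for the model; a real deployment repeats the firewall and NAT subnets per Availability Zone. A third, deliberately broken variant of the second ordering omits the IGW ingress route table entry, so that reply traffic reaches the NAT gateway without passing the firewall.

```python
"""Route-table model of the two inspection orderings discussed above (added example,
constructed for this thread; not AWS code). Single AZ, VPC 10.0.0.0/16; targets are
"fw" (firewall endpoint), "nat" (NAT gateway), "igw" (internet gateway), "local"."""
import ipaddress
from dataclasses import dataclass

IP, Net = ipaddress.IPv4Address, ipaddress.IPv4Network
VPC, ANY = Net("10.0.0.0/16"), Net("0.0.0.0/0")


@dataclass
class Topology:
    subnets: dict       # subnet name -> CIDR
    route_tables: dict  # subnet name or "igw" (ingress table) -> [(prefix, target)]
    fw_subnet: str      # table consulted after the firewall endpoint hands the packet back
    nat_subnet: str     # table consulted after the NAT gateway
    nat_private: IP     # NAT gateway ENI address (assumed)
    nat_public: IP      # NAT gateway elastic IP (assumed, TEST-NET-2)


def next_hop(topo, rt_name, dst):
    """Longest-prefix match in one route table; resolves 'local' to the delivery point."""
    hits = [(p, t) for p, t in topo.route_tables[rt_name] if dst in p]
    if not hits:
        raise RuntimeError(f"{rt_name}: no route to {dst}")
    target = max(hits, key=lambda h: h[0].prefixlen)[1]
    if target != "local":
        return target
    if dst == topo.nat_private:
        return "nat"
    return "host:" + next(n for n, net in topo.subnets.items() if dst in net)


def trace(topo, src, dst, loc, nat_table):
    """Walk one packet from `loc`; returns (hops, [(src, dst) as seen by the firewall])."""
    hops, seen = [], []
    for _ in range(16):
        hops.append(loc)
        if loc in topo.subnets:            # emitted by a host: that subnet's route table
            loc = next_hop(topo, loc, dst)
        elif loc == "fw":                  # inspected, then the firewall subnet's table
            seen.append((str(src), str(dst)))
            loc = next_hop(topo, topo.fw_subnet, dst)
        elif loc == "nat":
            if src in VPC:                 # outbound: source NAT, remember the flow
                nat_table[dst] = src
                src = topo.nat_public
            elif src in nat_table:         # reply: undo the translation
                dst = nat_table[src]
            else:
                raise RuntimeError(f"NAT gateway holds no state for {src}")
            loc = next_hop(topo, topo.nat_subnet, dst)
        elif loc == "igw":
            if dst == topo.nat_public:     # inbound: IGW maps the EIP to the NAT's private IP
                dst = topo.nat_private
                loc = next_hop(topo, "igw", dst)
            elif src in VPC:
                raise RuntimeError(f"private source {src} reached the IGW un-NATed")
            else:
                loc = "internet"
        else:                              # "internet" or "host:<subnet>": delivered
            return hops, seen
    raise RuntimeError("routing loop: " + " -> ".join(hops))


def round_trip(topo, client, server):
    """Egress from client to server plus the reply; inspected only if the firewall saw both."""
    client, server, nat_table = IP(client), IP(server), {}
    start = next(n for n, net in topo.subnets.items() if client in net)
    out_hops, out_seen = trace(topo, client, server, start, nat_table)
    back_hops, back_seen = trace(topo, server, topo.nat_public, "igw", nat_table)
    return {"outbound": out_hops, "return": back_hops, "fw_saw_outbound": out_seen,
            "fw_saw_return": back_seen, "inspected": bool(out_seen and back_seen)}


def nat_then_firewall():
    """Ordering 1 (whitepaper): IGW - NAT gateway - firewall endpoint - workload."""
    return Topology(
        subnets={"public": Net("10.0.0.0/28"), "firewall": Net("10.0.0.16/28"),
                 "workload": Net("10.0.1.0/24")},
        route_tables={"workload": [(VPC, "local"), (ANY, "fw")],
                      "firewall": [(VPC, "local"), (ANY, "nat")],
                      # NAT subnet sends replies for the workload CIDR back through the firewall
                      "public": [(VPC, "local"), (Net("10.0.1.0/24"), "fw"), (ANY, "igw")],
                      "igw": [(VPC, "local")]},
        fw_subnet="firewall", nat_subnet="public",
        nat_private=IP("10.0.0.4"), nat_public=IP("198.51.100.5"))


def firewall_then_nat(ingress_route=True):
    """Ordering 2 (developer guide): IGW - firewall endpoint - NAT gateway - workload.
    ingress_route=False omits the IGW ingress route, the misconfiguration to look for."""
    igw = [(VPC, "local")] + ([(Net("10.0.0.16/28"), "fw")] if ingress_route else [])
    return Topology(
        subnets={"firewall": Net("10.0.0.0/28"), "public": Net("10.0.0.16/28"),
                 "workload": Net("10.0.1.0/24")},
        route_tables={"workload": [(VPC, "local"), (ANY, "nat")],
                      "public": [(VPC, "local"), (ANY, "fw")],
                      "firewall": [(VPC, "local"), (ANY, "igw")],
                      "igw": igw},
        fw_subnet="firewall", nat_subnet="public",
        nat_private=IP("10.0.0.20"), nat_public=IP("198.51.100.5"))
```

Running `round_trip(nat_then_firewall(), "10.0.1.10", "203.0.113.10")` traces workload, fw, nat, igw, internet and back igw, nat, fw, workload, with the firewall seeing the workload's private address 10.0.1.10 in both directions. `round_trip(firewall_then_nat(), ...)` traces workload, nat, fw, igw, internet and back igw, fw, nat, workload, but the firewall only ever sees the NAT gateway's addresses (198.51.100.5 outbound, 10.0.0.20 on the reply), so per-workload source rules are not possible in that ordering. With `firewall_then_nat(ingress_route=False)` the reply skips the firewall entirely and `inspected` is False: that asymmetric path is the route-table mistake to check for, because the stateful engine then sees only half of every flow. Against a real VPC the same check is to read each table with `aws ec2 describe-route-tables` and confirm that the workload CIDR in the NAT subnet's table (ordering 1) or the NAT subnet's CIDR in the IGW ingress table (ordering 2) points at the firewall endpoint for that AZ.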
