API Gateway and a FW appliance: will one do it all?

We are migrating most of our on-prem to AWS, but will have a VPN connection between them. Traditionally we have used FortiGate FWs on-premise, which act as the GW for all traffic from the internet. A lot of our customers connect to APIs and websites we host.

On-prem, the APIs use the Kong GW behind the FortiGates, and for the websites we use an NLB behind the FortiGates.

I'm stuck between the decision of using an API gateway with CloudFront alone or using a FW appliance in front of the API GW.

The API GW only deals with HTTP & HTTPS traffic; hence, for other services we may be putting in AWS, I would have thought we would need a FW appliance.

As the AWS account will be dealing with Ingress Internet traffic, we will need traffic inspection which both solutions provide.

We will also be creating multiple VPCs for DEV, ITG and Prod, so I was looking at the GWLB so that we could also create a Security VPC with FW appliances that could serve the different VPCs for ingress and egress traffic.

Is it normal to want to use a FW appliance and an API GW at the same time? I see no examples on the internet.

I'm aware you can put a WAF between CloudFront and the API GW, and I'm also aware you can put your API GW behind a FW appliance in a private subnet.

I just want to follow best practice. Surely an API GW will not do everything for me; what about all the other services/protocols which may be in use?

The API GW will be needed, but I'm also thinking I will need a FW Appliance.

Regards

1 answer

There's a lot to unpack here and this answer won't do it justice - I strongly recommend that you reach out to your local AWS Solutions Architect who can have a conversation with you in depth about this. If they can't, they can find a networking expert who can. That said:

I would always use an API Gateway instead of a firewall for API Gateway "type tasks" for many reasons. First, API Gateway is scalable and you only pay for what you use. You also get very fine-grained controls down to the method level. You can modify requests and check for specific attributes - all without scaling your back end.

But: if you're dealing with other types of traffic (non-HTTP) then a firewall might be the best choice.

You're right, API Gateway won't do everything for you. But neither will a firewall.

AWS Expert
answered 2 years ago
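As an added illustration (not part of the question or the answer above), this CloudFormation fragment shows what "controls down to the method level" and a WAF in front of the API GW look like in practice: a single GET method with IAM authorization and a required header enforced by a request validator, plus a regional WAFv2 web ACL with an AWS managed rule group attached to the deployed stage. The API name, path and the `x-api-client` header are hypothetical, and the MOCK integration stands in for a real backend.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  OrdersApi:                        # hypothetical API for the example
    Type: AWS::ApiGateway::RestApi
    Properties: { Name: orders-api-example }
  OrdersResource:
    Type: AWS::ApiGateway::Resource
    Properties: { RestApiId: !Ref OrdersApi, ParentId: !GetAtt OrdersApi.RootResourceId, PathPart: orders }
  ParamsValidator:                  # rejects requests missing required parameters before they reach the backend
    Type: AWS::ApiGateway::RequestValidator
    Properties: { RestApiId: !Ref OrdersApi, Name: validate-params, ValidateRequestParameters: true, ValidateRequestBody: false }
  GetOrders:                        # controls scoped to this single method; other methods can differ
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref OrdersApi
      ResourceId: !Ref OrdersResource
      HttpMethod: GET
      AuthorizationType: AWS_IAM    # only SigV4-signed callers may invoke this method
      RequestValidatorId: !Ref ParamsValidator
      RequestParameters: { method.request.header.x-api-client: true }   # hypothetical required header
      Integration:                  # MOCK stands in for the real backend
        Type: MOCK
        RequestTemplates: { application/json: '{"statusCode": 200}' }
        IntegrationResponses: [ { StatusCode: "200" } ]
      MethodResponses: [ { StatusCode: "200" } ]
  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: GetOrders
    Properties: { RestApiId: !Ref OrdersApi }
  ProdStage:
    Type: AWS::ApiGateway::Stage
    Properties: { RestApiId: !Ref OrdersApi, DeploymentId: !Ref Deployment, StageName: prod }
  ApiWebAcl:                        # regional web ACL with an AWS managed rule group, in front of the stage
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: orders-api-acl
      Scope: REGIONAL
      DefaultAction: { Allow: {} }
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: ordersApiAcl }
      Rules:
        - Name: AWSManagedRulesCommonRuleSet
          Priority: 0
          OverrideAction: { None: {} }
          Statement: { ManagedRuleGroupStatement: { VendorName: AWS, Name: AWSManagedRulesCommonRuleSet } }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: commonRules }
  AclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Sub arn:aws:apigateway:${AWS::Region}::/restapis/${OrdersApi}/stages/${ProdStage}
      WebACLArn: !GetAtt ApiWebAcl.Arn
```

The web ACL must be created in the same region as the API (REGIONAL scope); fronting the stage with CloudFront would instead use a CLOUDFRONT-scoped ACL in us-east-1 referenced from the distribution.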
