First, this architecture won't work because you can't present a Network Firewall endpoint publicly. You must have something that has an Elastic IP attached to it (so in this case, probably Application Load Balancer) and then direct the traffic to Network Firewall.
Second, I wouldn't recommend this architecture. Given the features available in API Gateway (in terms of pulling inbound requests apart, checking them for validity, and acting as an ingress point for all requests) and that you can attach WAF to API Gateway, I would question the value of adding a firewall to the mix. In short, I think there are better ways of doing this, although I totally understand that customers are often comfortable with the approach of "but this is the way we've always done it".
If it were me, I'd use API Gateway and (maybe) WAF to go with it - because it provides a high level of security for a low level of complexity.
Given the complexity of this design and the customer requirements I'd strongly recommend that you get in touch with your local AWS Solutions Architect to discuss the best way forward. Not trying to avoid a conversation here - more that this is something much easier accomplished interactively rather than in this particular format.
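As an added illustration of the API Gateway plus WAF pattern the answer above recommends (this is example Terraform written for this page, not code from the answerer or from AWS), the configuration below defines a REST API whose POST method enforces a JSON schema through a request validator, so malformed bodies are rejected with a 400 before any backend is invoked, and then attaches a REGIONAL WAFv2 web ACL (AWS managed common rule set plus a per-IP rate limit) to the deployed stage. The API name, region, path, schema and the MOCK integration standing in for a real backend are all assumptions chosen for the example.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "eu-west-1" # assumed region
}

# Hypothetical regional REST API; name and path are assumptions for this example.
resource "aws_api_gateway_rest_api" "api" {
  name = "orders-api"
  endpoint_configuration {
    types = ["REGIONAL"]
  }
}

resource "aws_api_gateway_resource" "orders" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  parent_id   = aws_api_gateway_rest_api.api.root_resource_id
  path_part   = "orders"
}

# JSON schema model: API Gateway rejects non-matching bodies with HTTP 400
# before the request ever reaches the integration.
resource "aws_api_gateway_model" "order" {
  rest_api_id  = aws_api_gateway_rest_api.api.id
  name         = "Order"
  content_type = "application/json"
  schema = jsonencode({
    "$schema"            = "http://json-schema.org/draft-04/schema#"
    type                 = "object"
    required             = ["sku", "quantity"]
    additionalProperties = false
    properties = {
      sku      = { type = "string", pattern = "^[A-Z0-9-]{1,32}$" }
      quantity = { type = "integer", minimum = 1, maximum = 100 }
    }
  })
}

resource "aws_api_gateway_request_validator" "body_and_params" {
  rest_api_id                 = aws_api_gateway_rest_api.api.id
  name                        = "validate-body-and-params"
  validate_request_body       = true
  validate_request_parameters = true
}

resource "aws_api_gateway_method" "post_order" {
  rest_api_id          = aws_api_gateway_rest_api.api.id
  resource_id          = aws_api_gateway_resource.orders.id
  http_method          = "POST"
  authorization        = "NONE" # use an IAM, Cognito or Lambda authorizer in practice
  request_validator_id = aws_api_gateway_request_validator.body_and_params.id
  request_models       = { "application/json" = aws_api_gateway_model.order.name }
}

# MOCK integration stands in for the real backend (Lambda, ALB, VPC link, ...).
resource "aws_api_gateway_integration" "post_order" {
  rest_api_id       = aws_api_gateway_rest_api.api.id
  resource_id       = aws_api_gateway_resource.orders.id
  http_method       = aws_api_gateway_method.post_order.http_method
  type              = "MOCK"
  request_templates = { "application/json" = "{\"statusCode\": 200}" }
}

resource "aws_api_gateway_deployment" "deploy" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  triggers = {
    redeploy = sha1(jsonencode([aws_api_gateway_method.post_order, aws_api_gateway_integration.post_order]))
  }
  lifecycle { create_before_destroy = true }
}

resource "aws_api_gateway_stage" "prod" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  deployment_id = aws_api_gateway_deployment.deploy.id
  stage_name    = "prod"
}

# WAFv2 web ACL; scope must be REGIONAL (not CLOUDFRONT) to associate with API Gateway.
resource "aws_wafv2_web_acl" "api" {
  name  = "orders-api-acl"
  scope = "REGIONAL"
  default_action { allow {} }

  rule {
    name     = "aws-common"
    priority = 1
    override_action { none {} } # let the managed group's own block actions apply
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "rate-limit"
    priority = 2
    action { block {} }
    statement {
      rate_based_statement {
        limit              = 1000 # assumed threshold, requests per evaluation window per source IP
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "orders-api-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "api" {
  resource_arn = aws_api_gateway_stage.prod.arn
  web_acl_arn  = aws_wafv2_web_acl.api.arn
}
```

The two layers do different jobs: the request validator enforces the API's own contract (required fields, types, patterns, no unexpected properties), while the web ACL handles generic web threats and abusive clients before they consume backend capacity. Both are managed by AWS, which is where the "high level of security for a low level of complexity" in the answer comes from; there is no appliance to patch, scale or make highly available.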
Thanks very much for your response. Appreciate your comments that this may not be the best architecture, but it may be the only architecture I can get through a traditional security team. The Organisation also has a hard requirement for IPS, which may involve using a 3rd party IPS device i.e. a Firewall with IPS as the front door and removing the AWS Firewall from the architecture. With this in mind, if I place a 3rd party Firewall/IPS device inline, remove the AWS Firewall, would the architecture be viable? I will also use the company channels to initiate a conversation with an AWS architect interactively.
Yes, you can place a third-party IPS/Firewall device as the primary, Internet-facing device, but then that leads to scaling issues and single-point-of-failure problems. You could put a load balancer (again: ALB) in front of the IPS/Firewall appliance, and while that is better, it's still not a great solution. There are other ways to do this, but (as you've pointed out) they are difficult to propose to customers who are still thinking traditionally.