1 Answer
2
It depends on what you want the firewalls to do. I'm opinionated about this topic (and you can hear my opinions in the AWS Podcast) - I think that firewalls should definitely not be "front line" - they should be somewhere behind the load balancers and perhaps even behind the workloads.
In general (and this is not a dig at Fortinet who make excellent products) firewalls are expensive and don't scale as quickly as traffic patterns (particularly during a DDoS) require. So using the cloud-native components (such as CloudFront and WAF) is better; and then put the firewalls "later" in the network path to do what they are best at - looking for specific and detailed attack vectors.
Thanks for your answer. We're going for Fortinet FWs to use their SD-WAN feature, allowing us to hook our AWS environment into our on-prem network. Agree with your analysis that a DDoS could potentially cripple this connectivity.
Security Groups are a good way of protecting the firewalls - you can restrict ports/protocols and IP addresses. That's kind of the opposite of what SD-WAN is intended to do; but if you are building out a network where you know the SD-WAN endpoints it means that only the traffic from those endpoints will reach the firewalls.
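The allow-list approach described in the comment above, as an added example that is not part of the original answer: build Security Group ingress rules limited to the known SD-WAN endpoints, refuse overly broad CIDRs, and audit an existing group for sources that are not on the list. The endpoint addresses are constructed sample values, and it assumes the SD-WAN overlay is IPsec (UDP 500, UDP 4500, ESP); the dictionaries follow the `IpPermissions` shape used by boto3's `authorize_security_group_ingress` and `describe_security_groups`.

```python
import ipaddress

# Constructed sample values (hypothetical): the on-prem SD-WAN hub addresses
# that are allowed to reach the firewall instances' WAN interfaces.
KNOWN_SDWAN_ENDPOINTS = ["203.0.113.10/32", "198.51.100.0/29"]

# Assumption: the SD-WAN overlay is IPsec, so only IKE (UDP 500), NAT-T
# (UDP 4500) and ESP (IP protocol 50) are needed from those endpoints.
SDWAN_PROTOCOLS = [("udp", 500), ("udp", 4500), ("50", None)]


def build_ingress(endpoints, protocols=SDWAN_PROTOCOLS, max_hosts=256):
    """Return IpPermissions for authorize_security_group_ingress, one entry per
    protocol/port, each limited to the known endpoint CIDRs. Refuses any CIDR
    that would open the firewalls to more than max_hosts addresses (0.0.0.0/0
    included), since that defeats the point of the allow-list."""
    ranges = []
    for cidr in dict.fromkeys(endpoints):            # dedupe, keep order
        net = ipaddress.ip_network(cidr, strict=True)
        if net.num_addresses > max_hosts:
            raise ValueError(f"{cidr} is too broad for an SD-WAN endpoint allow-list")
        ranges.append({"CidrIp": str(net), "Description": "SD-WAN endpoint"})
    perms = []
    for proto, port in protocols:
        perm = {"IpProtocol": proto, "IpRanges": [dict(r) for r in ranges]}
        if port is not None:                          # ESP (50) has no ports
            perm["FromPort"] = perm["ToPort"] = port
        perms.append(perm)
    return perms


def unexpected_sources(ip_permissions, endpoints):
    """Audit a group's existing IpPermissions (as returned by
    describe_security_groups) and list every source CIDR that is not a known
    SD-WAN endpoint, e.g. a 0.0.0.0/0 rule left over from troubleshooting."""
    allowed = {ipaddress.ip_network(c) for c in endpoints}
    return sorted({r["CidrIp"]
                   for p in ip_permissions for r in p.get("IpRanges", [])
                   if ipaddress.ip_network(r["CidrIp"]) not in allowed})


if __name__ == "__main__":
    for perm in build_ingress(KNOWN_SDWAN_ENDPOINTS):
        print(perm)
    # Constructed: a group that has drifted to allow IKE from anywhere.
    drifted = [{"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.10/32"}]}]
    print(unexpected_sources(drifted, KNOWN_SDWAN_ENDPOINTS))  # ['0.0.0.0/0']
```

Running `unexpected_sources` over the output of `describe_security_groups` for the firewall group on a schedule is a cheap way to catch the allow-list being widened.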
Interesting point Brett on the scaling. All AWS examples for NGFW usually use a GWLB and sit in front of the ALB. I'm going to listen to your podcast you have supplied in the link.