For the centralized deployment model, AWS Transit Gateway is a prerequisite. AWS Transit Gateway acts as a network hub and simplifies connectivity between VPCs as well as to on-premises networks. AWS Transit Gateway also provides inter-Region peering to other Transit Gateways, so a global network can be built on the AWS backbone. AWS Network Firewall deployed in a centralized model covers the following use cases:
As described in Figure 1: Centralized Architecture, we create:
Inspection VPC for East-West (inter-VPC) traffic inspection. The Inspection VPC consists of two subnets in each AZ:
Egress VPC for egress to the Internet. The Egress VPC consists of two subnets in each AZ:
Two Spoke VPCs, Spoke VPC A and Spoke VPC B. Spoke VPC resources are configured in a single AZ only.
Each Transit Gateway subnet in the Inspection VPC requires a dedicated VPC route table to ensure that traffic is forwarded to the firewall endpoint within the same AZ. These route tables have a default route (0.0.0.0/0) pointing to the firewall endpoint in the same AZ.
This is a Multi-AZ configuration. Resources in the Inspection VPC and Egress VPC are provisioned across two AZs.
Figure 1: Centralized Architecture
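The same-AZ default route is the part of this design most easily broken by a hand edit: a Transit Gateway subnet pointed at the other AZ's firewall endpoint creates a cross-AZ, asymmetric path. The following Python check, added here as an example (not part of the workshop's CloudFormation), walks route tables in the shape returned by EC2 DescribeRouteTables, using constructed sample data rather than an AWS API call, and reports any TGW subnet whose 0.0.0.0/0 route does not target the firewall endpoint in its own AZ, or any route table shared between TGW subnets.

```python
"""Verify each Inspection VPC TGW subnet routes 0.0.0.0/0 to the firewall endpoint in its own AZ."""

# Constructed sample data for this example, not taken from a live account.
SUBNET_AZ = {"subnet-tgw-a": "us-east-1a", "subnet-tgw-b": "us-east-1b"}
FIREWALL_ENDPOINT_AZ = {"vpce-fw-a": "us-east-1a", "vpce-fw-b": "us-east-1b"}
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-tgw-a",
        "Associations": [{"SubnetId": "subnet-tgw-a"}],
        "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-fw-a"}],
    },
    {
        "RouteTableId": "rtb-tgw-b",
        "Associations": [{"SubnetId": "subnet-tgw-b"}],
        # Misconfiguration: the AZ-b subnet is pointed at the AZ-a firewall endpoint.
        "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-fw-a"}],
    },
]


def check_inspection_routes(subnet_az, endpoint_az, route_tables):
    """Return a list of findings; an empty list means the same-AZ design holds."""
    findings = []
    covered = set()
    for rtb in route_tables:
        rtb_id = rtb["RouteTableId"]
        tgw_subnets = [a["SubnetId"] for a in rtb.get("Associations", [])
                       if a.get("SubnetId") in subnet_az]
        if len(tgw_subnets) > 1:
            # One route table per TGW subnet is required; a shared table cannot steer each AZ.
            findings.append(f"{rtb_id}: shared by TGW subnets {sorted(tgw_subnets)}")
        default = [r for r in rtb.get("Routes", [])
                   if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        for subnet in tgw_subnets:
            covered.add(subnet)
            if not default:
                findings.append(f"{subnet}: {rtb_id} has no 0.0.0.0/0 route")
                continue
            target = default[0].get("VpcEndpointId")
            if target not in endpoint_az:
                findings.append(f"{subnet}: 0.0.0.0/0 does not target a firewall endpoint")
            elif endpoint_az[target] != subnet_az[subnet]:
                findings.append(f"{subnet} ({subnet_az[subnet]}) routes via {target} "
                                f"in {endpoint_az[target]}: cross-AZ, asymmetric path")
    for subnet in sorted(set(subnet_az) - covered):
        findings.append(f"{subnet}: not associated with any route table")
    return findings


if __name__ == "__main__":
    for finding in check_inspection_routes(SUBNET_AZ, FIREWALL_ENDPOINT_AZ, ROUTE_TABLES):
        print(finding)
```

Against live data, feed it the `Subnets` and `RouteTables` lists from `describe_subnets` and `describe_route_tables` together with the firewall's endpoint-to-AZ mapping from `describe_firewall`.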
To learn more about how you can deploy AWS Network Firewall for various use cases, click here.
Click next to explore different components and deploy resources using AWS CloudFormation.