Centralized Deployment Model

For the centralized deployment model, AWS Transit Gateway is a prerequisite. AWS Transit Gateway acts as a network hub and simplifies connectivity between VPCs and on-premises networks. It also supports inter-region peering with other Transit Gateways, so you can build a global network over the AWS backbone. AWS Network Firewall deployed in a centralized model covers the following use cases:

  • East-West traffic filtering, e.g. inter-VPC inspection
  • North-South traffic inspection/filtering, e.g. Internet traffic filtering

As shown in Figure 1: Centralized Architecture, we create:

  • Inspection VPC for East-West (inter-VPC) traffic inspection. The Inspection VPC consists of two subnets in each AZ:

    • Transit Gateway subnet for the Transit Gateway attachment.
    • Firewall subnet for the firewall endpoint.
  • Egress VPC for egress to the Internet. The Egress VPC consists of two subnets in each AZ:

    • Transit Gateway subnet for the Transit Gateway attachment.
    • Public subnet for the NAT Gateway.
  • Two Spoke VPCs: Spoke VPC A and Spoke VPC B. Spoke VPC resources are configured in a single AZ only.

Each Transit Gateway subnet in the Inspection VPC requires a dedicated VPC route table to ensure traffic is forwarded to the firewall endpoint within the same AZ. These route tables have a default route (0.0.0.0/0) pointing to the firewall endpoint in the same AZ.

This is a Multi-AZ configuration. Resources in the Inspection VPC and Egress VPC are provisioned across two AZs.
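The per-AZ route-table requirement above is easy to get wrong by hand: sharing one route table across the Transit Gateway subnets, or pointing a default route at the firewall endpoint in the other AZ, silently sends traffic cross-AZ and can break symmetric inspection. The following added example (not part of this workshop's own templates) encodes the design as a check: every Transit Gateway subnet in the Inspection VPC must have its own route table whose 0.0.0.0/0 route targets a firewall endpoint in the same AZ. The resource IDs, AZ names and the simplified record shapes are constructed for illustration; in practice you would fill them from the EC2 DescribeSubnets and DescribeRouteTables responses, where a Network Firewall endpoint appears as a VPC endpoint (vpce-...).

```python
"""Validate Inspection VPC routing for a centralized AWS Network Firewall design.

Added example (not workshop code). Checks that each Transit Gateway subnet has a
dedicated route table whose default route points to the firewall endpoint in the
same Availability Zone, as the architecture described above requires.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_ROUTE = "0.0.0.0/0"


@dataclass(frozen=True)
class Subnet:
    subnet_id: str
    az: str
    role: str  # "tgw" = Transit Gateway subnet, "firewall" = firewall subnet


@dataclass(frozen=True)
class FirewallEndpoint:
    endpoint_id: str  # Network Firewall endpoints are VPC endpoints (vpce-...)
    az: str


@dataclass(frozen=True)
class RouteTable:
    route_table_id: str
    associated_subnets: Tuple[str, ...]
    routes: Dict[str, str]  # destination CIDR -> target resource id


def check_inspection_routing(subnets: List[Subnet],
                             endpoints: List[FirewallEndpoint],
                             route_tables: List[RouteTable]) -> List[str]:
    """Return a list of findings; an empty list means the routing matches the design."""
    findings: List[str] = []
    endpoint_az = {e.endpoint_id: e.az for e in endpoints}
    subnet_by_id = {s.subnet_id: s for s in subnets}
    tgw_subnets = [s for s in subnets if s.role == "tgw"]

    # Every AZ that hosts a Transit Gateway subnet must also host a firewall endpoint.
    azs_with_endpoint = {e.az for e in endpoints}
    for s in tgw_subnets:
        if s.az not in azs_with_endpoint:
            findings.append(f"{s.az}: no firewall endpoint in this AZ")

    # Index route tables by the subnets explicitly associated with them.
    tables_for_subnet: Dict[str, List[RouteTable]] = {}
    for rt in route_tables:
        for sid in rt.associated_subnets:
            tables_for_subnet.setdefault(sid, []).append(rt)

    for s in tgw_subnets:
        tables = tables_for_subnet.get(s.subnet_id, [])
        if len(tables) != 1:
            # Zero means the subnet falls back to the VPC main route table.
            findings.append(f"{s.subnet_id}: expected exactly one route table, found {len(tables)}")
            continue
        rt = tables[0]

        # Dedicated per AZ: no subnet from another AZ may share this table.
        other_azs = {subnet_by_id[o].az for o in rt.associated_subnets
                     if o in subnet_by_id and o != s.subnet_id}
        if other_azs - {s.az}:
            findings.append(f"{rt.route_table_id}: shared across AZs {sorted(other_azs | {s.az})}")

        # Default route must target the firewall endpoint in the same AZ.
        target = rt.routes.get(DEFAULT_ROUTE)
        if target is None:
            findings.append(f"{rt.route_table_id}: missing {DEFAULT_ROUTE} route")
        elif target not in endpoint_az:
            findings.append(f"{rt.route_table_id}: {DEFAULT_ROUTE} points to {target}, not a firewall endpoint")
        elif endpoint_az[target] != s.az:
            findings.append(f"{rt.route_table_id}: {DEFAULT_ROUTE} crosses AZ ({s.az} -> {endpoint_az[target]})")
    return findings


def build_sample(correct: bool = True):
    """Constructed two-AZ Inspection VPC; IDs and AZ names are illustrative only."""
    subnets = [
        Subnet("subnet-tgw-a", "us-east-1a", "tgw"),
        Subnet("subnet-fw-a", "us-east-1a", "firewall"),
        Subnet("subnet-tgw-b", "us-east-1b", "tgw"),
        Subnet("subnet-fw-b", "us-east-1b", "firewall"),
    ]
    endpoints = [FirewallEndpoint("vpce-fw-a", "us-east-1a"),
                 FirewallEndpoint("vpce-fw-b", "us-east-1b")]
    # Firewall subnets route back to the Transit Gateway (placeholder id); not checked here.
    fw_table = RouteTable("rtb-fw", ("subnet-fw-a", "subnet-fw-b"), {DEFAULT_ROUTE: "tgw-PLACEHOLDER"})
    if correct:
        tgw_tables = [
            RouteTable("rtb-tgw-a", ("subnet-tgw-a",), {DEFAULT_ROUTE: "vpce-fw-a"}),
            RouteTable("rtb-tgw-b", ("subnet-tgw-b",), {DEFAULT_ROUTE: "vpce-fw-b"}),
        ]
    else:
        # Misconfiguration: one table shared by both TGW subnets, all traffic to AZ a's endpoint.
        tgw_tables = [RouteTable("rtb-shared", ("subnet-tgw-a", "subnet-tgw-b"),
                                 {DEFAULT_ROUTE: "vpce-fw-a"})]
    return subnets, endpoints, tgw_tables + [fw_table]


if __name__ == "__main__":
    for label, ok in (("correct", True), ("misconfigured", False)):
        print(label, check_inspection_routing(*build_sample(correct=ok)) or "OK")
```

Run it as a script to see the correct layout pass and the shared-table layout produce three findings (two for the shared table, one for the cross-AZ default route). In a real account the same function can be fed from the EC2 API; the checks themselves do not depend on the constructed data.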

Architecture diagram

Figure 1: Centralized Architecture


Click Next to explore the different components and deploy the resources using AWS CloudFormation.