Cloud NGFW for AWS Centralized Deployments
Table of Contents
Cloud NGFW for AWS Centralized Deployments
In a centralized deployment, your Cloud NGFW components
are deployed in a centralized security VPC. Traffic must always
pass through an AWS Transit Gateway (TGW), which acts as a network
hub and simplifies the connectivity between VPCs, as well as, on-premises
networks.
For additional examples of centralized deployments, see Cloud NGFW for AWS Deployment
Architectures.
Centralized East-West
- Traffic from the source instance is sent to the TGW ENI.
- The TGW ENI directs traffic to the TGW.
- The TGW routes traffic to security VPC TGW ENI.
- The TGW ENI sends traffic to NGFW endpoint and on to the NGFW for inspection.
- If the traffic is allowed, the NGFW sends traffic back to the NGFW endpoint. The traffic is then sent back to the TGW through the security VPC TGW endpoint.
- The TGW forwards the traffic to the TGW ENI in the destination VPC.
- Then the TGW ENI sends the traffic to the destination.
![]()
Centralized Outbound
- Traffic from the source instance is sent to the TGW ENI and on to the TGW.
- The TGW routes the traffic to the security VPC TGW ENI.
- The TGW ENI sends the traffic to the NGFW endpoint and on to the NGFW for inspection.
- If the traffic is allowed, the NGFW endpoint routes traffic to the NAT gateway.
- The NAT gateway forwards the traffic to the IGW and on to the destination.
![]()
Centralized Inbound
- Traffic from the internet arrives at the internet gateway.
- The internet gateway routes traffic to the application load balancer (ALB).
- The ALB then sends traffic to the ingress VPC TGW ENI.
- The TGW ENI sends traffic to the TGW.
- The TGW routes traffic to the security VPC TGW ENI.
- The TGW ENI sends traffic to NGFW endpoint and on to the NGFW for inspection.
- If the traffic is allowed, the NGFW endpoint sends the traffic to TGW.
- The TGW then routes the traffic to the protected VPC TGW ENI and then on to the destination.
![]()
