Funnily enough, I was reviewing that kind of setup today. Please take a look at https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/
The deployment model "2) North-South: Centralized on-premises egress & ingress via Transit Gateway and Transit VIF/Direct Connect gateway/AWS Site-to-Site VPN" seems to be what you are looking for.
This way all traffic from on-prem via DX will use the TGW route table's 0.0.0.0/0 route to send all traffic via an inspection VPC. After passing through the AWS or 3rd-party firewall, the traffic is passed back to the TGW to route to the correct VPCs, etc.
Are you considering using Gateway Load Balancer in your architecture? This will simplify the architecture and routing design for your inspection VPC.
You can also check this blog which discusses Hybrid Inspection Architecture which can apply to both Gateway Load Balancer and AWS Firewall: https://aws.amazon.com/blogs/apn/centralized-traffic-inspection-with-gateway-load-balancer-on-aws/
If you are considering deploying gateway load balancer endpoints using Geneve protocol, you can review this Gateway Load Balancer Workshop which deploys Palo Alto in an inspection VPC: https://catalog.us-east-1.prod.workshops.aws/workshops/ae291640-10fe-4c0b-982f-9b9a61dbad26/en-US
Thank you for your response Amer! Yes, we are indeed considering using Gateway Load Balancer in our architecture to achieve high availability for the firewall. This approach seems promising in simplifying our routing design. I appreciate the links you provided. The Gateway Load Balancer Workshop deploying Palo Alto in an inspection VPC looks interesting. I'll definitely take a closer look at it to see how it aligns with our requirements. If you have any more insights or tips related to our setup, please feel free to share. Thanks again!
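One way to sanity-check the TGW route-table design both answers describe (every on-prem and spoke attachment sends 0.0.0.0/0 into the inspection VPC, and the inspection VPC's table routes traffic back out to its real destination), as an added example that is not from this thread or from AWS: the `DESIGN` dictionary and its field names are constructed for illustration rather than boto3 output, and the appliance-mode check reflects the TGW VPC attachment setting a stateful firewall behind the TGW relies on, which the thread itself does not mention.

```python
# Added example (not from the thread or AWS): lint a Transit Gateway routing
# design for the centralized North-South inspection pattern.  DESIGN is a
# constructed description; keys are illustrative, not boto3 field names.
import copy

DESIGN = {
    "inspection_attachment": "tgw-attach-insp",
    "attachments": {
        "tgw-attach-dx":      {"route_table": "rtb-edge"},
        "tgw-attach-spoke-a": {"route_table": "rtb-spokes"},
        "tgw-attach-spoke-b": {"route_table": "rtb-spokes"},
        "tgw-attach-insp":    {"route_table": "rtb-inspection", "appliance_mode": True},
    },
    "route_tables": {
        # on-prem (DX/VPN) and spoke attachments: everything goes to the firewall VPC
        "rtb-edge":   {"0.0.0.0/0": "tgw-attach-insp"},
        "rtb-spokes": {"0.0.0.0/0": "tgw-attach-insp"},
        # post-inspection table: the firewall VPC returns traffic to its destination
        "rtb-inspection": {
            "10.1.0.0/16": "tgw-attach-spoke-a",
            "10.2.0.0/16": "tgw-attach-spoke-b",
            "0.0.0.0/0":   "tgw-attach-dx",
        },
    },
}

def check_inspection_design(design):
    """Return a list of findings; an empty list means every path crosses the firewall."""
    insp = design["inspection_attachment"]
    insp_rtb = design["attachments"][insp]["route_table"]
    findings = []
    # Stateful appliances need both directions of a flow to land in the same AZ.
    if not design["attachments"][insp].get("appliance_mode"):
        findings.append(f"{insp}: appliance mode disabled on inspection attachment")
    for name, routes in design["route_tables"].items():
        if name == insp_rtb:
            continue  # the post-inspection table legitimately points at spokes/on-prem
        if routes.get("0.0.0.0/0") != insp:
            findings.append(f"{name}: default route must point at {insp}")
        # Any more-specific route to a non-inspection attachment skips the firewall.
        for cidr, target in routes.items():
            if cidr != "0.0.0.0/0" and target != insp:
                findings.append(f"{name}: {cidr} -> {target} bypasses inspection")
    return findings

def with_bypass(design):
    """Constructed bad variant: a spoke-to-spoke route that skips the firewall."""
    bad = copy.deepcopy(design)
    bad["route_tables"]["rtb-spokes"]["10.2.0.0/16"] = "tgw-attach-spoke-b"
    return bad
```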
Thank you for your response Gary! I will take a look at the link and get back to you in case of any questions. Thanks again.