Network Firewall


Do we need a Network Firewall provisioned in each VPC, or can one Network Firewall deployed in an inspection VPC manage all VPCs/subnets/ingress/egress traffic?

Asked 2 years ago, 706 views
3 answers

Hello,

Deployment models for AWS Network Firewall

There are multiple deployment models available with AWS Network Firewall. The right model depends on the use case and requirements. The following models are most common:

  • Distributed AWS Network Firewall deployment model: AWS Network Firewall is deployed into each individual VPC.

  • Centralized AWS Network Firewall deployment model: AWS Network Firewall is deployed into a centralized VPC for East-West (VPC-to-VPC) and/or North-South (internet egress and ingress, on-premises) traffic.

  • Combined AWS Network Firewall deployment model: AWS Network Firewall is deployed into a centralized inspection VPC for East-West (VPC-to-VPC) and a subset of North-South (on-premises/egress) traffic. Internet ingress is distributed to VPCs which require dedicated inbound access from the internet, and AWS Network Firewall is deployed accordingly.

I recommend going through this blog, which explains each of those deployment models; towards the end of the blog you will see a deployment model comparison table.

https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/

AWS Expert
Answered 2 years ago

So the AWS Network Firewall service itself has to be deployed at a subnet/AZ level within a given VPC/Region. So you could have multiple AWS Network Firewalls in various VPCs, subnets, and Regions. The exact implementation depends on your network architecture and desired overall result.

However, you can also use AWS Firewall Manager (another separate service) which can help you "manage" all these network firewalls as stated here: "AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts." Note however that AWS Firewall Manager needs an AWS Organization first before using it.

Reference: https://aws.amazon.com/network-firewall/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc

Hope this answers your question.

Answered 2 years ago

It really depends on your network architecture.

If you have a distributed design, meaning you have multiple internet gateways, then yes, you will need a firewall for each VPC. If you have a centralized design, meaning you have only one internet gateway, then you can deploy one firewall for all VPCs, routing all the traffic by using transit gateway routing and firewall endpoints.

Here is a link that you can do a lab with; it comes with CloudFormation: https://github.com/aws-samples/aws-networkfirewall-cfn-templates

Answered 6 months ago
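The distributed and centralized models from the first answer and the transit-gateway routing in the last one both come down to where each VPC's 0.0.0.0/0 route points. The script below is an added example, not code from the thread or from AWS: it audits route tables in the shape EC2 DescribeRouteTables returns, flagging VPCs that egress to an internet gateway without passing a firewall endpoint (distributed model) or that bypass the inspection VPC instead of routing via the transit gateway (centralized model). All resource IDs (vpc-app-a, tgw-hub, vpce-fw-az1 and so on) are constructed placeholders.

```python
"""Route-table audit for AWS Network Firewall deployment models.

Added example, not from the re:Post thread or from AWS. It works on an
in-memory snapshot of route tables in the shape EC2 DescribeRouteTables
returns, so it runs offline against the constructed sample below; pass
boto3's ec2.describe_route_tables()["RouteTables"] to audit a real account.
"""
from typing import Dict, List, Optional, Set

DEFAULT = "0.0.0.0/0"

# Constructed sample (placeholder IDs, not real resources): two workload
# VPCs and one inspection VPC wired for the centralized model.
SAMPLE_ROUTE_TABLES: List[Dict] = [
    # Workload VPC A: hands all egress to the transit gateway, as it should.
    {"VpcId": "vpc-app-a", "RouteTableId": "rtb-app-a",
     "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT, "TransitGatewayId": "tgw-hub"}]},
    # Workload VPC B: its own IGW and no firewall endpoint, so egress skips inspection.
    {"VpcId": "vpc-app-b", "RouteTableId": "rtb-app-b",
     "Routes": [{"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT, "GatewayId": "igw-app-b"}]},
    # Inspection VPC: TGW attachment subnet -> firewall endpoint -> NAT -> IGW,
    # with return traffic to 10.0.0.0/8 sent back through the firewall endpoint.
    {"VpcId": "vpc-inspect", "RouteTableId": "rtb-inspect-tgw",
     "Routes": [{"DestinationCidrBlock": "100.64.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": DEFAULT, "GatewayId": "vpce-fw-az1"}]},
    {"VpcId": "vpc-inspect", "RouteTableId": "rtb-inspect-fw",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": "tgw-hub"},
                {"DestinationCidrBlock": DEFAULT, "NatGatewayId": "nat-inspect"}]},
    {"VpcId": "vpc-inspect", "RouteTableId": "rtb-inspect-public",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vpce-fw-az1"},
                {"DestinationCidrBlock": DEFAULT, "GatewayId": "igw-inspect"}]},
]


def route_target(route: Dict) -> str:
    """Return a route's target ID regardless of which key EC2 used for it."""
    for key in ("GatewayId", "TransitGatewayId", "NatGatewayId",
                "NetworkInterfaceId", "VpcPeeringConnectionId"):
        if key in route:
            return route[key]
    return "unknown"


def default_target(route_table: Dict) -> Optional[str]:
    """Target of the 0.0.0.0/0 route, or None if the table has no default route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT:
            return route_target(route)
    return None


def is_firewall_endpoint(target: str) -> bool:
    """Network Firewall endpoints appear in route tables as vpce-... gateway IDs."""
    return target.startswith("vpce-")


def audit_distributed(route_tables: List[Dict]) -> List[str]:
    """Distributed model: a VPC that sends 0.0.0.0/0 to its own internet gateway
    must also have a route table steering traffic through a firewall endpoint."""
    vpcs_with_igw: Set[str] = set()
    vpcs_with_fw: Set[str] = set()
    for rt in route_tables:
        target = default_target(rt)
        if target is None:
            continue
        if target.startswith("igw-"):
            vpcs_with_igw.add(rt["VpcId"])
        if is_firewall_endpoint(target):
            vpcs_with_fw.add(rt["VpcId"])
    return [f"{vpc}: default route to an internet gateway but no firewall endpoint route"
            for vpc in sorted(vpcs_with_igw - vpcs_with_fw)]


def audit_centralized(route_tables: List[Dict], inspection_vpc: str,
                      transit_gateway: str) -> List[str]:
    """Centralized model: every workload VPC sends 0.0.0.0/0 to the transit gateway,
    and the inspection VPC must route that traffic through a firewall endpoint."""
    findings: List[str] = []
    inspection_has_fw = False
    for rt in route_tables:
        target = default_target(rt)
        if target is None:
            continue
        if rt["VpcId"] == inspection_vpc:
            inspection_has_fw = inspection_has_fw or is_firewall_endpoint(target)
        elif target != transit_gateway:
            findings.append(f"{rt['RouteTableId']} ({rt['VpcId']}): default route to "
                            f"{target} bypasses the inspection VPC")
    if not inspection_has_fw:
        findings.append(f"{inspection_vpc}: no route table sends {DEFAULT} to a firewall endpoint")
    return findings


if __name__ == "__main__":
    for model, findings in (("distributed", audit_distributed(SAMPLE_ROUTE_TABLES)),
                            ("centralized", audit_centralized(SAMPLE_ROUTE_TABLES,
                                                              "vpc-inspect", "tgw-hub"))):
        print(f"[{model}] {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

On the sample data both audits flag vpc-app-b, which is the kind of VPC the last answer describes: it has its own internet gateway, so under a distributed design it needs its own firewall, and under a centralized design its default route should point at the transit gateway instead. The vpce- prefix check is a heuristic; a real audit should cross-check the endpoint IDs against the firewall's own endpoint list (for example from the Network Firewall DescribeFirewall output) and walk every subnet association, not just the tables that carry a default route.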
