AWS Public Sector Blog
Implementing third-party firewall appliances in AWS: Comparing two methods
Public sector customers face challenges to accomplish complex missions with limited resources. Many IT teams are tasked with implementing centralized network security via third-party firewall appliances; protecting internet access by allowing secure connections to only approved destinations; and scaling security across many Amazon Web Services (AWS) accounts and virtual private clouds (VPCs)—all with reduced management and operational complexity.
At AWS, security is our top priority. With Amazon Virtual Private Cloud (Amazon VPC), customers can control network security using network access control lists (NACL) and security groups (SG). But many customers have requirements beyond the scope of these network security controls, such as deep packet inspection (DPI), application protocol detection, domain name filtering, and intrusion prevention system (IPS). Third-party firewalls can help address these needs.
In this blog post, learn two options for how to manage network security with third-party firewall appliances. In the first method, learn about next generation firewall (NGFW) solutions available to deploy via AWS Firewall Manager as a managed solution. In the second, discover how customers can deploy virtual appliances with Gateway Load Balancer. Using either of these two deployment models can help customers save time and streamline resources, so organizations can spend more time focusing on maintaining safe and secure environments.
Implementing Cloud NGFW for AWS in AWS Firewall Manager
A next generation firewall (NGFW) allows you to add a layer of network-centric capabilities to enhance the security of your cloud environment. NGFWs offer multiple security tools in a single solution that is simple to manage and deploy, adding simplicity, visibility, and operational efficiency to your network security architecture. Learn more about NGFWs.
In 2022, AWS introduced support for Palo Alto Networks Cloud NGFW with AWS Firewall Manager. This lets customers use Firewall Manager to centrally provision and manage NGFW resources and monitor for non-compliant configurations across multiple AWS accounts and VPCs. Cloud NGFW for AWS is offered as a subscription-based model from the AWS Marketplace. With software as a service (SaaS) subscriptions, customers pay for what they use through their AWS bill, which offers a quick and simple way to implement a third-party appliance.
Using Cloud NGFW for AWS with AWS Firewall Manager allows customers to choose the deployment model that works best with their network architecture. Customers can choose between a centralized model, in which one firewall is running in a centralized “inspection” VPC, or a distributed model, in which there are multiple firewalls. The following Figure 1 and Figure 2 depict an architecture diagram for deploying Cloud NGFW for AWS in a centralized model, and deploying Cloud NGFW in a distributed model, respectively.
Figure 1. Centralized model for deploying Cloud NGFW for AWS.
Figure 2. Distributed model for deploying Cloud NGFW for AWS.
Advantages of using Firewall Manager and Cloud NGFW for AWS
By integrating Cloud NGFW for AWS in Firewall Manager, customers don’t have to worry about the nuances of managing their firewall instances. Because it is a managed service, customers can get up and running in minutes with only a couple of clicks. The firewall appliance spans across multiple Availability Zones to support high availability. As this is a managed service, AWS performs the undifferentiated heavy lifting, such as updating, patching, and maintenance. Lastly, there are other integration capabilities with AWS native service like Firewall Manager, as well as log delivery to Amazon Simple Storage Service (Amazon S3), Amazon CloudWatch logs, or the Amazon Kinesis Data Firehose delivery system.
If you choose to deploy Cloud NGFW for AWS in a distributed model, Firewall Manager creates the NGFW endpoints in the specified subnets and manages the rules centrally. This also means having a dedicated firewall appliance for each VPC. Customers don’t need to use a transit gateway to centrally route traffic to a VPC that has the NGFW installed, which saves time and resources in overhead in regards to transit gateway management, and can make billing more convenient.
However, note that both Firewall Manager and Cloud NGFW for AWS are regional services and the Firewall Manager policy is therefore regional. Cloud NGFW for AWS is currently only available in the US East (N. Virginia) and US West (N. California) Regions.
Implementing virtual appliances using Gateway Load Balancer
Another way that customers can integrate third-party firewall appliances is with Gateway Load Balancer, which helps customers more simply deploy, scale, and manage third-party virtual appliances. It provides one gateway for distributing traffic across multiple virtual appliances, while scaling them up or down, based on demand. This decreases potential points of failure in a network and increases availability.
If you have multiple VPCs and accounts, using this solution requires you to configure a VPC to deploy the firewall appliance, configure it behind a Gateway Load Balancer, create a transit gateway, and attach your VPCs to the transit gateway. Learn more about using Amazon Gateway Load Balancer with Transit Gateway for centralized network security.
Advantages of using virtual appliances via Gateway Load Balancer
One of the advantages of using virtual appliances through Gateway Load Balancer is that your firewall appliances can achieve automatic horizontal scaling. If you have multiple instances behind a load balancer and you have Autoscaling enabled, inserting a Gateway Load Balancer firewall appliance will not disrupt your network because firewall appliances are fault tolerant. This may be an appropriate solution for you if you want more flexibility on the deployment with version management. Plus, you can deploy this solution across multiple AWS Regions beyond US East (N. Virginia) and US West (N. California). Additionally this deployment model enables partners to build upon as a service offering and provide a single consolidated bill, including Gateway Load Balancer charges. The following Figure 3 features an architecture diagram for deploying virtual firewall appliances via Gateway Load Balancer.
Figure 3. Deploying model for virtual appliances via Gateway Load Balancer.
Implementing third-party firewalls on AWS deployment model comparison
Use the following table to compare the two methods for integrating a third-party firewall in AWS across the three deployment models: distributed NGFW, centralized NGFW, and with Gateway Load Balancer.
| Distributed NGFW | Centralized NGFW | Gateway Load Balancer Firewall | |
| East-West: VPC to VPC traffic flow | Not supported | Supported | Supported |
| North-South: VPC to Internet traffic flow | Supported | Supported | Supported |
| North-South: VPC to on-prem via VPN or DX traffic flow | Not supported | Supported | Supported |
| Prerequisites | Firewall Manager Cloud NGFW subnets AWS Organizations |
Firewall Manager Transit Gateway |
GWLB VPC Endpoints in each protected VPC; AWS Transit Gateway |
| Centralized management | Through AWS Firewall Manager | Through a single instance of AWS Network Firewall | Through AWS Firewall Manager |
| Source IP visibility | Yes | Yes | Configuration dependent |
| Setup and Maintenance Overhead | Low | Low | Medium |
| Customization | Not Supported | Not Supported | Supported |
| Cost | Per NGFW Endpoint | Per AWS Transit Gateway attachments & AWS NGFW endpoints; AWS Transit Gateway data processing |
Per AWS Transit Gateway attachments & AWS GWLB endpoints (including any additional endpoints per protected VPC); AWS Transit Gateway data processing |
Conclusion
This blog post presented two models for managing third-party firewall appliances in AWS. Deploying third-party firewall appliances with Gateway Load Balancer offers more flexibility in terms of which appliance you choose to deploy. Plus, if you have compliance requirements to customize your firewall appliance, then deploying the firewall appliance through the Gateway Load Balancer may be a more appropriate fit. The centralized management and traffic inspection may benefit large organizations that require additional network security capabilities.
Meanwhile, Cloud NGFW for AWS provides the security for your network traffic with minimal setup, based on the deployment model of your choice (i.e. centralized or distributed). As of the time of this blog post being published Firewall manager only offers Palo Alto Networks and Fortinet in the market place with future integrations on the way. Learn how to get started deploying Cloud NGFW for AWS in your environment.
Read more on the AWS Public Sector Blog:
- Improving the customer experience for high-traffic public services: An architecture guidance
- How US federal agencies can apply TIC 3.0 to AWS workloads
- How government agencies can vet external data in minutes with data interchange zones
- How to implement CNAP for federal and defense customers in AWS
- Reduce mean time to contain (MTTC) on incidents against digital citizen services
Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox, or contact us.
Please take a few minutes to share insights regarding your experience with the AWS Public Sector Blog in this survey, and we’ll use feedback from the survey to create more content aligned with the preferences of our readers.