Firewall Network Design Patterns
1. Hybrid with TGW
FireNet supports AWS Transit Gateway (TGW), as shown below.
2. Hybrid with Insane Mode
FireNet supports AWS Transit Gateway (TGW) with Insane Mode.
3. Native TGW integration
As of Release 4.6, the hybrid deployment can use a native AWS Direct Connect Gateway (DXGW).
4. Multi Region Transit with Native TGW integration
Connect to on-prem with an AWS DXGW and use an Aviatrix Edge gateway to connect to multiple regions.
5. Multi-Region Transit with Aviatrix Edge
Connect to on-prem with an Aviatrix Edge gateway for both hybrid connectivity and multi-region transit.
6. Two Firewall Networks
You can deploy two Firewall Networks, one dedicated to VPC-to-VPC traffic inspection and another to egress inspection.
Note that you must follow the configuration sequence below:
- Disable the Traffic Inspection of the FireNet domain intended for Egress control.
- Enable Egress Control for FireNet domain intended for Egress control.
- Build connection policies.
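The three-step sequence above expressed as Terraform for the Aviatrix provider, as an added example that is not part of the original page or of the Aviatrix project's own code. The TGW name, domain names, VPC IDs, account name and region are placeholders, and the resource and attribute names (`aviatrix_aws_tgw_network_domain`, `aviatrix_aws_tgw_vpc_attachment`, `aviatrix_firenet`, `aviatrix_aws_tgw_security_domain_conn`) are assumed to match your provider version; verify them against the provider documentation before applying, since the domain and connection resources have been renamed across provider releases.

```hcl
# Added example, not from the Aviatrix docs. All names, IDs and regions are
# placeholders. Resource and attribute names assume the Aviatrix Terraform
# provider and must be checked against the provider version in use.

locals {
  tgw_name = "tgw-us-east-1" # placeholder: an existing Aviatrix-managed TGW
}

# Two firewall domains on the same TGW: one for VPC-to-VPC inspection,
# one for egress.
resource "aviatrix_aws_tgw_network_domain" "inspect" {
  tgw_name          = local.tgw_name
  name              = "FireNet-Inspect"
  aviatrix_firewall = true
}

resource "aviatrix_aws_tgw_network_domain" "egress" {
  tgw_name          = local.tgw_name
  name              = "FireNet-Egress"
  aviatrix_firewall = true
}

# Attach each FireNet gateway VPC to its firewall domain.
resource "aviatrix_aws_tgw_vpc_attachment" "inspect" {
  tgw_name            = local.tgw_name
  region              = "us-east-1"
  network_domain_name = aviatrix_aws_tgw_network_domain.inspect.name
  vpc_account_name    = "aws-account"         # placeholder access account
  vpc_id              = "vpc-0aaaaaaaaaaaaaaaa" # placeholder: inspection FireNet VPC
}

resource "aviatrix_aws_tgw_vpc_attachment" "egress" {
  tgw_name            = local.tgw_name
  region              = "us-east-1"
  network_domain_name = aviatrix_aws_tgw_network_domain.egress.name
  vpc_account_name    = "aws-account"
  vpc_id              = "vpc-0bbbbbbbbbbbbbbbb" # placeholder: egress FireNet VPC
}

# FireNet settings. The inspection FireNet keeps the defaults
# (inspection on, egress control off).
resource "aviatrix_firenet" "inspect" {
  vpc_id             = aviatrix_aws_tgw_vpc_attachment.inspect.vpc_id
  inspection_enabled = true
  egress_enabled     = false
}

# Egress FireNet: step 1 disables traffic inspection, step 2 enables egress
# control. Both live on the same resource; if your provider version applies
# them in the wrong order, apply with inspection_enabled = false first and
# then flip egress_enabled in a second apply.
resource "aviatrix_firenet" "egress" {
  vpc_id             = aviatrix_aws_tgw_vpc_attachment.egress.vpc_id
  inspection_enabled = false # step 1
  egress_enabled     = true  # step 2
}

# Step 3: connection policies. A spoke domain is connected to the inspection
# domain (so its traffic to other domains on that firewall domain transits
# the firewalls) and to the egress domain (so it learns the firewalls'
# default route). Spoke domains are not connected directly to each other.
# The resource name below is an assumption; some provider versions expose
# this as aviatrix_aws_tgw_peering_domain_conn instead.
resource "aviatrix_aws_tgw_security_domain_conn" "apps_to_inspect" {
  tgw_name     = local.tgw_name
  domain_name1 = "Apps" # placeholder spoke domain
  domain_name2 = aviatrix_aws_tgw_network_domain.inspect.name
  depends_on   = [aviatrix_firenet.inspect]
}

resource "aviatrix_aws_tgw_security_domain_conn" "apps_to_egress" {
  tgw_name     = local.tgw_name
  domain_name1 = "Apps"
  domain_name2 = aviatrix_aws_tgw_network_domain.egress.name
  depends_on   = [aviatrix_firenet.egress]
}
```

The `depends_on` entries keep the connection policies from being created until the FireNet settings on each domain are in place, which is the ordering the page requires. After applying, confirm on the Controller that the egress FireNet shows Traffic Inspection disabled and Egress Control enabled before attaching production spoke domains.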
7. Ingress Traffic Inspection
Follow the Ingress firewall instructions to deploy the solution for Ingress traffic inspection.
8. Aviatrix FQDN in FireNet for Egress Control
When an Aviatrix FQDN gateway is deployed in a VPC, it uses a public IP address to perform both whitelisting and NAT for Internet-bound traffic. Some of this Internet-bound traffic consists of partner API calls, and partners often limit the number of source IP addresses they accept from each customer. In that situation, you can deploy FQDN in a centralized manner, as shown in the diagram below.
9. Ingress Directly through Firewall
Another commonly configured Ingress design pattern forwards traffic directly to the firewall instances, as shown in the diagram below. In this design pattern, each firewall instance must be configured with SNAT on its LAN interface (the interface that connects to the Aviatrix FireNet gateway), so that return traffic from the application comes back through the same firewall. The drawback of this design is that the source IP address is not preserved when traffic reaches the application. If you need to preserve the source IP address, refer to the recommended Ingress design.
For more information, follow the FireNet workflow.
10. Central Egress in a Multi-Region Deployment
Since the default routes are propagated over the Aviatrix Transit Gateway peering, you can consolidate the Internet bound egress traffic to the firewalls in one region, as shown in the diagram below.
11. Distributed Egress in a Multi-Region Deployment
If you need distributed egress for each region, make sure you filter out the default route 0.0.0.0/0 when you build the Aviatrix Transit Gateway peering, as shown in the diagram below. Otherwise the default route learned from the other region's firewalls is propagated over the peering and may pull that region's Internet-bound traffic across regions.
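The two multi-region egress patterns (sections 10 and 11) as Terraform for the Aviatrix provider, added here as an example that is not part of the original page or of the Aviatrix project's own code. The transit gateway names are placeholders, the two peerings are shown side by side only for comparison (a real deployment picks one pattern per region pair), and the `gateway1_excluded_network_cidrs` / `gateway2_excluded_network_cidrs` attributes of `aviatrix_transit_gateway_peering` are assumed to filter the listed CIDRs out of the routes exchanged over that peering; confirm the attribute names and direction semantics against your provider version.

```hcl
# Added example, not from the Aviatrix docs. Gateway names are placeholders;
# attribute names assume the Aviatrix Terraform provider and should be verified.

# Central egress: the us-east-1 transit fronts the only egress FireNet. Nothing
# is excluded, so the 0.0.0.0/0 route learned from the us-east-1 firewalls is
# propagated to us-west-2 and west spokes egress through the east firewalls.
resource "aviatrix_transit_gateway_peering" "central_egress" {
  transit_gateway_name1 = "transit-us-east-1" # placeholder: region with firewalls
  transit_gateway_name2 = "transit-us-west-2" # placeholder: region without egress
}

# Distributed egress: each region has its own egress FireNet, so each side's
# default route must stay local. Excluding 0.0.0.0/0 on both ends keeps either
# region's firewalls from becoming the other region's Internet path.
resource "aviatrix_transit_gateway_peering" "distributed_egress" {
  transit_gateway_name1 = "transit-us-east-1" # placeholder
  transit_gateway_name2 = "transit-eu-west-1" # placeholder

  gateway1_excluded_network_cidrs = ["0.0.0.0/0"]
  gateway2_excluded_network_cidrs = ["0.0.0.0/0"]
}
```

After applying the distributed pattern, check each transit gateway's route table on the Controller: a 0.0.0.0/0 entry whose next hop is the peered transit indicates the exclusion did not take effect on that side.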
12. Ingress Protection via Aviatrix Transit FireNet
In this Ingress Protection design pattern, traffic is forwarded directly to the firewall instances in the Aviatrix Transit FireNet VPC, as shown in the diagram below. Each firewall instance must be configured with (1) SNAT on its LAN interface that connects to the Aviatrix FireNet gateway, so that return traffic from the application comes back through the same firewall, and (2) DNAT to the IP of the application server or load balancer. The drawback of this design is that the source IP address is not preserved when traffic reaches the application.
For an example configuration workflow, check out Ingress Protection via Aviatrix Transit FireNet with Fortigate.