Aviatrix FireNet / AWS Transit Gateway Native Deployment Comparison

There are two native deployment models: the firewall is connected to the AWS Transit Gateway (TGW) either through the TGW's built-in VPN function or through a TGW VPC attachment. Together with Aviatrix FireNet, this gives three deployment models.

The three deployment models are illustrated in the diagram below.

[Figure: firewall_deploy, the three firewall deployment models]

If an AWS Transit Gateway connects to a firewall through its built-in VPN function, the firewall must run IPsec and BGP. If more than one firewall instance is deployed and traffic is spread across them with ECMP, each firewall instance must be configured to perform SNAT, so that both directions of a session land on the same firewall instance; without SNAT, the reply to a flow can be hashed onto a different instance, which holds no state for that session and drops it. Furthermore, because the native deployment relies on an IPsec VPN, whose throughput is limited to 1Gbps, a single firewall instance effectively delivers only 500Mbps in this scenario, since every packet crosses the VPN twice (into the firewall and back out to the Transit Gateway).
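The ECMP/SNAT point above is easiest to see in a small simulation. The following is an added example written for this page, not Aviatrix or AWS code: it models a Transit Gateway hashing each 5-tuple onto one of several stateful firewall instances with an assumed SHA-256 based hash (the hash, addresses and ports are constructed assumptions, not how TGW actually hashes), and counts how many replies arrive at a firewall that never saw the request. With SNAT the reply's destination is a firewall-owned address, so it is routed rather than hashed and always returns to the instance that holds the session.

```python
"""Simulate why ECMP across stateful firewalls needs SNAT.

Added example, not Aviatrix or AWS code. The ECMP hash, IP addresses,
ports and firewall names below are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        """The 5-tuple of the reply packets for this flow."""
        return Flow(self.dst, self.src, self.dport, self.sport, self.proto)


def ecmp_pick(flow: Flow, n_paths: int) -> int:
    """Assumed ECMP hash: SHA-256 of the 5-tuple modulo the path count.

    Real router/TGW hashing differs, but any per-flow 5-tuple hash shares
    the property that matters here: the reverse tuple hashes independently.
    """
    key = f"{flow.src}|{flow.dst}|{flow.sport}|{flow.dport}|{flow.proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_paths


@dataclass
class Firewall:
    name: str
    snat_ip: str                      # address this firewall owns and SNATs to
    sessions: set = field(default_factory=set)

    def forward(self, flow: Flow, snat: bool) -> Flow:
        """Inspect a request and return the flow as it leaves the firewall."""
        out = Flow(self.snat_ip, flow.dst, flow.sport, flow.dport, flow.proto) if snat else flow
        self.sessions.add(out.reverse())  # remember the tuple the reply will carry
        return out

    def accept_reply(self, flow: Flow) -> bool:
        """A stateful firewall only accepts replies for sessions it has seen."""
        return flow in self.sessions


def simulate(snat: bool, n_flows: int = 200, n_fw: int = 2) -> int:
    """Return how many replies are dropped for lack of session state."""
    fws = [Firewall(f"fw{i}", f"10.255.0.{i + 1}") for i in range(n_fw)]
    by_snat_ip = {fw.snat_ip: fw for fw in fws}
    dropped = 0
    for i in range(n_flows):
        # Constructed spoke-to-spoke flow: client 10.1.0.10 -> server 10.2.0.20:443
        req = Flow("10.1.0.10", "10.2.0.20", 40000 + i, 443)
        fw_in = fws[ecmp_pick(req, n_fw)]          # TGW hashes the request
        reply = fw_in.forward(req, snat).reverse()  # server answers the tuple it saw
        if reply.dst in by_snat_ip:
            # Destination is a firewall-owned SNAT address: plain routing, no ECMP
            fw_back = by_snat_ip[reply.dst]
        else:
            # Destination is the original client: TGW hashes the reply tuple again
            fw_back = fws[ecmp_pick(reply, n_fw)]
        if not fw_back.accept_reply(reply):
            dropped += 1
    return dropped


if __name__ == "__main__":
    for snat in (False, True):
        print(f"snat={snat}: {simulate(snat)} of 200 replies dropped")
```

Run it with `python3` and compare the two lines: without SNAT roughly half of the replies land on the wrong instance and are dropped, with SNAT none are. Setting `n_fw=1` also gives zero drops, which is the Active/Standby case in the table below.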

A more detailed functional comparison is described in the table below.

Firewall Deployment Functions             Firewall in VPN deployment   Firewall in VPC/VNet attachment   Firewall in Aviatrix FireNet
----------------------------------------  ---------------------------  --------------------------------  ----------------------------
On-prem to VPC/VNet traffic inspection    Yes                          Yes                               Yes
VPC/VNet to VPC/VNet traffic inspection   Yes (requires SNAT)          Yes                               Yes
Egress traffic inspection                 Yes                          Yes                               Yes
Per firewall performance                  500Mbps                      Up to 6Gbps                       Up to 6Gbps
Total FireNet performance                 > 500Mbps                    Up to 6Gbps                       Up to 75Gbps
Multiple firewalls (scale out)            Yes                          No (Active/Standby)               Yes
Integrated solution                       Yes                          No (requires external script)     Yes
Solution complexity                       High                         Medium                            Low
Centrally managed                         Yes                          No (requires external script)     Yes
Multi-vendor support                      Yes                          Yes                               Yes