AWS Architecture Blog·November 26, 2025

Centralized Network Security with AWS Network Firewall for Hybrid Cloud

This article details a centralized network security architecture leveraging AWS Network Firewall and AWS Transit Gateway to secure Amazon Elastic VMware Service (EVS) environments, other VPCs, and on-premises data centers. It outlines how to inspect east-west and north-south traffic flows, providing a single control point for firewall policy, logging, and monitoring across a hybrid cloud setup.


The article presents an architecture for securing hybrid cloud environments by centralizing network inspection. It uses AWS Network Firewall as a 'bump-in-the-wire' control, integrated with AWS Transit Gateway: the firewall sits transparently in the forwarding path between attachments, so workloads keep their existing addressing and routes while every inter-segment flow is inspected and filtered. Consolidating firewall policy at that one hop replaces per-VPC security group and NACL sprawl with a single rule set that applies across every network segment.

Centralized Inspection Architecture

The proposed architecture uses an Amazon EVS VPC, a standard Workload VPC (VPC01), an Egress VPC with NAT gateways for outbound internet access, and an Ingress VPC with Application Load Balancers for inbound traffic. AWS Transit Gateway acts as the central hub connecting all of these VPCs and, optionally, an on-premises data center via a Direct Connect Gateway. In this hub-and-spoke model it is the Transit Gateway route tables, not the workloads, that force traffic through AWS Network Firewall: spoke attachments are associated with a route table whose default route points at the firewall attachment, and the firewall's own route table carries the return routes to each spoke (and a default route to the Egress VPC).


Traffic Flow Patterns Inspected

The architecture is designed to inspect both East-West traffic (between EVS VPCs and Workload VPCs, or between Workload VPCs) and North-South traffic (between EVS/Workload VPCs and on-premises, or between EVS/Workload VPCs and the internet). Because every one of these flows crosses the Transit Gateway, a single firewall attachment sees them all; the routing must be symmetric, so that both directions of a connection traverse the same firewall and its stateful engine sees the full conversation.
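The following is an added example, not code from the AWS article: a small model of the Transit Gateway route tables behind the hub-and-spoke design, used to check that each of the flow patterns above (east-west, to on-premises, to the internet) actually transits the firewall in both directions. The attachment names, CIDRs and route tables are hypothetical; the last section shows the classic failure mode, a more-specific route in a spoke table that lets one flow bypass the firewall and makes the return path asymmetric.

```python
"""Route-table model of the hub-and-spoke inspection design (constructed example)."""
from ipaddress import ip_address, ip_network

# Transit Gateway attachments and the CIDR each one owns (hypothetical values).
ATTACHMENT_CIDRS = {
    "evs-vpc":     "10.10.0.0/16",
    "vpc01":       "10.20.0.0/16",
    "egress-vpc":  "10.30.0.0/16",
    "ingress-vpc": "10.40.0.0/16",
    "dxgw":        "192.168.0.0/16",   # on-premises via Direct Connect Gateway
}
FIREWALL = "firewall"   # the Network Firewall attachment (native TGW attachment or inspection VPC)

# TGW route tables as {destination prefix: next-hop attachment}.
# Spokes see only a default route to the firewall; the firewall's table knows the
# way back to every spoke and sends everything else to the egress VPC.
SPOKE_RT = {"0.0.0.0/0": FIREWALL}
FIREWALL_RT = {cidr: att for att, cidr in ATTACHMENT_CIDRS.items()}
FIREWALL_RT["0.0.0.0/0"] = "egress-vpc"

# Route-table association for each attachment: every spoke (including the
# egress VPC, whose NAT return traffic must also be inspected) uses SPOKE_RT.
ASSOCIATIONS = {att: SPOKE_RT for att in ATTACHMENT_CIDRS}
ASSOCIATIONS[FIREWALL] = FIREWALL_RT


def lookup(route_table, dst):
    """Longest-prefix match over one route table, as the Transit Gateway does."""
    best = None
    for prefix, hop in route_table.items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def owner(ip_str):
    """Attachment that owns an address; anything unknown is 'the internet' behind egress."""
    ip = ip_address(ip_str)
    for att, cidr in ATTACHMENT_CIDRS.items():
        if ip in ip_network(cidr):
            return att
    return "egress-vpc"


def trace(src_attachment, dst_ip, associations=ASSOCIATIONS, max_hops=8):
    """Follow TGW forwarding from a source attachment until the packet leaves the
    TGW through the attachment owning dst_ip or through the egress VPC."""
    dst = ip_address(dst_ip)
    path = [src_attachment]
    current = src_attachment
    for _ in range(max_hops):
        nxt = lookup(associations[current], dst)
        if nxt is None:
            path.append("blackhole")
            return path
        path.append(nxt)
        cidr = ATTACHMENT_CIDRS.get(nxt)
        if cidr is not None and (dst in ip_network(cidr) or nxt == "egress-vpc"):
            return path
        current = nxt
    path.append("loop")
    return path


def check_flow(src_ip, dst_ip, associations=ASSOCIATIONS):
    """Trace both directions of a flow and report whether each hop list includes
    the firewall; stateful inspection needs both to be true."""
    fwd = trace(owner(src_ip), dst_ip, associations)
    rev = trace(owner(dst_ip), src_ip, associations)
    return {
        "forward": fwd,
        "reverse": rev,
        "symmetric_inspection": FIREWALL in fwd[1:] and FIREWALL in rev[1:],
    }


# Misconfiguration to detect: someone adds a more-specific route to the spoke
# table so EVS -> VPC01 goes straight to the workload VPC, skipping the firewall,
# while the reply still takes the default route through it (asymmetric).
BYPASS_SPOKE_RT = {**SPOKE_RT, "10.20.0.0/16": "vpc01"}
BYPASS_ASSOCIATIONS = {**ASSOCIATIONS, **{att: BYPASS_SPOKE_RT for att in ATTACHMENT_CIDRS}}

if __name__ == "__main__":
    for src, dst in [("10.10.0.5", "10.20.1.5"), ("10.20.1.5", "8.8.8.8"), ("10.10.0.5", "192.168.1.1")]:
        print(src, "->", dst, check_flow(src, dst))
    print("with bypass route:", check_flow("10.10.0.5", "10.20.1.5", BYPASS_ASSOCIATIONS))
```

In a real account the same check is done against the output of `describe-transit-gateway-route-tables` and `search-transit-gateway-routes`; the point to carry over is that any prefix more specific than the spoke table's default route wins the longest-prefix match and is a potential firewall bypass.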

Key Architectural Components and Benefits

  • AWS Network Firewall: Managed, stateful firewall with Suricata-compatible intrusion detection and prevention rules; it scales automatically with traffic and provides centralized policy management and traffic inspection.
  • AWS Transit Gateway: Centralizes routing between VPCs and on-premises networks, simplifying network topology.
  • Dedicated Egress/Ingress VPCs: Isolates internet access points, allowing for centralized security controls for all outbound and inbound internet-bound traffic.
  • Single point of control: Simplifies network security management across multiple AWS accounts and on-premises resources.
  • Enhanced rule enforcement: Provides consistent security policies across the entire hybrid infrastructure.
  • Centralized logging and monitoring: Facilitates auditing and incident response by delivering alert and flow logs from the single firewall to Amazon S3, CloudWatch Logs, or Amazon Data Firehose (formerly Kinesis Data Firehose), so one log source covers every segment's traffic.

The native integration of AWS Network Firewall with AWS Transit Gateway significantly reduces operational overhead. With a native Transit Gateway attachment the firewall is attached to the Transit Gateway directly, and the service creates and manages the VPC-side plumbing (subnets, route tables, and firewall endpoints) that previously had to be built and kept consistent by hand in a dedicated inspection VPC. What remains the operator's responsibility is the Transit Gateway routing itself: spoke route tables must send traffic to the firewall attachment and the firewall's route table must carry the return routes, because the Transit Gateway honours any more-specific route without warning and a single stray prefix in a spoke table is enough to steer a flow around the firewall.

Tags: AWS, Network Firewall, Transit Gateway, Hybrid Cloud, Network Security, VPC, VMware, Centralized Logging
