
Cloud NGFW for AWS

You can discover Cloud NGFW in the AWS Marketplace and consume it in your AWS Virtual Private Clouds (VPC). With Cloud NGFW, you can access the core NGFW capabilities such as App-ID, URL filtering based on URL categories and geolocations, SSL/TLS Decryption, etc.

Getting Started with Cloud NGFW

  • Subscribe to the Cloud NGFW Service—Begin by subscribing to the Cloud NGFW for AWS service through the AWS Marketplace. After subscribing, you can create a Cloud NGFW Tenant. The subscribing AWS IAM user is the Tenant Administrator (TenantAdmin), which allows that user to invite additional users and assign roles. You must add your AWS account to the Cloud NGFW tenant. Adding your account grants the necessary permissions needed by Cloud NGFW to store logs, create NGFW endpoints, and access the keys needed for decryption.

  • Create Rulestacks—After adding users and assigning roles in the Cloud NGFW tenant console, Local Rulestack Admins can author local rules and rulestacks.

  • Create NGFWs—Deploy NGFW firewall resources to protect your VPCs. While creating your NGFWs, associate the local rulestacks you created previously.

    You have two options to create Cloud NGFW endpoints. In the first (service managed) option, you create a dedicated subnet in your VPC for each desired AWS availability zone, then specify those subnets when creating Cloud NGFW resources. In this option, Cloud NGFW creates the NGFW endpoints in your subnets. Alternatively, in the second (customer managed) option, you specify the AWS availability zones in which you want the NGFW resource to secure traffic. In this option, Cloud NGFW creates only the Cloud NGFW resource, which manifests as VPC endpoint resources in your AWS account. You are then responsible for creating a dedicated subnet in your VPC for each desired AWS availability zone and for creating the VPC endpoints as well.

  • Update VPC Route Tables—After deploying your Cloud NGFW resource, you must Direct Traffic to Cloud NGFW for AWS by updating your VPC route tables. Traffic is then directed to the NGFW firewall resource for inspection and enforcement.
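    The customer-managed option and the route-table update described above, as an added example written with the plain AWS Terraform provider (it is not code from the Cloud NGFW documentation or from the cloudngfwaws provider). The variable names, the sample subnet CIDRs and the endpoint service name placeholder are assumptions; the real service name is the one Cloud NGFW reports for the NGFW resource after you create it.

```hcl
# Added example, not Cloud NGFW's own code. Assumed inputs: the VPC, its internet
# gateway, the application subnet's route table and the NGFW endpoint service name.
variable "vpc_id"             { type = string }
variable "igw_id"             { type = string }
variable "app_route_table_id" { type = string }
variable "ngfw_service_name"  { type = string } # placeholder: "com.amazonaws.vpce.<region>.vpce-svc-PLACEHOLDER"
variable "fw_subnets" {
  # constructed sample: one dedicated firewall subnet per availability zone to protect
  type    = map(string)
  default = { "us-east-1a" = "10.0.250.0/28", "us-east-1b" = "10.0.250.16/28" }
}

# 1. Dedicated subnet per AZ. Only the NGFW endpoint lives here, so nothing can bypass it.
resource "aws_subnet" "ngfw" {
  for_each          = var.fw_subnets
  vpc_id            = var.vpc_id
  availability_zone = each.key
  cidr_block        = each.value
  tags              = { Name = "ngfw-${each.key}" }
}

# 2. The Cloud NGFW resource manifests as a Gateway Load Balancer endpoint in each subnet.
resource "aws_vpc_endpoint" "ngfw" {
  for_each          = aws_subnet.ngfw
  vpc_id            = var.vpc_id
  service_name      = var.ngfw_service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [each.value.id]
}

# 3a. Firewall subnets forward inspected traffic on to the internet gateway.
resource "aws_route_table" "ngfw" {
  vpc_id = var.vpc_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = var.igw_id
  }
}
resource "aws_route_table_association" "ngfw" {
  for_each       = aws_subnet.ngfw
  subnet_id      = each.value.id
  route_table_id = aws_route_table.ngfw.id
}

# 3b. Application subnets send their default route to the NGFW endpoint in the same AZ.
#     Shown for one AZ; use one application route table per AZ so traffic stays zonal.
resource "aws_route" "app_to_ngfw" {
  route_table_id         = var.app_route_table_id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = aws_vpc_endpoint.ngfw["us-east-1a"].id
}
```

    Return traffic from the internet also needs an ingress route table associated with the internet gateway that sends the application subnet CIDRs to the endpoint; without it the flow is asymmetric and the firewall inspects only one direction.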

Managing Cloud NGFW

You can deploy Cloud NGFW in your AWS environment in multiple ways:

  • Cloud NGFW console is a graphical user interface that provides a way to add and manage users and roles, configure your Cloud NGFW deployments, and define rulestacks and rules to protect your application VPCs.
  • AWS Firewall Manager console can deploy Cloud NGFW across multiple AWS accounts in an AWS Organization. The Firewall Manager deploys Cloud NGFW components, including creation of the AWS Marketplace subscription, management of the Cloud NGFW tenant, creation of NGFWs, and NGFW endpoints in your VPCs. The FMS console redirects you to the Cloud NGFW tenant to author rules for your global rulestack.

For a description of the Cloud NGFW for AWS APIs, see the API Reference.

To begin using Terraform to manage your Cloud NGFW for AWS, see the Getting Started guide.

See Cloud NGFW for AWS Documentation for more information.