Implementing a Secure Transit DMZ Architecture with Next-Gen Firewalls

By Josh Hammer
Partner Solutions Architect, Amazon Web Services
October 16, 2018

Co-Author: Karthik Balachandran, Cloud System Engineer, Aviatrix

Security is one of the most important aspects of any customer’s successful AWS implementation. Customers want to maintain similar security and compliance postures in their AWS environments as they have on-premises. Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

A VPC also provides security groups, which act as a virtual firewall for your instances and control inbound and outbound traffic within the VPC. Customers can use security groups and separate VPCs to isolate their different environments, tiers, and applications. However, those isolated VPCs still need to reach other VPCs, the internet, or the customer’s on-premises environment. One AWS-recommended way to accomplish this is with a Transit VPC.

AWS has long referred customers to Aviatrix as an option for Global Transit VPC solutions through their AWS Answers articles. Since then Aviatrix has implemented hundreds of transit architecture solutions to simplify enterprise cloud connectivity.

Securing a Transit VPC and its traffic follows a pattern similar to the one used for securing an on-premises network. One common component of that architecture is a firewall. Firewalls allow customers to monitor network traffic and complement the AWS security features. They provide the following security services for the traffic they monitor:

  • Intrusion Detection System (IDS) / Intrusion Prevention System (IPS): a network security technology originally built for detecting vulnerability exploits against a target application or computer. IPS extended IDS solutions by adding the ability to block threats in addition to detecting them, and has become the dominant deployment option for IDS/IPS technologies.
  • URL Filtering: limits access by comparing web traffic against a database to prevent users from reaching unproductive or harmful sites such as phishing pages.
  • Malware Detection: the use of systems to detect the transmission of malware over a network or the use of malware on a network.
  • Application Visibility: provides visibility into application usage, along with capabilities to understand and control that use.

The Transit DMZ Architecture integrates a firewall into the transit hub of a Transit VPC, allowing the firewall to monitor and secure traffic between VPCs, to and from the internet, and ingressing from and egressing to on-premises.

Transit DMZ Architecture Diagram

At a high level, the Transit VPC from Aviatrix provides a high-performance, autoscaled architecture that can support up to 10Gbps per tunnel. It centralizes provisioning and visualization while avoiding legacy network protocols in the cloud. Incorporating a firewall into the Aviatrix Transit VPC allows the firewalls to monitor and secure traffic between VPCs, from VPCs to the internet, and from on-premises to the VPCs. Aviatrix’s Cloud-Defined networking enables automated provisioning and management of this complex routing requirement.

This separation of duties gives organizations the agility to make technology decisions across CloudOps, Networking, and Security functions without affecting each other. The firewall functions are independent from the software-defined routing components, allowing organizations to implement different security policies and features for different dataflows.

Highly Available Architecture

The Transit DMZ Architecture has DMZ subnets with access to an AWS Internet Gateway (IGW) that allows the firewall and cloud routers to access the internet. As the diagram above shows, from the bottom up, datacenter connectivity into AWS lands in the Transit VPC through an AWS Virtual Gateway (VGW). This VGW is called the “Land-VGW”.

The “Land-VGW” is connected to a pair of firewalls that allows the traffic to and from the datacenter to be inspected and filtered. The firewalls connect to a VGW on the other side (called the “Transit-VGW”) that connects into a pair of Aviatrix Transit Gateways. The Aviatrix Transit Gateways then connect to all the Aviatrix Spoke Gateways in the VPCs.

This connectivity pattern allows for security and monitoring of all the above-mentioned traffic patterns. It also enables high availability and failover if any of the instances were to fail. The firewall is highly available through multiple instances and the use of BGP for failover. Aviatrix Gateways are also highly available, with a pair of Gateways in the hub and in the spokes. Both of these components can be spread across AWS Availability Zones for cross-AZ failover. Since the VGWs that connect to these instances are natively highly available, you have a Transit DMZ Architecture that does not have a single point of failure.

Now, let’s look at each traffic flow pattern.

On-premises to AWS traffic flow

VPC initiated internet traffic flow

Inspect and filter VPC to VPC traffic


The Transit DMZ Architecture provides customers with a scalable, customizable pattern to define their cloud security posture in a similar fashion to their on-premises posture. The key benefits of this architecture are:

  1. Threat detection and remediation for traffic between VPCs, to the internet, and ingressing from and egressing to on-premises.
  2. Highly available and scalable Transit VPC architecture
  3. Separate networking and security functions
  4. Network-as-Code and Security-as-Code.

For more information on this architecture and best practices, please reach out to
