As enterprises move to the cloud, security teams want to add in-line firewalling as a service to their cloud architecture. Services like IDS/IPS, layer 7 (application layer) filtering and threat detection, traditionally used by data center security teams, have become key requirements for enterprise cloud architects.
The Aviatrix Firewall Network Service allows you to bring your current firewall solution to the cloud and easily integrate it with native cloud networking constructs. This Aviatrix service supports next-generation firewalls for inspection of all, or only specified, traffic flows: on-premises to/from cloud, egress to the Internet, ingress from the Internet and VPC to VPC/VNET traffic.
Learn more about Palo Alto Networks and Aviatrix Firewall Network Service here.
Traditionally, cloud firewall deployments require IPSec tunnels (and/or ECMP) to route traffic from VPCs to these appliances. This increases the complexity of deploying and managing the firewalls and forces trade-offs in performance, scale and visibility.
Aviatrix Firewall Network Service decouples networking functions from security functions. There are no IPSec tunnels between the cloud resources, such as AWS Transit Gateway (TGW), and the firewall instances, which simplifies deployment, maximizes performance and allows the best scale possible.
Aviatrix’s Firewall Network Service provides a next-generation architecture for deploying enterprise firewall security in public clouds.
Advantages include:
| Cloud Firewall Requirements | Aviatrix Firewall Network Service | Native vFirewall |
|---|---|---|
| Lower TCO with maximum performance from firewall instances | Yes | No |
| Built-in, supported High Availability (HA) | Yes | No |
| Scale-out firewall instances with stateful load balancing | Yes | No |
| Inspect on-prem to cloud traffic (without source NATing traffic) | Yes | No |
| Cloud network automation to avoid errors | Yes | No. Requires engineers to hand-build the networking and maintain it using manual route updates. |
| Auditing for out-of-band policy changes | Yes | No |
| Troubleshooting and network visualization tools | Yes | No |
| Inspect east-west traffic | Yes | Yes |
| Centralized Internet egress traffic | Yes | Yes |
| Centralized Internet ingress firewalling | Yes | Yes |