

# AWS Network Firewall example architectures with routing
<a name="architectures"></a>

This section provides a high-level view of simple architectures that you can configure with AWS Network Firewall and shows example route table configurations for each. For additional information and examples, see [Deployment models for AWS Network Firewall](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/). 

**Note**  
For information about managing route tables for your VPC, see [Route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) in the *Amazon Virtual Private Cloud User Guide*.

**Unsupported architectures**  
Network Firewall doesn't support the following architectures and traffic types:
+ VPC peering.
+ Inspection of AWS Global Accelerator traffic.
+ Inspection of AmazonProvidedDNS traffic for Amazon EC2.

**Topics**
+ [Simple single zone architecture with an internet gateway using AWS Network Firewall](arch-single-zone-igw.md)
+ [Multi zone architecture with an internet gateway using AWS Network Firewall](arch-two-zone-igw.md)
+ [Architecture with an internet gateway and a NAT gateway using AWS Network Firewall](arch-igw-ngw.md)

# Simple single zone architecture with an internet gateway using AWS Network Firewall
<a name="arch-single-zone-igw"></a>

This topic provides a high-level view of a simple VPC configuration using an internet gateway and AWS Network Firewall. It describes the basic route table modifications that are required to use the firewall. 

**Single zone architecture with internet gateway and no firewall**  
The following figure depicts a simple VPC configuration with a single customer subnet, and no firewall. The VPC has an internet gateway for internet access. All incoming and outgoing traffic routes through the internet gateway to the subnet.

![\[An AWS Region is shown with a single Availability Zone. The Region also has an internet gateway, which has arrows out to and in from an internet cloud. Inside the Region, spanning part of the Availability Zone, is a VPC. Inside the VPC is a customer subnet. One arrow shows traffic going between the customer subnet and the internet gateway.\]](http://docs.aws.amazon.com/network-firewall/latest/developerguide/images/no-network-firewall-igw-simple.png)


**Single zone architecture with internet gateway and the Network Firewall firewall**  
The following figure depicts a simple VPC configuration with the firewall and the subnet association in place. The VPC has an internet gateway for internet access. All incoming and outgoing traffic for the VPC routes through the firewall.

![\[An AWS Region is shown with a single Availability Zone. The Region also has an internet gateway, which has arrows out to and in from an internet cloud. Inside the Region, spanning part of the Availability Zone, is a VPC. Inside the VPC is a customer subnet. One arrow shows traffic going between the customer subnet and the firewall subnet. Another arrow shows traffic going between the firewall subnet and the internet gateway.\]](http://docs.aws.amazon.com/network-firewall/latest/developerguide/images/arch-igw-simple.png)


To include the firewall in your Amazon Virtual Private Cloud VPC, you need to modify the VPC route tables so that traffic between the customer subnets and the internet passes through the firewall, for both incoming and outgoing traffic. 

**Note**  
For information about managing route tables for your VPC, see [Route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) in the *Amazon Virtual Private Cloud User Guide*.

**Example route tables in the single zone architecture with no firewall**  
The following figure depicts the route tables that provide the correct flow of traffic for a single Availability Zone without a firewall: 

![\[An AWS Region is shown with a single Availability Zone. The Region has an internet gateway, which has arrows leading out to and in from an internet cloud. Inside the Region, spanning part of the Availability Zone, is a VPC. Inside the Availability Zone, the VPC has a customer subnet. The VPC address range is 10.0.0.0/16. The address range for the customer subnet is 10.0.2.0/24. The route tables are listed for the internet gateway and the subnet. For the customer subnet, the route table directs traffic inside the VPC to local, and directs all other traffic to the internet gateway.\]](http://docs.aws.amazon.com/network-firewall/latest/developerguide/images/no-network-firewall-igw-with-route-tables.png)


In the preceding figure, the route tables enforce the following traffic flows: 
+ **Internet gateway route table** – Routes traffic that's destined for the customer subnet (range `10.0.2.0/24`) to `local`. The customer subnet shows the private IP address range behind the publicly assigned address. The subnet has public addresses assigned, which are either auto-generated or assigned via Elastic IP address. Within a VPC, only private IP addresses are used for communication. 
+ **Customer subnet route table** – Routes traffic that's destined for anywhere inside the VPC (`10.0.0.0/16`) to the local address. Routes traffic that's destined for anywhere else (`0.0.0.0/0`) to the internet gateway (`igw-1232`). 

**Example route tables in the single zone architecture with the firewall**  
The following figure depicts the same installation with the Network Firewall firewall added and the route tables changed to include the firewall. The route tables direct traffic between the customer subnet and the internet gateway through the firewall endpoint: 

![\[An AWS Region is shown with a single Availability Zone. The Region has an internet gateway, which has arrows leading out to and in from an internet cloud. Inside the Region, spanning part of the Availability Zone, is a VPC. Inside the Availability Zone, the VPC has a firewall subnet and a customer subnet. The VPC address range is 10.0.0.0/16. The address range for the customer subnet is 10.0.2.0/24. The route tables are listed for the internet gateway and each of the two subnets. The route table for the internet gateway directs incoming traffic for the customer subnet to its firewall subnet. For the customer subnet, the route table directs traffic inside the VPC to local, and directs all other traffic to the firewall subnet. For the firewall subnet, the route table directs traffic inside the VPC to the local, and directs all other traffic to the internet gateway.\]](http://docs.aws.amazon.com/network-firewall/latest/developerguide/images/arch-igw-with-route-tables.png)


In the preceding figure, the route tables enforce the following traffic flows: 
+ **Internet gateway route table** – Routes traffic that's destined for the customer subnet (range `10.0.2.0/24`) to the firewall subnet (named `vpce-4114` in the figure). The customer subnet shows the private IP address range behind the publicly assigned address. The subnet has public addresses assigned, which are either auto-generated or assigned via Elastic IP address. Within a VPC, only private IP addresses are used for communication. 
+ **Firewall subnet route table** – Routes traffic that's destined for anywhere inside the VPC (`10.0.0.0/16`) to the local address. Routes traffic that's destined for anywhere else (`0.0.0.0/0`) to the internet gateway (`igw-1232`). 
+ **Customer subnet route table** – Routes traffic that's destined for anywhere inside the VPC (`10.0.0.0/16`) to the local address. Routes traffic that's destined for anywhere else (`0.0.0.0/0`) to the firewall subnet (`vpce-4114`). 

  Before the firewall inclusion, the customer subnet route table routed the `0.0.0.0/0` traffic to `igw-1232`.

# Multi zone architecture with an internet gateway using AWS Network Firewall
<a name="arch-two-zone-igw"></a>

This topic provides a high-level view of a simple two zone VPC configuration using an internet gateway and AWS Network Firewall. It describes the basic route table modifications that are required to use the Network Firewall firewall.

**Two zone architecture with internet gateway and the Network Firewall firewall**  
The following figure depicts a Network Firewall configuration for a VPC that spans multiple Availability Zones. In this case, each Availability Zone that the VPC spans has a firewall subnet and a customer subnet. The VPC has an internet gateway for internet access. All incoming traffic for the VPC routes to the firewall in the same Availability Zone as the destination customer subnet. All outgoing traffic routes through the firewalls. 

![\[An AWS Region is shown with two Availability Zones. The Region also has an internet gateway, which has arrows out to and in from an internet cloud. Inside the Region, spanning parts of each Availability Zone, is a VPC. Inside the VPC, each Availability Zone holds a firewall subnet and a customer subnet. In each zone, one arrow shows traffic going between the customer subnet and the firewall subnet. Each firewall subnet has an arrow between it and the single internet gateway.\]](http://docs.aws.amazon.com/network-firewall/latest/developerguide/images/arch-igw-2az-simple.png)


**Route tables in the two zone architecture with the firewall**  
The following figure depicts a VPC configuration with two Availability Zones. Each zone has its own Network Firewall firewall, which provides monitoring and protection for the subnets in the zone. You can expand this configuration to any number of zones in your VPC.

![\[An AWS Region is shown with two Availability Zones. The Region has an internet gateway, which has arrows leading out to and in from an internet cloud. Inside the Region, and spanning the two Availability Zones, is a VPC. In each Availability Zone, the VPC has a firewall subnet and a customer subnet. The VPC address range is 10.0.0.0/8. The address ranges for the customer subnets are 10.0.0.0/16 and 10.1.0.0/16. The route tables are listed for the internet gateway and for each of the four subnets. The route table for the internet gateway directs incoming traffic for the two customer subnets to their relative firewall subnets. For each customer subnet, the route table directs traffic inside the VPC to local, and directs all other traffic to its relative firewall subnet. For each firewall subnet, the route table directs traffic inside the VPC to local, and directs all other traffic to the internet gateway.\]](http://docs.aws.amazon.com/network-firewall/latest/developerguide/images/arch-igw-2az-with-route-tables.png)


In the preceding figure, the route tables enforce traffic flows similar to those in the single Availability Zone model. The primary difference is that the internet gateway route table splits incoming traffic by destination, so that each of the two customer subnets is reached through the firewall in its own Availability Zone: 
+ **Internet gateway route table** – Routes traffic that's destined for each customer subnet (range `10.0.2.0/24` or `10.0.3.0/24`) to the firewall subnet in the same Availability Zone (`vpce-4114` or `vpce-5588`, respectively).
+ **Firewall subnet route tables** – Route traffic that's destined for anywhere inside the VPC (`10.0.0.0/16`) to the local address. Route traffic that's destined for anywhere else (`0.0.0.0/0`) to the internet gateway (`igw-1232`). These are identical to the firewall subnet route table in the single Availability Zone architecture. 
+ **Customer subnet route tables** – Route traffic that's destined for anywhere inside the VPC (`10.0.0.0/16`) to the local address. Route traffic that's destined for anywhere else (`0.0.0.0/0`) to the firewall subnet in the same Availability Zone (`vpce-4114` for zone AZ1 and `vpce-5588` for zone AZ2). 
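The route tables in the single zone and two zone figures above only protect the customer subnets if both directions of a flow pass through the same firewall endpoint: outbound traffic must leave via the firewall subnet rather than straight to the internet gateway, and the internet gateway's ingress route table must return traffic for a customer subnet to the endpoint in the same Availability Zone. The following Python script is an added example, not code from the AWS documentation, that models those route tables as data and traces a packet in each direction using longest-prefix match, the rule the VPC router applies. The subnet and endpoint IDs (`vpce-4114`, `vpce-5588`, `igw-1232`, `10.0.2.0/24`, `10.0.3.0/24`) come from the figures; the route table names (`customer-az1`, `firewall-az1`, and so on), the destination address `203.0.113.5` (a documentation range), and the two deliberately broken table sets are constructed for the example.

```python
"""Simulate the Network Firewall route tables from the single-zone and
two-zone figures and check that every customer subnet is inspected
symmetrically (same firewall endpoint on the way out and on the way back).

Added example; table names and the broken variants are constructed, the
IDs and CIDRs are the ones shown in the figures.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# Each table is a list of (destination CIDR, target). "igw-1232" here is the
# ingress route table associated with the internet gateway (edge association);
# the VPC router only consults it for traffic entering from the internet.
ROUTE_TABLES = {
    "igw-1232": [("10.0.2.0/24", "vpce-4114"), ("10.0.3.0/24", "vpce-5588")],
    "customer-az1": [(VPC_CIDR, "local"), ("0.0.0.0/0", "vpce-4114")],
    "customer-az2": [(VPC_CIDR, "local"), ("0.0.0.0/0", "vpce-5588")],
    "firewall-az1": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-1232")],
    "firewall-az2": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-1232")],
}
# Table attached to the firewall subnet that hosts each endpoint, and table
# attached to each customer subnet.
ENDPOINT_TABLE = {"vpce-4114": "firewall-az1", "vpce-5588": "firewall-az2"}
SUBNET_TABLE = {"10.0.2.0/24": "customer-az1", "10.0.3.0/24": "customer-az2"}

# Constructed "before" state from the single-zone text: the AZ1 customer
# subnet still sends 0.0.0.0/0 straight to the internet gateway.
NO_FIREWALL_AZ1 = dict(
    ROUTE_TABLES,
    **{"customer-az1": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-1232")]},
)
# Constructed mistake: the ingress table returns AZ2's subnet via AZ1's endpoint.
CROSS_AZ_IGW = dict(
    ROUTE_TABLES,
    **{"igw-1232": [("10.0.2.0/24", "vpce-4114"), ("10.0.3.0/24", "vpce-4114")]},
)


def lookup(table_name, dst_ip, tables=ROUTE_TABLES):
    """Longest-prefix match of dst_ip in the named route table."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in tables[table_name]:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise LookupError(f"no route for {dst_ip} in {table_name}")
    return best[1]


def trace(start_table, dst_ip, tables=ROUTE_TABLES, endpoint_table=ENDPOINT_TABLE):
    """Follow the hops from a route table until the packet is delivered
    locally or leaves through the internet gateway. Returns the target list,
    e.g. ['vpce-4114', 'igw-1232'] for an outbound flow."""
    path, table = [], start_table
    for _ in range(8):  # guard against a routing loop between tables
        target = lookup(table, dst_ip, tables)
        path.append(target)
        if target == "local" or target.startswith("igw-"):
            return path
        if target.startswith("vpce-"):
            table = endpoint_table[target]  # leaves the firewall via its subnet table
            continue
        raise LookupError(f"unknown target {target}")
    raise RuntimeError(f"routing loop: {path}")


def inspected_symmetrically(customer_cidr, internet_ip="203.0.113.5",
                            tables=ROUTE_TABLES, endpoint_table=ENDPOINT_TABLE,
                            subnet_table=SUBNET_TABLE, igw="igw-1232"):
    """Return the firewall endpoint that sees both directions of a flow
    between the customer subnet and the internet, or None if either
    direction bypasses the firewall or the directions use different
    endpoints (asymmetric routing, which the firewall cannot inspect)."""
    host = str(ipaddress.ip_network(customer_cidr)[10])  # any host in the subnet
    outbound = trace(subnet_table[customer_cidr], internet_ip, tables, endpoint_table)
    inbound = trace(igw, host, tables, endpoint_table)
    out_fw = [t for t in outbound if t.startswith("vpce-")]
    in_fw = [t for t in inbound if t.startswith("vpce-")]
    if out_fw and in_fw and out_fw[0] == in_fw[0]:
        return out_fw[0]
    return None


if __name__ == "__main__":
    for name, tables in [("figure", ROUTE_TABLES), ("no firewall in AZ1", NO_FIREWALL_AZ1),
                         ("cross-AZ ingress", CROSS_AZ_IGW)]:
        for cidr in SUBNET_TABLE:
            print(f"{name:20} {cidr:12} -> {inspected_symmetrically(cidr, tables=tables)}")
```

Running the script prints `vpce-4114` and `vpce-5588` for the tables as drawn, and `None` for the two broken variants: in the first, outbound traffic from AZ1 never touches an endpoint, and in the second, inbound traffic for AZ2 comes back through the AZ1 endpoint while outbound traffic leaves through the AZ2 endpoint. The trace also shows that traffic between the two customer subnets matches the `10.0.0.0/16 -> local` route and is delivered without passing a firewall endpoint, so this architecture does not inspect east-west traffic inside the VPC.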

# Architecture with an internet gateway and a NAT gateway using AWS Network Firewall
<a name="arch-igw-ngw"></a>

You can add a network address translation (NAT) gateway to your AWS Network Firewall architecture, for the areas of your VPC where you need NAT capabilities. AWS provides NAT gateways decoupled from your other cloud services, so you can use them in your architecture only where you need them. This can help you reduce load and costs. For information about NAT gateways, see [NAT gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) in the *Amazon Virtual Private Cloud User Guide*.

The following figure depicts a VPC configuration for Network Firewall with an internet gateway and a NAT gateway. 

![\[VPC configuration showing internet gateway, firewall subnet, NAT gateway subnet, and customer subnet with IP ranges.\]](http://docs.aws.amazon.com/network-firewall/latest/developerguide/images/arch-igw-natgw.png)
