Choose a deployment option

Network Security is offered as an Amazon Machine Image (AMI). When you decide how to deploy Network Security in your network, we recommend that you choose one of the following deployment options.

Each deployment option is a reference architecture created for a common AWS environment. Choose the option that best suits your existing network structure and inspection needs. These deployment recommendations can also be modified to suit the individual requirements of your network.

Recommended deployment options

The arrows in the images indicate the flow of network traffic through the VPCs and the Network Security instance.

Option 1: Edge protection deployment (recommended):

This deployment is designed to protect servers that primarily receive connections from the internet.

This deployment option is best suited to environments that require the following:

  • A simple network design that protects web servers.
  • Inspection between the VPC and the Internet, as well as between the VPC and a VPN gateway.
  • A single VPC — this deployment option does not require Transit Gateways.
  • Third-party appliance integration that follows AWS best practices.

When a NAT Gateway is in the traffic path, this deployment option does not show the IP address of the true source instance, because the source address has been translated by the NAT Gateway.

Option 2: Private VPC protection:

This deployment is designed for AWS architectures in which EC2 instances primarily send traffic to the internet.

This deployment option is best suited to environments that require the following:

  • Full visibility into the source instance and the internet destination.
  • A single set of Network Security instances that scales to thousands of workload VPCs and EC2 instances.
  • A slight variation on an AWS best practice architecture.

This deployment option does not inspect inbound connections. Multiple Transit Gateways are recommended to ensure high availability.

Option 3: Public and private VPC protection:

This deployment is designed to inspect all traffic that originates inside or outside of your network. Traffic is inspected in a services VPC that sits between the Internet Gateway and the workload VPCs, which are connected by Transit Gateways.

This deployment option is best suited to environments that require the following:

  • Inspection of both inbound and outbound connections.
  • A flexible architecture that can be modified for specific environment needs.
  • A single set of Network Security instances that scales to thousands of workload VPCs and EC2 instances.
  • Security and internet access control in separate VPCs, which can be owned and maintained by separate organizations.

This deployment option requires more network components, such as VPCs, subnets, gateways, and route tables, than the other deployment options. Multiple Transit Gateways are recommended to ensure high availability.