AWS Network Firewall deployment models: Centralized security at scale
AWS Network Firewall is a managed stateful firewall: you define the rules and the service applies them to traffic. There are two deployment models: centralized and per-VPC.
Centralized model
One Network Firewall protects all VPCs. The VPCs connect through a Transit Gateway, and its routing sends their traffic through the firewall.
Pros: Single rule set, easier management.
Cons: Single point of failure (though AWS provides redundancy), potential bottleneck.
Use when: 10+ VPCs needing consistent security posture.
Per-VPC model
Each VPC gets its own firewall. More isolated, harder to manage.
Pros: No single point of failure, per-VPC customization.
Cons: Rules duplication, harder to enforce consistent policy.
Use when: Few VPCs or VPCs with very different security needs.
Rules
Rules allow or deny traffic. Layer 3-4 rules match on IP addresses, protocols and ports; layer 7 rules match on domain names and can perform SSL/TLS inspection.
Domain filtering blocks access to known malware domains.
Cost
£0.60 per firewall-hour. £0.40 per million processed bytes.
Centralized: one firewall handles all traffic.
Per-VPC: multiple firewalls, higher cost.
Where Critical Cloud comes in
Firewall rules are complex, and testing them is harder still. We monitor rule effectiveness: are you blocking what you intended, and allowing what you meant to allow?
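As an added example (not from the original page or from Critical Cloud), the check below compares an intended domain deny list, as in the Rules section above, against what the firewall actually did, as the monitoring question above asks. It reads Network Firewall alert-log records in their JSON Lines form (an envelope around a Suricata EVE event); the firewall name, addresses and domains in the sample are constructed.

```python
import json
from collections import Counter

# Constructed sample of AWS Network Firewall alert-log records (JSON Lines).
# Field layout follows the alert log's envelope plus Suricata EVE "event" body;
# firewall name, IPs and domains are made up for this example.
SAMPLE_ALERT_LOG = """
{"firewall_name":"central-fw","availability_zone":"eu-west-2a","event_timestamp":"1700000000","event":{"event_type":"alert","src_ip":"10.1.2.3","dest_ip":"203.0.113.10","proto":"TCP","app_proto":"tls","tls":{"sni":"bad.example"},"alert":{"action":"blocked","signature_id":1,"signature":"Drop bad.example"}}}
{"firewall_name":"central-fw","availability_zone":"eu-west-2a","event_timestamp":"1700000001","event":{"event_type":"alert","src_ip":"10.1.2.4","dest_ip":"203.0.113.11","proto":"TCP","app_proto":"http","http":{"hostname":"evil.example"},"alert":{"action":"allowed","signature_id":2,"signature":"Alert evil.example"}}}
{"firewall_name":"central-fw","availability_zone":"eu-west-2b","event_timestamp":"1700000002","event":{"event_type":"alert","src_ip":"10.2.0.9","dest_ip":"198.51.100.7","proto":"TCP","app_proto":"tls","tls":{"sni":"updates.good.example"},"alert":{"action":"blocked","signature_id":3,"signature":"Drop non-allowlisted"}}}
"""

# The domains the rule group is meant to deny (constructed).
INTENDED_DENY = {"bad.example", "evil.example"}

def hostname(event):
    """Return the layer 7 host from the TLS SNI or HTTP Host header, else None."""
    return event.get("tls", {}).get("sni") or event.get("http", {}).get("hostname")

def check_rule_effectiveness(log_text, intended_deny):
    """Compare firewall actions with the intended deny list.

    Returns three Counters keyed by domain: deny-listed domains that were
    blocked (rule works), deny-listed domains logged as 'allowed' (rule gap),
    and blocked domains not on the deny list (possible false positives)."""
    blocked_as_intended = Counter()
    denylisted_but_allowed = Counter()
    blocked_not_on_list = Counter()
    for line in log_text.strip().splitlines():
        event = json.loads(line)["event"]
        if event.get("event_type") != "alert":
            continue  # flow logs carry no alert action; skip them
        host = hostname(event)
        if not host:
            continue  # pure layer 3-4 alert; no domain to compare
        action = event["alert"]["action"]
        if host in intended_deny and action == "blocked":
            blocked_as_intended[host] += 1
        elif host in intended_deny:
            denylisted_but_allowed[host] += 1
        elif action == "blocked":
            blocked_not_on_list[host] += 1
    return blocked_as_intended, denylisted_but_allowed, blocked_not_on_list

if __name__ == "__main__":
    good, gap, review = check_rule_effectiveness(SAMPLE_ALERT_LOG, INTENDED_DENY)
    print("blocked as intended:", dict(good))
    print("deny-listed but allowed (rule gap):", dict(gap))
    print("blocked but not on deny list (review):", dict(review))
```

A non-empty "rule gap" set means a deny-listed domain is only alerting, not dropping, which is the usual symptom of a rule written with `alert` instead of `drop` or a rule group attached in the wrong order.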