AWS Network Firewall for multi-account setups: Unified security policy
Multi-account setups (prod, staging, dev) need a unified set of security rules. Don't repeat firewall rules in every account; centralize them.
Pattern: Inspection VPC
Create an "inspection" VPC in a security account. Deploy Network Firewall there.
Route traffic from all other accounts through the inspection VPC.
Transit Gateway connects everything. All traffic flows through one firewall.
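The routing is what makes the pattern work: every spoke attachment is associated with a Transit Gateway route table whose only route points at the inspection attachment, the inspection VPC hands the traffic to the firewall endpoint, and a second Transit Gateway route table returns inspected traffic to the right spoke. The script below is an added example (not code from the page or from Critical Cloud) that models those route tables as plain Python data and traces a destination hop by hop with longest-prefix matching, so you can check that no spoke path reaches the internet or another spoke without passing the firewall endpoint. All CIDRs, table names and next-hop labels are constructed; one spoke is deliberately given a direct internet gateway route to show the check catching a bypass.

```python
import ipaddress

# Constructed topology (assumed CIDRs and names, not from the page): three spoke
# accounts plus an inspection VPC in the security account, all on one Transit Gateway.
# Route tables map name -> list of (prefix, next_hop); the longest matching prefix wins.
ROUTE_TABLES = {
    # Spoke VPC subnet route tables: everything non-local goes to the TGW attachment.
    "rt-spoke-prod":    [("10.1.0.0/16", "local"), ("0.0.0.0/0", "tgw")],
    "rt-spoke-staging": [("10.2.0.0/16", "local"), ("0.0.0.0/0", "tgw")],
    # Misconfigured spoke (constructed): a direct internet gateway route bypasses inspection.
    "rt-spoke-dev":     [("10.3.0.0/16", "local"), ("0.0.0.0/0", "igw")],
    # TGW route table associated with every spoke attachment: one default route to inspection.
    "tgw-rt-spokes": [("0.0.0.0/0", "att-inspection")],
    # Inspection VPC, subnet holding the TGW attachment ENIs: hand everything to the firewall endpoint.
    "rt-inspection-tgw-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "fw-endpoint")],
    # Inspection VPC, firewall subnet (post-inspection): spokes back via TGW, the rest out via NAT.
    "rt-inspection-fw-subnet": [("10.0.0.0/16", "local"), ("10.0.0.0/8", "tgw"), ("0.0.0.0/0", "nat")],
    # TGW route table associated with the inspection attachment: spoke CIDRs back to their attachments.
    "tgw-rt-inspection": [("10.1.0.0/16", "att-prod"), ("10.2.0.0/16", "att-staging"),
                          ("10.3.0.0/16", "att-dev")],
}

# Where a packet lands after taking a next hop from a given table: (table, hop) -> next table.
NEXT_TABLE = {
    ("rt-spoke-prod", "tgw"): "tgw-rt-spokes",
    ("rt-spoke-staging", "tgw"): "tgw-rt-spokes",
    ("rt-spoke-dev", "tgw"): "tgw-rt-spokes",
    ("tgw-rt-spokes", "att-inspection"): "rt-inspection-tgw-subnet",
    ("rt-inspection-tgw-subnet", "fw-endpoint"): "rt-inspection-fw-subnet",
    ("rt-inspection-fw-subnet", "tgw"): "tgw-rt-inspection",
}
# Hops at which forwarding ends for the purpose of this trace.
TERMINAL = {"local", "nat", "igw", "att-prod", "att-staging", "att-dev"}


def lookup(table_name: str, dst: str):
    """Longest-prefix match of dst in one route table; None when no route matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]


def trace(start_table: str, dst: str, max_hops: int = 10):
    """Follow a destination from a spoke subnet table through the TGW and inspection VPC."""
    path, table = [], start_table
    for _ in range(max_hops):
        hop = lookup(table, dst)
        if hop is None:
            path.append("BLACKHOLE")          # no route: traffic is dropped
            return path
        path.append(hop)
        if hop in TERMINAL:
            return path
        table = NEXT_TABLE.get((table, hop))
        if table is None:
            path.append("UNKNOWN-HOP")        # topology model is incomplete
            return path
    path.append("LOOP")
    return path


def traverses_firewall(path) -> bool:
    return "fw-endpoint" in path


def audit_spokes(spoke_tables, destinations):
    """Return (table, destination, path) for every flow that leaves its VPC without inspection."""
    findings = []
    for table in spoke_tables:
        for dst in destinations:
            path = trace(table, dst)
            if path[0] != "local" and not traverses_firewall(path):
                findings.append((table, dst, path))
    return findings


if __name__ == "__main__":
    spokes = ["rt-spoke-prod", "rt-spoke-staging", "rt-spoke-dev"]
    for table in spokes:
        print(table, "-> internet:", trace(table, "198.51.100.10"))
    for table, dst, path in audit_spokes(spokes, ["198.51.100.10", "10.2.5.9"]):
        print("BYPASS:", table, dst, path)
```

Spoke-to-spoke traffic (prod to staging here) goes through the firewall and back out via the inspection TGW route table, which is why the firewall subnet needs a summary route for the spoke range pointing at the Transit Gateway, not just a default route. The dev table shows the failure mode the audit exists for: a locally added 0.0.0.0/0 to an internet gateway silently removes that account from the unified policy.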
Benefits
- Single rule set for all accounts.
- Consistent security posture.
- Easier auditing (one place to check).
- Centralized logging.
Setup
- Create inspection VPC with Network Firewall.
- Create a Transit Gateway and share it with the accounts in the organization.
- Attach all accounts to Transit Gateway.
- Route internet-bound traffic from each account through the inspection VPC.
- Monitor firewall logs.
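Centralized logging is only useful if someone reads the logs with the accounts in mind. As an added example (not code from the page or from Critical Cloud), the script below parses a few constructed alert-log records in the Suricata EVE-style JSON shape Network Firewall writes, attributes each alert to a spoke account by source CIDR, and summarises blocked flows per account and which accounts each rule fired in. The firewall name, CIDR-to-account mapping, signature IDs and log lines are all constructed; one malformed line is included to show the parser skipping it rather than aborting a batch.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed mapping of spoke CIDRs to accounts (assumed values, not from the page).
SPOKES = {
    "prod":    ipaddress.ip_network("10.1.0.0/16"),
    "staging": ipaddress.ip_network("10.2.0.0/16"),
    "dev":     ipaddress.ip_network("10.3.0.0/16"),
}

# Constructed alert-log records, one JSON object per line, in the Suricata EVE-style
# shape Network Firewall uses: firewall metadata wrapping an "event" with an "alert".
# The last line is deliberately malformed.
SAMPLE_LOG = """\
{"firewall_name":"central-egress","availability_zone":"eu-west-2a","event_timestamp":"1700000001","event":{"timestamp":"2023-11-14T22:13:21.000000+0000","event_type":"alert","src_ip":"10.1.4.20","src_port":51000,"dest_ip":"198.51.100.10","dest_port":23,"proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"signature":"Deny outbound telnet","severity":2}}}
{"firewall_name":"central-egress","availability_zone":"eu-west-2a","event_timestamp":"1700000002","event":{"timestamp":"2023-11-14T22:13:22.000000+0000","event_type":"alert","src_ip":"10.3.9.7","src_port":51001,"dest_ip":"198.51.100.10","dest_port":23,"proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"signature":"Deny outbound telnet","severity":2}}}
{"firewall_name":"central-egress","availability_zone":"eu-west-2b","event_timestamp":"1700000003","event":{"timestamp":"2023-11-14T22:13:23.000000+0000","event_type":"alert","src_ip":"10.2.1.5","src_port":44321,"dest_ip":"203.0.113.77","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":1000002,"signature":"Log outbound TLS to unlisted domain","severity":3}}}
{"firewall_name":"central-egress","availability_zone":"eu-west-2b","event_timestamp":"1700000004","event":{"timestamp":"2023-11-14T22:13:24.000000+0000","event_type":"alert","src_ip":"10.3.9.7","src_port":51002,"dest_ip":"203.0.113.5","dest_port":445,"proto":"TCP","alert":{"action":"blocked","signature_id":1000003,"signature":"Deny outbound SMB","severity":1}}}
not json at all
"""


def account_for(ip: str) -> str:
    """Map a source address to the spoke account that owns its CIDR."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in SPOKES.items():
        if addr in cidr:
            return name
    return "unknown"


def parse_alerts(text: str):
    """Parse newline-delimited alert records; return (records, number of lines skipped)."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)["event"]
            if ev.get("event_type") != "alert":
                skipped += 1
                continue
            records.append({
                "account": account_for(ev["src_ip"]),
                "src_ip": ev["src_ip"],
                "dest_ip": ev["dest_ip"],
                "dest_port": ev["dest_port"],
                "action": ev["alert"]["action"],
                "signature_id": ev["alert"]["signature_id"],
                "signature": ev["alert"]["signature"],
            })
        except (json.JSONDecodeError, KeyError, TypeError, ValueError):
            skipped += 1          # malformed line or unexpected shape: count it, keep going
    return records, skipped


def summarize(records):
    """Blocked flows per account, and which accounts each signature fired in."""
    blocked = Counter()
    sig_accounts = defaultdict(set)
    for r in records:
        if r["action"] == "blocked":
            blocked[r["account"]] += 1
        sig_accounts[r["signature_id"]].add(r["account"])
    # A signature seen from more than one account is the same central rule working everywhere.
    cross = sorted(sid for sid, accts in sig_accounts.items() if len(accts) > 1)
    return {
        "blocked_by_account": dict(blocked),
        "signatures_by_account": {sid: sorted(a) for sid, a in sig_accounts.items()},
        "cross_account_signatures": cross,
    }


if __name__ == "__main__":
    recs, skipped = parse_alerts(SAMPLE_LOG)
    print(f"{len(recs)} alerts parsed, {skipped} line(s) skipped")
    for key, value in summarize(recs).items():
        print(key, value)
```

Attributing by source CIDR is what turns one firewall's log into a per-account view: the same telnet rule fires for prod and dev here, which is exactly the consistency the single rule set is meant to give you, and a spike of blocks in one account stands out without checking three separate firewalls.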
Costs
Network Firewall: £0.60/hour + £0.40 per million bytes.
Transit Gateway: one per region, £0.05/attachment/hour.
At scale, centralized is cheaper than per-account firewalls.
Where Critical Cloud comes in
Multi-account firewall setups are complex. Testing rules across accounts is harder. We verify rules work as intended across all accounts.