Sophos Firewall in AWS enabling High Availability using Transit Gateway (TGW) and Gateway Load Balancing (GWLB)

Hello,

I am a student who is writing my bachelor thesis on comparing firewalls from third-party vendors running in the AWS environment. I am designing an architecture that I would like to deploy using 2 Sophos XG NGFWs in High Availability (Active-Active or Active-Passive) in a dedicated 'Security VPC' that all other 'worker VPCs' have to go through to get to the internet. Prior to reaching the internet, all traffic (east-west, north-south) should first go through a Sophos Firewall. In my use case I have put both firewalls in 1 Availability Zone to keep the running cost down (I am aware that the AZ is then a SPOF).

I have created an architecture that I believe works, but I would like to receive input from others to further improve my architecture before implementing it.

For all worker VPCs, I use a Transit Gateway to route them to the Security VPC. For traffic to go to one of the firewalls, I use a GWLB for a simplified architecture. Also, the GWLB will automatically check for healthy appliances (targets configured).

Extra question: how would I be able to make the firewalls auto-scalable, like AWS Network Firewall does out of the box?

Thanks in advance!
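As an added example (not from the post above and not Sophos or AWS reference code), this is how the GWLB, its target group with health checks, and an Auto Scaling Group feeding that target group could be expressed in Terraform; the variable names, the Sophos Firewall launch template, and probing the WebAdmin port 4444 are assumptions, and the GWLB endpoint and Transit Gateway route tables that steer worker-VPC traffic into the Security VPC are not shown.

```hcl
# Assumed inputs: var.security_vpc_id, var.fw_subnet_id (single AZ, as in the
# post) and var.sophos_launch_template_id (a launch template for the Sophos
# Firewall AMI). All resource names are placeholders.
resource "aws_lb" "fw_gwlb" {
  name               = "security-vpc-gwlb"
  load_balancer_type = "gateway"
  subnets            = [var.fw_subnet_id]
}

resource "aws_lb_target_group" "fw_targets" {
  name     = "sophos-fw-targets"
  port     = 6081 # GENEVE: the GWLB encapsulates whole packets to the appliance
  protocol = "GENEVE"
  vpc_id   = var.security_vpc_id
  # Health probe against the WebAdmin port (4444 by default; assumed to be
  # reachable from the GWLB subnet). An appliance failing 3 probes in a row is
  # taken out of rotation and stops receiving new flows.
  health_check {
    protocol            = "TCP"
    port                = "4444"
    healthy_threshold   = 3
    unhealthy_threshold = 3
    interval            = 10
  }
}

# A gateway load balancer has exactly one listener that forwards everything.
resource "aws_lb_listener" "fw_listener" {
  load_balancer_arn = aws_lb.fw_gwlb.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.fw_targets.arn
  }
}

# Auto Scaling keeps at least two healthy appliances registered with the
# target group and replaces one that fails the GWLB health check
# (health_check_type = "ELB"), which is what gives the "scales like
# AWS Network Firewall" behaviour the post asks about.
resource "aws_autoscaling_group" "fw_asg" {
  name                = "sophos-fw-asg"
  min_size            = 2
  max_size            = 4
  vpc_zone_identifier = [var.fw_subnet_id]
  target_group_arns   = [aws_lb_target_group.fw_targets.arn]
  health_check_type   = "ELB"
  launch_template {
    id      = var.sophos_launch_template_id
    version = "$Latest"
  }
}
```

Each instance launched this way is an independent Sophos Firewall rather than a Sophos HA pair: GWLB flow stickiness keeps a given session on one appliance, but the rule set must be kept identical on every instance (for example through central management) and an instance that is scaled in or replaced takes its active sessions with it.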

[edited by: Raphael Alganes at 1:14 PM (GMT -7) on 20 Mar 2025]