Firewall Network Service

The simplest, highest performance, best scale-out architecture for next generation firewalls in the cloud.


As enterprises move to the cloud, security teams want to add in-line firewalling as a service to their cloud architecture. Services like IDS/IPS, layer 7 (application layer) filtering and threat detection, traditionally used by data center security teams, have become key requirements for enterprise cloud architects.

The Aviatrix Firewall Network Service allows you to bring your current firewall solution to the cloud and easily integrate it with native cloud networking constructs. This Aviatrix service supports next-generation firewalls for inspection of all, or specified, traffic flows: on-premises to/from cloud, egress to Internet, ingress from Internet, and VPC to VPC/VNET traffic.


The Aviatrix Firewall Network Service architecture is different from the traditional cloud firewall architecture.


Traditionally, cloud firewall deployments require IPSec tunnels (and/or ECMP) to route traffic from VPCs to these appliances. This increases the complexity of deploying and managing the firewalls and forces trade-offs in performance, scale and visibility.

Aviatrix Firewall Network Service decouples networking functions and security functions. There are no IPSec tunnels between the cloud resources, such as AWS Transit Gateway (TGW), and firewall instances, which simplifies deployment, maximizes performance and allows the best scale possible.

Aviatrix’s Firewall Network Service provides a next generation architecture for deploying enterprise firewall security in public clouds.

Advantages include:

  • Simplicity. Leveraging the Aviatrix intelligent orchestration and control service, the Firewall Network Service eliminates complex cloud networking challenges.
  • Maximize performance. The Firewall Network architecture eliminates the performance burden imposed by IPSec tunnels on firewall instances. As a result, each firewall instance can perform at maximum throughput.
  • Maximize Scale: Leveraging an active-active failover architecture, Aviatrix gateways deliver load balancing, without requiring source NAT (SNAT), maintaining full lost when using native constructs.
  • Built-in High Availability: The Aviatrix Controller manages HA failover for firewalls by monitoring the health of the instance connections. When an issue is detected, the controller reprograms both Aviatrix gateways and cloud infrastructure route entries to bypass the impacted instance connections.

How does Aviatrix Firewall Network Service compare to virtual firewall-only implementations?


| Cloud Firewall Requirements | Aviatrix Firewall Network Service | Native vFirewall |
|---|---|---|
| Lower TCO with maximum performance from firewall instances | Yes | No |
| Built-in, supported High Availability (HA) | Yes | No |
| Scale-out firewall instances with stateful load balancing | Yes | No |
| Inspect on-prem to cloud traffic (without source NATing traffic) | Yes | No |
| Cloud network automation to avoid errors | Yes | No. Requires engineers to hand-build networking and maintain it using manual route updates. |
| Auditing for out of band policy changes | Yes | No |
| Troubleshooting and network visualization tools | Yes | No |
| Inspect East-west traffic | Yes | Yes |
| Centralized internet egress traffic | Yes | Yes |
| Centralized internet ingress firewalling | Yes | Yes |