Cloud Routing for Firewalls

Bring your own firewall to the cloud — Palo Alto Networks, Checkpoint, Fortinet and more.


Enterprises have grown their cloud environments to the point that cloud network traffic requires inline firewalling. There is a growing requirement to insert services such as IDS/IPS, layer 7 (application layer) filtering and malware detection into cloud networks.

Aviatrix Transit DMZ allows you to bring your own trusted firewall solution and easily build out a Cloud Transit DMZ. This Aviatrix solution supports next-generation firewalls for inspection of all traffic flows: on-premises to/from cloud, egress to the Internet, ingress from the Internet and VPC to VPC/VNET traffic.

Transit DMZ differs from traditional cloud firewall deployments.


Traditionally, instance-based firewall appliances require IPsec tunnels (or ECMP) to send traffic from VPCs to these appliances. This increases the complexity of managing the firewalls and reduces the performance available for the security functions you want them to perform.

Transit DMZ decouples networking functions from security functions. There are no IPsec tunnels between the Aviatrix Transit GW and the firewall appliances, which simplifies firewall deployment, maximizes firewall appliance performance and allows the appliances to scale independently.

Aviatrix Next Gen Transit Network provides a DMZ architecture in the public cloud that allows firewall instances to be inserted inline for traffic inspection.

Advantages include:

  • Maximizes firewall performance: This architecture eliminates the performance burden of IPsec tunnels and routing functions on the firewall instances, so each firewall instance can perform security operations at maximum throughput. Aviatrix Transit DMZ also allows you to scale out your firewall instances.
  • Inspects all traffic flows: The solution allows inspection of all traffic flows: on-premises to and from the cloud, between cloud networks, Internet ingress and Internet egress. Get full visibility in your cloud by eliminating the need for source NAT (SNAT).
  • Built-in High Availability: Aviatrix Controller manages the HA and failover of firewalls by monitoring the health of the instances. When a failure is detected, the controller reprograms the cloud infrastructure route entry to avoid the defective instance.

How does Aviatrix DMZ compare to a virtual firewall-only implementation?


| Cloud Firewall Requirements | Aviatrix Transit DMZ | Native vFirewall |
|---|---|---|
| Lower TCO with maximum performance from firewall instances | Yes | No |
| Built-in, supported High Availability (HA) | Yes | No |
| Scale-out firewall instances with stateful load balancing | Yes | No |
| Support distributed internet egress filters | Yes | No |
| Inspect on-prem to cloud traffic (without source NATing traffic) | Yes | No |
| Cloud network automation to avoid errors | Yes | No. Requires hand-building the networking and maintaining it with manual route updates |
| Auditing for out-of-band policy changes | Yes | No |
| Troubleshooting and network visualization tools | Yes | No |
| Inspect east-west traffic | Yes | Yes |
| Centralized internet egress traffic | Yes | Yes |
| Centralized internet ingress firewalling | Yes | Yes |