Enterprise-grade security in AWS - BBD

June 11, 2025

One of the primary challenges that cloud customers face is ensuring enterprise-grade security between their AWS Organisation’s Virtual Private Clouds (VPCs) and external networks.

A common approach to enhancing security within a customer’s AWS landing zone is to implement a centralised firewall to control and inspect network traffic flows.

One way to strengthen security is a hub-and-spoke architecture built on AWS Transit Gateway, which integrates easily with other cloud-native resources. This design routes all VPC traffic through the centralised firewall for inspection, offering better control and visibility across the environment.

“At BBD, we specialise in building secure, scalable cloud environments using Infrastructure as Code (IaC),” says Warren Gurney, AWS solutions architect at BBD Cloud Solutions. “Our approach ensures fast, repeatable deployments using pre-built Terraform modules.”

Clayton York, also an AWS Solutions Architect at BBD, adds: “We’ve successfully implemented a range of firewall solutions for enterprise clients using our proven Terraform IaC templates.”

These templates allow for quick provisioning of landing zones that support:

• AWS Network Firewall
• FortiGate Firewalls
• FortiWeb Web Application Firewalls (WAFs)

In this article, Gurney and York – both certified AWS Solutions Architect Professionals and AWS Network Specialists – explore how to choose the right firewall for your environment and how BBD Cloud Solutions can support your security journey.

Key considerations when choosing a firewall solution

When selecting a firewall solution for your AWS environment, it’s important to weigh a few key factors to ensure the right fit for your business:

  1. Architectural familiarity: Choose a solution aligned with the skills and preferences of your existing teams.
  2. Centralised vs decentralised models: Centralised architectures simplify management and policy enforcement. They also tend to be more cost-effective and easier to monitor at scale.
  3. Cost implications: Be conscious of all costs, including infrastructure costs, data transfer charges, and licensing/subscription fees.

Recommended firewall options

Choosing the right firewall solution depends on your organisation’s architecture, security requirements, and team expertise. Here’s a quick comparison of the most common choices:

1. AWS Network Firewall

For organisations looking to stay entirely within the AWS ecosystem, AWS Network Firewall offers a fully managed, scalable solution that integrates seamlessly into Infrastructure as Code (IaC) workflows.

2. FortiGate Firewall by Fortinet

Deployed in an Active/Standby configuration, FortiGate is a robust, enterprise-grade solution that brings familiar security features and flexibility to AWS environments.

3. Ingress Web Application Firewall (WAF)

For protecting web-facing applications, two key options exist depending on your team’s preferences and the desired level of control.

  • AWS Application Load Balancer + AWS WAF
  • AWS Network Load Balancer + FortiWeb

Comparison of the options (solution, pros, cons, and best fit):

AWS Network Firewall
Pros:
– Fully managed by AWS (no patching/maintenance)
– Auto-scales with demand
– High availability across AZs
– IaC with Terraform and Git
– Built-in IPS/IDS with Suricata rules
Cons:
– Endpoints are expensive and are provisioned per AZ
– High data transfer charges
Best for: Teams looking for cloud-native, scalable firewalls tightly integrated with AWS and IaC workflows

FortiGate Firewall (Active/Standby)
Pros:
– Familiar to security teams
– Supports ingress, egress, east/west, and VPN
– No AWS data-transfer fees
– High availability with failover
– IPS/IDS features built-in
Cons:
– Expensive licensing and subscriptions, although FortiFlex licensing offers more cost-effective options
– No auto-scaling, although manual vertical scaling is supported
– Requires ongoing manual patching and maintenance
Best for: Organisations with Fortinet expertise seeking full-featured enterprise firewalls with granular control

AWS ALB + AWS WAF
Pros:
– Fully managed by AWS
– Auto-scales automatically
– No licence costs
– Integrated with the AWS ecosystem
Cons:
– Less familiar interface and rule management for traditional security teams
Best for: Cost-conscious teams wanting a simple, effective web application firewall managed entirely by AWS (see Security Automations for AWS WAF)

AWS NLB + FortiWeb WAF
Pros:
– Familiar Fortinet interface for security teams
– Advanced WAF features
– HA load balancing across AZs; scaling is vertical only, if required
Cons:
– Requires a FortiWeb licence
– No auto-scaling
Best for: Teams needing strong web app protection with existing Fortinet investments or preferences
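As an added illustration of the hub-and-spoke design and the AWS Network Firewall option described above (example Terraform written for this article, not BBD’s own modules), the following builds a Suricata-backed firewall in an inspection VPC and points a spoke Transit Gateway route table at it. The var.* inputs, resource names and rule content are assumptions.

```hcl
# Added example, not BBD module code. Assumed inputs: var.inspection_vpc_id,
# var.firewall_subnet_ids (one per AZ), var.inspection_tgw_attachment_id, var.spoke_tgw_route_table_id.

# Stateful rule group in Suricata syntax: drop cleartext Telnet, log every other flow.
resource "aws_networkfirewall_rule_group" "egress" {
  name     = "egress-inspection"
  type     = "STATEFUL"
  capacity = 100

  rule_group {
    rules_source {
      rules_string = <<-EOT
        drop tcp any any -> any 23 (msg:"Deny cleartext Telnet"; sid:1000001; rev:1;)
        alert ip any any -> any any (msg:"Inspected flow"; sid:1000002; rev:1;)
      EOT
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "central" {
  name = "central-policy"
  firewall_policy {
    # Hand every packet (and fragment) to the stateful engine; the Suricata rules decide.
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.egress.arn
    }
  }
}

# One firewall endpoint per AZ: this is the per-AZ endpoint cost noted in the comparison.
resource "aws_networkfirewall_firewall" "central" {
  name                = "central-firewall"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.central.arn
  vpc_id              = var.inspection_vpc_id

  dynamic "subnet_mapping" {
    for_each = toset(var.firewall_subnet_ids)
    content {
      subnet_id = subnet_mapping.value
    }
  }
}

# Spoke TGW route table: the default route sends all spoke traffic to the inspection VPC attachment.
resource "aws_ec2_transit_gateway_route" "spoke_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = var.inspection_tgw_attachment_id
  transit_gateway_route_table_id = var.spoke_tgw_route_table_id
}
```

The inspection VPC’s Transit Gateway attachment should be created with appliance_mode_support = "enable" so that both directions of a flow are steered to the same AZ’s firewall endpoint; the inspection VPC’s own subnet route tables and return routes are assumed to be defined elsewhere.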

BBD’s Cloud Solutions team offers enterprise-grade security implementations tailored to your specific architecture and business requirements. Using our battle-tested Terraform modules, we enable rapid provisioning, automated deployments, and full integration into your existing CI/CD pipelines.

Whether you’re migrating workloads, scaling operations, or fortifying your cloud infrastructure – we’ve got you covered with secure, scalable firewall solutions designed for AWS.
