AWS Network Firewall + Network Load Balancer Architecture Question

Question

We are implementing a custom web application in AWS that we hope will be well designed, reliable and secure, while also staying within a limited budget. Ideally the architecture we implement would provide a solid foundation on which we can build and grow in the future, or at least give us some experience with an architecture that we can evolve into in the future.

Key items to note:

• We are only deploying in one Region for now. That could change in 2025, but for now we are sticking with one.
• There is an RDS database also in this architecture but it is not included in the diagram.
• We want to implement a centralized AWS Web Application Network Firewall to inspect traffic.
• Network Load Balancing is our preferred solution to ensure encrypted traffic all the way to the EC2 instance.
• The reason for the load balancer is to support traffic, but also maintenance and upgrades. Regarding our traffic, the number of requests is around 50K to 100K per week, but the returned results are large data tables.
• When a user makes a request our application must have the ability to make an outbound API call to another system to obtain additional data for that user. I'm not exactly sure how to make this work in a load balanced environment, but I understand it has something to do with a NAT Gateway.

Below is a simplified diagram of what we are thinking. We would appreciate any feedback that could be provided, especially around these questions.

1. From testing we know that it is not possible to make an outbound API call from an EC2 instance without that instance having a public IP address, either by assigning the EC2 instance a public IP address (bad idea) or having some type of NAT functionality. Question is, does the Network Firewall provide the NAT functionality or would we need a separate NAT Gateway?
2. When we implement the Network Firewall it looks like TLS is offloaded in the firewall. If so, how do we maintain encryption in transit all the way to the EC2 instances?
3. If what we are proposing is just a really bad idea, please point us in the direction of an alternative architecture that would better serve what we are trying to accomplish.

Happy to answer questions. Thanks in advance for your help!

mb87

Answer 1

1. Network Firewall doesn’t have a NAT option as of now. It will need to rely on the EC2’s own mapped Public IP or a NAT Gateway to get that to facilitate internet bound communication

2. “TLS Inspection” (Not “offloading”) on Network Firewall is an optional feature and is expected to be used when you are hosting a TLS service. Eg: You are hosting a web application and the certificate (and Private Key) is added to ACM. For egress access you can do similar check but you will need to add a private CA to ACM and then your EC2 also need to trust this CA. If it is not a strict requirement, I would recommend to avoid this and stick to domain/SNI based rules instead.

3. You could just make it a simple flat setup where the ingress/Egress flow is as below:

Client Access: Client –[Internet]--> IGW > Network FW > NLB > Targets [EC2]

API Calls from EC2: EC2 > NAT GW > Network FW > IGW >--[Internet]--> Servers

You will need to have respective rules to cover both direction flow.

The setup will be as in the AWS document and one of the deployment explained there Link