
Aviatrix FireNet / AWS Transit Gateway Native Deployment Comparison

There are two native ways to connect an AWS Transit Gateway to a firewall: a TGW VPN attachment that terminates on the firewall, or a TGW VPC attachment to the VPC that hosts the firewall. These two native models, together with the Aviatrix FireNet model, make up the three deployment models illustrated in the diagram below.

[Diagram: comparison of the three firewall deployment models]

If an AWS Transit Gateway connects to a firewall through its built-in VPN function, the firewall must run IPsec and BGP. If more than one firewall instance is deployed behind ECMP, each instance must also perform SNAT so that a flow and its return traffic land on the same instance; without SNAT the Transit Gateway may hash the return traffic to a different instance, which has no session state for the flow and drops it. Furthermore, because the native deployment relies on an IPsec VPN whose throughput is limited to about 1 Gbps, a single firewall instance can only achieve about 500 Mbps in this scenario, since the traffic crosses the VPN twice (once into the firewall and once back to the Transit Gateway). A more detailed functional comparison is given in the table below.
| Firewall deployment function | Firewall in VPN deployment * | Firewall in VPC/VNet attachment * | Firewall in Aviatrix FireNet |
|---|---|---|---|
| On-prem to VPC/VNet traffic inspection | Yes | Yes | Yes |
| VPC/VNet to VPC/VNet traffic inspection | Yes (requires SNAT) | Yes | Yes |
| Egress traffic inspection | Yes | Yes | Yes |
| Per-firewall performance | 500 Mbps | Up to 6 Gbps | Up to 6 Gbps |
| Total FireNet performance | > 500 Mbps | Up to 6 Gbps | Up to 75 Gbps |
| Multiple firewalls (scale out) | Yes | No (Active/Standby) | Yes |
| Integrated solution | Yes | No (requires external script) | Yes |
| Solution complexity | High | Medium | Low |
| Centrally managed | Yes | No (requires external script) | Yes |
| Multi-vendor support | Yes | Yes | Yes |

* Native AWS Transit Gateway deployment.