Securing The Public Cloud Edge with A Virtual Security Appliance

August 23, 2022
Why Use a Virtual Appliance?

Security is top of mind for many companies that have begun moving their infrastructure to the cloud. While cloud providers offer multiple mechanisms for securing cloud infrastructure, there are many reasons why a customer may want to rely on the firewall technologies already used in their traditional private infrastructure. The most common reason a company may want to use traditional firewall technology is simply its comfort level with the product. Additionally, some companies have regulatory and compliance requirements that mandate the use of a particular product or feature.

In this article, I will review several different solutions for integrating virtual firewall appliances into the AWS public cloud. While we will be focusing on AWS in this scenario, virtual firewall appliances are by no means an "AWS only" feature. Most public cloud providers offer an option for securing the edge with a third-party virtual appliance.

Topologies

There are several different topologies in which a virtual security appliance can be deployed. We will look at four common architectures: Single VPC, Security VPC, Transit Gateway with Security VPC, and ELB Sandwich.

Single VPC

In the Single VPC topology, the virtual security appliance is deployed within the same VPC as the instances being secured, and the firewall is configured as the next hop (gateway) for all traffic. This is the simplest method; however, it is not scalable, in that it cannot be used to secure other VPCs.
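The Single VPC topology described above, as an added Terraform example that is not part of the original article: a private app subnet whose default route points at the firewall instance's ENI. The AMI ID, instance type and CIDR ranges are assumptions; the firewall subnet's own route to an Internet Gateway is omitted.

```hcl
# Added example, not from the article: Single VPC topology in Terraform.
# AMI, instance type and CIDRs are placeholders/assumptions.
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

# Subnet holding the firewall appliance
resource "aws_subnet" "firewall" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.0.0/24"
}

# Private subnet for the instances being protected
resource "aws_subnet" "app" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

resource "aws_instance" "firewall" {
  ami           = "ami-PLACEHOLDER" # vendor appliance AMI (placeholder)
  instance_type = "c5.large"        # assumption
  subnet_id     = aws_subnet.firewall.id
  # Must be disabled: EC2 otherwise drops packets whose source or
  # destination is not this instance, so it could never forward the
  # app subnet's traffic.
  source_dest_check = false
}

# The app subnet's default route is the firewall's ENI, which makes
# the appliance the next hop for everything leaving that subnet.
resource "aws_route_table" "app" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_instance.firewall.primary_network_interface_id
  }
}

resource "aws_route_table_association" "app" {
  subnet_id      = aws_subnet.app.id
  route_table_id = aws_route_table.app.id
}
```

A quick sanity check after applying this is to confirm that `source_dest_check` is false on the appliance and that no route table attached to the app subnet still carries a default route to an Internet Gateway, which would let traffic bypass the firewall.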

Security VPC

The Security VPC topology solves the scalability problem by placing the security appliances in their own (transit) VPC. In this topology, traffic from multiple VPCs can be inspected by directing northbound traffic to the Security VPC where the security appliances are deployed. One drawback of the Security VPC topology is that connectivity between each VPC and the Security VPC is achieved using AWS Site-to-Site VPN, which has a throughput limitation of 1.25 Gbps. For environments with greater throughput requirements, the Transit Gateway architecture is recommended.

Transit Gateway with Security VPC

In the Security VPC topology, VPN was used to interconnect the source VPC with the Security VPC. The Transit Gateway solution builds upon the Security VPC solution by adding a Transit Gateway between the source VPC and the Security VPC. The AWS Transit Gateway has a maximum throughput capacity of 50 Gbps per Availability Zone. Therefore, using a Transit Gateway increases your throughput capability from 1.25 Gbps to 50 Gbps.

ELB Sandwich

ELB stands for Elastic Load Balancer. This architecture focuses on inbound traffic inspection for public services, such as a web server. With ELB Sandwich, a pair of public and private ELBs "sandwich" a set of virtual security appliances. The public ELB receives requests from the Internet and forwards them to the security appliances for inspection. After inspection, the security appliance forwards the request to an internal VIP on the private ELB, which then load balances requests among the internal web servers. This solution is highly scalable and works well with an Auto Scaling group of security appliances.

Conclusion

As we have seen, there are multiple options for securing your public cloud environment with traditional firewall appliances deployed as virtual machines. Several architectures are available to suit the needs of different environments. These appliances have flexible purchasing models such as BYOL (bring your own license) and pay-as-you-go.

ivision is equipped with the expertise and experience to help you make the best decision for your business needs.