# New: More Cloud NGFW Scalability Across Multiple AWS VPCs

By [Vijay Arumugam Kannan](https://www.paloaltonetworks.com/blog/author/vijay-arumugam-kannan/?ts=markdown "Posts by Vijay Arumugam Kannan")

Dec 19, 2022

We are excited to announce the availability of the [Multi-VPC Cloud NGFW for AWS resource](https://live.paloaltonetworks.com/t5/cloud-ngfw-videos/multi-vpc-cloud-ngfw-resource/ta-p/523967), the managed firewall that provides best-in-class Palo Alto Networks security with AWS cloud-native ease of use. With this feature, you can massively scale security by sharing the same Cloud NGFW resource across multiple virtual private clouds (VPCs) in your AWS accounts.

### **Cloud NGFW for AWS Keeps Expanding to Meet Your Needs**

First, some context: Over the years, Palo Alto Networks customers have used VM-Series Next-Generation Virtual Firewalls to protect their VPCs, which are virtual networks closely resembling traditional networks in data centers. These virtual firewalls provide best-in-class security with Layer 7 application controls, real-time signature and URL category updates, and ML-powered threat prevention.

Our customers have always asked us whether we can make our best-in-class security as easy to consume as other AWS-native services. They were looking for a cloud-native experience for network security and wanted to avoid managing the deployment and security infrastructure and integrating it deeply with the AWS ecosystem.

We listened and [launched Cloud NGFW for AWS](https://www.paloaltonetworks.com/blog/2022/03/next-generation-firewall-service-for-aws/) back in March 2022. Cloud NGFW for AWS is a Next-Generation Firewall (NGFW) service on the AWS platform that is managed by Palo Alto Networks.
It handles the delivery of next-generation security and its underlying infrastructure in a fully automated manner.

Since the [inception of Cloud NGFW for AWS](https://live.paloaltonetworks.com/t5/blogs/how-native-is-cloud-ngfw-for-aws/ba-p/476736) in March 2022, Palo Alto Networks has prioritized feedback from customers for driving product improvements. In response to customers like you who preferred AWS Marketplace procurement models to try and buy SaaS products, we enabled [Cloud NGFW Free Trials](https://www.paloaltonetworks.com/blog/2022/05/cloud-ngfw-free-trial-native-service/fw/aws/cloud-ngfw-on-aws/getting-started-with-cloud-ngfw-for-aws/cloud-ngfw-free-trial) and [Cloud NGFW SaaS Contract Credits](https://www.paloaltonetworks.com/blog/2022/08/aws-now-easier-to-get-worldwide/). We also expanded the service to [18 AWS regions](https://docs.paloaltonetworks.com/cloud-ngfw/aws/cloud-ngfw-on-aws/getting-started-with-cloud-ngfw-for-aws/supported-regions-and-zones).

### **Dedicated Cloud NGFW Resources**

A Cloud NGFW resource provides NGFW capabilities for your VPC. This resource has built-in resiliency, scalability and lifecycle management. An NGFW resource spans multiple AWS availability zones, which are distinct locations within an AWS Region, engineered to be isolated from failures in other Availability Zones. They provide inexpensive, low-latency network connectivity to other Availability Zones in the same AWS Region.

Under the hood, an NGFW resource is a Gateway Load Balancer-based [VPC endpoint service](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoint-services-gwlbe.html). To use an NGFW resource, you create a dedicated subnet in your VPC for each desired AWS availability zone. You then create NGFW endpoints (also known as Gateway Load Balancer endpoints) on the subnets and update the VPC route tables to send traffic through these endpoints.

Until now, you created the Cloud NGFW resource and dedicated it to a single VPC in your AWS environment.
You could use the Cloud NGFW resource by creating NGFW endpoints in that VPC. This dedicated resource would be sufficient if you use Cloud NGFW resources in a centralized deployment. In the centralized architecture model, a dedicated security VPC provides a simplified and central approach to managing advanced access control and threat inspection of traffic using an [**AWS Transit Gateway**](https://docs.paloaltonetworks.com/cloud-ngfw/aws/cloud-ngfw-on-aws/create-cloud-ngfw-instances-and-endpoints/direct-traffic-to-cloud-ngfw-for-aws/cloud-ngfw-for-aws-centralized-deployments) for all applications in the spoke VPCs. You would then configure route rules in the application VPCs and the transit gateway to redirect traffic to the security VPC for inspection.

However, your deployment may require a [**hybrid architecture model**](https://www.paloaltonetworks.com/resources/guides/intelligent-architectures-aws-reference-architecture), where the spoke VPCs can use the centralized VPC for east-west inspection. This model also allows distributing the inspection points (NGFW resources) on each application VPC that needs protection for its Internet Ingress/Egress traffic. However, you would incur hourly costs for each NGFW resource in your deployment, which you might want to avoid.

![Announcing the Multi-VPC Cloud NGFW resource in Cloud NGFW for AWS, which allows you to share the same resource across multiple virtual private clouds (VPCs).](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/12/word-image-48.png)

Figure 1: Current single VPC NGFW resources in combined deployment architectures may force customers to incur additional costs for securing multiple VPCs.

### **Multi-VPC NGFW Resources Change the Game**

All that said, we heard your total cost of ownership (TCO) concerns about dedicating Cloud NGFW resources to VPCs and are excited to announce the general availability of the Multi-VPC NGFW resource.
With this feature, you can create endpoints for an NGFW resource in different VPCs and route traffic to the NGFW resource for inspection.

![Announcing the Multi-VPC Cloud NGFW resource in Cloud NGFW for AWS, which allows you to share the same resource across multiple virtual private clouds (VPCs).](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/12/word-image-49.png)

Figure 2: Multi-VPC NGFW resources simplify your hybrid architecture model in a cost-effective manner.

What's more, you can have these VPCs in different AWS accounts with these significant operational benefits:

* **Deployment flexibility**: Now you can share Cloud NGFW resources across multiple VPCs in different AWS accounts.
* **Scalable connectivity**: Create up to 50 Cloud NGFW endpoints (also known as Gateway Load Balancer endpoints) across different VPCs and send traffic through these endpoints for NGFW inspection.
* **Cost effectiveness**: Reduce the number of NGFW resources needed to protect your AWS environment and consolidate your overall network security posture.

There is no additional cost to share Cloud NGFW resources across multiple VPCs. You pay AWS directly for the Cloud NGFW endpoints (Gateway Load Balancer endpoints) that you use to send traffic to the NGFW resource ($0.01/hr and $0.0035/GB).

This feature is now available in all [Cloud NGFW for AWS supported AWS regions](https://docs.paloaltonetworks.com/cloud-ngfw/aws/cloud-ngfw-on-aws/getting-started-with-cloud-ngfw-for-aws/supported-regions-and-zones) to help you realize these benefits in your AWS environment. You can also look at this brief [demo video](https://www.youtube.com/watch?v=_07vyV0NduE).
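
An added example, not code from the post or from Palo Alto Networks: a Python check over constructed EC2-style data that flags application subnets whose default route bypasses the NGFW endpoints or points at an endpoint in another availability zone, and counts endpoints against the 50-endpoint figure above. All resource IDs are made up; it assumes a route to a Gateway Load Balancer endpoint carries the `vpce-` ID in the route's `GatewayId` field and that every listed endpoint belongs to the one shared NGFW resource.

```python
MAX_ENDPOINTS = 50  # endpoint count per NGFW resource quoted in the post

# Constructed sample data, trimmed to the fields used here. Shapes follow the
# EC2 DescribeSubnets / DescribeVpcEndpoints / DescribeRouteTables responses.
SUBNETS = [
    {"SubnetId": "subnet-app-a", "VpcId": "vpc-app1", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-app-b", "VpcId": "vpc-app1", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-fw-a", "VpcId": "vpc-app1", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-app2-a", "VpcId": "vpc-app2", "AvailabilityZone": "us-east-1a"},
]
ENDPOINTS = [  # assumption: already filtered to the shared NGFW resource
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "GatewayLoadBalancer",
     "VpcId": "vpc-app1", "SubnetIds": ["subnet-fw-a"], "State": "available"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-1", "VpcId": "vpc-app1",
     "Associations": [{"SubnetId": "subnet-app-a"}, {"SubnetId": "subnet-app-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0aaa"}]},
    {"RouteTableId": "rtb-2", "VpcId": "vpc-app2",
     "Associations": [{"SubnetId": "subnet-app2-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb"}]},
]


def audit(subnets, endpoints, route_tables, protected_vpcs):
    """Return (kind, subnet_id, detail) findings for VPCs that must be inspected."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    # Map each usable Gateway Load Balancer endpoint to the AZ of its subnet.
    ep_az = {}
    for ep in endpoints:
        if ep["VpcEndpointType"] == "GatewayLoadBalancer" and ep["State"] == "available":
            ep_az[ep["VpcEndpointId"]] = az_of.get(ep["SubnetIds"][0])
    endpoint_subnets = {sid for ep in endpoints for sid in ep["SubnetIds"]}

    findings = []
    if len(ep_az) > MAX_ENDPOINTS:
        findings.append(("limit", None, f"{len(ep_az)} endpoints exceed {MAX_ENDPOINTS}"))
    for rt in route_tables:
        if rt["VpcId"] not in protected_vpcs:
            continue
        default = next((r for r in rt["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        target = (default or {}).get("GatewayId", "")
        for assoc in rt.get("Associations", []):
            sid = assoc.get("SubnetId")
            if sid is None or sid in endpoint_subnets:
                continue  # main-table association, or the dedicated endpoint subnet
            if target not in ep_az:
                # Default route does not go through any NGFW endpoint.
                findings.append(("bypass", sid, f"default route -> {target or 'none'}"))
            elif ep_az[target] != az_of.get(sid):
                # Post has you create one dedicated endpoint subnet per AZ.
                findings.append(("cross-az", sid, f"{target} is in {ep_az[target]}"))
    return findings


if __name__ == "__main__":
    for kind, subnet, detail in audit(SUBNETS, ENDPOINTS, ROUTE_TABLES,
                                      {"vpc-app1", "vpc-app2"}):
        print(f"{kind:9} {subnet}: {detail}")
```
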

To learn more, sign up for a 15-day [free trial](https://aws.amazon.com/marketplace/pp/prodview-sdwivzp5q76f4?trk=133fe74a-0bf3-4a83-a06f-91696100b8e2&sc_channel=ps&s_kwcid=AL!4422!3!612925914691!p!!g!!ngfw%20for%20aws&ef_id=EAIaIQobChMIpfyBg5f7-wIVOsqUCR3qeQqPEAAYBCAAEgK4bfD_BwE:G:s&s_kwcid=AL!4422!3!612925914691!p!!g!!ngfw%20for%20aws) and visit the [documentation](https://docs.paloaltonetworks.com/cloud-ngfw/aws.html) and [FAQ](https://live.paloaltonetworks.com/t5/cloud-ngfw-articles/cloud-ngfw-for-aws-faq/ta-p/476671) pages.

As always, your feedback drives our feature roadmap and product development. Please contact us through your Palo Alto Networks support team if you have additional feedback or Cloud NGFW feature requests.