Next-Gen Firewall - Control and Data Plane AWS


About This Architecture

Next-gen firewall architecture separating control and data planes across AWS availability zones, with OPNsense EC2 handling IDS/IPS and OpenVPN, Squid Proxy managing web filtering, and Kong API Gateway orchestrating tenant access. Control plane runs EKS with React frontend, API backend, and DPI controller service managing ACL policies and VPN provisioning. Data plane processes traffic through Internet Gateway, AWS WAF, and NAT Gateway while maintaining tenant isolation via RDS PostgreSQL and Secrets Manager. Fork this diagram to customize security policies, add multi-region failover, or integrate additional threat intelligence feeds. The architecture demonstrates defense-in-depth with Cloudflare CDN/WAF upstream, AWS WAF at ingress, and stateful inspection at the firewall layer.

People also ask

How do you architect a next-generation firewall with separated control and data planes on AWS?

This diagram shows a production architecture using OPNsense EC2 for IDS/IPS and OpenVPN, Squid Proxy for web filtering, and an EKS-based control plane managing policies and tenant provisioning. Traffic flows through Cloudflare CDN/WAF, AWS WAF, Kong API Gateway, then to the firewall data plane, with RDS PostgreSQL and Secrets Manager securing tenant configurations and credentials.

Tags: AWS, advanced, security, firewall, OPNsense, EKS, multi-tenant

Domain: Cloud AWS

Audience: Security architects designing next-generation firewall solutions on AWS

Created: March 26, 2026

Updated: March 26, 2026 at 11:02 AM

Type: architecture
