Next-Gen Firewall - Control and Data Plane AWS
About This Architecture
This next-generation firewall architecture separates the control and data planes across AWS availability zones. An OPNsense EC2 instance handles IDS/IPS and OpenVPN, a Squid Proxy performs web filtering, and Kong API Gateway mediates tenant access. The control plane runs on EKS and consists of a React frontend, an API backend, and a DPI controller service that manages ACL policies and VPN provisioning. The data plane processes traffic through the Internet Gateway, AWS WAF, and NAT Gateway while keeping tenants isolated, with per-tenant configuration held in RDS PostgreSQL and credentials in Secrets Manager. Fork this diagram to customize security policies, add multi-region failover, or integrate additional threat intelligence feeds. The architecture demonstrates defense in depth: Cloudflare CDN/WAF upstream, AWS WAF at ingress, and stateful inspection at the firewall layer.
How do you architect a next-generation firewall with separated control and data planes on AWS?
This diagram shows a production architecture that uses OPNsense on EC2 for IDS/IPS and OpenVPN, Squid Proxy for web filtering, and an EKS-based control plane for policy management and tenant provisioning. Traffic flows through Cloudflare CDN/WAF, AWS WAF, and Kong API Gateway before reaching the firewall data plane; RDS PostgreSQL stores tenant configurations and Secrets Manager holds tenant credentials.
- Domain: Cloud AWS
- Audience: Security architects designing next-generation firewall solutions on AWS
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.