May 21, 2020

Forcepoint NGFW with Amazon VPC Ingress Routing

Jonathan Knepher

At AWS re:Invent 2019, Amazon announced the launch of the new Ingress Routing feature for its Amazon VPC service. Recently, we rolled out VPC Ingress Routing for Forcepoint customers who use AWS to support workloads in a hybrid environment. This integration allows Forcepoint NGFW customers to simplify their AWS network security implementation.

A key advantage of cloud services like AWS is the ability to quickly allocate compute resources as needed to support new workloads and projects. However, with increased flexibility often comes increased risk. In this instance, there is a risk that a user could create a new EC2 instance within a given VPC that is directly accessible from the internet, potentially exposing sensitive data or internal applications to unauthorized users.

What Amazon VPC Ingress Routing Does

Amazon VPC Ingress Routing simplifies the integration of network security appliances with a customer’s Amazon Virtual Private Cloud (VPC) infrastructure, making it simpler for customers to apply security policies uniformly across the entirety of their enterprise network – both on prem and in the cloud. 

 This integration also simplifies deployment for running Forcepoint’s NGFW inline to protect customer workloads running on AWS, providing additional flexibility to customers as they adapt their network security architectures to employ more cloud resources.

Simplifying Policy Enforcement On-Prem and in the Cloud

A common challenge for customers operating in a hybrid network environment is replicating and enforcing on-premises security policies for workloads hosted in the cloud. The old way to manage this was inherently complex. To ensure security policies were uniformly mirrored across both on-premises and cloud environments, the only option previously available was to reroute any traffic destined to the VPC back to the corporate network, where it could be inspected by the on-premises appliance and then rerouted to its ultimate destination. The obvious challenges with this approach are the complexity of the design and the added network latency, which often results in a poor customer experience.

VPC Ingress Routing integration with Forcepoint NGFW provides our customers a better option. It gives customers the flexibility to ensure that any traffic destined to their Amazon Virtual Private Cloud receives the same level of scrutiny, using the same trusted security products, that it would when accessing the corporate network.



With the addition of the Ingress Routing feature to the Amazon VPC service, customers can now enforce network security policies uniformly across their entire enterprise network, without additional complexity and latency.  With this new feature, a VPC can be configured to send all traffic destined to any subnet within the VPC to a specific EC2 instance running a Forcepoint NGFW virtual appliance where traffic can be inspected, and policies applied, prior to reaching its final destination.


Here are the steps to set up a Forcepoint NGFW with Amazon VPC Ingress Routing to protect your workloads:

  • Deploy Forcepoint NGFW from the AWS Marketplace
    Note: The NGFW must be in a separate subnet from the workloads
  • Configure rules in NGFW to allow your desired traffic, using the Forcepoint SMC
  • Create a route table for the internet gateway
    - Create routes for the workload subnets with the target of the Forcepoint NGFW’s ENI
  • Create a route table for the Forcepoint NGFW
    - Use a local route for the internal workload networks
    - Create a default route with a target of the internet gateway
  • Set up the route table for the internal workload network(s)
    - Create a default route with a target of the Forcepoint NGFW’s ENI
  • Confirm in NGFW Logging that traffic is appropriately flowing through NGFW
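One way to check the three route tables before relying on the NGFW logs, as an added example (not Forcepoint or AWS code): the audit below takes data shaped like the `RouteTables` list returned by `aws ec2 describe-route-tables` and reports any route that would let traffic bypass the firewall. All IDs and CIDRs are constructed sample values, and the function and variable names are hypothetical.

```python
# Added example: audit route tables against the layout in the steps above.
# Every ID and CIDR here is a constructed sample value.
IGW, ENI, FW_SUBNET = "igw-0example", "eni-0ngfw", "subnet-fw"
WORKLOADS = {"subnet-app": "10.0.1.0/24"}  # workload subnet ID -> CIDR
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}

def route(cidr, **target):
    return {"DestinationCidrBlock": cidr, **target}

SAMPLE = [  # shaped like "RouteTables" from `aws ec2 describe-route-tables`
    {"Associations": [{"GatewayId": IGW}],          # internet gateway table
     "Routes": [LOCAL, route("10.0.1.0/24", NetworkInterfaceId=ENI)]},
    {"Associations": [{"SubnetId": FW_SUBNET}],     # NGFW subnet table
     "Routes": [LOCAL, route("0.0.0.0/0", GatewayId=IGW)]},
    {"Associations": [{"SubnetId": "subnet-app"}],  # workload subnet table
     "Routes": [LOCAL, route("0.0.0.0/0", NetworkInterfaceId=ENI)]},
]

def table_for(tables, key, value):
    """Table associated with a gateway or subnet; subnets fall back to the main table."""
    for rt in tables:
        if any(a.get(key) == value for a in rt.get("Associations", [])):
            return rt
    if key == "SubnetId":
        return next((rt for rt in tables
                     if any(a.get("Main") for a in rt.get("Associations", []))), None)
    return None

def target_of(rt, cidr):
    """ENI or gateway the route for exactly `cidr` points at, else None."""
    for r in (rt or {}).get("Routes", []):
        if r.get("DestinationCidrBlock") == cidr:
            return r.get("NetworkInterfaceId") or r.get("GatewayId")
    return None

def audit(tables, igw, eni, fw_subnet, workloads):
    """Return findings; an empty list means the tables match the steps."""
    findings = []
    if fw_subnet in workloads:
        findings.append("NGFW shares a subnet with workloads")
    edge = table_for(tables, "GatewayId", igw)
    if target_of(table_for(tables, "SubnetId", fw_subnet), "0.0.0.0/0") != igw:
        findings.append("NGFW subnet has no default route to the internet gateway")
    for subnet, cidr in workloads.items():
        if target_of(edge, cidr) != eni:
            findings.append(f"inbound traffic for {cidr} is not sent to the NGFW ENI")
        if target_of(table_for(tables, "SubnetId", subnet), "0.0.0.0/0") != eni:
            findings.append(f"{subnet} default route does not point at the NGFW ENI")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, IGW, ENI, FW_SUBNET, WORKLOADS) or "layout matches the steps")
```

A workload subnet with no explicit association is evaluated against the main route table, which is where a newly created subnet lands by default.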

This configuration allows for other Layer 3 Forcepoint NGFW implementations, such as IPS and advanced detection capabilities.  The unique design of the Forcepoint SMC allows for consolidated policy management of all firewalls across the enterprise, which assures conventional on-premise policies get applied throughout the AWS cloud infrastructure. 


Forcepoint customers can now simplify their network security architecture in AWS with Amazon VPC Ingress Routing. This added functionality to Amazon’s VPC service allows inline deployment of Forcepoint NGFW appliances in their cloud environment, greatly simplifying the application of network security policies to AWS workloads without introducing unwanted latency and complexity.

 Forcepoint NGFW’s software-based solution is uniquely designed to deliver maximum security with minimum cost and complexity. The Forcepoint NGFW Security Management Center (SMC) is a unified platform which provides unmatched visibility, control and consistent policy enforcement to ensure regulatory compliance in physical infrastructure as well as virtual and cloud environments.

Amazon VPC Ingress Routing is available in all AWS commercial and AWS GovCloud (US) Regions at no additional charge. For more information on how Forcepoint can help you protect your AWS workloads, visit our Cloud Security Solutions for Amazon Web Services page or contact your Forcepoint Account Manager.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.

Jonathan Knepher

Jonathan Knepher is a member of Forcepoint’s Innovation Labs, and is responsible for providing innovation with Forcepoint’s technology alliance partners.  He spends his days by combining Forcepoint’s unique human and data centric security technologies with other leading security and technology...
