Transit gateway-attached firewalls in Network Firewall
The Amazon Network Firewall integration with Amazon Transit Gateway lets you create and centrally manage firewall protection without provisioning multiple firewall endpoints.
Firewall owners can attach a Network Firewall directly to a transit gateway as a transit gateway attachment, using a transit gateway that is either in their own account or shared from a different account. For more information, see Create a transit gateway-attached firewall.
Key concepts
Review the following concepts before you continue. Note that these definitions are in the context of the Network Firewall integration with Amazon Transit Gateway.
Transit Gateway
A transit gateway works across Amazon accounts, and you can use Amazon RAM to share your transit gateway with other accounts. When a transit gateway is shared, recipients can use it to create a transit gateway attachment.
Transit gateway-attached firewall
A type of transit gateway attachment. When a Network Firewall account owner uses a shared transit gateway to provision a firewall, they bypass the networking configuration (VPC, subnets, and endpoints) that the standard firewall setup requires. A firewall that a Network Firewall account owner provisions using a shared transit gateway is a transit gateway-attached firewall.
Amazon RAM sharing account
The sharing account contains the resource that is shared. In the context of the Network Firewall integration with Amazon Transit Gateway, the Amazon RAM sharing account that shares the transit gateway is referred to as the transit gateway owner.
Ownership scenarios
As with firewalls and firewall endpoints created in Network Firewall, the account ownership scenario affects how you work with a transit gateway-attached firewall. Two roles are involved:
- The transit gateway owner is the account that owns the transit gateway.
- The firewall owner is the account that creates and manages the transit gateway-attached firewall.
Note
These roles can be in the same account or in different accounts.