Securing zero trust access with AWS Verified Access and AWS Network Firewall

This article explains how to architect AWS Verified Access (AVA) with AWS Network Firewall to implement zero trust security for internal applications.

• AVA verifies user identity and device posture before granting access, eliminating traditional VPN broad network access
• Network Firewall provides deep packet inspection for HTTP and non-HTTP protocols with network-level policy enforcement
• HTTP endpoints support ELB and ENI deployment; TCP endpoints require Connectivity Client and don't expose public IPs
• Distributed deployment places firewall in same VPC as AVA and workloads, either after AVA or after ELB
• Centralized deployment uses VPC endpoint association or Transit Gateway for multi-VPC inspection
• AVA performs SNAT, so use X-Forwarded-For header for HTTP to access original client IP
• Third-party firewalls supported via AWS Gateway Load Balancer
• Network Firewall endpoints require dedicated subnets; security group referencing not supported with firewalls

This architecture combines identity-based access control with deep packet inspection to deliver granular, zero trust security without traditional VPN limitations.