AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/migration-perimeter-zone-apps-network-firewall/architecture.md

Summary

Updated image paths, fixed internal links, standardized product naming (e.g., 'Network Firewall' to 'AWS Network Firewall'), improved formatting with italics for section references, and corrected minor spacing issues.

Security assessment

Changes are primarily cosmetic and structural (image path updates, link corrections, formatting). No vulnerabilities, security incidents, or weaknesses are addressed. The core security concepts (firewall inspection, traffic vetting) remain unchanged.

Diff

diff --git a/prescriptive-guidance/latest/migration-perimeter-zone-apps-network-firewall/architecture.md b/prescriptive-guidance/latest/migration-perimeter-zone-apps-network-firewall/architecture.md
index 6071fd811..b3fb18ee3 100644
--- a//prescriptive-guidance/latest/migration-perimeter-zone-apps-network-firewall/architecture.md
+++ b//prescriptive-guidance/latest/migration-perimeter-zone-apps-network-firewall/architecture.md
@@ -5 +5 @@
-[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Migrating perimeter zone applications to the AWS Cloud using Network Firewall](welcome.html)
+[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Migrating perimeter zone applications to the AWS Cloud using AWS Network Firewall](introduction.html)
@@ -15 +15 @@ In many organizations, internet-facing applications are "walled off" in a perime
-![Traditional perimeter zone architecture](/images/prescriptive-guidance/latest/migration-perimeter-zone-apps-network-firewall/images/traditional_perimeter_zone_architecture.png)
+![](/images/prescriptive-guidance/latest/migration-perimeter-zone-apps-network-firewall/images/guide-img/e9c77201-9323-4f46-9aa2-8c71588f3ec4/images/80b5b03d-65e4-4ddd-a4d4-9af53bd5fff9.png)
@@ -21 +21 @@ The following diagram shows an example network architecture of a perimeter zone
-![Architecture of a perimeter zone application in the AWS Cloud](/images/prescriptive-guidance/latest/migration-perimeter-zone-apps-network-firewall/images/perimeter_zone_architecture_network_firewall.png)
+![](/images/prescriptive-guidance/latest/migration-perimeter-zone-apps-network-firewall/images/guide-img/e9c77201-9323-4f46-9aa2-8c71588f3ec4/images/b4c5a0aa-4b81-4733-8c89-05e60219c305.png)
@@ -27 +27 @@ In the above network architecture example, the application is protected through
-  * In the public subnet, AWS Network Firewall inspects all the traffic that's routed to the application endpoint (through the Application Load Balancer). To ensure that all the traffic goes through the endpoints of Network Firewall, you must update the routing table, as the diagram shows.
+  * In the public subnet, Network Firewall inspects all the traffic that's routed to the application endpoint (through the Application Load Balancer). To ensure that all the traffic goes through the endpoints of Network Firewall, you must update the routing table, as the diagram shows.
@@ -32 +32 @@ In the above network architecture example, the application is protected through
-We recommend that you route all the egress traffic from the application to AWS Transit Gateway through the network firewall. This helps to vet all the traffic in the account before routing that traffic to the protected network.
+We recommend that you route all the egress traffic from the application to Transit Gateway through the network firewall. This helps to vet all the traffic in the account before routing that traffic to the protected network.
@@ -38 +38 @@ The following diagram shows the data flow of traffic through a perimeter zone ar
-![Data flow of traffic for a perimeter zone architecture based on Network Firewall](/images/prescriptive-guidance/latest/migration-perimeter-zone-apps-network-firewall/images/traffic_data_flow.png)
+![](/images/prescriptive-guidance/latest/migration-perimeter-zone-apps-network-firewall/images/guide-img/e9c77201-9323-4f46-9aa2-8c71588f3ec4/images/52f994a2-42a2-41a8-a3a9-bc5b938fe958.png)
@@ -42 +42 @@ The diagram shows the following workflow:
-  1. Users access your application over the internet through Amazon CloudFront. You can use the default DNS in CloudFront or the DNS supported by [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html).
+  1. Users access your application over the internet through CloudFront. You can use the default DNS in CloudFront or the DNS supported by [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html).
@@ -44 +44 @@ The diagram shows the following workflow:
-  2. Internet gateway routing logic forwards all the incoming requests intended for the Application Load Balancer to Network Firewall over the firewall's network interface through the routing table configuration. This is illustrated by **Route table IGW** in the diagram from the Perimeter zone architecture based on Network Firewall section of this guide.
+  2. Internet gateway routing logic forwards all the incoming requests intended for the Application Load Balancer to Network Firewall over the firewall's network interface through the routing table configuration. This is illustrated by **Route table IGW** in the diagram from the _Perimeter zone architecture based on Network Firewall_ section of this guide.
@@ -48 +48 @@ The diagram shows the following workflow:
-  4. The incoming traffic that passes the firewall reaches the Application Load Balancer without changes. When the Application Load Balancer responds again, it forwards the requests (based on the routing table logic) to the network firewall. This is illustrated by **Route table endpoint A** and **Route table endpoint B** in the diagram from the Perimeter zone architecture based on Network Firewall section of this guide.
+  4. The incoming traffic that passes the firewall reaches the Application Load Balancer without changes. When the Application Load Balancer responds again, it forwards the requests (based on the routing table logic) to the network firewall. This is illustrated by **Route table endpoint A** and **Route table endpoint B** in the diagram from the _Perimeter zone architecture based on Network Firewall_ section of this guide.
@@ -59 +59 @@ We recommend that you include the following components in the perimeter zone arc
-  * [Internet gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html) – Use internet gateway to connect your VPC to the internet. Based on the route tables (see **Route table IGW** in the diagram from the Perimeter zone architecture based on Network Firewall section of this guide), all the incoming traffic intended for the endpoint subnet (that is, for the load balancer) is routed first to Network Firewall over its elastic network interface. This is illustrated by **eni-id-sec1** and **eni-id-sec2** in the diagram from the Perimeter zone architecture based on Network Firewall section of this guide.
+  * [Internet gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html) – Use internet gateway to connect your VPC to the internet. Based on the route tables (see **Route table IGW** in the diagram from the _Perimeter zone architecture based on Network Firewall_ section of this guide), all the incoming traffic intended for the endpoint subnet (that is, for the load balancer) is routed first to Network Firewall over its elastic network interface. This is illustrated by **eni-id-sec1** and**eni-id-sec2** in the diagram from the _Perimeter zone architecture based on Network Firewall_ section of this guide.
@@ -61 +61 @@ We recommend that you include the following components in the perimeter zone arc
-  * [Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) – Network Firewall is an autoscaling firewall that provides firewalling and monitoring capabilities for ingress and egress traffic. You can attach Network Firewall to your VPC over the Gateway Load Balancer endpoint type. Place the endpoints in a public facing network to allow traffic to and from the internet gateway to be routed to Network Firewall. This is illustrated by **Route table security** in the diagram from the Perimeter zone architecture based on Network Firewall section of this guide.
+  * [Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) – Network Firewall is an autoscaling firewall that provides firewalling and monitoring capabilities for ingress and egress traffic. You can attach Network Firewall to your VPC over the Gateway Load Balancer endpoint type. Place the endpoints in a public facing network to allow traffic to and from the internet gateway to be routed to Network Firewall. This is illustrated by **Route table security** in the diagram from the _Perimeter zone architecture based on Network Firewall_ section of this guide. 
@@ -63 +63 @@ We recommend that you include the following components in the perimeter zone arc
-  * [Endpoint subnet and Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html) – Use an internet-facing Application Load Balancer to make your application accessible over the internet. You must have a protected subnet that's exposed to the internet over Network Firewall only. This routing is defined by the route table configurations. The route table allows only one route with source **0.0.0.0/0** , so you must have two route tables for each subnet and firewall network interface combination. This is illustrated by **Route table endpoint A** and **Route table endpoint B** in the diagram from the Perimeter zone architecture based on Network Firewall section of this guide. To have encryption in transit, you must enable the load balancer with SSL.
+  * [Endpoint subnet and Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html) – Use an internet-facing Application Load Balancer to make your application accessible over the internet. You must have a protected subnet that's exposed to the internet over Network Firewall only. This routing is defined by the route table configurations. The route table allows only one route with source **0.0.0.0/0** , so you must have two route tables for each subnet and firewall network interface combination. This is illustrated by **Route table endpoint A** and **Route table endpoint B** in the diagram from the _Perimeter zone architecture based on Network Firewall_ section of this guide. To have encryption in transit, you must enable the load balancer with SSL.