Also read Azure Firewall versus NSGs and GCP Firewall Policies versus VPC Firewall Rules

Traffic filtering is what Next Gen Firewalls (NGFWs, e.g. Palo Alto) provide.

Whether you need a Next Gen Firewall depends on your data protection and compliance requirements (read this for in-transit data protection and at-rest data encryption).

When to use a Next Gen Firewall?

The primary use case is to filter traffic between environments (e.g. a staging and a production environment).

In addition, you may also want a centralized firewall management solution (a single appliance for managing multiple VPCs / VNETs).

A potential architecture

A potential architecture may isolate individual workloads using Security Groups (and/or NACLs) within a VPC, and then use a Palo Alto to isolate one environment from another. So, in transport between Production and Non-Production (and transport can mean something as simple as exporting a disk volume from NetApp), the Palo Alto provides the firewall rules and also, optionally, packet-level inspection.
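The two-tier model above (Security Groups inside a VPC, an NGFW on the path between environments) is easier to reason about when the decision order is written down. The following is an added illustration, not code from the post or from Palo Alto: a small policy evaluator in which intra-environment flows are decided only by allow-only Security Group rules, and cross-environment flows are first decided by an application-aware boundary firewall (default deny) and then still have to pass the destination Security Group. The environments, hosts, CIDRs, ports, rules and the `app` label on each flow are constructed sample data; the `app` label stands in for what an NGFW's inspection would identify.

```python
"""Two-tier filtering: Security Groups within a VPC plus a Next Gen Firewall
between environments. Added example with constructed sample data; it is not
code from the original post or from any firewall vendor."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    port: int   # destination TCP port
    app: str    # application identified by inspection (constructed label)


@dataclass
class Environment:
    name: str
    cidr: str
    # Security Group rules: (destination host, allowed source CIDR, port).
    sg_rules: list = field(default_factory=list)

    def contains(self, ip: str) -> bool:
        return ip_address(ip) in ip_network(self.cidr)

    def sg_allows(self, flow: Flow) -> bool:
        """Allow-only rules: a flow that matches no rule is denied."""
        return any(
            flow.dst == host
            and flow.port == port
            and ip_address(flow.src) in ip_network(src_cidr)
            for host, src_cidr, port in self.sg_rules
        )


@dataclass
class BoundaryFirewall:
    """NGFW rule base between environments.
    Each rule is (from_env, to_env, app, port, inspect); default deny."""
    rules: list

    def decide(self, flow: Flow, from_env: str, to_env: str) -> str:
        for f, t, app, port, inspect in self.rules:
            if (f, t, app, port) == (from_env, to_env, flow.app, flow.port):
                return "allow+inspect" if inspect else "allow"
        return "deny"


def evaluate(flow: Flow, environments: list, firewall: BoundaryFirewall):
    """Return (deciding layer, verdict) for one flow."""
    src_env = next((e for e in environments if e.contains(flow.src)), None)
    dst_env = next((e for e in environments if e.contains(flow.dst)), None)
    if src_env is None or dst_env is None:
        return ("unknown", "deny")
    if src_env is dst_env:
        # Same environment: only the Security Group is on the path.
        return ("sg", "allow" if dst_env.sg_allows(flow) else "deny")
    # Cross-environment: routed through the boundary firewall first, and the
    # destination Security Group must still permit the flow afterwards.
    verdict = firewall.decide(flow, src_env.name, dst_env.name)
    if verdict == "deny":
        return ("ngfw", "deny")
    return ("ngfw+sg", verdict if dst_env.sg_allows(flow) else "deny")


def run_samples() -> dict:
    """Constructed environments, rules and flows (not from the post)."""
    prod = Environment("prod", "10.10.0.0/16",
                       sg_rules=[("10.10.1.5", "10.10.2.0/24", 5432)])
    nonprod = Environment("nonprod", "10.20.0.0/16",
                          sg_rules=[("10.20.1.9", "10.10.0.0/16", 2049)])
    # Only the NetApp-style volume export from prod to nonprod is permitted,
    # and it is inspected; nothing is allowed from nonprod into prod.
    fw = BoundaryFirewall(rules=[("prod", "nonprod", "nfs", 2049, True)])
    envs = [prod, nonprod]
    flows = {
        "intra-prod-db": Flow("10.10.2.7", "10.10.1.5", 5432, "postgres"),
        "nonprod-to-prod-db": Flow("10.20.2.7", "10.10.1.5", 5432, "postgres"),
        "prod-export-to-nonprod": Flow("10.10.3.3", "10.20.1.9", 2049, "nfs"),
        # Same port as the export, but inspection identifies a different app.
        "prod-other-app-on-nfs-port": Flow("10.10.3.3", "10.20.1.9", 2049, "ssh"),
    }
    return {name: evaluate(f, envs, fw) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:30} {verdict[0]:8} {verdict[1]}")
```

The last sample is the point of the optional inspection: a Security Group only sees source, destination and port, so it would treat the two flows on port 2049 identically, while the boundary firewall can distinguish them by application.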

Need an experienced Cloud Security Expert?
Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.