
AWS Network Firewall Gets Transit Gateway Attachment

2026-06-01 · aws-security

AWS says Network Firewall can now attach natively to Transit Gateway, removing the need for a separate inspection VPC in centralized designs. The company frames this as a way to simplify network security architecture while also improving cost allocation. For teams running distributed infrastructure, the change reduces the number of moving parts between workloads, inspection, and egress control.


What Happened

AWS introduced native attachment between Network Firewall and Transit Gateway. Instead of building and managing a dedicated inspection VPC, customers can attach the firewall directly to Transit Gateway and let AWS handle the firewall endpoints. The post includes migration guidance for common centralized architectures and positions the feature as a cleaner replacement for the older inspection-VPC pattern.

The Cost of Data Loss

Complex security routing tends to fail in messy, expensive ways: missed traffic paths, uneven inspection, and slower recovery after an incident. When teams have to reason through too many routing layers, response slows and the window for exfiltration or ransomware spread widens. In that kind of failure, the cost is not just downtime. It is the downstream impact on backups, restore confidence, and the ability to prove what was or was not touched.

How Cold Storage Prevents This

Cold storage gives you a last line of defense when network controls are bypassed or misconfigured. Offline or immutable copies can preserve critical data even if production VPCs, inspection layers, or admin access are compromised. Use network segmentation to limit blast radius, but keep a true offline recovery copy so you can rebuild from clean data instead of trusting the compromised environment.
