Firewall Sandwich Topology


Avi Vantage, as an application load balancer, provides several benefits to an application. To extend those benefits to network firewalls, the firewalls are sandwiched between load balancers (Avi SEs).
Starting with Avi Vantage release 20.1.1, this solution can be deployed using Avi load balancers in many variants. This is made possible by the Wildcard VIP functionality together with Routing Auto Gateway.


A common firewall sandwich topology is as shown below:

[Image: FW Sandwich]

From the image,

  • Avi SE 1 acts as a load balancer deployed with a Wildcard VIP, and Avi SE 2 acts as a router configured with routing auto gateway enabled. Avi SE 1 and Avi SE 2 are the active SEs of different SE groups deployed in legacy HA mode.
  • Avi SE 1 is deployed with the wildcard VIP, and the traffic gets load balanced to the firewalls. As the firewalls expect the client traffic unchanged for policy validation, the application profile of the wildcard virtual service has to be configured with preserve_client_ip, preserve_client_port and preserve_destination_ip_port.

Refer to the Wildcard VIP and Routing Auto Gateway Functionality articles for more information.

Basic Traffic Flow via Firewall Sandwich

The basic traffic flow from the internet (www) to an internal server of the corporate network is explained below.

[Image: FW Sandwich]

The traffic flow via the firewall sandwich topology deployed is as explained below:

  • Avi SE 1 is introduced ahead of the firewalls and load balances the traffic across them. The orange flow in the image above indicates the load balancing of the client traffic to a firewall.

  • The traffic that passes the firewall policies is then propagated to Avi SE 2.

  • Avi SE 2 has routing with the auto gateway functionality enabled, so the traffic is routed to the internal network while Avi SE 2 remembers which firewall (here FW 1) it arrived from. The purple flow indicates the routing traffic.

  • The traffic from the internal network passes through Avi SE 2, which acts as a router. Avi SE 2 has the auto gateway functionality that ensures the traffic is redirected to the firewall it was propagated from.

  • The firewall forwards the same traffic to Avi SE 1.

  • From Avi SE 1, the traffic goes outbound via the corporate network.

The firewall sandwich topology improves the:

  • Availability of the firewalls

  • Scalability of the firewall traffic

  • Manageability in case of failover or maintenance

Use Cases

Many combinations of the firewall sandwich model can be derived from the configuration of Wildcard VIP and Routing Auto Gateway. These are some use cases of the firewall sandwich topology that can be deployed using the wildcard VIP and auto gateway functionality:

Deployment Scenario 1

The client can configure the wildcard VIP on Avi SE 1 to load balance only 40 percent of the traffic to the FWs. The remaining 60 percent of the traffic is routed directly to Avi SE-2, which, using the auto gateway functionality, routes the return traffic back to Avi SE 1, from where it reaches the client.

Note: The Avi SE-1 and Avi SE-2 are active SEs of different SE groups deployed in legacy HA mode.

[Image: FW Sandwich]

In this use case, a sample of the traffic is inspected by the firewalls, and the remainder is treated as trusted traffic and routed directly to the internal network.

Deployment Scenario 2

The Avi SE-1 is deployed as the wildcard virtual service load balancer and Avi SE-2 is the application load balancer.

[Image: FW Sandwich]

  • The Avi SE-1 acts as the network load balancer with wildcard VIP installed. The Avi SE-1 selects one FW and forwards the traffic to the FW, and from there, the traffic is sent to the Avi SE-2, which is the application load balancer.

  • The application virtual service picks the traffic and load balances it into the internal network.

  • When Avi SE-2 receives the response from the application server, it sends the traffic back to the same FW it came from.

  • The traffic then reaches the Avi-SE 1 and further reaches the client.

  • 60 percent of the traffic moves from Avi-SE 1 to the Avi-SE 2 directly. It gets load balanced here and is redirected to Avi-SE 1. It then gets propagated to the client.

Open Firewall Sandwich Topology

This topology is also called Firewall on a Stick. In this topology, a single Avi SE-1 hosts a wildcard VIP and also acts as a router. Here, the Avi SE has a three-arm setup:

  • One arm is connected to the internet (interface 1)
  • One arm is connected to FW 1, FW 2, and FW 3 (interface 2)
  • One arm is connected to the internal network (interface 3)

[Image: FW Sandwich]

  • Traffic from the North reaches interface 1 of the Avi SE. It matches the wildcard virtual service, which selects one of the FWs. The Avi SE acts as the default gateway for the FW, so the FW forwards the same traffic back to the Avi SE on interface 2. Because the wildcard VIP is placed only on interface 1, this traffic does not match the VIP again and is forwarded as a routing flow to the internal network.

  • When the traffic returns, the flow entries match and the traffic is returned to the same FW from which it was propagated. From FW 1, the traffic flows to the client, based on the reverse flow entry that is installed as a part of the wildcard VIP.

  • The wildcard VIP can have multiple services, for example *,80 and *,8080. If traffic matches *,8080, it is transparently forwarded to the internal network and the return traffic is routed directly to the client.

  • A portion of the traffic gets matched with the wildcard VIP and gets load balanced to the internal network. The traffic that does not match the wildcard VIP is part of the routing flow.

Firewall (FW) Sandwich Topology in Detail

In this topology, Avi SE 1 of the Tier 1 SE group has the wildcard VIP configured. Avi SE 2 of the Tier 2 SE group is deployed as the L3 router with auto gateway functionality. The wildcard VIP and the auto gateway functionality are configured as shown below:

[Image: FW Sandwich]

In VS-1 / is configured as the wildcard VIP and FW 1, FW 2, and FW 3 are configured as pool members. This is the network configuration in every element of this sandwich topology.

Traffic flow from the Internet to the Internal Servers in the Firewall Sandwich

The client initiates the traffic to the server from The traffic traverses from North to South and is detailed below with the sample flow entries as shown in the image:

[Image: FW Sandwich]

Step 1: The traffic reaches Avi SE 1 and matches the static route. As it is the internal network, the next hop is which is the floating interface IP of Avi SE 1.

Step 2: In Avi SE 1, the traffic matches the wildcard VS-1 (/), which selects FW 1 and transparently forwards the traffic to it without SNAT or DNAT.

Step 3: FW 1 delivers this packet to Avi SE 2 based on the routes configured in the FW layer.

Step 4: Avi SE 2 is deployed as an L3 router with auto gateway functionality. The traffic matches the routing service with enable_auto_gateway enabled, and Avi SE 2 installs the flow entries.

The MAC address of FW 1 is cached in the backend flow entry and used on the return path, because the traffic in the return direction has to go back through the same FW it came from.

Return Traffic flow from the Internal Servers to the Internet in the Firewall Sandwich

The traffic flow from server to client is as shown below:

[Image: FW Sandwich]

Step 5: The traffic reaches Avi SE 2, as it is configured as the default gateway of the internal servers.

Step 6: When the traffic reaches Avi SE 2, it matches the reverse-flow entry, and Avi SE 2 forwards it to FW 1 based on the cached auto gateway MAC address.

Step 7: FW 1 returns the traffic to Avi SE 1.

Step 8: In Avi SE 1, the traffic matches the reverse-flow entry installed by the wildcard VS as part of the load balancing flow, and the traffic returns to the client.
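The forward and return path of Steps 1 to 8, and the *,80 / *,8080 service matching of the open sandwich topology above, as an added example modelled in Python. This is a simplified model written for this article, not Avi's data-path code: the class names, Pkt and round_trip are hypothetical, the IPs and MACs are constructed, and a CRC of the 4-tuple stands in for the real pool selection.

```python
import zlib
from dataclasses import dataclass
@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_mac: str = ""  # MAC of the hop this packet arrived from (constructed values)

def fwd_key(p): return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
def rev_key(p): return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

class WildcardVsSE:
    """SE 1: wildcard VS with the firewalls as pool members; no SNAT or DNAT."""
    def __init__(self, services, fw_macs):
        self.services = services  # e.g. {("*", 80), ("*", 8080)}; "*" matches any VIP
        self.fw_macs = fw_macs    # pool member -> MAC of its interface facing SE 2
        self.rev_flows = {}       # reverse flow entry installed for each load-balanced flow
    def matches(self, p):
        return any(ip in ("*", p.dst_ip) and port == p.dst_port for ip, port in self.services)
    def inbound(self, p):
        if not self.matches(p):
            return "route", None  # plain routing flow: firewalls are bypassed
        names = sorted(self.fw_macs)
        fw = names[zlib.crc32(repr(fwd_key(p)).encode()) % len(names)]  # stable per-flow choice
        self.rev_flows[rev_key(p)] = fw  # client IP/port and destination IP/port stay unchanged
        return "fw", fw
    def outbound(self, p):  # the response's own 4-tuple is the reverse key of the request
        return "client" if fwd_key(p) in self.rev_flows else "route"

class AutoGwRouterSE:
    """SE 2: L3 router with auto gateway; remembers the ingress (FW) MAC per flow."""
    def __init__(self):
        self.rev_flows = {}
    def inbound(self, p):
        self.rev_flows[rev_key(p)] = p.src_mac  # FW MAC cached in the backend flow entry
    def outbound(self, p):
        return self.rev_flows.get(fwd_key(p))  # None means: fall back to the static route

def round_trip(se1, se2, req):
    """Walk one request and its response; returns (FW chosen inbound, FW used on return)."""
    kind, fw = se1.inbound(req)
    if kind == "route":
        return None, None
    se2.inbound(Pkt(req.src_ip, req.src_port, req.dst_ip, req.dst_port, se1.fw_macs[fw]))
    resp = Pkt(req.dst_ip, req.dst_port, req.src_ip, req.src_port)
    mac = se2.outbound(resp)  # Step 6: sent to the cached MAC, not along the static route
    back = next((n for n, m in se1.fw_macs.items() if m == mac), None)
    return fw, (back if se1.outbound(resp) == "client" else None)  # Step 8
```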

Date           Change Summary
July 30, 2020  Published the Feature KB for Firewall Sandwich Topology (Version 20.1.1)