In this example, the VPC is deployed in the 10.0.0.0/16 network with two /24 subnets: 10.0.0.0/24 and 10.0.1.0/24. The VM-Series firewall will be launched in the 10.0.0.0/24 subnet to which the Internet gateway is attached. The 10.0.1.0/24 subnet is a private subnet that will host the EC2 instances that need to be secured by the VM-Series firewall; any server on this private subnet uses NAT for a routable IP address (which is an Elastic IP address) to access the Internet. Use the Planning Worksheet for the VM-Series in the AWS VPC to plan the design within your VPC; recording the subnet ranges, network interfaces and the associated IP addresses for the EC2 instances, and security groups, will make the setup process easier and more efficient.
The following image depicts the logical flow of traffic to/from the web server to the Internet. Traffic to/from the web server is sent to the data interface of the VM-Series firewall that is attached to the private subnet. The firewall applies policy and processes incoming/outgoing traffic from/to the Internet Gateway of the VPC. The image also shows the security groups to which the data interfaces are attached.