Enterprise Zero Trust Secure Landing Zone Reference Architecture

A technical deep dive into secure landing zone design, network segmentation, SIEM and SOAR integration, Zero Trust access control, and operational security engineering across AWS, Azure, Palo Alto, Fortinet, and Zscaler SSE environments.

Overview

This reference architecture demonstrates a practical enterprise implementation approach for secure AWS and Azure landing zones using Zero Trust security principles, network segmentation, SIEM and SOAR integration, and centralised security operations.

The design shows how organisations can modernise legacy perimeter-based security models by implementing identity-aware access controls, cloud-native security services, next-generation firewalls, and automated incident response workflows across hybrid environments.

[Figure: Zero Trust Landing Zone, multi-cloud reference architecture (deny by default, identity-aware, continuously verified, hybrid AWS + Azure + on-premises). Panels: Identity Control Plane (Entra ID / AWS IAM, Conditional Access / PIM, MFA / FIDO2, Zero Trust policy engine, UEBA / behaviour, device compliance / MDM); Users (corporate devices, BYOD / remote, third party / B2B); SSE / SASE (Zscaler ZIA / ZPA, SWG / CASB / DLP, private access / ZTNA); AWS Landing Zone (Control Tower / SCPs, Transit Gateway / VPC, GuardDuty / Security Hub); Azure Landing Zone (Management Groups / Policy, Virtual WAN / vHub, Defender for Cloud / Sentinel); On-Premises (data centre, ExpressRoute / Direct Connect, Active Directory / LDAP); Policy Enforcement Layer (Palo Alto / Fortinet NGFW, micro-segmentation rules, TLS 1.3 inspection, east-west traffic control, SCPs / Azure Policy; all traffic inspected, identity verified at every hop); SOC / SIEM / SOAR (Splunk, Microsoft Sentinel, XSOAR, CloudTrail / Activity Log, GuardDuty / Defender, firewall logs / NetFlow, TIP / MISP / IOC feeds); Infrastructure as Code (Terraform modules, Azure Bicep / ARM, OPA / Sentinel policy, GitHub Actions CI/CD, config drift detection, compliance as code / CIS).]
// Zero Trust Landing Zone — Multi-Cloud Reference Architecture: AWS + Azure + On-Premises with identity control plane and policy enforcement
Topics: Palo Alto NGFW & Panorama · Fortinet FortiGate & FortiManager · Zscaler SSE (ZIA/ZPA) · AWS Secure Landing Zone · Azure Secure Landing Zone · SIEM & XSOAR Integration · Infrastructure as Code · Zero Trust Architecture

Key Capabilities Delivered

Cloud Security & Landing Zones
  • AWS and Azure secure landing zone architecture
  • Multi-cloud network segmentation
  • Secure ingress and egress design
  • Transit Gateway and Virtual WAN integration
  • Private endpoint architecture
  • Cloud-native security telemetry integration
Zero Trust Network Architecture
  • Identity-aware access controls
  • Least privilege firewall policy design
  • East-west traffic segmentation
  • Application-level access enforcement
  • Continuous trust validation
  • Device posture-aware access
Firewall Engineering
  • Palo Alto NGFW perimeter and VPN zoning
  • FortiGate internal segmentation and edge security
  • Panorama and FortiManager centralised governance
  • Threat prevention, SSL inspection, and IPS policies
  • NAT and VPN policy management
SIEM & SOAR Integration
  • Centralised log aggregation
  • Firewall, cloud, and identity telemetry
  • SOC alert correlation workflows
  • XSOAR automation and playbooks
  • Incident response orchestration
  • Threat intelligence enrichment
[Figure: Enterprise Secure Landing Zone, architecture overview (AWS + Azure + on-premises, Zero Trust, SIEM/SOAR, IaC, SSE, BAS continuous validation). Panels: Identity Control Plane (Entra ID / PIM / MFA, Conditional Access, PAM / CyberArk, Zero Trust policy engine, UEBA / device compliance); Users (corporate / remote, third party / BYOD, admins via PAM only); SSE / ZTNA (Zscaler ZIA / ZPA, SWG / CASB / DLP, no network-level VPN); On-Premises (data centre, ExpressRoute / DX, NGFW + NDR); AWS LZ (Control Tower / SCPs, Transit GW / VPC, GuardDuty / Network Firewall); Azure LZ (management groups / policy, Virtual WAN / vHub, Defender / Sentinel); BreachForge BAS (simulation, live TI portal, ATT&CK validation); Policy Enforcement (deny by default; Palo Alto / Fortinet / Azure Firewall / AWS Network Firewall; all boundaries inspected; IaC managed via Terraform + Bicep; Panorama + FortiManager + Azure Policy + SCPs; no manual changes); SOC / SIEM / SOAR (Splunk, Sentinel, Cortex XSOAR, automated playbooks, TIP integration; MTTD under 90 minutes, MTTR under 2 hours, tier-1 auto-resolved, all telemetry centralised, BAS validates every control); Infrastructure as Code (Terraform, Bicep, GitHub Actions, OPA, config drift detection, compliance reports for NIST CSF, ISO 27001, CIS Benchmarks, SOC 2, evidence generated automatically).]
// Enterprise secure landing zone architecture overview

Technical Design Objectives

The secure landing zone architecture was designed to support enterprise-scale cloud transformation, Zero Trust security enforcement, and SOC modernisation across hybrid AWS, Azure, and on-premises environments. The primary objective was to establish a repeatable, security-governed architecture capable of supporting secure workload migration, centralised visibility, and automated incident response while reducing attack surface and operational risk.

Core Objectives

  • Remove implicit trust between all network zones
  • Eliminate broad flat-network VPN access
  • Standardise firewall governance across hybrid environments
  • Improve SOC visibility across hybrid infrastructure
  • Enable centralised SIEM and XSOAR operations
  • Reduce lateral movement risk through micro-segmentation
  • Enforce least privilege access across all identities
  • Implement repeatable IaC-driven cloud security patterns
  • Automate security operations and incident response
  • Support scalable enterprise cloud migration programmes
[Figure: Zero Trust design principles applied across security domains. Each principle is shown with where it is applied, the tools that enforce it, and how BAS validates it:
  • Never Trust, Always Verify: every access request verified regardless of network location or prior session. Applied to identity, device, network. Tools: Entra CA, ZPA, PAM, MFA. Validated by BAS scenarios S3 and S8 (identity attacks).
  • Least Privilege Access: the minimum access required for the task, no standing privileges. Applied to IAM, RBAC, PIM, PAM. Tools: Entra PIM, CyberArk, AWS IAM. Validated by BAS scenarios S2 and S6 (privilege abuse).
  • Assume Breach: design as if attackers are already inside and minimise blast radius. Applied to segmentation, encryption. Tools: NGFW, NDR, SIEM, SOAR. Validated by all 10 BAS scenarios.
  • Explicit Verification: authenticate and authorise on all available signals, not just identity. Applied to device, location, risk. Tools: Entra CA, ZIA, UEBA, MDM. Validated by BAS scenarios S4 and S10 (bypass).
  • Continuous Monitoring: real-time visibility across all layers, detect and respond without delay. Applied to SIEM, NDR, CSPM, EDR. Tools: Splunk, Sentinel, GuardDuty. Validated by BAS detection-gap analysis.
  • Secure by Design: security embedded at every layer, not bolted on after deployment. Applied to IaC, policy, architecture. Tools: Terraform, OPA, SCPs, Bicep. Validated by config drift detection.
All six principles are applied simultaneously; no single principle is sufficient in isolation. BAS continuous validation confirms each principle is enforced at runtime, not just at design time.]
// Zero Trust design principles applied across the security domains

Zero Trust Network Segmentation

The architecture applies Zero Trust segmentation to remove implicit trust between users, workloads, cloud services, and network zones across AWS, Azure, and on-premises environments. Traffic between zones is denied by default unless explicitly authorised through policy-based controls.
Edge Security
Internet ingress and egress inspection, DDoS protection, SSL/TLS inspection, threat prevention, DNS security, and geo-blocking via Palo Alto, FortiGate, and Zscaler ZIA.
Perimeter Zones
Isolates publicly accessible services from internal tiers: reverse proxies, WAFs, public APIs, DMZ workloads. Inbound services are restricted, with TLS termination and API inspection at the boundary.
Application Tiers
Segmented by business criticality and environment. Micro-segmentation, security groups, App-ID-based firewall rules, Layer 7 policy enforcement.
Data Tiers
Highly restricted zones with strict least-privilege firewall rules. No direct internet or user access. Private endpoint access only. Database access monitoring and DLP integration.
Management Zones
Isolated administrative services, bastion hosts, PAM platforms, SIEM and XSOAR infrastructure. MFA, certificate auth, PAM, device posture, and time-bound admin access.
VPN Zones
Segmented by user type: corporate, privileged admin, third-party, partners, SOC analysts. Identity-aware, application-level access only. No broad network trust.
[Figure: Zero Trust network segmentation, trust zone architecture (VPN zones by user type, application-level access only, no implicit trust, identity-aware at every boundary). Zones: Corporate (managed, MDM-compliant device, full app access, internal DNS; trust medium, verified continuously); Privileged Admin (PAM session only, time-bound access, MFA + hardware key, session recording, bastion / jump host; explicit trust only, every session approved); Third Party (unmanaged device, vendor / contractor, ZTNA app-specific, no internal access; app-level trust only, isolated from the network); Partners / B2B (Entra B2B / B2C, API gateway only, scoped permissions, no direct DB access; scoped trust, federation only); SOC Analysts (read-only by default, SIEM / SOAR access, endpoint isolate only, no prod write access; functional, role-scoped trust). Trust levels: Zero (default deny, no access without policy); Conditional / low (policy + MFA required); Verified / medium (device + identity check); Explicit / app only (scoped per application); Privileged / explicit (PAM + session recording). Zero Trust policy engine: Entra Conditional Access, PIM, Zscaler ZPA, PAM; every access request evaluated against user identity, device state, location, risk score and app sensitivity.]
// Zero Trust network segmentation and trust zone architecture

Firewall Engineering & Connectivity

The connectivity model enforces a deny-by-default posture across all network zones and routes all trusted and untrusted traffic through designated inspection and policy enforcement points. All traffic crossing security boundaries is logged and forwarded into SIEM and XSOAR workflows.

Palo Alto Networks

Deployed as the primary perimeter inspection and VPN segmentation layer. Application-aware controls enforced using App-ID, User-ID, Device-ID, URL Filtering, DNS Security, Threat Prevention, and WildFire. Panorama provides centralised firewall governance, policy lifecycle management, and log forwarding configuration.

[Figure: Zero Trust network segmentation model, five security zones with deny by default between all zones, explicit policy required, east-west and north-south inspection. Internet (untrusted users, threat actors, partners / B2B; all denied by default without policy). Zone 1 DMZ (NGFW / WAF, reverse proxy, inline IDS / IPS, DDoS protection; explicit allow HTTPS 443 only, authenticated only). Zone 2 App (web / app servers, API services, containers / ECS, service mesh; explicit allow app to data only, mTLS enforced). Zone 3 Identity (domain controllers, PKI / ADCS, PAM / CyberArk, RADIUS / MFA; explicit allow for auth requests only, no direct internet). Zone 4 Data (databases / RDS, S3 / Blob storage, KMS / Key Vault, data classification; explicit allow from the app layer only, encrypted in transit). Management (bastion hosts, jump servers, SIEM / SOAR, NDR / logging; reads from all zones, write-only log feeds). East-west traffic denied by default, lateral movement detection via NDR, all sessions logged to SIEM.]
// Zero Trust Network Segmentation — Five security zones with deny-by-default policy between all zones and explicit allow rules

FortiGate

Deployed for enterprise edge security, internal segmentation, datacentre connectivity, SD-WAN routing, and IPSec site-to-site VPNs. FortiManager standardises policy governance and change control. FortiAnalyzer provides traffic analytics and SIEM forwarding. FortiAuthenticator handles MFA and certificate-based authentication.

AWS Connectivity

Segmented VPC architectures connected through AWS Transit Gateway for centralised routing and inspection. Public-facing workloads routed through AWS ALB, WAF inspection layers, and Palo Alto perimeter inspection. PrivateLink and VPC Endpoints remove unnecessary internet exposure. Cloud security telemetry from VPC Flow Logs, CloudTrail, GuardDuty, Security Hub, and WAF logs forwarded into centralised SIEM.

Azure Connectivity

Hub-and-spoke VNet connectivity with Azure Virtual WAN. Azure Application Gateway provides Layer 7 load balancing and WAF protection. Azure API Management secures API ingress. Private Endpoints implemented for all PaaS services, removing the need for internet-exposed management or data services.

[Figure: Firewall engineering and hybrid cloud connectivity model (deny by default, all boundaries inspected, Palo Alto + Fortinet + Azure Firewall + AWS Network Firewall). Internet (untrusted, threat actors) into Edge NGFW (Palo Alto PA-5200 and FortiGate 3000F, HA active/passive, inline IDS/IPS, SSL inspection, App-ID / URL filtering, managed by Panorama and FortiManager HA); Transit Hub (AWS Transit Gateway, Azure Virtual WAN, ExpressRoute / Direct Connect, BGP routing, route tables / UDR, hub-spoke routing, all traffic to the inspection firewall); AWS (AWS Network Firewall, security groups, WAF / Shield, GuardDuty); Azure (Azure Firewall Premium, NSG / ASG, Front Door / WAF, DDoS Protection); On-Premises (data centre firewall, core / distribution, server VLAN, user VLAN, NAC / 802.1X); Central Management (Panorama, FortiManager, Azure Firewall Policy, AWS Firewall Manager, SIEM log feed, Terraform IaC; all changes via IaC, no manual firewall edits). All traffic traversing security zone boundaries is explicitly authorised, application-aware, TLS inspected and logged to SIEM; no firewall rule changes outside the IaC pipeline; Panorama and FortiManager enforce policy consistency across all platforms.]
// Firewall engineering and hybrid cloud connectivity model

Secure Remote Access & SSE

Traditional perimeter-based remote access was replaced with identity-aware, application-specific access controls. The architecture eliminates broad network-level trust and enforces continuous verification of users, devices, applications, and access context before access is granted.

Zscaler Internet Access (ZIA)

All outbound internet traffic routed through ZIA inspection nodes. Controls include secure web gateway filtering, URL categorisation, threat intelligence validation, SSL/TLS inspection, DNS security, malware sandboxing, CASB inspection, and DLP enforcement. Threat telemetry forwarded into SIEM alongside firewall, endpoint, identity, and cloud telemetry.

Zscaler Private Access (ZPA)

Zero Trust application access for internal applications across AWS, Azure, and on-premises. Applications remain non-internet routable. ZPA App Connectors deployed within AWS VPCs, Azure VNets, and datacentres broker secure outbound-only application connectivity, so no inbound listener is ever exposed. Third-party suppliers are isolated into dedicated access groups with no lateral network access.

Device Posture and MFA

Endpoint health checks, OS validation, EDR verification, certificate validation, patch compliance, and disk encryption validation are enforced before access is granted. Non-compliant devices are blocked or redirected to remediation. Conditional access policies evaluate user identity, device trust state, geolocation, authentication risk, and threat intelligence indicators dynamically.
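As an added illustration of the evaluation the paragraph above describes (example code written for this article, not Entra Conditional Access, Zscaler or any vendor's policy engine): a small deny-by-default policy engine that scores one access request on identity group, device posture, MFA strength, PAM session, location and risk score, and returns the decision together with the reasons so that every outcome is auditable. The rule order, the thresholds, the country allow-list, the vendor app scope and the sample requests are all assumptions for the example.

```python
"""Added example: a minimal Zero Trust access policy engine (illustrative code written
for this article, not Entra Conditional Access, Zscaler or any vendor product).
The rule order, thresholds, country allow-list, vendor app scope and the sample
requests are assumptions."""
from dataclasses import dataclass, field

# Posture checks named in the text; a device is compliant only if every one passes.
REQUIRED_POSTURE = ("os_supported", "edr_running", "cert_valid", "patch_compliant", "disk_encrypted")
ALLOWED_COUNTRIES = {"GB", "IE", "DE", "NL"}             # assumed geo allow-list
VENDOR_SCOPED_APPS = {"ticketing-portal", "file-drop"}    # assumed per-vendor ZTNA scope
HIGH_RISK, MEDIUM_RISK = 70, 40                           # assumed UEBA / IdP risk thresholds

@dataclass
class AccessRequest:
    user: str
    group: str              # corp | admin | vendor | partner | soc
    app: str
    sensitivity: str        # public | internal | confidential | admin
    managed: bool           # MDM-enrolled corporate device
    posture: dict = field(default_factory=dict)
    mfa: str = "none"       # none | otp | fido2
    pam_session: bool = False
    country: str = "GB"
    risk: int = 0           # 0-100 from the identity provider / UEBA

@dataclass
class Decision:
    action: str             # allow | step_up | remediate | deny
    reasons: list

def device_compliant(req):
    return req.managed and all(req.posture.get(check, False) for check in REQUIRED_POSTURE)

def evaluate(req):
    """Deny by default: each rule can only block, demand more, or fall through to the next."""
    if req.country not in ALLOWED_COUNTRIES:
        return Decision("deny", [f"location {req.country} not in allow-list"])
    if req.risk >= HIGH_RISK:
        return Decision("deny", [f"risk score {req.risk} at or above {HIGH_RISK}"])
    if req.sensitivity == "admin":   # admin paths: PAM-brokered, hardware key, compliant device
        missing = []
        if req.group != "admin": missing.append("not in admin group")
        if not req.pam_session: missing.append("no PAM-brokered session")
        if req.mfa != "fido2": missing.append("hardware-key MFA required")
        if not device_compliant(req): missing.append("device not compliant")
        return Decision("deny", missing) if missing else Decision("allow", ["PAM + FIDO2 + compliant device"])
    if req.group in ("vendor", "partner"):   # third parties: scoped app access, never the network
        if req.app not in VENDOR_SCOPED_APPS:
            return Decision("deny", [f"{req.app} is outside the {req.group} app scope"])
        if req.mfa == "none":
            return Decision("step_up", ["MFA required for third-party access"])
        return Decision("allow", ["scoped application access only"])
    if req.sensitivity != "public" and not req.managed:
        return Decision("deny", ["unmanaged device cannot reach internal applications"])
    if req.managed and not device_compliant(req):
        failed = [c for c in REQUIRED_POSTURE if not req.posture.get(c, False)]
        return Decision("remediate", [f"posture check failed: {c}" for c in failed])
    if req.sensitivity != "public" and req.mfa == "none":
        return Decision("step_up", ["MFA required for internal applications"])
    if req.risk >= MEDIUM_RISK:
        return Decision("step_up", [f"risk score {req.risk} requires re-authentication"])
    return Decision("allow", ["identity, device and context verified"])

GOOD_POSTURE = {c: True for c in REQUIRED_POSTURE}

# Constructed sample requests keyed by scenario name.
SAMPLES = {
    "corp_compliant": AccessRequest("alice", "corp", "hr-portal", "internal", True, GOOD_POSTURE, "otp"),
    "corp_unpatched": AccessRequest("alice", "corp", "hr-portal", "internal", True, {**GOOD_POSTURE, "patch_compliant": False}, "otp"),
    "corp_risky": AccessRequest("alice", "corp", "hr-portal", "internal", True, GOOD_POSTURE, "otp", risk=55),
    "corp_geo_block": AccessRequest("alice", "corp", "hr-portal", "internal", True, GOOD_POSTURE, "otp", country="BR"),
    "vendor_scoped": AccessRequest("vendor1", "vendor", "ticketing-portal", "internal", False, {}, "otp"),
    "vendor_lateral": AccessRequest("vendor1", "vendor", "hr-portal", "internal", False, {}, "otp"),
    "admin_no_pam": AccessRequest("bob", "admin", "panorama", "admin", True, GOOD_POSTURE, "fido2"),
    "admin_pam": AccessRequest("bob", "admin", "panorama", "admin", True, GOOD_POSTURE, "fido2", pam_session=True),
    "byod_internal": AccessRequest("carol", "corp", "hr-portal", "internal", False, {}, "otp"),
}

def decide_all(samples=SAMPLES):
    """Map each scenario to the action the engine takes."""
    return {name: evaluate(req).action for name, req in samples.items()}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        d = evaluate(req)
        print(f"{name:16} {d.action:9} {'; '.join(d.reasons)}")
```

The point of returning reasons rather than a bare verdict is that the SIEM can ingest them: a spike in "remediate" outcomes for one posture check is a fleet problem, and a "deny" with "not in admin group" against an admin application is something the SOC wants correlated with the user's other sign-ins.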

[Figure: Secure remote access and Secure Service Edge (SSE) architecture (Zscaler ZIA + ZPA, ZTNA replaces VPN, identity-aware, device posture, no implicit network trust). Users (corporate laptop, mobile / BYOD, home worker, third party, unmanaged device) connect through the Zscaler SSE cloud: ZIA internet access (SWG, CASB, DLP, sandbox, DNS security, cloud firewall); ZPA private access (ZTNA, app-level access, no network-level trust); ZDX digital experience monitoring; ZPA Connector (on-prem / cloud app broker). Identity (Entra ID / MFA, Conditional Access, device compliance, risk score / UEBA, location / geo-block). Applications (M365 / SaaS, AWS workloads, Azure apps, on-prem apps, private APIs). SOC visibility (ZIA / ZPA log feed to Splunk / Sentinel, UEBA anomaly detection, block + remediate, SOAR playbook). Every request is evaluated on identity, device posture, location and app risk; application-specific access only; device remediation before access is granted.]
// Secure remote access and Secure Service Edge (SSE) architecture

SIEM & SOAR Integration

The SIEM and SOAR architecture consolidates telemetry from firewalls, VPN platforms, cloud-native security services, identity providers, endpoints, SaaS platforms, and DNS services into a centralised operational security platform supporting real-time threat detection, automated incident response, and SOC operations.

Log Aggregation

Centralised log aggregation covers network and firewall telemetry (Palo Alto, FortiGate, WildFire, VPN), cloud security telemetry (AWS CloudTrail, VPC Flow Logs, GuardDuty, Azure Defender, NSG Flow Logs), identity and access telemetry (MFA events, PAM sessions, conditional access decisions), and remote access telemetry (Zscaler ZIA and ZPA logs, DNS security events).

[Figure: SIEM and SOAR integration architecture (centralised telemetry, automated detection, playbook-driven response, threat intelligence enrichment). Telemetry sources: cloud logs (CloudTrail, Activity Logs); identity (Entra sign-in, AD events); endpoint (EDR / XDR: CrowdStrike, MDE); network (firewall / IDS, NetFlow / DNS); cloud security (GuardDuty, Defender for Cloud); SaaS / apps (M365, Okta, Zscaler / SSE); vulnerability / patch (Tenable, Qualys, CSPM). SIEM platform: Splunk Enterprise Security / Microsoft Sentinel (correlation rules / ML, alert triage / priority, dashboards / reporting). Threat intelligence platform: MISP / OpenCTI, CISA KEV / OTX feeds, BreachForge TI portal. SOAR: Cortex XSOAR, Sentinel Logic Apps. Response playbooks: automatic account lockout, IP block via firewall API, endpoint isolation via EDR, automatic IOC enrichment, ticket creation / escalation. SIEM ingests all telemetry, SOAR automates tier-1 response, TIP enriches with current threat actor TTPs.]
// SIEM and SOAR Integration Architecture — Centralised telemetry ingestion, automated playbooks, and threat intelligence enrichment

XSOAR Playbooks

Automated playbooks handle phishing response (URL extraction, threat intelligence lookups, domain blocking), malware callback detection (endpoint isolation, firewall blocking), VPN abuse detection (account suspension, MFA verification), and cloud compromise investigation (CloudTrail and Azure telemetry correlation, workload isolation). Automation reduces MTTD and MTTR while improving response consistency and SOC scalability.
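To make the playbook shapes listed above concrete, here is an added example written for this article; it is not an XSOAR playbook export and uses no vendor SDK. Three playbooks (phishing, malware callback, VPN abuse) share one runner: each classifies the alert, enriches indicators against a threat-intel lookup, takes the automated tier-1 actions through connector stubs, and records every action in an audit trail. The threat-intel verdicts, the alerts and the connector class are constructed; in production the connectors would call the ZIA, firewall, EDR, Entra and ServiceNow APIs and the TIP.

```python
"""Added example: a SOAR playbook runner in the shape of the XSOAR playbooks described in
the article. Written for this article; not XSOAR code. The threat-intel set, the alerts and
the Connectors class are constructed stand-ins for the TIP and the vendor APIs."""
import re
from dataclasses import dataclass, field

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed TIP/MISP verdicts keyed by domain.
THREAT_INTEL = {"login-m365-verify.example": "phishing", "cdn-update.example": "c2"}

def defang(url):
    """Defang URLs before they go into tickets or chat so nobody clicks them."""
    return url.replace("http", "hxxp").replace(".", "[.]")

def domain_of(url):
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()

@dataclass
class Alert:
    kind: str      # phishing | malware_callback | vpn_abuse
    fields: dict

@dataclass
class Incident:
    alert: Alert
    severity: str = "low"
    iocs: dict = field(default_factory=dict)      # indicator -> TI verdict
    actions: list = field(default_factory=list)   # audit trail of every automated action
    escalate: bool = False                        # True = hand to a tier-2 analyst

class Connectors:
    """Stand-ins for the ZIA / firewall / EDR / Entra / ServiceNow APIs; they only record calls."""
    def __init__(self):
        self.calls = []
    def block_domain(self, d): self.calls.append(("zia.url_block", d))
    def block_ip(self, ip): self.calls.append(("firewall.block_ip", ip))
    def isolate_host(self, h): self.calls.append(("edr.isolate", h))
    def disable_account(self, u): self.calls.append(("entra.disable_account", u))
    def revoke_sessions(self, u): self.calls.append(("entra.revoke_sessions", u))
    def ticket(self, summary): self.calls.append(("servicenow.create", summary))

def enrich(domains):
    return {d: THREAT_INTEL.get(d, "unknown") for d in domains}

def phishing_playbook(inc, c):
    urls = URL_RE.findall(inc.alert.fields["body"])
    inc.iocs = enrich(sorted({domain_of(u) for u in urls}))
    hits = [d for d, v in inc.iocs.items() if v != "unknown"]
    for d in hits:
        c.block_domain(d)
        inc.actions.append(f"blocked {d} ({inc.iocs[d]})")
    if hits:
        inc.severity, inc.escalate = "high", True
        for user in inc.alert.fields.get("clicked_by", []):   # anyone who clicked loses their sessions
            c.revoke_sessions(user)
            inc.actions.append(f"revoked sessions for {user}")
    c.ticket("phishing report: " + ", ".join(defang(u) for u in urls))

def malware_callback_playbook(inc, c):
    f = inc.alert.fields
    inc.iocs = enrich([f["domain"]])
    if inc.iocs[f["domain"]] == "c2":
        c.isolate_host(f["host"]); c.block_ip(f["dst_ip"]); c.block_domain(f["domain"])
        inc.actions += [f"isolated {f['host']}", f"blocked {f['dst_ip']}", f"blocked {f['domain']}"]
        inc.severity, inc.escalate = "critical", True
    c.ticket(f"callback from {f['host']} to {defang(f['domain'])}")

def vpn_abuse_playbook(inc, c):
    f = inc.alert.fields
    if len(set(f["countries_last_hour"])) > 1:   # impossible travel inside one hour
        c.disable_account(f["user"]); c.revoke_sessions(f["user"])
        inc.actions += [f"disabled {f['user']}", f"revoked sessions for {f['user']}"]
        inc.severity, inc.escalate = "high", True
    c.ticket(f"VPN anomaly for {f['user']}: {f['countries_last_hour']}")

PLAYBOOKS = {"phishing": phishing_playbook, "malware_callback": malware_callback_playbook,
             "vpn_abuse": vpn_abuse_playbook}

def run(alert):
    """Classify the alert, run its playbook, and return the incident plus the connector audit log."""
    inc, c = Incident(alert), Connectors()
    PLAYBOOKS[alert.kind](inc, c)
    return inc, c.calls

# Constructed alerts.
SAMPLE_ALERTS = {
    "phish_hit": Alert("phishing", {"body": "Verify your account at https://login-m365-verify.example/auth?id=42 "
                                            "or read https://intranet.corp.example/help", "clicked_by": ["alice"]}),
    "phish_benign": Alert("phishing", {"body": "FYI https://intranet.corp.example/policy", "clicked_by": []}),
    "c2_beacon": Alert("malware_callback", {"host": "WS-0417", "dst_ip": "198.51.100.23", "domain": "cdn-update.example"}),
    "impossible_travel": Alert("vpn_abuse", {"user": "bob", "countries_last_hour": ["GB", "BR"]}),
}

if __name__ == "__main__":
    for name, alert in SAMPLE_ALERTS.items():
        inc, calls = run(alert)
        print(f"{name}: severity={inc.severity} escalate={inc.escalate} actions={inc.actions} calls={calls}")
```

Two design points carry over to the real thing: every containment action is written to the incident before the next one runs, so a half-completed playbook still leaves an accurate record, and the benign phishing report still gets a ticket, which is what lets tier-1 auto-resolution be measured against the analyst-handled remainder.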

The value is not "we ran a simulation." The value is "we proved this control failed, fixed it, and can now show it works."
[Figure: XSOAR orchestration model (Cortex XSOAR, automated tier-1 response, playbook-driven, MTTD and MTTR reduction). Alert sources (GuardDuty / Defender for Cloud, EDR: CrowdStrike / MDE, firewall / IDS alerts, identity / Entra alerts, Zscaler ZIA / ZPA events, vulnerability findings) feed Splunk / Sentinel (log aggregation, correlation rules / ML, case creation, dashboard / MTTD tracking), which triggers Cortex XSOAR via API (incident classification, IOC enrichment, playbook execution, analyst notification, action audit log, MTTR tracking). Automated actions: account disable (Entra API), endpoint isolate (EDR API), IP block (firewall API), URL block (ZIA API), ServiceNow ticket creation, Slack / Teams analyst alert, evidence pack / forensic log. Targets shown: MTTD under 15 minutes, MTTR under 2 hours for P1, 60% of tier-1 alerts auto-resolved, all actions audited.]
// Centralised SIEM and SOAR integration model with XSOAR orchestration

Infrastructure as Code & Policy Enforcement

The IaC strategy ensures repeatable, version-controlled deployments with embedded security controls. All infrastructure provisioning is automated through approved templates and governed through centralised policy enforcement, creating a secure-by-default deployment model.

Terraform

Primary multi-cloud IaC platform covering AWS VPC architectures, Azure VNets, segmented subnets, route controls, NAT gateways, load balancers, VPN infrastructure, security groups, NSGs, logging integrations, and cloud-native security services. Reusable modules created for network segmentation, firewall integration, and SIEM onboarding. Terraform state stored in encrypted remote storage with RBAC-controlled access.

Azure Policy and AWS SCPs

Azure Policy enforces governance guardrails including denying public IP creation, restricting internet-exposed storage, enforcing diagnostic logging, and requiring resource tagging. AWS Service Control Policies, attached at the organisation and OU level, stop member accounts from disabling CloudTrail, GuardDuty, Security Hub or AWS Config, deny removal of account-level S3 Block Public Access, restrict API calls to approved regions, and confine IAM changes to the deployment pipeline role so that a compromised workload identity cannot escalate its own privileges. One caveat: SCP condition keys do not expose the CIDR inside a security group rule, so unrestricted 0.0.0.0/0 ingress is detected and remediated through AWS Config managed rules (for example restricted-ssh and vpc-sg-open-only-to-authorized-ports) and Security Hub controls rather than blocked outright by an SCP.
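As an added example of the SCP guardrails described above (written for this article and not taken from the reference repository), here is a policy document built from real IAM actions and condition keys, plus a small evaluator that shows which API calls it blocks. The approved regions, the pipeline role ARN, the account ID and the sample calls are assumptions. The evaluator models only the SCP deny semantics this policy needs (Action / NotAction globs, StringNotEquals, ArnNotLike); it is not a general IAM policy simulator, and it models Deny statements only, because an SCP filters what an account's identities may do and never grants anything itself.

```python
"""Added example: AWS SCP guardrails for the landing zone with a minimal deny evaluator.
Written for this article. Actions and condition keys are real IAM ones; the regions,
role ARNs, account ID and sample calls are assumptions. Not a general IAM simulator."""
import fnmatch
import json

APPROVED_REGIONS = ["eu-west-2", "eu-west-1"]                         # assumed
PIPELINE_ROLE = "arn:aws:iam::*:role/landing-zone-pipeline"           # assumed IaC deploy role
GLOBAL_SERVICES = ["iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*", "support:*"]

GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [
        {   # member accounts cannot switch off logging or detection
            "Sid": "ProtectSecurityTelemetry", "Effect": "Deny", "Resource": "*",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
                       "guardduty:DeleteDetector", "guardduty:DisassociateFromAdministratorAccount",
                       "securityhub:DisableSecurityHub", "config:StopConfigurationRecorder"],
        },
        {   # account-level S3 Block Public Access stays on
            "Sid": "DenyPublicS3", "Effect": "Deny", "Resource": "*",
            "Action": ["s3:PutAccountPublicAccessBlock", "s3:DeleteAccountPublicAccessBlock"],
        },
        {   # IAM is changed only by the IaC pipeline role; humans and workloads cannot escalate
            "Sid": "IamChangesViaPipelineOnly", "Effect": "Deny", "Resource": "*",
            "Action": ["iam:Create*", "iam:Put*", "iam:Attach*", "iam:Update*", "iam:Delete*"],
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": PIPELINE_ROLE}},
        },
        {   # everything except global services must be called in an approved region
            "Sid": "ApprovedRegionsOnly", "Effect": "Deny", "Resource": "*",
            "NotAction": GLOBAL_SERVICES,
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
        },
    ],
}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def _glob(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(cond, ctx):
    """IAM semantics for the two negated operators used here: a missing key makes them true."""
    for op, pairs in cond.items():
        if op not in ("StringNotEquals", "ArnNotLike"):
            raise ValueError(f"operator {op} not modelled")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringNotEquals" and actual in _as_list(expected):
                return False
            if op == "ArnNotLike" and actual is not None and _glob(expected, actual):
                return False
    return True

def denying_sid(policy, action, ctx):
    """Return the Sid of the first Deny statement that blocks `action`, else None.
    None means only that the SCP lets the call through; an identity policy must still allow it."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        applies = _glob(stmt["Action"], action) if "Action" in stmt else not _glob(stmt["NotAction"], action)
        if applies and _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None

HUMAN = "arn:aws:iam::111122223333:role/AdminBreakGlass"           # constructed
PIPELINE = "arn:aws:iam::111122223333:role/landing-zone-pipeline"  # constructed

def ctx(principal, region="eu-west-2"):
    return {"aws:PrincipalARN": principal, "aws:RequestedRegion": region}

# Constructed API calls a practitioner would fire at a sandbox OU to test the guardrails.
SAMPLE_CALLS = [
    ("cloudtrail:StopLogging", ctx(HUMAN)),
    ("s3:DeleteAccountPublicAccessBlock", ctx(PIPELINE)),
    ("iam:CreateUser", ctx(HUMAN)),
    ("iam:CreateUser", ctx(PIPELINE)),
    ("ec2:RunInstances", ctx(PIPELINE, "us-east-1")),
    ("ec2:RunInstances", ctx(PIPELINE)),
    ("iam:ListRoles", ctx(HUMAN, "us-east-1")),
]

def evaluate_samples(calls=SAMPLE_CALLS):
    return [(action, denying_sid(GUARDRAILS, action, c)) for action, c in calls]

if __name__ == "__main__":
    print(json.dumps(GUARDRAILS, indent=2))   # the document to attach with `aws organizations attach-policy`
    for action, sid in evaluate_samples():
        print(f"{action:36} {'DENIED by ' + sid if sid else 'not denied by SCP'}")
```

Two things to check before attaching something like this: SCPs do not apply to the management account, so test them against a sandbox OU, and the IamChangesViaPipelineOnly statement as written also denies the break-glass role, which is the right default but means the emergency path needs an explicit exception (a second ARN in the ArnNotLike list) that is itself alarmed on in the SIEM.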

[Figure: Infrastructure as Code and policy enforcement model (Terraform, Bicep, GitHub Actions, OPA, SCPs; no manual changes, drift detection, secure by default). Source control (GitHub / Azure DevOps, Terraform modules, Azure Bicep / ARM, pull request reviews, branch protection); CI/CD pipeline (GitHub Actions, tfsec / checkov scan, OPA policy gate, Terraform plan review, approval gate then apply); policy enforcement (AWS SCPs, Azure Policy, OPA / Rego rules, deny public S3 / Blob, enforce encryption); drift detection (AWS Config, Azure Policy compliance, Terraform state check, alert on deviation, auto-remediate / SOAR); compliance (NIST CSF, CIS Benchmarks, ISO 27001, SOC 2 Type II, evidence reports). No manual infrastructure changes permitted; all deployments via the approved IaC pipeline; drift triggers a SOAR alert; secure-by-default templates with CIS hardening embedded in modules; evidence generated automatically for audit.]
// Infrastructure as Code and policy enforcement model
GitHub Reference Implementation
Terraform deployment examples, Azure Bicep templates, Palo Alto configuration standards, FortiGate policy examples, Zscaler SSE configuration patterns, VPN zoning examples, and SIEM/XSOAR integration examples are available in the accompanying repository.
github.com/saleem-yousaf/saleem-yousaf-zero-trust-architecture

Firewall Rule Standards

All firewall policies follow a deny-by-default security model with centralised governance enforced through Panorama, FortiManager, cloud-native policy controls, and Infrastructure as Code. All traffic traversing trust boundaries is explicitly authorised, application-aware, logged, inspected, and subject to threat prevention policies.

Core Firewall Rule Requirements

| Rule Category | Direction | Protocol | Action | Logging | Threat Prevention | Requirement |
|---|---|---|---|---|---|---|
| Default Deny All | Inbound + Outbound | Any | DENY | Required | N/A | All rules must be explicit allow; implicit deny at the bottom of every ruleset |
| Internet Ingress | Inbound | HTTPS 443 | ALLOW | Required | Required | WAF + IPS + SSL inspection required on all public-facing ingress |
| Management Access | Inbound | SSH/RDP 22/3389 | ALLOW (PAM only) | Required | Required | Via bastion/PAM only; no direct admin access from the internet |
| Internal East-West | Lateral | App-specific | ALLOW (explicit) | Required | Required | Application-aware rules only; no broad subnet-to-subnet allow |
| DNS Resolution | Outbound | UDP/TCP 53 | ALLOW (controlled) | Required | Required | DNS to authorised resolvers only; DNS security filtering enabled |
| VPN / Remote Access | Inbound | IPsec / SSL-VPN | ALLOW (identity) | Required | Required | Identity-verified, MFA enforced, split tunnelling disabled |
| Egress Internet | Outbound | HTTP/HTTPS | ALLOW (proxied) | Required | Required | All outbound via SWG/proxy; direct internet egress denied |
| Time Restrictions | Any | Any | Schedule-based | Required | Optional | Business-hours restrictions on non-critical admin access paths |
| Log Forwarding | N/A | Syslog/HTTPS | ALLOW (to SIEM) | Required | N/A | All firewall logs forwarded to SIEM within 60 seconds of generation |
// Core firewall rule requirements matrix

Palo Alto NGFW Rule Matrix

| Rule Name | Source Zone | Destination Zone | Application | Service | Action | Security Profile |
|---|---|---|---|---|---|---|
| Allow-Web-Ingress | untrust | dmz | ssl, web-browsing | application-default | allow | IPS + AV + URL |
| Allow-API-Gateway | untrust | dmz | ssl | tcp/443 | allow | IPS + AV + DNS |
| Allow-App-to-DB | app-zone | data-zone | mssql, mysql, oracle | application-default | allow | IPS + Data Filter |
| Allow-App-to-Identity | app-zone | identity-zone | kerberos, ldap, msrpc | application-default | allow | IPS |
| Allow-PAM-Admin | mgmt-zone | any | ssh, rdp | application-default | allow | IPS + WildFire |
| Allow-SOC-Readonly | mgmt-zone | any | syslog, snmp | application-default | allow | IPS |
| Allow-Internal-DNS | any | dns-zone | dns | application-default | allow | DNS Security |
| Allow-NTP | any | ntp-zone | ntp | udp/123 | allow | None |
| Deny-East-West-Default | any internal | any internal | any | any | deny | N/A (log all) |
| Deny-All-Default | any | any | any | any | deny | N/A (log all) |
// Palo Alto NGFW example rule matrix
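The core rule requirements and the Palo Alto matrix above are the kind of thing a pipeline should check mechanically before Panorama ever sees a commit. As an added example written for this article (not a Palo Alto tool and not part of the reference repository), the linter below encodes the requirements from the matrix (logged explicit deny at the bottom, no any-to-any or app-agnostic allows, IPS + AV on internet ingress, SSH/RDP only from the management zone, data tier reachable only from the app tier, no rule placed after the deny-all) and runs them over the Palo Alto rule rows transcribed from the table, plus a constructed bad ruleset. The rule representation and the severity choices are assumptions.

```python
"""Added example: lint a firewall rule matrix against the rule standards in this article.
Illustrative code written for the article, not a Palo Alto or Fortinet tool. PAGE_RULES is
transcribed from the Palo Alto matrix above; the checks and BAD_RULES are assumptions."""

ADMIN_APPS = {"ssh", "rdp", "ms-rdp"}

def rule(name, src, dst, app, service, action, profile, log=True):
    return {"name": name, "src": src, "dst": dst, "app": set(app), "service": service,
            "action": action, "profile": set(profile), "log": log}

PAGE_RULES = [   # "any internal" in the matrix is written as "any-internal" here
    rule("Allow-Web-Ingress", "untrust", "dmz", ["ssl", "web-browsing"], "application-default", "allow", ["IPS", "AV", "URL"]),
    rule("Allow-API-Gateway", "untrust", "dmz", ["ssl"], "tcp/443", "allow", ["IPS", "AV", "DNS"]),
    rule("Allow-App-to-DB", "app-zone", "data-zone", ["mssql", "mysql", "oracle"], "application-default", "allow", ["IPS", "DataFilter"]),
    rule("Allow-App-to-Identity", "app-zone", "identity-zone", ["kerberos", "ldap", "msrpc"], "application-default", "allow", ["IPS"]),
    rule("Allow-PAM-Admin", "mgmt-zone", "any", ["ssh", "rdp"], "application-default", "allow", ["IPS", "WildFire"]),
    rule("Allow-SOC-Readonly", "mgmt-zone", "any", ["syslog", "snmp"], "application-default", "allow", ["IPS"]),
    rule("Allow-Internal-DNS", "any", "dns-zone", ["dns"], "application-default", "allow", ["DNSSecurity"]),
    rule("Allow-NTP", "any", "ntp-zone", ["ntp"], "udp/123", "allow", []),
    rule("Deny-East-West-Default", "any-internal", "any-internal", ["any"], "any", "deny", []),
    rule("Deny-All-Default", "any", "any", ["any"], "any", "deny", []),
]

def is_deny_all(r):
    return (r["action"] == "deny" and r["src"] == "any" and r["dst"] == "any"
            and "any" in r["app"] and r["service"] == "any")

def lint(rules):
    """Return (severity, rule name, message) findings; ERROR blocks the commit, WARN needs a reviewer."""
    findings = []
    err = lambda r, msg: findings.append(("ERROR", r["name"], msg))
    warn = lambda r, msg: findings.append(("WARN", r["name"], msg))

    if not rules or not (is_deny_all(rules[-1]) and rules[-1]["log"]):
        findings.append(("ERROR", "<ruleset>", "last rule must be a logged explicit deny any/any/any"))
    deny_all_seen = False
    for r in rules:
        if not r["log"]:
            err(r, "logging is required on every rule")
        if deny_all_seen:
            err(r, "unreachable: placed after the deny-all rule")
        if is_deny_all(r):
            deny_all_seen = True
        if r["action"] != "allow":
            continue
        if "any" in r["app"]:
            err(r, "allow rules must be application-aware (App-ID), not 'any'")
        if r["service"] == "any":
            err(r, "allow rules must pin the service (application-default or an explicit port)")
        if r["src"] == "any" and r["dst"] == "any":
            err(r, "any-to-any allow violates deny by default")
        elif r["dst"] == "any":
            warn(r, "destination 'any' on an allow rule; scope it to the zones this path needs")
        if r["src"] == "untrust" and not {"IPS", "AV"} <= r["profile"]:
            err(r, "internet ingress requires IPS + AV (with WAF and TLS inspection upstream)")
        if r["app"] & ADMIN_APPS and r["src"] != "mgmt-zone":
            err(r, "SSH/RDP may only originate from the management zone via bastion/PAM")
        if r["dst"] == "data-zone" and r["src"] != "app-zone":
            err(r, "data tier is reachable only from the application tier")
        if not r["profile"]:
            warn(r, "no threat prevention profile attached")
    return findings

BAD_RULES = [   # constructed: the 'temporary' troubleshooting rule every ruleset eventually grows
    rule("Allow-Temp-Troubleshoot", "user-zone", "data-zone", ["any"], "any", "allow", [], log=False),
    rule("Deny-All-Default", "any", "any", ["any"], "any", "deny", [], log=False),
]

def summarise(findings):
    errors = sum(1 for f in findings if f[0] == "ERROR")
    return {"errors": errors, "warnings": len(findings) - errors}

if __name__ == "__main__":
    for label, rules in (("page matrix", PAGE_RULES), ("bad ruleset", BAD_RULES)):
        print(f"== {label}: {summarise(lint(rules))}")
        for sev, name, msg in lint(rules):
            print(f"  {sev:5} {name}: {msg}")
```

Run against the page's matrix it raises no errors but three warnings worth a reviewer's eye: Allow-PAM-Admin and Allow-SOC-Readonly both allow to destination any, and Allow-NTP carries no profile. Two PAN-OS specifics to keep in mind when turning this into real policy: the built-in interzone-default rule denies without logging unless you override its log setting, which is why the matrix keeps an explicit logged deny-all at the bottom, and the matrix uses shorthand application names, so check them against the App-ID catalogue before committing (for instance RDP is ms-rdp and Microsoft SQL is mssql-db).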

FortiGate NGFW Rule Matrix

| Policy Name | Incoming IF | Outgoing IF | Source | Destination | Service | Action | UTM Profile |
|---|---|---|---|---|---|---|---|
| WAN-to-DMZ-HTTPS | wan1 | dmz | all | dmz-servers | HTTPS | ACCEPT | IPS + AV + WAF |
| WAN-to-DMZ-HTTP-Redirect | wan1 | dmz | all | dmz-servers | HTTP | REDIRECT (to HTTPS) | WAF |
| DMZ-to-AppZone | dmz | internal | dmz-servers | app-servers | CUSTOM-APP | ACCEPT | IPS + AppCtrl |
| AppZone-to-DataZone | internal-app | internal-data | app-servers | db-servers | DB-PORTS | ACCEPT | IPS + DLP |
| MGMT-Admin-Access | mgmt | any | admin-hosts | any | SSH, HTTPS | ACCEPT | IPS + Logging |
| Internal-to-DNS | internal | dns-if | all | dns-servers | DNS | ACCEPT | DNS Filter |
| Internal-to-Internet-Proxied | internal | wan1 | all | all | HTTPS | ACCEPT (proxied) | AV + Web Filter |
| Implicit-Deny | any | any | all | all | ANY | DENY | Log all denied |
// FortiGate NGFW example rule matrix

NAT Rule Matrix

| NAT Rule Name | Original Src | Original Dst | Original Svc | Translated Src | Translated Dst | Type | Notes |
|---|---|---|---|---|---|---|---|
| DNAT-Web-443 | any | 203.0.113.10 | tcp/443 | - | 10.10.1.10:443 | DNAT | WAF IP to internal web tier; SSL pass-through to app |
| DNAT-API-443 | any | 203.0.113.11 | tcp/443 | - | 10.10.1.20:443 | DNAT | API Gateway public IP to internal API cluster |
| SNAT-App-Egress | 10.10.2.0/24 | any | any | 203.0.113.50 | - | SNAT | App zone outbound; shared egress IP for audit trail |
| SNAT-Mgmt-Egress | 10.10.5.0/24 | any | any | 203.0.113.51 | - | SNAT | Management zone; separate egress IP for admin traffic tracking |
| DNAT-VPN-Gateway | any | 203.0.113.100 | udp/500, udp/4500 | - | 10.10.5.50 | DNAT | IPsec VPN termination; identity-verified users only |
| No-NAT-Internal | 10.0.0.0/8 | 10.0.0.0/8 | any | - | - | No NAT | Internal routing; NAT bypass for trusted zones |
| Block-Hairpin | any | internal RFC 1918 | any | - | - | DENY | No hairpin NAT permitted; prevents loopback attacks |
// NAT rule standards matrix

VPN Rule Matrix

| VPN Profile | User Group | Auth Method | Split Tunnel | Permitted Resources | Session Limit | Logging |
|---|---|---|---|---|---|---|
| Corporate-Full | Corp-Staff | Entra SSO + FIDO2 | Disabled | All internal + internet via proxy | 8 hours | Full session log |
| Admin-Privileged | IT-Admins | PAM + Hardware MFA | Disabled | Management zone only; PAM brokered | 4 hours | Full + recording |
| Third-Party-Scoped | Vendors | Entra B2B + MFA | Disabled | Specific app/server only; ZTNA | 4 hours | Full session log |
| SOC-Analyst | SOC-Team | Entra SSO + MFA | Disabled | SIEM + SOC tools only; read-only prod | 12 hours | Full session log |
| Partner-API | Partners | OAuth 2.0 / API key | N/A | API endpoints only; no network access | Token TTL | API gateway log |
| Emergency-Break-Glass | CISO approved | PAM + dual approval | Disabled | Specific system; time-bound only | 2 hours | Full + alert SOC |
// VPN access rule matrix

Zscaler SSE Policy Matrix

| Policy Name | Component | User Group | Condition | Action | Logging |
|---|---|---|---|---|---|
| Allow-SaaS-Apps | ZIA | All Corp Users | Compliant device + MFA | Allow + CASB inspect | Full |
| Block-Shadow-IT | ZIA | All Users | Unapproved cloud app | Block + notify user | Full |
| Block-Malware-Categories | ZIA | All Users | Malware / phishing category | Block + alert SOC | Full |
| DLP-Data-Exfil | ZIA | All Users | PII / sensitive data upload | Block + quarantine | Full + DLP log |
| ZPA-Internal-Apps | ZPA | Corp Users | Compliant device + identity | Allow app-specific | Full |
| ZPA-Admin-Apps | ZPA | IT Admins | PAM session + hardware key | Allow scoped only | Full + recording |
| ZPA-Vendor-Scoped | ZPA | Vendors | B2B identity + MFA | Allow app only | Full |
| Block-Non-Compliant | ZPA + ZIA | All Users | Non-compliant device | Block + remediation page | Full + alert |
| DNS-Security | ZIA | All Users | Malicious / C2 domain | Block + SIEM alert | Full |
// Zscaler SSE (ZIA/ZPA) policy standards matrix

Operational Outcomes & Security Benefits

The secure landing zone architecture and Zero Trust operating model delivered measurable improvements across security operations, cloud governance, incident response, network segmentation, and hybrid cloud visibility.

Measurable Security Outcomes

Quantified improvements delivered by the Zero Trust landing zone architecture and operating model, measured post-implementation across security operations, governance, incident response, and compliance:
  • 60% MTTD reduction: mean time to detect threats reduced from 4 hours to under 90 minutes (SIEM correlation + GuardDuty)
  • 75% MTTR improvement: mean time to respond reduced through SOAR automation and playbooks (XSOAR automated tier-1 response)
  • Zero publicly exposed management services: all management interfaces removed from the public internet, ZTNA only (private endpoints + ZPA enforced)
  • 100% traffic inspected: all north-south and east-west traffic inspected and logged (NGFW + NDR + SSL inspection)
  • 95% attack surface reduction: measured reduction in externally reachable attack surface (network segmentation + micro-segmentation)
  • ISO 27001 compliance achieved: policy-as-code controls mapped to NIST CSF, CIS, SOC 2 and DORA (IaC compliance reports automated)
// Measurable security outcomes summary
  • Improved SOC operational visibility and faster threat detection
  • Reduced phishing and malware exposure
  • Scalable Zero Trust segmentation across hybrid environments
  • Standardised firewall governance via Panorama and FortiManager
  • Stronger cloud security posture across AWS and Azure
  • Improved incident response times through XSOAR automation
  • Reduced excessive VPN and lateral access
  • Automated SOC workflows reducing analyst workload

Conclusion

This reference architecture demonstrates a scalable and repeatable enterprise security model designed to support modern hybrid cloud transformation across AWS, Azure, remote access, and on-premises environments.

By combining Zero Trust network segmentation, centralised SIEM and XSOAR operations, Palo Alto and Fortinet security platforms, Zscaler SSE access controls, and Infrastructure as Code governance, the architecture establishes a cloud-ready and operationally mature security framework capable of supporting enterprise-scale modernisation programmes.

[Figure: Final architecture, strategic security outcomes (Zero Trust principles applied end-to-end across identity, network, cloud, and operations). Identity: zero standing privilege, Entra PIM enforced, MFA on all access, device compliance, UEBA monitoring, PAM for all admin. Network: deny by default, five security zones, 100% TLS inspection, east-west control, NDR on all segments, IaC-managed firewall rules. Cloud: AWS + Azure landing zones, private endpoints only, SCPs + Azure Policy, GuardDuty + Defender, container isolation, all deployments via IaC. Operations: SIEM + SOAR live, XSOAR automation, MTTD under 90 minutes, playbook coverage, TIP integration, BAS validation. Compliance: NIST CSF aligned, ISO 27001 mapped, CIS benchmarks, SOC 2 evidence, automated audit reports, policy as code.]
// Final architecture and strategic security outcomes
Reference Design Disclaimer. This reference architecture is provided for technical demonstration and capability showcase purposes only. All examples, network ranges, configurations, policies, and design patterns are illustrative and sanitised to avoid disclosure of any client-sensitive or production-specific information.