The Secure Access Concentrator can be deployed in Azure and AWS if your FSCs are geographically dispersed and/or your backend systems hosted in Azure and/or AWS. The FSAC connects your Secure Connectors with your cloud resources and allows you to monitor the traffic between the FSC and the private subnets. If VPN connectivity is required, the FSAC is used in combination with an F-Series Firewall. You have two options for setting up the Secure Access Concentrator. The deployment steps are the same as the steps required for an on-premises FSAC.
FSAC and F-Series Firewall in the Public Cloud, Control Center located on-premises
In this scenario, the FSCs connect to the public IP address of the FSAC. In Azure, traffic to the backend subnets is routed over the F-Series Firewalls; in AWS, the FSAC connects directly to the backend subnets. The F-Series Firewall handles the VPN tunnels to the on-premises networks. Configuration data from the FSAC to the Control Center is sent through this site-to-site tunnel.
FSAC, F-Series Firewall, and Control Center in Azure and AWS
The client connects to the public IP address of the FSAC. Traffic to the backend is routed either through the optional F-Series Firewalls, or directly to the backend subnets. The FSC can connect directly to the Control Center, which is located in another subnet. In Azure, the FSAC can also secure the traffic between the different backend subnets. An F-Series Firewall is required for site-to-site VPN connections to your on-premises networks.