What is a multinational / intercontinental network firewall architecture, and why have multiple Internet exits?
A global company has firewall-protected Internet exits in each region (USA, Europe, Asia), with the internal network spanning the globe via private WAN links. Each regional exit handles local Internet traffic — for performance, compliance, and resilience.
The architecture:
[Internet]
↑
[FW Europa]
│
┌────────┼────────┐
[Internet] [Intranet] [Internet]
↑ │ ↑
[FW USA] │ [FW Asia]
Why decentralized internet exits:
| Reason | Detail |
|---|---|
| Performance | A user in Asia accessing a US-hosted site shouldn't traverse Europe |
| Latency | Local exit = direct path to local CDN/SaaS = lower RTT |
| Compliance | Some countries require traffic to stay within national borders (China, Russia) |
| Resilience | If the European exit fails, users in Asia still have Internet via Asian exit |
| Bandwidth cost | Backhauling all traffic to one exit is expensive |
The Intranet challenge:
The Intranet itself is a private global network — typically MPLS, SD-WAN, or VPN-over-Internet. Devices in USA and Asia can address each other directly. The firewalls don't sit on internal traffic; they sit on each exit to the Internet.
The compliance dimension:
Modern data sovereignty laws complicate this:
| Law | Implication |
|---|---|
| GDPR (EU) | EU personal data shouldn't leave EU without proper safeguards |
| DSG (Switzerland) | Similar to GDPR |
| PIPL (China) | Chinese data must stay in China |
| CLOUD Act (US) | US-companies' data is reachable by US gov regardless of location |
This means a global FW design often must keep certain data in certain regions — not just for performance.
SASE — the modern evolution:
SASE (Secure Access Service Edge) replaces the classic regional-FW design with cloud-delivered firewall services. Every user — wherever they are — connects to the nearest "PoP" (point of presence) which provides FW + proxy + DNS + DLP + ZTNA services. Products: Zscaler, Cato Networks, Palo Alto Prisma Access.
Tip: When designing global FW architecture, the question isn't just "where to put firewalls" but "how to enforce policy consistently across regions." Centralized management (single policy DB, distributed enforcement) is the killer feature in modern global FW products.
Go deeper:
Secure access service edge (Wikipedia) — the cloud-delivered SASE evolution the card names as the modern replacement.