

# FAQ
<a name="faq"></a>

**Do I need a load balancer to route internet traffic through a firewall in a multi-AZ deployment?**

AWS Network Firewall is transparent to incoming and outgoing traffic and doesn't require a load balancer for itself. A load balancer is only required for the application (as in a standard multi-AZ deployment). In this guide's perimeter zone architecture, Network Firewall is inserted through route tables and the corresponding network interfaces in the public subnet.

**If the Application Load Balancer isn't in a public subnet (routed to an internet gateway), then is it an internal Application Load Balancer?**

The Application Load Balancer isn't an internal Application Load Balancer. It remains in the external, internet-facing subnet, even though that subnet isn't directly connected to the internet gateway. The subnet is still transparently reachable from the internet because the routing between the internet gateway and the public subnet is steered through the network interface (endpoint) of Network Firewall.

**Does Network Firewall need its own security subnet?**

Yes, Network Firewall needs its own security subnet. The security subnet (public) is required to ensure that the routing of the traffic from and to the Application Load Balancer can be controlled through the route tables.

**Is the target architecture valid for both ingress and egress traffic firewalling?**

Yes, the target architecture is valid for both ingress and egress traffic firewalling. If a connection is initiated from the application to outside the VPC, then you must add a NAT gateway to the endpoint's subnet. You must also forward the traffic from the application's subnet to the NAT gateway by using a route table (as illustrated by **Route table app** in the diagram in the [Perimeter zone architecture based on Network Firewall](architecture.md#perimeter-zone-applications-network-firewall) section of this guide). No further changes are required, because all the outgoing traffic still passes through Network Firewall.
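The FAQ answers above all come down to the same point: the firewall is inserted purely by routing, so whether ingress and egress flows actually pass through it depends on the route tables being consistent. The following added example (not part of this guide or of AWS's code) models that routing as a small longest-prefix-match simulator and traces three flows: internet to the Application Load Balancer, application to the internet via the NAT gateway, and the load balancer's own return traffic. The subnet CIDRs, the test addresses, and the next-hop names (`vpce-firewall`, `nat-gateway`, `igw`) are constructed placeholders; the table named `igw-ingress` stands for the gateway route table associated with the internet gateway, and the `TABLES_WITHOUT_INGRESS_ROUTING` variant shows what happens when that association is missing.

```python
"""Trace packets through a simplified model of the perimeter-zone routing and
verify that every ingress and egress path crosses the Network Firewall endpoint.
Added example; all IDs and CIDRs are constructed placeholders."""
import ipaddress

# Constructed sample subnets (placeholders, not taken from a real account).
SUBNETS = {
    "firewall": ipaddress.ip_network("10.0.0.0/24"),  # security subnet holding the firewall endpoint
    "public": ipaddress.ip_network("10.0.1.0/24"),    # Application Load Balancer and NAT gateway
    "app": ipaddress.ip_network("10.0.2.0/24"),       # application targets
}

# Route table each subnet consults for traffic leaving that subnet.
SUBNET_TABLE = {"firewall": "firewall-subnet", "public": "public-subnet", "app": "app-subnet"}

# Route tables as (destination prefix, next hop); the longest matching prefix wins.
# "igw-ingress" models the gateway route table associated with the internet gateway,
# which steers inbound traffic for the public subnet to the firewall endpoint.
DEFAULT_TABLES = {
    "igw-ingress": [("10.0.0.0/16", "local"), ("10.0.1.0/24", "vpce-firewall")],
    "firewall-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")],
    "public-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "vpce-firewall")],
    "app-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-gateway")],  # "Route table app"
}

# Misconfigured variant: no gateway route table, so inbound traffic bypasses the firewall.
TABLES_WITHOUT_INGRESS_ROUTING = {k: v for k, v in DEFAULT_TABLES.items() if k != "igw-ingress"}


def subnet_of(ip):
    """Return the name of the subnet containing ip, or None for addresses outside the VPC."""
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return None


def lookup(tables, table_name, dst):
    """Longest-prefix-match lookup of dst in the named route table."""
    best = None
    for prefix, hop in tables[table_name]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise LookupError(f"no route for {dst} in {table_name}")
    return best[1]


def trace(src, dst, tables=DEFAULT_TABLES, max_hops=8):
    """Return the ordered list of hops a packet from src to dst takes."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_subnet = subnet_of(src)
    if src_subnet is None:
        # Traffic entering through the internet gateway. Without a gateway
        # route table, the internet gateway delivers straight into the subnet.
        if "igw-ingress" not in tables:
            return ["local", f"subnet:{subnet_of(dst)}"]
        table = "igw-ingress"
    else:
        table = SUBNET_TABLE[src_subnet]

    path = []
    while len(path) < max_hops:
        hop = lookup(tables, table, dst)
        path.append(hop)
        if hop == "local":
            path.append(f"subnet:{subnet_of(dst)}")
            return path
        if hop == "igw":
            path.append("internet")
            return path
        if hop == "vpce-firewall":
            table = "firewall-subnet"  # traffic leaves the endpoint into the security subnet
        elif hop == "nat-gateway":
            table = "public-subnet"    # the NAT gateway sits in the public subnet
        else:
            raise ValueError(f"unknown next hop {hop}")
    raise RuntimeError(f"routing loop between {src} and {dst}: {path}")


def traverses_firewall(src, dst, tables=DEFAULT_TABLES):
    """True if the path from src to dst passes through the firewall endpoint."""
    return "vpce-firewall" in trace(src, dst, tables)


if __name__ == "__main__":
    flows = [("203.0.113.10", "10.0.1.50"),   # internet client -> load balancer
             ("10.0.2.20", "198.51.100.7"),   # application -> internet via NAT gateway
             ("10.0.1.50", "198.51.100.7")]   # load balancer -> internet client
    for src, dst in flows:
        print(f"{src} -> {dst}: {' > '.join(trace(src, dst))}")
```

Running the script prints each flow's hop list; the `traverses_firewall` helper is the check worth keeping in a deployment test suite, since it turns the question "does every path go through the firewall" into a per-flow assertion rather than a diagram review. Adding or removing the gateway route table in the model is enough to see the ingress path switch between `vpce-firewall` and a direct delivery into the public subnet.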