Professional Documents
Culture Documents
2. Intra-VPC inspection with AWS Network Firewall and VPC routing enhacement
Inspection Deployment Models 3. East-West centralized inspection with AWS Network Firewall and AWS Transit Gateway
with AWS Network Firewall 4. North-South centralized inspection with AWS Network Firewall and AWS Transit Gateway
5. Combined inspection with AWS Network Firewall and AWS Transit Gateway
NEW 6. Multi-Region centralized inspection with AWS Network Firewall and AWS Transit Gateway
EC2 instance
For more information about deployment
models with AWS Network Firewall and AWS
Reviewed for technical accuracy March 16,
3rd,2022
2022
AWS Reference Architecture Transit Gateway, refer to: Deployment Models
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
for AWS Network Firewall.
Traffic from the instance in Spoke VPC A
1
North-South Inspection with AWS Network Firewall
destined to the internet is routed to the Transit
Gateway. The Transit Gateway route table
associated with the attachment sends all the
Use AWS Transit Gateway to centralize the traffic inspection from/to the Internet, or from/to on-prem facilities connected traffic (0.0.0.0/0) to the Inspection VPC.
via AWS Direct Connect or AWS Site-to-Site VPN. The Inspection VPC TGW subnet route table
2 sends all the traffic to the firewall endpoint.
The allowed traffic is forwarded back to the
Spoke VPC A route table
Transit Gateway.
Destination Target AWS Transit Gateway Inspection VPC (100.64.0.0/26)
The Transit Gateway route table associated
Spoke VPC A (10.1.0.0/16)10.1.0.0/16 local
Pre-inspection route table
2
Availability Zone A
3 with the Inspection VPC attachment has all the
TGW route table routes within the network.
0.0.0.0/0 tgw-id TGW subnet
Availability Zone A CIDR Attachment
100.64.0.0/28 Destination Target In this particular use case, as the traffic needs
0.0.0.0/0 Inspection VPC
Workload subnet TGW subnet 1
3 100.64.0.0/16 local 4 to be routed to the internet, the Transit
10.1.1.0/24 10.1.0.0/24 Gateway will forward the traffic to the Central
Post-inspection route table C 0.0.0.0/0 vpce-az-a-id
TGW D Egress VPC.
E association CIDR Attachment TGW ENI The TGW subnet route table of the Central
TGW Inspection route table
EC2 instance -
TGW ENI
10.1.0.0/16 Spoke VPC A association Firewall subnet
5 Egress VPC sends the traffic to the NAT
10.1.1.5 Destination Target
10.2.0.0/16 Region B Peering 100.64.0.16/28 gateway, so the private IP of the client can be
100.64.0.0/16 local translated to the private IP of the NAT gateway,
10.11.0.0/16 Central Ingress VPC and in turn, translated to the public IP by the
Spoke VPC (10.2.0.0/16) 0.0.0.0/0 tgw-id
192.168.0.0/16 Direct Connect internet gateway.
Gateway / VPN
Workload subnet TGW Firewall endpoint
10.2.1.0/24 association 0.0.0.0/0 Central Egress VPC Traffic coming from the internet reaches the
4
TGW route table A Central Ingress VPC. In this example, an
AWS Transit Gateway Application Load Balancer sends the request to
TGW Destination Target
AWS Region B association
Central Egress VPC (10.10.0.0/16) the target group of configured IP addresses
B
EC2 instance 10.10.0.0/16 local through the Transit Gateway.
Central Ingress VPC (10.11.0.0/16) Availability Zone A
TGW 10.0.0.0/8 tgw-id The traffic is forwarded to the Inspection VPC
Direct association TGW subnet Public subnet
TGW subnet - 10.10.0.0/28
B in accordance to the Pre-inspection route
Connect 10.11.0.0/28 10.11.1.0/24 0.0.0.0/0 nat-id
table in Transit Gateway.
gateway
TGW Transit As with the egress traffic, the Inspection VPC
Internet gateway
association
Target Group Type: IP
Gateway ENI C TGW subnet route table sends all the traffic to
TGW ENI Target: 10.1.0.5 ALB the firewall endpoint. Allowed traffic is
Public subnet – 10.10.1.0/24 Public route table
AWS Direct Connect AWS Site-to-Site VPN TGW route table Public route table D forwarded back to the Transit Gateway and
Destination Target subsequently to the destination VPC (Spoke
5 VPC A).
Destination Target Destination Target
A 10.10.0.0/16 local
10.11.0.0/16 local 10.11.0.0/16 local NAT gateway The Spoke VPC A route table sends the traffic
10.0.0.0/8 tgw-id E to the desired instance - 10.1.1.5.
On-premises – 192.168.0.0/16 10.0.0.0/8 tgw-id 10.0.0.0/8 tgw-id
0.0.0.0/0 Igw-id
0.0.0.0/0 Igw-id
Reviewed for technical accuracy March 16,
3rd,2022
2022 * It is recommended to use Transit Gateway appliance
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture mode in the Inspection VPC Transit Gateway
attachment to maintain flow symmetry.
Traffic from an instance in Spoke VPC A
1
Combined Inspection with AWS Network Firewall
destined to another instance in Spoke VPC B
(East/West traffic) is routed to the Transit
Gateway.
Use AWS Transit Gateway to centralize the East/West inspection between VPCs, while you have a NAT gateway in the The Transit Gateway route table associated
Inspection VPC for centralized egress and the North/South inspection. 2 with the attachment sends all the traffic
(0.0.0.0/0) to the Inspection VPC.