1.

Single VPC inspection with AWS Network Firewall (Distributed Inspection)

2. Intra-VPC inspection with AWS Network Firewall and VPC routing enhacement

Inspection Deployment Models 3. East-West centralized inspection with AWS Network Firewall and AWS Transit Gateway

with AWS Network Firewall 4. North-South centralized inspection with AWS Network Firewall and AWS Transit Gateway

5. Combined inspection with AWS Network Firewall and AWS Transit Gateway

NEW 6. Multi-Region centralized inspection with AWS Network Firewall and AWS Transit Gateway

Reviewed for technical accuracy March 3rd,

16, 2022
2022
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture
 Traffic initiated from a client on the internet and

Traffic Inspection with AWS Network Firewall

1 destined to the public IP of the Application Load
Balancer arrives at the internet gateway.

Inspect inbound and outbound traffic using AWS Network Firewall. 2

In accordance with the internet gateway ingress
table, traffic is sent to the firewall endpoint.
Traffic is transparently inspected by AWS Network
AWS Cloud 1 3 Firewall. Allowed traffic is sent back to the firewall
Inbound
10 endpoint.
E Internet Outbound According to the inspection subnet route table,
Region
Availability Zone 4 traffic is sent to the Application Load Balancer.
Internet gateway ingress route table As per the protected subnet route table, the
Protected VPC (10.0.0.0/16) 2 5 Application Load Balancer forwards the traffic to
Internet gateway Destination Target the target group (workload on Amazon EC2).
Firewall Subnet (10.0.1.0/28)
10.0.0.0/16 local Response traffic is returned back to the Application
D 6 Load Balancer according to the private subnet
3 8
10.0.0.0/24 vpce-id route table.
C 9
In accordance with the protected subnet route
AWS Network Firewall endpoint Inspection subnet route table 7 table, traffic is sent to the firewall endpoint.
Firewall 4 7 B Traffic is sent to AWS Network Firewall. Traffic
Destination Target
8 that complies with firewall rules is sent back to the
Protected Subnet (10.0.0.0/24) firewall endpoint.
10.0.0.0/16 local
As per the Inspection subnet route table, traffic is
0.0.0.0/0 igw-id 9 sent to the internet gateway.

Protected subnet route table Traffic is sent back to the internet.

Application Load NAT gateway 10
Balancer Destination Target
Traffic initiated from an instance and directed to
6
10.0.0.0/16 local A the internet is forwarded to the NAT gateway, in
accordance with private subnet route table.
Private Subnet (10.0.2.0/24)
0.0.0.0/0 vpce-id Source IP of traffic is changed to the IP of the NAT
5 A B gateway, and the traffic is forwarded to the
Private subnet route table firewall endpoint as per the protected subnet route
table.
Workload on Amazon EC2 Destination Target Traffic is sent to AWS Network Firewall for
C inspection. Traffic that complies with firewall rules
10.0.0.0/16 local is sent back to the firewall endpoint.
0.0.0.0/0 natgw-id According to inspection subnet route table, traffic
D is forwarded to the internet gateway.
Reviewed for technical accuracy March 16,
3rd,2022
2022
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture Traffic is sent out to the internet.
E
Intra-VPC Inspection with AWS Network Firewall 1
Ingress traffic is routed directly to a public
workload: web servers or a load balancer.
Use the VPC routing enhancement to inspect intra-VPC traffic (between subnets of the same VPC) Traffic between the public subnet and
2
the application servers is inspected. It is
recommended that you place the
firewall endpoint in its own subnet
(“Firewall subnet”).

Internet When the inspection is done, allowed

Region 3 traffic is routed to the application
gateway
servers.
Protected VPC (10.0.0.0/16)
1 Outbound traffic to the internet from
4 the application servers: the packets are
Availability Zone A first sent to the firewall endpoint, and
6 5 the allowed traffic goes to the load
Public subnet route table Public subnet Firewall subnet balancer, web servers, or NAT gateway
10.0.0.0/24
6
10.0.3.0/28 before being sent to the internet.
Destination Target
10.0.0.0/16 vpce-id-az-a With VPC routing enhancement, any
A traffic between private subnets in the
NAT 2
0.0.0.0/0 igw-id ALB
gateway 5 3 B VPC can be first sent to the firewall
endpoint to inspect the traffic.
4
Private subnet route table (application) Private subnet (application)
You can add a more specific classless
10.0.1.0/24 C
Destination Target inter-domain routing (CIDR) block than
the default block in the routing tables to
10.0.0.0/16 vpce-id-az-a
A D select which inter-VPC traffic is
Amazon EC2 instance D Firewall endpoint
inspected.
(application) C
Private subnet route table (DB) Private subnet (DB)
10.0.2.0/24 Firewall subnet route table
Destination Target
B
Destination Target
10.0.0.0/16 vpce-id-az-a
10.0.0.0/16 local
For more information about Multi-AZ options or
0.0.0.0/0 natgw-id connectivity options using AWS Transit
Gateway, refer to: Deployment models for AWS
Reviewed for technical accuracy March 16,
3rd,2022
2022
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture Network Firewall with VPC routing
enhancements.
 Any traffic leaving a spoke VPC is routed to

East-West Inspection with AWS Network Firewall

1 AWS Transit Gateway (TGW). The Transit
Gateway route table associated with the
VPCs and Transit Gateway peering forwards
Use AWS Transit Gateway to centralize the traffic inspection between several VPCs – both in the same Region, or the traffic to the Inspection VPC.
between Regions.
The Inspection VPC route table forwards all
2 the traffic to the firewall endpoint. The
allowed traffic is forwarded back to the
Spoke VPC A (10.1.0.0/16) AWS Transit Gateway Inspection VPC Transit Gateway.
(100.64.0.0/26) The Transit Gateway route table associated
Availability Zone A Pre-inspection route table 3 with the Inspection VPC attachment has all
Workload subnet TGW subnet Availability Zone A the routes within the network.
CIDR Attachment
10.1.1.0/24 10.1.0.0/24 TGW subnet - 100.64.0.0/28 In this particular example, the traffic is
D
1
TGW 0.0.0.0/0 Inspection VPC 4 destined to Spoke VPC B.
association
2
TGW route table
E Post-inspection route table In Spoke VPC B, the TGW subnet route table
Amazon EC2 Destination Target 5
TGW ENI
3 is routing the traffic to the destination
instance CIDR Attachment C 100.64.0.0/16 local instance.
Spoke VPC A route table 10.1.0.0/16 Spoke VPC TGW ENI Traffic from an instance in Spoke VPC B to
0.0.0.0/0 vpce-id A
Destination Target A Spoke VPC A first reaches the Transit
Firewall subnet Gateway endpoint in the TGW subnet. The
10.2.0.0/16 Spoke VPC
10.1.0.0/16 local TGW 4 100.64.0.16/28 traffic is routed to the Transit Gateway.
association B
0.0.0.0/0 tgw-id B The Transit Gateway route table sends the
10.3.0.0/16 Region B TGW
association B traffic to the Inspection VPC, where it is
peering
routed to the firewall endpoint for
Spoke VPC B (10.2.0.0/16) TGW C inspection.
peering Firewall endpoint
TGW
Availability Zone A TGW association
Inspection route table
Allowed traffic comes back to the Transit
association D Gateway. The route table associated with the
Workload subnet TGW subnet
Spoke VPC Destination Target Inspection VPC forwards the traffic to the
10.2.1.0/24 10.2.0.0/24 E Spoke VPC A.
AWS Transit Gateway
(10.3.0.0/16) 100.64.0.0/16 local
5
AWS Region B Workload subnet * It is recommended to use Transit Gateway appliance
A 0.0.0.0/0 tgw-id
Amazon EC2 10.3.1.0/24 mode in the Inspection VPC Transit Gateway attachment
instance TGW ENI to maintain flow symmetry.

EC2 instance
For more information about deployment
models with AWS Network Firewall and AWS
Reviewed for technical accuracy March 16,
3rd,2022
2022
AWS Reference Architecture Transit Gateway, refer to: Deployment Models
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
for AWS Network Firewall.
 Traffic from the instance in Spoke VPC A
1
North-South Inspection with AWS Network Firewall
destined to the internet is routed to the Transit
Gateway. The Transit Gateway route table
associated with the attachment sends all the
Use AWS Transit Gateway to centralize the traffic inspection from/to the Internet, or from/to on-prem facilities connected traffic (0.0.0.0/0) to the Inspection VPC.

via AWS Direct Connect or AWS Site-to-Site VPN. The Inspection VPC TGW subnet route table
2 sends all the traffic to the firewall endpoint.
The allowed traffic is forwarded back to the
Spoke VPC A route table
Transit Gateway.
Destination Target AWS Transit Gateway Inspection VPC (100.64.0.0/26)
The Transit Gateway route table associated
Spoke VPC A (10.1.0.0/16)10.1.0.0/16 local
Pre-inspection route table
2
Availability Zone A
3 with the Inspection VPC attachment has all the
TGW route table routes within the network.
0.0.0.0/0 tgw-id TGW subnet
Availability Zone A CIDR Attachment
100.64.0.0/28 Destination Target In this particular use case, as the traffic needs
0.0.0.0/0 Inspection VPC
Workload subnet TGW subnet 1
3 100.64.0.0/16 local 4 to be routed to the internet, the Transit
10.1.1.0/24 10.1.0.0/24 Gateway will forward the traffic to the Central
Post-inspection route table C 0.0.0.0/0 vpce-az-a-id
TGW D Egress VPC.
E association CIDR Attachment TGW ENI The TGW subnet route table of the Central
TGW Inspection route table
EC2 instance -
TGW ENI
10.1.0.0/16 Spoke VPC A association Firewall subnet
5 Egress VPC sends the traffic to the NAT
10.1.1.5 Destination Target
10.2.0.0/16 Region B Peering 100.64.0.16/28 gateway, so the private IP of the client can be
100.64.0.0/16 local translated to the private IP of the NAT gateway,
10.11.0.0/16 Central Ingress VPC and in turn, translated to the public IP by the
Spoke VPC (10.2.0.0/16) 0.0.0.0/0 tgw-id
192.168.0.0/16 Direct Connect internet gateway.
Gateway / VPN
Workload subnet TGW Firewall endpoint
10.2.1.0/24 association 0.0.0.0/0 Central Egress VPC Traffic coming from the internet reaches the
4
TGW route table A Central Ingress VPC. In this example, an
AWS Transit Gateway Application Load Balancer sends the request to
TGW Destination Target
AWS Region B association
Central Egress VPC (10.10.0.0/16) the target group of configured IP addresses
B
EC2 instance 10.10.0.0/16 local through the Transit Gateway.
Central Ingress VPC (10.11.0.0/16) Availability Zone A
TGW 10.0.0.0/8 tgw-id The traffic is forwarded to the Inspection VPC
Direct association TGW subnet Public subnet
TGW subnet - 10.10.0.0/28
B in accordance to the Pre-inspection route
Connect 10.11.0.0/28 10.11.1.0/24 0.0.0.0/0 nat-id
table in Transit Gateway.
gateway
TGW Transit As with the egress traffic, the Inspection VPC
Internet gateway
association
Target Group Type: IP
Gateway ENI C TGW subnet route table sends all the traffic to
TGW ENI Target: 10.1.0.5 ALB the firewall endpoint. Allowed traffic is
Public subnet – 10.10.1.0/24 Public route table
AWS Direct Connect AWS Site-to-Site VPN TGW route table Public route table D forwarded back to the Transit Gateway and
Destination Target subsequently to the destination VPC (Spoke
5 VPC A).
Destination Target Destination Target
A 10.10.0.0/16 local
10.11.0.0/16 local 10.11.0.0/16 local NAT gateway The Spoke VPC A route table sends the traffic
10.0.0.0/8 tgw-id E to the desired instance - 10.1.1.5.
On-premises – 192.168.0.0/16 10.0.0.0/8 tgw-id 10.0.0.0/8 tgw-id
0.0.0.0/0 Igw-id
0.0.0.0/0 Igw-id
Reviewed for technical accuracy March 16,
3rd,2022
2022 * It is recommended to use Transit Gateway appliance
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture mode in the Inspection VPC Transit Gateway
attachment to maintain flow symmetry.
 Traffic from an instance in Spoke VPC A
1
Combined Inspection with AWS Network Firewall
destined to another instance in Spoke VPC B
(East/West traffic) is routed to the Transit
Gateway.
Use AWS Transit Gateway to centralize the East/West inspection between VPCs, while you have a NAT gateway in the The Transit Gateway route table associated
Inspection VPC for centralized egress and the North/South inspection. 2 with the attachment sends all the traffic
(0.0.0.0/0) to the Inspection VPC.

The Inspection VPC TGW subnet route table

Spoke VPC A route table 3 sends all the traffic to the firewall endpoint.
Internet The allowed traffic is forwarded back to the
Destination Target
TGW ENI.
AWS Transit Gateway IGW
Spoke VPC A (10.1.0.0/16) 10.1.0.0/16 local
As per the Transit Gateway route table
Inspection VPC (100.64.0.0/26)
0.0.0.0/0 tgw-id Pre-Inspection route table 4 associated with the Inspection VPC, the traffic
Availability Zone A is sent to Spoke VPC B.
TGW
CIDR Attachment Availability Zone A E
Workload subnet TGW subnet association
10.1.1.0/24 10.1.0.0/24
Finally, in the TGW subnet route table of the
0.0.0.0/0 Inspection VPC Public subnet 5 Spoke VPC B, the traffic is sent to the
100.64.0.32/28 destination – 10.2.1.10.
1
Post-Inspection route table
Public subnet route table
CIDR Attachment TGW Traffic from an instance in Spoke VPC B
Instance - 10.1.1.5 TGW ENI association
NAT
Destination Target A destined to the internet (North/South traffic) is
10.1.0.0/16 Spoke VPC A gateway routed to the Transit Gateway.
100.64.0.0/16 local
D
Spoke VPC B route table 10.2.0.0/16 Spoke VPC B The Transit Gateway route table associated
Firewall subnet 10.0.0.0/8 vpce-az-a-id
Destination Target 192.168.0.0/ Direct Connect 100.64.0.16/28 B with the attachment sends all the traffic
192.168.0.0/16 vpce-az-a-id (0.0.0.0/0) to the Inspection VPC – same as in
16 Gateway / VPN
Spoke VPC B (10.2.0.0/16) 10.2.0.0/16 local the previous example.
0.0.0.0/0 Igw-id
0.0.0.0/0 tgw-id Firewall The Inspection VPC TGW subnet route table
Availability Zone A Firewall Subnet Route Table
4
endpoint
C
3 C sends all the traffic to the firewall endpoint,
TGW
Workload subnet TGW subnet
association
Destination Target where it is transparently analyzed.
10.2.1.0/24 10.2.0.0/24 TGW subnet
TGW 100.64.0.0/28 100.64.0.0/16 local
5 B Allowed traffic is sent to the NAT gateway as
TGW
association
10.0.0.0/8 tgw-id D per the Firewall subnet route table.
A association
Direct Connect 192.168.0.0/16 tgw-id
Instance - 10.2.1.10 TGW ENI 2 The private IP of the client is translated to the
Gateway
TGW ENI 0.0.0.0/0 nat-id E private IP of the NAT gateway, and in turn,
AWS Site-to-Site VPN translated to the public IP by the internet
TGW Subnet Route Table gateway.
AWS Direct Connect
Destination Target
* It is recommended to use Transit Gateway appliance
100.64.0.0/16 local mode in the Inspection VPC Transit Gateway
attachment to maintain flow symmetry.
0.0.0.0/0 vpce-az-a-id
On-premises –
Reviewed for technical accuracy March 16,
3rd,2022
2022 192.168.0.0/16 If you want to check an example of this architecture in
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture Terraform, check: AWS Hub and Spoke Architecture
with an Inspection VPC.
 Traffic from an instance in Spoke VPC A
1
Multi-Region Inspection with AWS Network Firewall
destined to another instance in Spoke VPC B is
routed to the Transit Gateway in Region A as
per the Spoke VPC A route table.
When using AWS Transit Gateway to centralize your inspection and inter-Region peering between two AWS Regions, it is a
The Transit Gateway (Region A) route table
best practice to inspect the traffic in each AWS Region to avoid asymmetric traffic. 2 associated with the attachment (Pre-inspection
route table) sends all the traffic (0.0.0.0/0) to
the inspection VPC A.
Region A Spoke VPC A route Region B Spoke VPC B route
table table The inspection VPC A TGW subnet route table
Spoke VPC A Destination Target Inspection VPC A Inspection VPC B Destination Target Spoke VPC B
3 sends all the traffic to the firewall endpoint for
(10.1.0.0/16) (100.64.0.0/26)
transparent inspection.
10.1.0.0/16 local (100.64.1.0/26) 10.2.0.0/1 local (10.2.0.0/16)
6
The allowed traffic is forwarded back to the
Availability Zone A
0.0.0.0/0 tgw-id
Availability Zone A Availability Zone A 0.0.0.0/0 tgw-id Availability Zone A
4 TGW ENI.
Firewall subnet RT
Workload subnet Firewall subnet Firewall subnet Firewall subnet RT Workload subnet
10.1.0.0/24 Destination Target 100.64.0.16/28 100.64.1.16/28 10.2.0.0/24 As per the Transit Gateway (Region A) route
100.64.0.0/ local
Destination Target
5 table associated with the Inspection VPC A
100.64.1.0/ local
26
26 10 (Post-inspection route table), the traffic is sent
0.0.0.0/0 tgw-id 7
to Region B via the Transit Gateway peering.
0.0.0.0/0 tgw-id
Amazon EC2 Instance Firewall endpoint Firewall endpoint Amazon EC2 instance
TGW subnet RT As per the Transit Gateway (Region B) route
TGW subnet RT
TGW subnet
Destination Target
TGW subnet 3 TGW subnet TGW subnet 6 table associated with the Transit Gateway
10.1.1.0/28 100.64.0.0/28 100.64.1.0/28 Destination Target
10.2.1.0/28
100.64.0.0/ local
peering (Pre-inspection route table), the traffic
100.64.1.0/ local
26 TGW 26
is sent to the inspection VPC B for inspection.
0.0.0.0/0 vpce-az-a-id ENI
TGW 0.0.0.0/0 vpce-az-a-id
The inspection VPC B TGW subnet route table
TGW ENI 1
4
ENI 9 TGW ENI 7 sends all the traffic to the firewall endpoint for
8
transparent inspection.

TGW TGW 2 TGW 6 TGW

The allowed traffic is forwarded back to the
association association association
Association 8 TGW ENI.
AWS Transit Gateway AWS Transit Gateway
Region A Region B As per the Transit Gateway (Region B) route
Inter-Region
9 table associated with the inspection VPC A
Post-inspection route table TGW peering Postinspection route table (Post-inspection route table), the traffic is sent
Pre-inspection route table Pre-inspection route table
CIDR Attachment CIDR Attachment to Spoke VPC B.
CIDR Attachment CIDR Attachment
5
10.1.0.0/16 Spoke VPC A 10.1.0.0/16 TGW peering Traffic is forwarded to the destination – the
0.0.0.0/0 Inspection VPC 0.0.0.0/0 Inspection VPC 10 Amazon EC2 instance in Spoke VPC B.
10.2.0.0/16 TGW peering 10.2.0.0/16 Spoke VPC B
Peering
association Peering
association

* It is recommended to use Transit Gateway appliance

Reviewed for technical accuracy March 16,
3rd,2022
2022
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture mode in the Inspection VPC Transit Gateway
attachments to maintain flow symmetry.