Yes, the sequence you've provided appears correct. The traffic flow in this scenario would proceed as follows:
- The request is sent to the AWS Transit Gateway (TGW) from the Dev VPC VM.
- Based on the TGW route table, the traffic is routed to the Firewall (FW) appliance in the inspection VPC for DNS port inspection.
- Once inspected, the request is forwarded to the Prod DNS server in the Prod VPC for DNS resolution.
- The DNS response then returns via the TGW and inspection VPC.
- Finally, the traffic exits through the Internet Gateway to access the requested resource.
This setup allows the firewall to inspect all DNS requests, ensuring DNS resolution occurs securely while maintaining your security policies.
Yes, you should enable appliance mode on the TGW attachment to the inspection VPC. This is necessary to maintain symmetry for east/west traffic flows that cross availability zones. Without appliance mode, such flows would be dropped.
Take a look at section 2 in this blog post for a detailed explanation of appliance mode and the problem that it is intended to solve.
Thanks, I was checking because I am doing egress inspection. And the blog you shared is east-west inspection?
The DNS traffic flow that you described between the Prod VPC and the Dev VPC is east/west traffic. Appliance mode would be needed whenever you are inspecting inter-VPC traffic.
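As an added illustration, not part of this thread or of any AWS tooling, here is a small Python audit that reads the JSON from `aws ec2 describe-transit-gateway-vpc-attachments`, flags any attachment tagged as the inspection VPC whose `ApplianceModeSupport` is not `enable`, and builds the `modify-transit-gateway-vpc-attachment` call that fixes it. The `Role=inspection` tag convention, the attachment IDs and the sample output are assumptions constructed for the example.

```python
import json

# Constructed sample of `describe-transit-gateway-vpc-attachments` output.
# Assumption: IDs, VPCs and tags are placeholders, not values from the thread.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "TransitGatewayVpcAttachments": [
        {"TransitGatewayAttachmentId": "tgw-attach-0inspection0", "VpcId": "vpc-0inspect",
         "State": "available",
         "Options": {"DnsSupport": "enable", "Ipv6Support": "disable", "ApplianceModeSupport": "disable"},
         "Tags": [{"Key": "Name", "Value": "inspection-vpc"}, {"Key": "Role", "Value": "inspection"}]},
        {"TransitGatewayAttachmentId": "tgw-attach-0dev00000000", "VpcId": "vpc-0dev",
         "State": "available",
         "Options": {"DnsSupport": "enable", "Ipv6Support": "disable", "ApplianceModeSupport": "disable"},
         "Tags": [{"Key": "Name", "Value": "dev-vpc"}, {"Key": "Role", "Value": "spoke"}]},
        {"TransitGatewayAttachmentId": "tgw-attach-0prod0000000", "VpcId": "vpc-0prod",
         "State": "available",
         "Options": {"DnsSupport": "enable", "Ipv6Support": "disable", "ApplianceModeSupport": "enable"},
         "Tags": [{"Key": "Name", "Value": "prod-vpc"}, {"Key": "Role", "Value": "spoke"}]},
    ]
})


def _tags(attachment):
    return {t["Key"]: t["Value"] for t in attachment.get("Tags", [])}


def inspection_attachments_without_appliance_mode(describe_json, role_tag=("Role", "inspection")):
    """Return IDs of attachments carrying role_tag whose ApplianceModeSupport is not 'enable'.

    Appliance mode matters on the attachment that fronts the firewall VPC: it keeps both
    directions of a cross-AZ east/west flow on the same AZ so the stateful appliance sees
    the whole conversation instead of dropping the asymmetric half.
    """
    key, value = role_tag
    missing = []
    for att in json.loads(describe_json).get("TransitGatewayVpcAttachments", []):
        if _tags(att).get(key) != value:
            continue
        if att.get("Options", {}).get("ApplianceModeSupport", "disable") != "enable":
            missing.append(att["TransitGatewayAttachmentId"])
    return missing


def enable_appliance_mode_command(attachment_id):
    """Build the AWS CLI argv that turns appliance mode on for one attachment."""
    return ["aws", "ec2", "modify-transit-gateway-vpc-attachment",
            "--transit-gateway-attachment-id", attachment_id,
            "--options", "ApplianceModeSupport=enable"]


if __name__ == "__main__":
    for att_id in inspection_attachments_without_appliance_mode(SAMPLE_DESCRIBE_OUTPUT):
        print(" ".join(enable_appliance_mode_command(att_id)))
```

Against real output, feed the script the JSON from the describe call instead of the constructed sample; the prod and dev spoke attachments are not flagged because appliance mode is only required on the inspection-VPC attachment.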
Do I need appliance mode enabled in this case for the TGW attachment connecting to the Inspection VPC?