Service VPC questions

0

I have the following topology: [image]

I tried to use the firewall in Service VPC to inspect the traffic between Server VPC and Web VPC. I configured a TGW RT with Server VPC and Web VPC attachments and a default route with Service VPC as the target. I also configured 2 VPC route tables: the Untrust route table, associated with the TGW and Untrust subnets, has a default route with eth0 as the target; the Trust route table, associated with the Trust subnet, has a default route with Service VPC as the target. Unfortunately it did not work. I watched the traffic towards eth0 and saw nothing. I have a demo configuration which works. The only difference is the demo one does not have HOP VPC. Do you think the VPC peering between HOP VPC and Service VPC causes the issue?

I did the same topology in Azure and it worked. But Azure does not have TGW.

Thanks a lot in advance!!

Asked 3 months ago, 234 views
6 answers
1
Accepted answer

Hi,

I think that you want to give a detailed read to this guidance: https://docs.aws.amazon.com/prescriptive-guidance/latest/inline-traffic-inspection-third-party-appliances/vpc-to-vpc-traffic-inspection.html

It details how to do VPC-to-VPC traffic inspection, which you can do to achieve your goal between the Firewall VPC and the VPC(s) in the background.

Best,

Didier

AWS Expert, answered 3 months ago
Expert, reviewed 3 months ago
Expert, reviewed 3 months ago
  • Hi Gongya, thanks for accepting my answer. Didier

1

Do you know if your firewall supports the GENEVE protocol? To support this architecture, I suggest you explore using Gateway Load Balancer for VPC-to-VPC inspection in your service VPC. Check this workshop, which also has different examples for different firewall vendors: https://catalog.workshops.aws/gwlb-networking/en-US.

You can use the Reachability Analyzer tool to analyze the route of traffic from Server to Web, and repeat the same to check the traffic route from Web to Server. Ensure they both take a symmetric route for the return, so you exclude the additional peering from causing any complexity.

Let me know if you have any questions on this architecture.

AWS Expert, answered 3 months ago
Expert, reviewed 3 months ago
Expert, reviewed 3 months ago
0

I am very new to AWS. I have not used those tools yet. I know my question is hard to describe. I am learning how to use a service VPC for traffic inspection. I will check what you suggested.

I compared the demo and my configuration and could not find any difference except that the demo does not use Hop VPC, instead each device is configured with a public IP for remote access.

Thanks so much!!

Answered 3 months ago
0

What does this mean? "Because the appliance VPC attachment has appliance mode turned on"

Answered 3 months ago
0

I figured it out.

Answered 3 months ago
0

Very frustrating! The demo does not have Appliance Mode enabled. Our prod does not have Appliance Mode enabled either. The demo has two route tables:

  • Trust route table: a default route targeting the transit gateway Service VPC attachment
  • Untrust route table: a default route targeting the appliance interface

The transit gateway service route table has both the client and server associations and a default route targeting the Service VPC attachment.

The demo works fine.

But I did it the same way in my lab with the same topology and had no luck. No packets are directed to the appliance interface.

Answered 3 months ago
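The route-table layout the last post describes (Trust table defaulting to the TGW attachment, Untrust table defaulting to the appliance interface, TGW service table associated with both spokes and defaulting to the Service VPC attachment) and the symmetric-path check suggested in the second answer can be reasoned about offline. The following Python model is an added example, not code from the thread or from AWS: it does longest-prefix-match lookups over constructed route tables, traces a packet Server to Web and the return Web to Server hop by hop, and confirms that both directions are delivered and both cross the firewall node. All CIDRs, node names and IP addresses are constructed assumptions; the model is single-AZ, so the cross-AZ flow pinning that Appliance Mode addresses is outside its scope. A second, deliberately mis-associated attachment-subnet table shows how the same trace surfaces a forwarding loop instead of a delivered path.

```python
"""Offline model of hub-and-spoke inspection routing through a Service VPC.

Constructed example (not AWS code). Node names and CIDRs are assumptions:
  server-vpc / web-vpc   : spoke VPC subnets
  tgw:spoke              : TGW route table associated with the spoke attachments
  svc-attach-subnet      : Service VPC subnet holding the TGW attachment ENIs
  fw                     : the appliance (traffic enters on eth0, leaves on trust)
  svc-trust-subnet       : Service VPC trust subnet
  tgw:service            : TGW route table associated with the Service VPC attachment
"""
from ipaddress import ip_address, ip_network

SERVER_VPC, WEB_VPC, SERVICE_VPC = "10.1.0.0/16", "10.2.0.0/16", "10.0.0.0/16"


def lpm(table, dst):
    """Longest-prefix match over [(cidr, next_hop), ...]; None if nothing matches."""
    best = None
    for cidr, nxt in table:
        net = ip_network(cidr)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nxt)
    return best[1] if best else None


def build_topology(attach_subnet_rt=None):
    """Return node -> route table. attach_subnet_rt overrides the table used by
    the TGW attachment subnet (default: the Untrust table from the thread)."""
    untrust_rt = [(SERVICE_VPC, "local"), ("0.0.0.0/0", "fw")]            # default -> eth0
    trust_rt = [(SERVICE_VPC, "local"), ("0.0.0.0/0", "tgw:service")]     # default -> TGW
    return {
        "server-vpc": [(SERVER_VPC, "local"), ("0.0.0.0/0", "tgw:spoke")],
        "web-vpc": [(WEB_VPC, "local"), ("0.0.0.0/0", "tgw:spoke")],
        # spoke-associated TGW table: default route to the Service VPC attachment
        "tgw:spoke": [("0.0.0.0/0", "svc-attach-subnet")],
        "svc-attach-subnet": attach_subnet_rt or untrust_rt,
        # the appliance forwards inspected packets out of its trust interface
        "fw": [("0.0.0.0/0", "svc-trust-subnet")],
        "svc-trust-subnet": trust_rt,
        # service-associated TGW table: propagated spoke CIDRs back to the spokes
        "tgw:service": [(SERVER_VPC, "server-vpc"), (WEB_VPC, "web-vpc")],
    }


def trace(src_node, dst, topo, max_hops=16):
    """Follow a packet from src_node toward dst. Returns (path, status) where
    status is 'delivered', 'blackhole' (no route) or 'loop' (node revisited)."""
    path, node = [src_node], src_node
    for _ in range(max_hops):
        nxt = lpm(topo[node], dst)
        if nxt is None:
            return path, "blackhole"
        if nxt == "local":
            return path, "delivered"
        path.append(nxt)
        if path.count(nxt) > 1:
            return path, "loop"
        node = nxt
    return path, "loop"


def inspected_both_ways(topo, a_node, a_ip, b_node, b_ip):
    """True only if a->b and b->a are both delivered and both traverse the firewall,
    i.e. the appliance sees the full flow (the symmetry check from the thread)."""
    fwd, s_fwd = trace(a_node, b_ip, topo)
    rev, s_rev = trace(b_node, a_ip, topo)
    return s_fwd == s_rev == "delivered" and "fw" in fwd and "fw" in rev


if __name__ == "__main__":
    good = build_topology()
    print(trace("server-vpc", "10.2.20.7", good))
    print("inspected both ways:", inspected_both_ways(good, "server-vpc", "10.1.10.5", "web-vpc", "10.2.20.7"))
    # constructed misconfiguration: attachment subnet sends non-local traffic straight back to the TGW
    bad = build_topology([(SERVICE_VPC, "local"), ("0.0.0.0/0", "tgw:spoke")])
    print(trace("server-vpc", "10.2.20.7", bad))
```

Running the module prints the forward path through `fw` for the working layout and a `loop` verdict for the mis-associated one; the same `trace` call with the return addresses swapped is what `inspected_both_ways` uses to confirm the firewall sees both halves of the conversation.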
