Service VPC questions

0

I have the following topology: [image: topology diagram, not reproduced here]

I tried to use the firewall in Service VPC to inspect the traffic between Server VPC and Web VPC. I configured a TGW RT with Server VPC and Web VPC attachments and a default route with Service VPC as the target. Also I configured 2 VPC route tables. The Untrust route table, associated with the TGW and Untrust subnets, has a default route with eth0 as the target. The Trust route table, associated with the Trust subnet, has a default route with Service VPC as the target. Unfortunately it did not work. I watched the traffic towards eth0 and saw nothing. I have a demo configuration which works. The only difference is the demo one does not have HOP VPC. Do you think the VPC peering between HOP VPC and Service VPC causes the issue?

I did the same topology in Azure and it worked. But Azure does not have TGW.

Thanks a lot in advance!!

asked 3 months ago, 231 views
6 Answers
1
Accepted answer

Hi,

I think that you want to give a detailed read to this guidance: https://docs.aws.amazon.com/prescriptive-guidance/latest/inline-traffic-inspection-third-party-appliances/vpc-to-vpc-traffic-inspection.html

It details how to do VPC-to-VPC traffic inspection, which you can do to achieve your goal between the Firewall VPC and the VPC(s) in the background.

Best,

Didier

AWS EXPERT, answered 3 months ago
  • Hi Gongya, thanks for accepting my answer. Didier

1

Do you know if your Firewall supports GENEVE protocol? To support this architecture, I suggest you to explore using Gateway Load Balancer for VPC-to-VPC inspection in your service VPC. Check this workshop which has also different examples for different Firewall vendors: https://catalog.workshops.aws/gwlb-networking/en-US.

You can use the tool reachability analyzer to analyze the route of traffic from Server to Web, also repeat the same to check the traffic route from Web to Server. Ensure they both take symmetric route for return so you exclude the additional peering from causing any complexity.

Let me know if you have any questions on this architecture.

AWS EXPERT, answered 3 months ago
0

I am very new to AWS. I have not used those tools yet. I know my question is hard to describe. I am learning how to use a service VPC for traffic inspection. I will check what you suggested.

I compared the demo and my configuration and could not find any difference except that the demo does not use Hop VPC, instead each device is configured with a public IP for remote access.

Thanks so much!!

answered 3 months ago
0

What does this mean? "Because the appliance VPC attachment has appliance mode turned on"

answered 3 months ago
0

I figured it out.

answered 3 months ago
0

Very frustrating! The demo does not have Appliance Mode enabled. Our prod does not have Appliance Mode enabled either. The demo has two route tables: the Trust route table has a default route targeting the transit gateway Service VPC attachment, and the Untrust route table has a default route targeting the Appliance interface. The transit gateway service route table has both the client and server associations and a default route targeting the Service VPC attachment.

The demo works fine.

But I did the same way in my lab with same topology and no luck. No packets are directed to Appliance interface.

answered 3 months ago
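The route-table layout described in the question and in the last reply (spoke VPCs send everything to the TGW, the TGW's spoke route table sends everything to the Service VPC attachment, the untrust subnet's default route points at the firewall interface, the trust subnet's default route points back at the TGW, and the TGW's service route table returns traffic to the spokes) can be modelled offline to check two things the second answer asks for: that both directions of a flow actually pass the firewall interface, and that both directions land in the same Availability Zone of the appliance, which is what TGW appliance mode provides. The following is an added example written for this thread, not code from the original post, from AWS, or from any firewall vendor. All CIDRs, attachment names, ENI names and AZ names are constructed, and the AZ-selection behaviour is a simplified model of the TGW rule (same AZ as the source without appliance mode, one hashed AZ per flow with it).

```python
"""Offline model of the TGW centralized-inspection route tables from the thread.
Added example; every identifier below is constructed for illustration."""
import hashlib
import ipaddress

# Constructed addressing (assumptions, not from the original post).
SERVER_CIDR, WEB_CIDR, SERVICE_CIDR = "10.1.0.0/16", "10.2.0.0/16", "10.0.0.0/16"
SERVER_IP, WEB_IP = "10.1.0.10", "10.2.0.10"
FW_ENI = "eni-fw-eth0"      # firewall untrust interface (the OP's eth0)
AZS = ["az-a", "az-b"]      # AZs in which the Service VPC attachment has subnets


def lookup(table, dst):
    """Longest-prefix match, as VPC and TGW route tables evaluate routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def build_tables(untrust_default=FW_ENI):
    """Route tables for the layout. `untrust_default` is the target of the untrust
    subnet's default route: the firewall ENI (correct) or "tgw" (firewall bypassed)."""
    return {
        # VPC subnet route tables
        "server-vpc": {SERVER_CIDR: "local", "0.0.0.0/0": "tgw"},
        "web-vpc": {WEB_CIDR: "local", "0.0.0.0/0": "tgw"},
        "untrust-subnet": {SERVICE_CIDR: "local", "0.0.0.0/0": untrust_default},
        "trust-subnet": {SERVICE_CIDR: "local", "0.0.0.0/0": "tgw"},
        # TGW route tables: spoke attachments vs. the Service VPC attachment
        "tgw-spoke-rt": {"0.0.0.0/0": "attach-service"},
        "tgw-service-rt": {SERVER_CIDR: "attach-server", WEB_CIDR: "attach-web"},
    }


# TGW route table consulted for traffic that enters the TGW from each subnet,
# and the subnet route table a packet lands in when sent to each attachment.
TGW_ASSOC = {"server-vpc": "tgw-spoke-rt", "web-vpc": "tgw-spoke-rt",
             "untrust-subnet": "tgw-service-rt", "trust-subnet": "tgw-service-rt"}
ATTACH_TO_TABLE = {"attach-server": "server-vpc", "attach-web": "web-vpc",
                   "attach-service": "untrust-subnet"}


def trace(tables, src_table, dst_ip, max_hops=12):
    """Walk a packet hop by hop; returns the route tables / interfaces it crossed.
    A trailing 'BLACKHOLE' or 'LOOP' marks a failed trace."""
    hops, table = [src_table], src_table
    while len(hops) < max_hops:
        target = lookup(tables[table], dst_ip)
        if target is None:
            return hops + ["BLACKHOLE"]
        if target == "local":
            return hops                       # delivered inside this VPC
        if target == FW_ENI:
            hops.append(FW_ENI)
            nxt = "trust-subnet"              # firewall forwards out its trust side
        elif target == "tgw":
            tgw_rt = TGW_ASSOC[table]
            hops.append(tgw_rt)
            attach = lookup(tables[tgw_rt], dst_ip)
            if attach is None:
                return hops + ["BLACKHOLE"]
            nxt = ATTACH_TO_TABLE[attach]
        else:
            raise ValueError(f"unknown route target {target}")
        if nxt in hops:
            return hops + ["LOOP"]
        hops.append(nxt)
        table = nxt
    return hops + ["LOOP"]


def inspection_az(src_ip, dst_ip, src_port, dst_port, entry_az, appliance_mode):
    """AZ of the Service VPC attachment the TGW hands the packet to. Without
    appliance mode the TGW stays in the AZ the packet came from; with it, one AZ
    is chosen per flow from a direction-independent flow hash."""
    if not appliance_mode:
        return entry_az
    key = "|".join(sorted([f"{src_ip}:{src_port}", f"{dst_ip}:{dst_port}"]))
    return AZS[hashlib.sha256(key.encode()).digest()[0] % len(AZS)]


def symmetric_inspection(tables, server_az, web_az, appliance_mode):
    """True only if both directions cross the firewall ENI in the same AZ."""
    fwd = trace(tables, "server-vpc", WEB_IP)
    rev = trace(tables, "web-vpc", SERVER_IP)
    if FW_ENI not in fwd or FW_ENI not in rev:
        return False
    az_f = inspection_az(SERVER_IP, WEB_IP, 40000, 443, server_az, appliance_mode)
    az_r = inspection_az(WEB_IP, SERVER_IP, 443, 40000, web_az, appliance_mode)
    return az_f == az_r


if __name__ == "__main__":
    good, bypass = build_tables(), build_tables(untrust_default="tgw")
    print("server -> web:", " -> ".join(trace(good, "server-vpc", WEB_IP)))
    print("bypass:       ", " -> ".join(trace(bypass, "server-vpc", WEB_IP)))
    for mode in (False, True):
        print(f"appliance_mode={mode}, multi-AZ symmetric:",
              symmetric_inspection(good, "az-a", "az-b", mode))
```

With the untrust default route pointing at the TGW instead of the firewall ENI the trace never touches eth0, which matches the symptom of seeing no packets on that interface; with the tables as in the working demo both traces cross the ENI, and a single-AZ deployment stays symmetric even without appliance mode, whereas a multi-AZ one only does so with it.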
