Seeking Advice on AWS Direct Connect - Firewall Setup


Hello everyone, I need some advice on our current setup, which is based on a Hub & Spoke architecture in AWS. Our setup involves:

- Utilizing Direct Connect via a transit VIF in the central Network account.
- Sharing the DX connection with multiple spoke VPCs on different AWS accounts within our organization through a Transit Gateway.

We have a security requirement to inspect all the Direct Connect traffic by passing it through a firewall in AWS. Our main idea is to deploy an AWS firewall or a third-party solution like a Palo Alto VM in the Central network account to monitor all inbound and outbound traffic.

I would greatly appreciate your insights and guidance on whether this setup is the best approach. If you can provide any documentation links, best practices, or personal experiences related to this kind of setup, it would be incredibly helpful.

Thank you in advance for your assistance!

2 Answers
Accepted Answer

Funnily enough, I was reviewing that kind of setup today. Please take a look at

The deployment model: 2) North-South: Centralized on-premises egress & ingress via Transit Gateway and Transit VIF/Direct Connect gateway/AWS Site-to-Site VPN seems to be what you are looking for.

This way all traffic from on-prem via DX will use the TGW route table to send all traffic via an inspection VPC. After passing through the AWS or 3rd-party firewall, the traffic is passed back to the TGW to route to the correct VPCs, etc.

answered 6 months ago
reviewed 6 months ago (AWS)
  • Thank you for your response Gary! I will take a look at the link and get back to you in case of any questions. Thanks again.
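As an added illustration (my own code, not from the answer above or from AWS), here is a small Python model of the Transit Gateway route-table design the accepted answer describes: a DX attachment whose route table sends everything to an inspection VPC, and an inspection route table that forwards post-firewall traffic on to the spokes or back to Direct Connect. Attachment IDs and CIDRs are constructed placeholders, and the model assumes only the inspection VPC attachment hands traffic back into the TGW; the audit flags any on-prem/spoke flow that reaches its destination without crossing the firewall.

```python
import ipaddress

# Constructed placeholder attachment IDs and CIDRs (not real AWS identifiers).
DX_ATTACH = "tgw-attach-dx"            # transit VIF / Direct Connect gateway attachment
INSPECT_ATTACH = "tgw-attach-inspect"  # inspection VPC (firewall appliances or GWLB endpoints)
SPOKES = {"tgw-attach-spoke-a": "10.1.0.0/16", "tgw-attach-spoke-b": "10.2.0.0/16"}
ONPREM = "192.168.0.0/16"

def inspection_design():
    """Associations and route tables for the centralized north-south inspection model."""
    assoc = {DX_ATTACH: "rt-dx", INSPECT_ATTACH: "rt-inspect", **{s: "rt-spoke" for s in SPOKES}}
    routes = {
        "rt-dx": {"0.0.0.0/0": INSPECT_ATTACH},      # everything from on-prem goes to the firewall
        "rt-inspect": {c: a for a, c in SPOKES.items()} | {ONPREM: DX_ATTACH},  # post-firewall
        "rt-spoke": {"0.0.0.0/0": INSPECT_ATTACH},   # spokes never reach DX directly
    }
    return assoc, routes

def bypass_misconfiguration():
    """Same design, but a 'shortcut' route in the spoke table skips the firewall toward on-prem."""
    assoc, routes = inspection_design()
    routes["rt-spoke"] = dict(routes["rt-spoke"], **{ONPREM: DX_ATTACH})
    return assoc, routes

def next_hop(table, dst):
    """Longest-prefix match, the way a TGW route table resolves a destination."""
    ip = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(c) for c in table if ip in ipaddress.ip_network(c)]
    return table[str(max(matches, key=lambda n: n.prefixlen))] if matches else None

def trace(assoc, routes, src_attach, dst):
    """Attachments a packet crosses; only the inspection VPC hands traffic back to the TGW."""
    path = [src_attach]
    while len(path) < 5:                       # loop guard
        nxt = next_hop(routes[assoc[path[-1]]], dst)
        if nxt is None:
            return path, "blackhole"
        path.append(nxt)
        if nxt != INSPECT_ATTACH:              # delivered to a VPC or to Direct Connect
            return path, "inspected" if INSPECT_ATTACH in path else "bypass"
    return path, "loop"

def audit(assoc, routes):
    """Every on-prem<->spoke and spoke<->spoke flow that does not traverse the firewall."""
    host = lambda cidr: str(ipaddress.ip_network(cidr)[10])
    flows = [(DX_ATTACH, host(c)) for c in SPOKES.values()]
    flows += [(s, host(ONPREM)) for s in SPOKES]
    flows += [(s, host(c)) for s in SPOKES for a, c in SPOKES.items() if a != s]
    return [(s, d, trace(assoc, routes, s, d)[1]) for s, d in flows
            if trace(assoc, routes, s, d)[1] != "inspected"]
```

Running `audit(*inspection_design())` returns an empty list, while `audit(*bypass_misconfiguration())` lists both spoke-to-on-prem flows as "bypass"; the same walk applies to real route tables exported from an account once the attachment IDs are substituted.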


Are you considering using Gateway Load Balancer in your architecture? This will simplify the architecture and routing design for your inspection VPC.

You can also check this blog which discusses Hybrid Inspection Architecture which can apply to both Gateway Load Balancer and AWS Firewall:

If you are considering deploying gateway load balancer endpoints using Geneve protocol, you can review this Gateway Load Balancer Workshop which deploys Palo Alto in an inspection VPC:

answered 6 months ago (AWS)
  • Thank you for your response Amer! Yes, we are indeed considering using Gateway Load Balancer in our architecture to achieve high availability for the firewall. This approach seems promising in simplifying our routing design. I appreciate the links you provided. The Gateway Load Balancer Workshop deploying Palo Alto in an inspection VPC looks interesting. I'll definitely take a closer look at it to see how it aligns with our requirements. If you have any more insights or tips related to our setup, please feel free to share. Thanks again!
