Service VPC questions

0

I have the following topology [topology diagram]

I tried to use the firewall in the Service VPC to inspect the traffic between the Server VPC and the Web VPC. I configured a TGW RT with the Server VPC and Web VPC attachments and a default route with the Service VPC as the target. I also configured 2 VPC route tables. The Untrust route table, associated with the TGW and Untrust subnets, has a default route with eth0 as the target. The Trust route table, associated with the Trust subnet, has a default route with the Service VPC as the target. Unfortunately it did not work. I watched the traffic towards eth0 and saw nothing. I have a demo configuration which works. The only difference is the demo one does not have the HOP VPC. Do you think the VPC peering between the HOP VPC and the Service VPC causes the issue?

I did the same topology in Azure and it worked. But Azure does not have TGW.

thanks a lot in advance !!

gongya
asked 2 months ago · 209 views
6 Answers
1
Accepted Answer

Hi,

I think that you want to give a detailed read to this guidance: https://docs.aws.amazon.com/prescriptive-guidance/latest/inline-traffic-inspection-third-party-appliances/vpc-to-vpc-traffic-inspection.html

It details how to do VPC-to-VPC traffic inspection, which you can do to achieve your goal between the Firewall VPC and the VPC(s) in the background.

Best,

Didier

AWS EXPERT
answered 2 months ago
  • Hi Gongya, thanks for accepting my answer. Didier

1

Do you know if your firewall supports the GENEVE protocol? To support this architecture, I suggest you explore using Gateway Load Balancer for VPC-to-VPC inspection in your service VPC. Check this workshop, which also has different examples for different firewall vendors: https://catalog.workshops.aws/gwlb-networking/en-US.

You can use the Reachability Analyzer tool to analyze the route of traffic from Server to Web, and repeat the same to check the traffic route from Web to Server. Ensure they both take a symmetric route for the return, so you can exclude the additional peering as a source of complexity.

Let me know if you have any questions on this architecture.

AWS EXPERT
AmerO
answered 2 months ago
0

I am very new to AWS. I have not used those tools yet. I know my question is hard to describe. I am learning how to use a service VPC for traffic inspection. I will check what you suggested.

I compared the demo and my configuration and could not find any difference except that the demo does not use Hop VPC, instead each device is configured with a public IP for remote access.

thanks so much !!

gongya
answered 2 months ago
0

What does this mean? "Because the appliance VPC attachment has appliance mode turned on"

gongya
answered 2 months ago
0

I figured it out

gongya
answered 2 months ago
0

Very frustrating! The demo does not have Appliance Mode enabled. Our prod does not have Appliance Mode enabled either. The demo has two route tables: the Trust route table has a default route targeting the transit gateway Service VPC attachment, and the Untrust route table has a default route targeting the appliance interface. The transit gateway service route table has both the client and server associations and a default route targeting the service VPC attachment.

The demo works fine.

But I did it the same way in my lab with the same topology and had no luck. No packets are directed to the appliance interface.

gongya
answered 2 months ago
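The route tables described in the question and in the last answer, together with the symmetric-return check AmerO suggests, can be modelled as a small longest-prefix-match simulation. This is an added example, not code from the thread or from AWS; the CIDRs, attachment names and interface names are constructed assumptions, and the AZ-selection rule follows the documented Transit Gateway behaviour (without appliance mode the TGW forwards into the attachment ENI in the packet's source AZ; with appliance mode it pins both directions of a flow to one AZ).

```python
import ipaddress
import zlib

# Constructed topology: none of these values come from the thread.
SERVER_VPC = "10.1.0.0/16"
WEB_VPC = "10.2.0.0/16"
SERVICE_VPC = "10.0.0.0/16"
AZS = ("az-a", "az-b")  # one firewall instance and one TGW attachment ENI per AZ

def lpm(routes, dst):
    """Longest-prefix match over (cidr, target) pairs; None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

# TGW route tables as the question describes them: the inspection RT holds the
# Server and Web attachments and defaults to the Service VPC attachment; the
# egress RT holds the Service VPC attachment and routes back to the spokes.
TGW_RTS = {
    "inspection": {"assoc": {"server-attach", "web-attach"},
                   "routes": [("0.0.0.0/0", "service-attach")]},
    "egress": {"assoc": {"service-attach"},
               "routes": [(SERVER_VPC, "server-attach"), (WEB_VPC, "web-attach")]},
}
SPOKE_CIDR = {"server-attach": SERVER_VPC, "web-attach": WEB_VPC}

# Service VPC subnet route tables: Untrust (TGW attachment subnets) defaults to
# the firewall's eth0, Trust defaults back to the TGW.
SERVICE_VPC_RTS = {
    "untrust": [(SERVICE_VPC, "local"), ("0.0.0.0/0", "fw-eth0")],
    "trust":   [(SERVICE_VPC, "local"), ("0.0.0.0/0", "tgw")],
}

def tgw_rt_for(attachment):
    for rt in TGW_RTS.values():
        if attachment in rt["assoc"]:
            return rt
    raise ValueError(f"no TGW route table associated with {attachment}")

def service_az(src_ip, dst_ip, src_az, appliance_mode):
    """AZ of the Service VPC attachment ENI the TGW forwards into.
    Appliance mode is modelled as a stable hash of the unordered IP pair, so
    request and reply land in the same AZ (same firewall instance)."""
    if not appliance_mode:
        return src_az
    key = str(tuple(sorted((src_ip, dst_ip)))).encode()
    return AZS[zlib.crc32(key) % len(AZS)]

def trace(src_ip, dst_ip, src_az, appliance_mode):
    """Hop list for a packet from one spoke VPC to the other via the Service VPC."""
    src_attach = next(a for a, c in SPOKE_CIDR.items()
                      if ipaddress.ip_address(src_ip) in ipaddress.ip_network(c))
    path = [src_attach]
    nh = lpm(tgw_rt_for(src_attach)["routes"], dst_ip)
    if nh != "service-attach":
        return path + [f"unexpected TGW target {nh}"]
    az = service_az(src_ip, dst_ip, src_az, appliance_mode)
    path.append(f"service-attach@{az}")
    nh = lpm(SERVICE_VPC_RTS["untrust"], dst_ip)     # expect fw-eth0
    path.append(f"{nh}@{az}")
    if nh != "fw-eth0":
        return path                                  # traffic bypasses the firewall
    nh = lpm(SERVICE_VPC_RTS["trust"], dst_ip)       # firewall forwards out the trust side
    path.append(f"{nh}@{az}")
    path.append(lpm(tgw_rt_for("service-attach")["routes"], dst_ip))
    return path

def inspected_at(path):
    """Set of firewall interfaces the path traversed."""
    return {hop for hop in path if hop.startswith("fw-eth0@")}

def flow_is_symmetric(client_ip, client_az, server_ip, server_az, appliance_mode):
    """True when request and reply cross the same firewall instance."""
    fwd = trace(client_ip, server_ip, client_az, appliance_mode)
    rev = trace(server_ip, client_ip, server_az, appliance_mode)
    return bool(inspected_at(fwd)) and inspected_at(fwd) == inspected_at(rev)

if __name__ == "__main__":
    print(trace("10.1.0.10", "10.2.0.20", "az-a", appliance_mode=False))
    for mode in (False, True):
        print("appliance mode", mode, "symmetric:",
              flow_is_symmetric("10.1.0.10", "az-a", "10.2.0.20", "az-b", mode))
```

With a single-AZ lab (both spokes in the same AZ as the firewall) the model reports a symmetric path either way, which matches the demo working without appliance mode; once the two spokes sit in different AZs, the return packet reaches a different firewall instance unless appliance mode pins the flow, which is the case to rule out with Reachability Analyzer in both directions.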
