Hi,
I think that you want to give a detailed read to this guidance: https://docs.aws.amazon.com/prescriptive-guidance/latest/inline-traffic-inspection-third-party-appliances/vpc-to-vpc-traffic-inspection.html
It details how to do VPC-to-VPC traffic inspection, which you can do to achieve your goal between the Firewall VPC and the VPC(s) in the background.
Best,
Didier
Do you know if your Firewall supports the GENEVE protocol? To support this architecture, I suggest you explore using Gateway Load Balancer for VPC-to-VPC inspection in your service VPC. Check this workshop, which also has different examples for different Firewall vendors: https://catalog.workshops.aws/gwlb-networking/en-US.
You can use the Reachability Analyzer tool to analyze the route of traffic from Server to Web, and then repeat the same to check the traffic route from Web to Server. Ensure they both take a symmetric route for the return, so you exclude the additional peering from causing any complexity.
Let me know if you have any questions on this architecture.
I am very new to AWS. I have not used those tools yet. I know my question is hard to describe. I am learning how to use a service VPC for traffic inspection. I will check what you suggested.
I compared the demo and my configuration and could not find any difference except that the demo does not use Hop VPC, instead each device is configured with a public IP for remote access.
Thanks so much!!
What does this mean? "Because the appliance VPC attachment has appliance mode turned on"
Very frustrating! The demo does not have Appliance Mode enabled. Our prod does not have Appliance Mode enabled either. The demo has two route tables: the Trust route table has a default route targeting the transit gateway Service VPC attachment, and the Untrust route table has a default route targeting the Appliance interface. The Transit Gateway service route table has both client and server associations and a default route targeting the service VPC attachment.
The demo works fine.
But I did the same way in my lab with same topology and no luck. No packets are directed to Appliance interface.
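The route-table walk described above (Trust and Untrust tables in the service VPC, a Transit Gateway route table shared by the client and server attachments) and the symmetric-path check suggested earlier can be modelled offline before touching Reachability Analyzer. The script below is an added example and not part of this thread or any AWS tool: it builds a constructed topology that mirrors the demo as the poster describes it, traces a packet in each direction with longest-prefix-match lookups, and flags the two failure modes that matter for inline inspection, traffic that never reaches the appliance interface and forward/return paths that differ. Hop names (`svc-untrust-subnet`, `tgw-service-vpc-rt`, and so on), the CIDRs, and the return-path Transit Gateway route table are assumptions chosen for illustration, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass

LOCAL = "local"  # route target meaning "deliver inside this hop"


@dataclass
class Hop:
    """One routing decision point: a VPC subnet route table, a TGW route table, or the appliance."""
    name: str
    routes: list  # [(cidr, target_hop_name | LOCAL), ...]

    def next_hop(self, dst: ipaddress.IPv4Address):
        # Longest-prefix match, the same rule VPC and TGW route tables apply.
        best, best_len = None, -1
        for cidr, target in self.routes:
            net = ipaddress.ip_network(cidr)
            if dst in net and net.prefixlen > best_len:
                best, best_len = target, net.prefixlen
        return best


def trace(hops: dict, start: str, dst_ip: str, max_hops: int = 16):
    """Follow routes from `start` toward dst_ip; returns (path, status)."""
    dst = ipaddress.ip_address(dst_ip)
    path, cur = [start], start
    for _ in range(max_hops):
        target = hops[cur].next_hop(dst)
        if target is None:
            return path, "blackhole"      # no matching route at this hop
        if target == LOCAL:
            return path, "delivered"      # destination lives in this hop
        if target in path:
            return path + [target], "loop"  # route tables point at each other
        path.append(target)
        cur = target
    return path, "too-long"


def check_inspection(hops, client_hop, client_ip, server_hop, server_ip, appliance="appliance"):
    """Both directions must be delivered, pass the appliance, and use the same middle hops."""
    fwd, fwd_status = trace(hops, client_hop, server_ip)
    rev, rev_status = trace(hops, server_hop, client_ip)
    return {
        "forward": fwd, "forward_status": fwd_status,
        "reverse": rev, "reverse_status": rev_status,
        "inspected": fwd_status == rev_status == "delivered"
                     and appliance in fwd and appliance in rev,
        "symmetric": fwd[1:-1] == rev[1:-1],
    }


def demo_topology():
    """Constructed model of the working demo as described in the thread (CIDRs are assumptions)."""
    return {
        "client-vpc": Hop("client-vpc", [("10.1.0.0/16", LOCAL), ("0.0.0.0/0", "tgw-service-rt")]),
        "server-vpc": Hop("server-vpc", [("10.2.0.0/16", LOCAL), ("0.0.0.0/0", "tgw-service-rt")]),
        # TGW service route table: client + server associated, default -> service VPC attachment
        "tgw-service-rt": Hop("tgw-service-rt", [("0.0.0.0/0", "svc-untrust-subnet")]),
        # Untrust route table: default -> appliance interface
        "svc-untrust-subnet": Hop("svc-untrust-subnet", [("10.0.0.0/16", LOCAL), ("0.0.0.0/0", "appliance")]),
        "appliance": Hop("appliance", [("0.0.0.0/0", "svc-trust-subnet")]),
        # Trust route table: default -> TGW service VPC attachment
        "svc-trust-subnet": Hop("svc-trust-subnet", [("10.0.0.0/16", LOCAL), ("0.0.0.0/0", "tgw-service-vpc-rt")]),
        # Assumed TGW route table for the service VPC attachment, returning traffic to the spokes
        "tgw-service-vpc-rt": Hop("tgw-service-vpc-rt", [("10.1.0.0/16", "client-vpc"), ("10.2.0.0/16", "server-vpc")]),
    }


def bypass_topology():
    """Same topology, but the Untrust table sends traffic straight back to the TGW: appliance skipped."""
    hops = demo_topology()
    hops["svc-untrust-subnet"] = Hop("svc-untrust-subnet",
                                     [("10.0.0.0/16", LOCAL), ("0.0.0.0/0", "tgw-service-vpc-rt")])
    return hops


if __name__ == "__main__":
    for label, topo in (("demo", demo_topology()), ("bypass", bypass_topology())):
        result = check_inspection(topo, "client-vpc", "10.1.0.10", "server-vpc", "10.2.0.10")
        print(label, "inspected" if result["inspected"] else "NOT inspected",
              "symmetric" if result["symmetric"] else "asymmetric")
        print("  forward:", " -> ".join(result["forward"]), result["forward_status"])
        print("  reverse:", " -> ".join(result["reverse"]), result["reverse_status"])
```

Swap the constructed route lists for the ones exported from your own account (the `describe-route-tables` and `search-transit-gateway-routes` outputs map directly onto the `(cidr, target)` pairs) and the same checks apply: a path without the `appliance` hop is exactly the "no packets directed to the appliance interface" symptom, and differing middle hops between the two directions is the asymmetry the earlier answer warns about.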
Hi Gongya, thanks for accepting my answer. Didier