More information on the architecture can help in troubleshooting the issue.
To help troubleshoot this issue, try using Reachability Analyzer. Set the source ENI to the source of the ICMP traffic. To understand the return path, repeat the same check but use the destination IP of your ICMP traffic as your source to check the return traffic. If you are using Gateway Load Balancer and routing works correctly, the path will show you the GWLB endpoints but will bypass the firewall appliances.
Make sure your TGW is not crossing AZs when forwarding traffic to your firewall appliances by enabling appliance mode for flow symmetry: https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/
Are you using a third-party vendor or AWS Network Firewall? Is this a new setup? If so, we have common configurations for some third-party vendors in this workshop: https://catalog.workshops.aws/gwlb-networking/en-US
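The steps in the answer above, written out as the AWS CLI calls they correspond to. This is an added example, not code from the answer or from AWS: it builds a forward Reachability Analyzer path from the source ENI to the destination IP, the mirror-image return path, and the appliance-mode change on the TGW attachment that keeps both directions of a flow in one AZ. All resource IDs are constructed placeholders. Two assumptions are baked in: Reachability Analyzer only models tcp or udp, so the ICMP flow is approximated with tcp, and the return check requires that you know the ENI on the destination side. By default the functions only print the commands (DRY_RUN=1); set DRY_RUN=0 with valid credentials to execute them.

```shell
#!/bin/sh
# Added example (not from the re:Post answer). Resource IDs are constructed placeholders.
# DRY_RUN=1 (default) prints each aws command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Forward path: source ENI -> destination IP.
# Assumption: Reachability Analyzer accepts only tcp or udp, so ICMP is modelled as tcp.
create_path() {
  src_eni="$1"; dst_ip="$2"; proto="${3:-tcp}"
  run aws ec2 create-network-insights-path \
      --source "$src_eni" --destination-ip "$dst_ip" --protocol "$proto" \
      --query 'NetworkInsightsPath.NetworkInsightsPathId' --output text
}

# Run the analysis for a path id returned by create_path.
start_analysis() {
  run aws ec2 start-network-insights-analysis \
      --network-insights-path-id "$1" \
      --query 'NetworkInsightsAnalysis.NetworkInsightsAnalysisId' --output text
}

# Show whether a path was found and the explanations when it was not.
# If NetworkPathFound is true yet the hops skip the firewall ENIs, routing
# reaches the GWLB endpoints but bypasses the appliances, as the answer notes.
show_result() {
  run aws ec2 describe-network-insights-analyses \
      --network-insights-analysis-ids "$1" \
      --query 'NetworkInsightsAnalyses[0].[Status,NetworkPathFound,Explanations]' \
      --output json
}

# Both directions: the return path swaps the roles. Assumption: the ENI on the
# destination side is known; the original source IP becomes the destination.
check_both_directions() {
  src_eni="$1"; src_ip="$2"; dst_eni="$3"; dst_ip="$4"
  fwd=$(create_path "$src_eni" "$dst_ip")
  ret=$(create_path "$dst_eni" "$src_ip")
  printf '%s\n%s\n' "$fwd" "$ret"
}

# Flow symmetry: enable appliance mode on the TGW attachment of the inspection VPC
# so the return leg is sent to the same AZ (and firewall) as the forward leg.
enable_appliance_mode() {
  run aws ec2 modify-transit-gateway-vpc-attachment \
      --transit-gateway-attachment-id "$1" \
      --options ApplianceModeSupport=enable
}

# Walk-through with constructed IDs. With DRY_RUN=0 the ids printed by
# create_path feed start_analysis and then show_result.
main() {
  check_both_directions eni-0aaa111 10.0.1.10 eni-0bbb222 10.1.2.20
  enable_appliance_mode tgw-attach-0ccc333
}

main
```

Run the two create_path calls, start an analysis for each id, and compare the hop lists: the forward and return analyses should both traverse the GWLB endpoint and the firewall ENI in the same AZ. If the return analysis lands in a different AZ, the attachment still needs appliance mode.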