Service VPC questions

0

I have the following topology: [image: topology diagram]

I tried to use the firewall in Service VPC to inspect the traffic between Server VPC and Web VPC. I configured a TGW RT with Server VPC and Web VPC attachments and a default route with Service VPC as the target. I also configured 2 VPC route tables. The Untrust route table, associated with the TGW and Untrust subnets, has a default route with eth0 as the target. The Trust route table, associated with the Trust subnet, has a default route with Service VPC as the target. Unfortunately it did not work. I watched the traffic towards eth0 and saw nothing. I have a demo configuration which works. The only difference is the demo one does not have HOP VPC. Do you think the VPC peering between HOP VPC and Service VPC causes the issue?

I did the same topology in Azure and it worked. But Azure does not have TGW.

Thanks a lot in advance!!

Asked 3 months ago, viewed 234 times
6 answers
1
Accepted answer

Hi,

I think that you want to give a detailed read to this guidance: https://docs.aws.amazon.com/prescriptive-guidance/latest/inline-traffic-inspection-third-party-appliances/vpc-to-vpc-traffic-inspection.html

It details how to do VPC-to-VPC traffic inspection, which you can do to achieve your goal between the Firewall VPC and the VPC(s) in the background.

Best,

Didier

AWS Expert, answered 3 months ago
Reviewed by two AWS Experts 3 months ago
  • Hi Gongya, thanks for accepting my answer. Didier

1

Do you know if your firewall supports the GENEVE protocol? To support this architecture, I suggest you explore using Gateway Load Balancer for VPC-to-VPC inspection in your service VPC. Check this workshop, which also has different examples for different firewall vendors: https://catalog.workshops.aws/gwlb-networking/en-US.

You can use the Reachability Analyzer tool to analyze the route of traffic from Server to Web, and repeat the same to check the traffic route from Web to Server. Ensure they both take a symmetric route for the return, so you exclude the additional peering from causing any complexity.

Let me know if you have any questions on this architecture.

AWS Expert, answered 3 months ago
Reviewed by two AWS Experts 3 months ago
0

I am very new to AWS. I have not used those tools yet. I know my question is hard to describe. I am learning how to use a service VPC for traffic inspection. I will check what you suggested.

I compared the demo and my configuration and could not find any difference except that the demo does not use Hop VPC, instead each device is configured with a public IP for remote access.

Thanks so much!!

Answered 3 months ago
0

What does this mean? "Because the appliance VPC attachment has appliance mode turned on"

Answered 3 months ago
0

I figured it out.

Answered 3 months ago
0

Very frustrating! The demo does not have Appliance Mode enabled. Our prod does not have Appliance Mode enabled either. The demo has two route tables: the Trust route table has a default route targeting the transit gateway Service VPC attachment, and the Untrust route table has a default route targeting the appliance interface. The transit gateway service route table has both the client and server associations and a default route targeting the Service VPC attachment.

The demo works fine.

But I did it the same way in my lab with the same topology and had no luck. No packets are directed to the appliance interface.

Answered 3 months ago
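The route tables described in the question and in the reply above, as an added example (mine, not code from the thread or from AWS): a small Python model that does longest-prefix matching across the TGW and Service VPC route tables and traces a packet from Server to Web and back, so the expected symmetric path through the appliance interface is visible before you compare it with Reachability Analyzer output. The CIDRs, table names, and the second TGW route table associated with the Service VPC attachment are my assumptions, not values from the thread.

```python
import ipaddress

# Constructed CIDRs (placeholders, not values from the thread).
SERVER_VPC, WEB_VPC, SERVICE_VPC = "10.1.0.0/16", "10.2.0.0/16", "10.0.0.0/16"

# (prefix, target) lists; a table-name target is looked up again, "deliver:<vpc>" ends the trace.
ROUTE_TABLES = {
    # Spoke VPCs send everything off-VPC to the TGW (spoke TGW route table).
    "server-vpc-rt": [(SERVER_VPC, "deliver:server-vpc"), ("0.0.0.0/0", "tgw-spoke-rt")],
    "web-vpc-rt": [(WEB_VPC, "deliver:web-vpc"), ("0.0.0.0/0", "tgw-spoke-rt")],
    # TGW RT for the Server and Web attachments: default to the Service VPC attachment (Untrust subnet).
    "tgw-spoke-rt": [("0.0.0.0/0", "untrust-rt")],
    # Service VPC Untrust RT (TGW + Untrust subnets): default to the appliance eth0.
    "untrust-rt": [(SERVICE_VPC, "deliver:service-vpc"), ("0.0.0.0/0", "appliance-eth0")],
    "appliance-eth0": [("0.0.0.0/0", "trust-rt")],  # inspected, then forwarded out the Trust side
    # Trust RT: default back to the TGW. Assumed: the Service VPC attachment is
    # associated with a second TGW RT (inspection RT) that knows the spoke CIDRs.
    "trust-rt": [(SERVICE_VPC, "deliver:service-vpc"), ("0.0.0.0/0", "tgw-inspection-rt")],
    "tgw-inspection-rt": [(SERVER_VPC, "deliver:server-vpc"), (WEB_VPC, "deliver:web-vpc")],
}

def lookup(table, dst, tables=ROUTE_TABLES):
    """Longest-prefix match of dst in one route table; None if no route matches."""
    best = None
    for prefix, target in tables[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(start_table, dst_ip, tables=ROUTE_TABLES, max_hops=12):
    """Follow route tables hop by hop; raise on a black hole or a routing loop."""
    dst, path, table = ipaddress.ip_address(dst_ip), [], start_table
    while len(path) < max_hops:
        path.append(table)
        target = lookup(table, dst, tables)
        if target is None:
            raise RuntimeError(f"no route for {dst} in {table}")
        if target.startswith("deliver:"):
            return path + [target.split(":", 1)[1]]
        table = target
    raise RuntimeError(f"routing loop after {max_hops} hops: {path}")

def inspected_both_ways(a_rt, a_ip, b_rt, b_ip, tables=ROUTE_TABLES):
    """True when both directions pass through the appliance interface (symmetric path)."""
    fwd, rev = trace(a_rt, b_ip, tables), trace(b_rt, a_ip, tables)
    return "appliance-eth0" in fwd and "appliance-eth0" in rev
```

Changing one default route in a copy of the dict (for example, pointing the Trust RT back at the spoke TGW route table instead of the inspection RT) makes trace() raise on the resulting loop instead of returning a path.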
