How do I send traffic between my transit gateway VPC attachments using a firewall instance?

Last updated: 2021-01-08

I need to configure communication between my virtual private clouds (VPCs) in Amazon Virtual Private Cloud (Amazon VPC). Traffic between VPC-A and VPC-C must be routed to a firewall instance in VPC B for traffic inspection. Then, traffic must be sent to the destination VPC using transit gateway. How can I do this?

Resolution

  1. Create a transit gateway.
    Important: Disable the default association route table and propagation route table setting when creating your transit gateway. A default route table is created after the transit gateway is available.
  2. Attach your VPCs to your transit gateway.
    Important: While creating the transit gateway VPC attachment for the VPC that has the firewall instance (VPC B in this case), don't choose the same subnet as the firewall instance.
  3. Create a new transit gateway route table.
  4. Create associations as follows:
    In the default transit gateway route table, associate the transit gateway VPC attachments of the VPCs that must communicate with each other.
    In the new transit gateway route table that you created in step 3, associate the transit gateway VPC attachment of the VPC that has the firewall instance.
  5. Create propagations. In the transit gateway route table, enable propagation for the source and destination VPC attachments that must communicate with each other.
  6. Create static routes on the transit gateway route table. In the default transit gateway route table, create static routes for the source VPC CIDR and destination VPC CIDR. Set the target as the firewall VPC transit gateway attachment ID.
  7. Add a route in the VPC route tables. In the appropriate VPC subnet route tables, add a route for the destination VPC with the target set as the transit gateway ID.
  8. In the firewall VPC (in this case, VPC-B), confirm that different route tables are used for the following:
    The firewall Amazon Elastic Compute Cloud (Amazon EC2) subnet, and
    The subnets associated with the VPC-B transit gateway VPC attachment
  9. In the firewall Amazon EC2 subnet route table, add routes for the source and destination VPC CIDR blocks. Set the target as the transit gateway ID.
  10. In the VPC route tables of the firewall VPC subnets associated with the transit gateway VPC attachment, add routes for the source and destination VPC CIDR blocks. Set the target as the firewall instance ENI.
  11. Confirm that the security groups and network access control lists (ACLs) in the VPCs are configured to allow connectivity between the source and destination IP addresses.

Did this article help?


Do you need billing or technical support?