Use of AWS Network Firewall for East West Scanning when using AWS Privatelink

Question

Hi, as the title says. AWS network firewall is in use for east west scanning between AWS accounts. Few services are being exposed from existing accounts to new AWS accounts using Privatelink endpoints. 
Question is, how to get east-west scanning working for accounts using Privatelink connection? Is it even possible.

Accepted Answer

Yes, this is possible. In a single VPC you would route traffic from the "source" subnet to a network Firewall endpoint (which would need to be in a second subnet) to the PrivateLink endpoint (in a third subnet). You need to ensure that the return routes follow the reverse path (PrivateLink->Network Firewall endpoint->original source subnet).

That said: What's the purpose for doing this? If the traffic is encrypted (which it should be as per best practice recommendations) then inspecting the traffic with Network Firewall isn't going to help much unless you're using the [ingress inspection feature](https://aws.amazon.com/about-aws/whats-new/2023/05/aws-network-firewall-ingress-tls-inspection-all-regions/) which assumes that you have the private keys (from the "far end" of the PrivateLink endpoint) - and if you have those then why use Network Firewall at all?

Use of AWS Network Firewall for East West Scanning when using AWS Privatelink

Contenido relevante