How do I set up Amazon VPC ingress routing with a stateless network appliance?

I want to implement a network topology where I can set an ingress route on the internet gateway to pass through a security appliance. I still want the destination subnet behind the appliance to have a direct route to the internet gateway. I need the appliance to see only the ingress traffic (requests) and not the other direction. I did some basic testing and found that this topology doesn't work. For example, connections initiated from the subnet behind the appliance can't reach the internet. How do I configure this routing?