How to set transit gateway as Target for the default route “local” route for for inter-subnet (east-west) inspection through firewall deployed in separate networking account

Question

Dear All,

We have different workload accounts and centralize networking account where we have deployed AWS network firewall for inter-subnet (east-west) traffic inspection. We would like to have the centralize firewall for east-west traffic for all accounts and each subnet within VPC should go to transit gateway and then to firewall (inspection of east-west) deployed in networking  account.

Kindly guide how to route the default local route (like 10.0.0.0/16) to transit gateway. Is it supported?

I have tried to set the transit gateway eni (network interface) as a target for default route

Answer

You can not route traffic between different subnets of a single VPC via TGW and inspection VPC.

For your use-case you can use the VPC MSR (more specific routing) feature to steer the traffic via ANFW, see the below blog (see the pattern: "AWS Network Firewall is deployed to protect traffic between two different subnets in the same VPC.")

https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall-with-vpc-routing-enhancements/

Answer

Hi Tushar,

Thank you for responding. I have reviewed the articles, and they focus on east-west traffic inspection between VPCs. However, in our scenario, we intend to route different subnets of a single VPC through the firewall. The firewall is deployed in the network account and connected via a transit gateway.

Answer

Hi,

So to route  the traffic between different subnets of a single VPC, a AWS network firewall in each VPC needs to deploy?

We can not have a centralized AWS network firewall for traffic inspection of subnets in same VPC.

How to set transit gateway as Target for the default route “local” route for for inter-subnet (east-west) inspection through firewall deployed in separate networking account

Relevant content