How do I confirm a route table is using a network firewall, opposed to just showing it's using a vpc endpoint?


I'm writing a custom config rule to determine if there's a network firewall in the VPC. In order to confirm it's being used, I was informed I needed to check the route tables.

There's one issue I'm having. When I make a describe_route_tables call it returns the Routes, and in the routes it has "GatewayId": "vpce-<number>". The vpce-<number> is my network firewall, attached as a VPC endpoint in the route table, indicating that the route is going to my VPC endpoint/network firewall, which is good.

However, it doesn't actually indicate that this is a network firewall. If the config rule checks and confirms there's a network firewall in the VPC, and then goes on to check that the network firewall is being used, this could potentially return a false positive in the case where a Network Firewall is attached to the VPC and there's another endpoint that is NOT a network firewall that also has the prefix vpce.

Is there a way to identify the vpce (network firewall) by the actual ENI, as opposed to the gateway ID? I was thinking I could call describe_vpc_endpoints, return the VPC endpoint ID, and see if that matches the gateway ID. I'm not sure if this is an option.

Are there any solutions anyone has in mind for this problem?

1 Answer

Just realized there's an attribute for "VpcEndpointId" in the describe-vpc-endpoints call.

This may be able to solve my issue. I will test this first.

answered 2 years ago
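Added example, not code from the question or the answer: the route-table check written as pure functions over the boto3 response shapes, so it runs offline on constructed sample data (all IDs are made up). It assumes the set of firewall endpoint IDs is taken from Network Firewall's describe_firewall response (FirewallStatus.SyncStates[az].Attachment.EndpointId), which is the authoritative list of the firewall's vpce- IDs; the answer's describe-vpc-endpoints lookup yields the same IDs to match against a route's GatewayId, and a route that merely targets some vpce- (such as an S3 gateway endpoint) is not counted.

```python
# Added example (not code from the question or the answer): pure functions over the
# boto3 response shapes, run here on constructed sample data; all IDs are made up.

def firewall_endpoint_ids(describe_firewall_response):
    """Endpoint IDs (vpce-...) owned by a Network Firewall. network-firewall
    describe_firewall lists one per AZ at FirewallStatus.SyncStates[az].Attachment."""
    sync_states = describe_firewall_response["FirewallStatus"]["SyncStates"]
    return {s["Attachment"]["EndpointId"] for s in sync_states.values()
            if s.get("Attachment", {}).get("EndpointId")}

def route_table_uses_firewall(route_table, firewall_ids):
    """True only if an ACTIVE route targets a vpce- that is a firewall endpoint.
    A route whose GatewayId merely starts with 'vpce-' (e.g. an S3 gateway
    endpoint, which is also a vpce- target) must not count."""
    return any(r.get("State") == "active" and r.get("GatewayId") in firewall_ids
               for r in route_table.get("Routes", []))

def evaluate_route_tables(describe_route_tables_response, firewall_ids):
    """Map RouteTableId -> COMPLIANT / NON_COMPLIANT, as a custom Config rule would."""
    return {rtb["RouteTableId"]: ("COMPLIANT" if route_table_uses_firewall(rtb, firewall_ids)
                                  else "NON_COMPLIANT")
            for rtb in describe_route_tables_response["RouteTables"]}

# Constructed sample data in the shape of the two API responses.
SAMPLE_FIREWALL = {"FirewallStatus": {"SyncStates": {
    "us-east-1a": {"Attachment": {"SubnetId": "subnet-0aaa", "EndpointId": "vpce-0fw1"}},
}}}
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-protected", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0fw1", "State": "active"}]},
    {"RouteTableId": "rtb-s3-only", "Routes": [  # vpce- target that is NOT the firewall
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-0s3x", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-blackhole", "Routes": [  # firewall route present but not active
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0fw1", "State": "blackhole"}]},
]}

if __name__ == "__main__":
    print(evaluate_route_tables(SAMPLE_ROUTE_TABLES, firewall_endpoint_ids(SAMPLE_FIREWALL)))
```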
