Your architecture is a good approach. Customers can enable fully meshed routing to the TGW, and then use the NACLs on the subnet where the ENI lives to limit what can access that VPC, assuming as you say, dedicated subnets for the TGW ENI.
You can also use the other option of adding an intermediate security (also known as inspection or appliance) VPC to inspect traffic.
A third option might be to have a look at what Firewall Manager can do for you, to centrally configure security groups. The only hesitation I have there is that you then end up shifting all your SG configuration centrally, and that in turn may not suit development environments.
Certainly, your suggestion is definitely a manageable one, but I would encourage the customer to be clear about IP CIDR range allocation, and not make life hard for themselves. There are limits to entries in NACLs and you don't want to get to the point where you have to permit/deny many ranges. Ideally, if it's a bank, maybe they could align their ranges with either security level or business unit, and put the high-level control in that way!
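The CIDR-alignment point in the answer above, as an added example that is not part of the original post or of any AWS tooling: a small Python planner that summarises each business unit's per-VPC ranges into as few NACL entries as possible for a dedicated TGW-attachment subnet, renders them as `aws ec2 create-network-acl-entry` calls, and checks the count against the NACL quota. The business-unit allocations, the NACL ID and the rule-number spacing are constructed assumptions; the quota figure (20 rules per NACL per direction, with the default deny at rule 32767 counting toward it) is the VPC default, which can be raised but not removed. Nothing here talks to AWS, so it runs offline.

```python
import ipaddress

# VPC default: 20 rules per network ACL in each direction, and the default
# deny entry (rule 32767, shown as * in the console) counts toward it.
# Adjustable by quota request, but the ceiling stays small.
NACL_RULES_PER_DIRECTION = 20
DEFAULT_DENY_RULE = 32767


def summarise(cidrs):
    """Collapse CIDR strings into the smallest set of covering supernets.

    Contiguous, aligned /24s from one business unit fold into a single
    prefix; ranges handed out ad hoc stay as separate entries.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def plan_nacl_rules(allowed_by_group, start=100, step=100):
    """Build inbound allow rules for the TGW-attachment subnet.

    One allow rule per summarised prefix per group, numbered with gaps so
    rules can be slotted in later, followed by the catch-all deny that AWS
    applies anyway (listed because it consumes a quota slot).
    """
    rules = []
    rule_no = start
    for group, cidrs in allowed_by_group.items():
        for prefix in summarise(cidrs):
            rules.append({"rule": rule_no, "action": "allow", "cidr": prefix, "group": group})
            rule_no += step
    rules.append({"rule": DEFAULT_DENY_RULE, "action": "deny", "cidr": "0.0.0.0/0", "group": "*"})
    return rules


def fits_quota(rules, quota=NACL_RULES_PER_DIRECTION):
    """True when the planned rule set fits in one direction of one NACL."""
    return len(rules) <= quota


def to_cli(nacl_id, rules):
    """Render the explicit rules as AWS CLI calls; the default deny already exists."""
    cmds = []
    for r in rules:
        if r["rule"] == DEFAULT_DENY_RULE:
            continue
        cmds.append(
            f"aws ec2 create-network-acl-entry --network-acl-id {nacl_id} "
            f"--ingress --rule-number {r['rule']} --protocol -1 "
            f"--rule-action {r['action']} --cidr-block {r['cidr']}"
        )
    return cmds


# Constructed sample allocations (assumptions, not from the page).
# Aligned: each business unit draws its VPC /24s from its own block.
ALIGNED = {
    "retail": ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"],
    "payments": ["10.20.0.0/24", "10.20.1.0/24"],
}
# Scattered: same number of VPCs, ranges handed out wherever space was free.
SCATTERED = {
    "retail": ["10.10.0.0/24", "10.44.7.0/24", "10.91.2.0/24", "172.16.9.0/24"],
    "payments": ["10.20.0.0/24", "192.168.30.0/24"],
}

if __name__ == "__main__":
    for name, alloc in (("aligned", ALIGNED), ("scattered", SCATTERED)):
        rules = plan_nacl_rules(alloc)
        print(f"{name}: {len(rules)} rules, fits quota: {fits_quota(rules)}")
        for cmd in to_cli("acl-0123456789abcdef0", rules):  # hypothetical NACL ID
            print("  " + cmd)
```

Run it and the aligned allocation needs three entries (two allows plus the default deny) while the scattered one needs seven for the same six VPCs; scale the scattered pattern to twenty VPCs and the plan no longer fits in the default quota at all, which is exactly the situation the answer warns against. Outbound rules need the same treatment in the other direction, and the planner deliberately uses protocol `-1` because the TGW subnet is meant to carry arbitrary inter-VPC traffic, with finer control left to security groups in the workload subnets.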