How to set transit gateway as target for the default “local” route for inter-subnet (east-west) inspection through a firewall deployed in a separate networking account

0

We have different workload accounts and a centralized networking account where we have deployed AWS Network Firewall for inter-subnet (east-west) traffic inspection. We would like to have the centralized firewall inspect east-west traffic for all accounts, and each subnet within a VPC should go to the transit gateway and then to the firewall (inspection of east-west traffic) deployed in the networking account.

Kindly guide how to route the default local route (like 10.0.0.0/16) to the transit gateway. Is it supported?

I have tried to set the transit gateway ENI (network interface) as a target for the default route.

2 Answers
0

Hi Yossef, check out this architecture; this is what you are trying to achieve:

https://d2908q01vomqb2.cloudfront.net/5b384ce32d8cdef02bc3a139d4cac0a22bb029e8/2020/11/19/index1.png

Also check the routing tables in regard to your question.

Basically you specify 0.0.0.0/0 -> TGW in each Spoke VPC.

Then in the TGW, you normally have 2 route tables.

One "spoke-routetable" for all spoke TGW attachments, and one "security-routetable" for the inspection-vpc-tgw-attachment.

In the spoke routetable, you specify default route of 0.0.0.0/0 to the inspection-vpc-tgw-attachment.

In the security-routetable of the tgw, you attach the inspection-vpc-tgw attachment and add routes for all spoke-vpc-cidrs.

In this linked example, you would add a route inside the inspection-vpc route table to the transit gateway for RFC1918 CIDRs (or 0.0.0.0/0 if separated from the egress VPC).

Sincerely, Heiko

HeikoMR
answered 4 months ago
0

Depends on your architecture. Having multiple accounts doesn't change the architecture, except that you need to connect their VPCs to transit gateway attachments on the central Transit Gateway. However, down at the route table level, that doesn't change how routing is achieved. When you say inter-subnet, I take that to mean your firewall inspection endpoint is within the VPC. You can achieve this without the need for a Transit Gateway by placing a firewall endpoint in a dedicated subnet which knows how to route locally (10.0.0.0/16) within the VPC. I assumed that 10.0.0.0/16 is the CIDR for one of the VPCs.

  • On the workload subnet, you might not be able to change the default local route. So you can test splitting the VPC CIDR into two routes to add a more specific route to your table. Something like:
  1. 10.0.0.0/17 -> to FW endpoint
  2. 10.0.128.0/17 -> to FW endpoint

However, the example above will not work unless the destination subnet has exactly that IPv4 CIDR, e.g. 10.0.0.0/17. So use the exact subnet CIDRs in the firewall routes that point to the firewall endpoint; then routing will consider the most specific route instead of the default local route.

Rules and considerations: You can add a route to your route tables that is more specific than the local route. The destination must match the entire IPv4 or IPv6 CIDR block of a subnet in your VPC. The target must be a NAT gateway, network interface, or Gateway Load Balancer endpoint.

It could be worth testing if you can route the same to the TGW instead of the endpoint and have the inspection VPC receive the route before it routes it back to the original VPC, landing at the destination subnet within the same VPC. Your architecture will look like Figure 7 in this blog: https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/ but with more detailed routing. If I'm off from what you are trying to achieve, please add a comment and I will check back on this.

AmerO
answered 5 months ago
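Both answers come down to longest-prefix-match routing: the first answer's spoke/security TGW route tables send inter-VPC traffic through the inspection VPC, and the second answer's more-specific-than-local route sends intra-VPC traffic through the firewall endpoint, subject to the "exact subnet CIDR, allowed target types" rule quoted above. The following is an added example (not code from either answerer, from AWS, or from the linked blog) that models a constructed topology as plain route tables, traces the path a packet takes, and validates a proposed more-specific route against the quoted rule. All table names, CIDRs and target kinds are hypothetical; the Network Firewall endpoint in the second answer is modelled here as a "gwlbe" target kind, which is an assumption of this example.

```python
import ipaddress

# Target kinds allowed for a route more specific than the VPC local route,
# as quoted in the answer above. The firewall endpoint is treated as the
# "gwlbe" kind here (assumption of this example).
MORE_SPECIFIC_TARGET_KINDS = {"natgw", "eni", "gwlbe"}


class RouteTable:
    """A route table with longest-prefix-match lookup (VPC and TGW tables behave this way)."""

    def __init__(self, name, routes):
        self.name = name
        # routes: list of (cidr, target); target is "local" or the name of the next table
        self.routes = [(ipaddress.ip_network(cidr), target) for cidr, target in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, target) for net, target in self.routes if addr in net]
        if not matches:
            return None  # no route: the packet is dropped
        net, target = max(matches, key=lambda r: r[0].prefixlen)  # most specific wins
        return target


def validate_more_specific_route(vpc_cidr, subnet_cidrs, destination, target_kind):
    """Check a proposed route against the 'more specific than local' rule quoted in the answer."""
    vpc = ipaddress.ip_network(vpc_cidr)
    dest = ipaddress.ip_network(destination)
    if not (dest.subnet_of(vpc) and dest.prefixlen > vpc.prefixlen):
        return False, "destination is not more specific than the local route"
    if dest not in {ipaddress.ip_network(c) for c in subnet_cidrs}:
        return False, "destination must equal the entire CIDR of a subnet in the VPC"
    if target_kind not in MORE_SPECIFIC_TARGET_KINDS:
        return False, "target must be a NAT gateway, network interface or GWLB endpoint"
    return True, "ok"


def trace(tables, start, dst, max_hops=10):
    """Follow dst through the route tables; returns (tables visited, outcome)."""
    path, current = [start], start
    for _ in range(max_hops):
        target = tables[current].lookup(dst)
        if target is None:
            return path, "blackhole"
        if target == "local":
            return path, "delivered"
        path.append(target)
        current = target
    return path, "loop"  # hop cap reached: a routing loop between tables


# Constructed topology: VPC A (10.0.0.0/16, workload + firewall subnets), VPC B (10.1.0.0/16),
# an inspection VPC behind the TGW, and the two TGW route tables from the first answer.
VPC_A_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
TABLES = {t.name: t for t in [
    RouteTable("vpc-a-workload-rt", [
        ("10.0.0.0/16", "local"),                # the immutable local route
        ("10.0.2.0/24", "vpc-a-firewall-rt"),    # more-specific route: subnet 10.0.2.0/24 via firewall endpoint
        ("0.0.0.0/0", "tgw-spoke-rt"),           # everything else -> TGW (spoke attachment)
    ]),
    RouteTable("vpc-a-firewall-rt", [            # firewall-endpoint subnet, after inspection
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "tgw-spoke-rt"),
    ]),
    RouteTable("tgw-spoke-rt", [("0.0.0.0/0", "inspection-vpc-fw-rt")]),
    RouteTable("inspection-vpc-fw-rt", [          # inspection VPC sends RFC1918 back to the TGW
        ("10.0.0.0/8", "tgw-security-rt"),
        ("172.16.0.0/12", "tgw-security-rt"),
        ("192.168.0.0/16", "tgw-security-rt"),
    ]),
    RouteTable("tgw-security-rt", [              # one route per spoke VPC CIDR
        ("10.0.0.0/16", "vpc-a-workload-rt"),
        ("10.1.0.0/16", "vpc-b-workload-rt"),
    ]),
    RouteTable("vpc-b-workload-rt", [("10.1.0.0/16", "local")]),
]}


if __name__ == "__main__":
    # Inter-VPC: spoke A -> TGW -> inspection VPC -> TGW -> spoke B
    print(trace(TABLES, "vpc-a-workload-rt", "10.1.1.10"))
    # Intra-VPC: the /24 route beats the /16 local route, so the firewall sees it
    print(trace(TABLES, "vpc-a-workload-rt", "10.0.2.5"))
    # Intra-VPC subnet without its own route: delivered locally, firewall bypassed
    print(trace(TABLES, "vpc-a-workload-rt", "10.0.3.5"))
    for dest, kind in [("10.0.0.0/17", "gwlbe"), ("10.0.2.0/24", "gwlbe"), ("10.0.2.0/24", "tgw")]:
        print(dest, kind, validate_more_specific_route("10.0.0.0/16", VPC_A_SUBNETS, dest, kind))
```

The third trace is the practical point of the second answer: a subnet that does not get its own exact-CIDR route is still reached through the local route, so east-west inspection inside a VPC requires one route per destination subnet, and a half-VPC prefix such as 10.0.0.0/17 is rejected unless a subnet actually has that CIDR.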
