By using AWS re:Post, you agree to the Terms of Use
/Routing VPC to VPC traffic through an on-prem firewall via Transit Gateway/

Routing VPC to VPC traffic through an on-prem firewall via Transit Gateway

0

A customer is trying to setup VPC to VPC routing through their on-prem firewall over TGW. The desired behavior is that traffic from VPC-A will route through the on-prem firewall to get to VPC-B. With the current setup, the traffic routes from VPC-A to VPC-B without making it to the on-prem firewall. When we perform a traceroute, the 2nd hop in the path is a 169.254.x.x address, which I believe may be the DXGW or something similar. I can replicate the same behavior If I have a 0.0.0.0 route defined to a nat gateway as well, but in that case the 2nd hop is the nat gateway address. The customer POC setup is as follows:

VPC-A - 10.0.0.0/24
VPC-B - 10.0.1.0/24
DXGW connected to DX via TVIF

VPC-A-Route-Table Routes
10.0.0.0/24, local
0.0.0.0, TGW

VPC-B-Route-Table Routes
10.0.1.0/24, local
0.0.0.0, TGW

TGW -VPC-Traffic route table
associations:
VPC-A
VPC-B

Propagations:
DXGW

Routes:
On-Prem routes, propagated
0.0.0.0/0, DXGW attachment, static

TGW - On-prem traffic route table Associations:
DXGW

Propagations:
VPC-A
VPC-B

Routes:
10.0.0.0/24
10.0.1.0/24

I believe we are missing an explicit route to tell traffic to use the on-prem firewall for routing of VPC to VPC traffic, but I am not exactly sure of the best place to configure that in this scenario.

1 Answers
0
Accepted Answer

The problem you are hitting is at DXGW. Since same DXGW is being used for egress/ingress path. DXGW can not allow you to route traffic for destination that is advertised from AWS side.

You need to separate the egress path and ingress path. Possible options are 1) two separate DXGW paths, 2) one DXGW (egress) with one VPN(ingress) or vice versa, 3) two VPN connections (egress, ingress).

At the same time I would advise customer to not do it as it is suboptimal routing, creates delay, dependency for intra region traffic on external connectivity. It is recommended to do that inspection via Inspection VPC which inspects the inter VPC traffic. You can use AWS Network Firewall or 3rd party firewalls in the inspection VPC.

EXPERT
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions