- Newest
- Most votes
- Most comments
Yes, the sequence you've provided appears correct. The traffic flow in this scenario would proceed as follows:
- The request is sent to the AWS Transit Gateway (TGW) from the Dev VPC VM.
- Based on the TGW route table, the traffic is routed to the Firewall (FW) appliance in the inspection VPC for DNS port inspection.
- Once inspected, the request is forwarded to the Prod DNS server in the Prod VPC for DNS resolution.
- The DNS response then returns via the TGW and inspection VPC.
- Finally, the traffic exits through the Internet Gateway to access the requested resource.
This setup allows the firewall to inspect all DNS requests, ensuring DNS resolution occurs securely while maintaining your security policies.
Yes, you should enable appliance mode on the TGW attachment to the inspection VPC. This is necessary to maintain symmetry for east/west traffic flows that cross availability zones. Without appliance mode, such flows would be dropped.
Take a look at section 2 in this blog post for a detailed explanation of appliance mode and the problem that it is intended to solve.
Thanks, i was checking because i am doing egress inspection. And the blog you shared is east-west inspection?
The DNS traffic flow that you described between the Prod VPC and the Dev VPC is east/west traffic. Appliance mode would be needed whenever you are inspecting inter-VPC traffic.
Relevant content
- Accepted Answerasked 3 years ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 2 years ago
Do i need appliance mode enable in this case for the TGW attachment connecting to Inspection VPC ?