egress inspection Firewall appliance

0

Dear Team - Can someone help with guidance on the scenario below?

Our BIND DNS service is running on an AWS virtual machine in the Prod VPC. We have another Linux VM running in the Dev VPC. Both VPCs are attached to the AWS Transit Gateway. In that attachment, the route table points all traffic to the inspection VPC, where our appliance FW is running behind an AWS Gateway Load Balancer.

Now, if I send a request for google.com from the Dev VPC VM, how would the traffic flow? Is the order below correct?

1. First, the request will go to the TGW
2. The request will go to the appliance FW to inspect the DNS port
3. It will go for DNS resolution to the Prod DNS server in the Prod VPC
4. Again it will come to the TGW and the appliance VPC
5. Internet Gateway

3 Answers
1
Accepted Answer

Yes, the sequence you've provided appears correct. The traffic flow in this scenario would proceed as follows:

  1. The request is sent to the AWS Transit Gateway (TGW) from the Dev VPC VM.
  2. Based on the TGW route table, the traffic is routed to the Firewall (FW) appliance in the inspection VPC for DNS port inspection.
  3. Once inspected, the request is forwarded to the Prod DNS server in the Prod VPC for DNS resolution.
  4. The DNS response then returns via the TGW and inspection VPC.
  5. Finally, the traffic exits through the Internet Gateway to access the requested resource.

This setup allows the firewall to inspect all DNS requests, ensuring DNS resolution occurs securely while maintaining your security policies.

answered 10 days ago
reviewed 9 days ago
  • Do I need appliance mode enabled in this case for the TGW attachment connecting to the inspection VPC?

1

Yes, you should enable appliance mode on the TGW attachment to the inspection VPC. This is necessary to maintain symmetry for east/west traffic flows that cross availability zones. Without appliance mode, such flows would be dropped.

Take a look at section 2 in this blog post for a detailed explanation of appliance mode and the problem that it is intended to solve.

AWS
answered 10 days ago
  • Thanks, I was checking because I am doing egress inspection. And the blog you shared is about east-west inspection?

1

The DNS traffic flow that you described between the Prod VPC and the Dev VPC is east/west traffic. Appliance mode would be needed whenever you are inspecting inter-VPC traffic.

AWS
answered 10 days ago
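A quick way to audit this across an account, as an added example that is not part of the thread: the function below reads the JSON that `aws ec2 describe-transit-gateway-vpc-attachments` returns (a constructed sample with placeholder IDs is embedded inline) and reports attachments to the inspection VPC whose `ApplianceModeSupport` option is not enabled, then builds the `modify-transit-gateway-vpc-attachment` call that turns it on. The inspection VPC ID is an assumed input; spoke VPC attachments (Prod, Dev) are deliberately skipped, since only the attachment the appliance sits behind needs appliance mode.

```python
import json

# Constructed sample shaped like `aws ec2 describe-transit-gateway-vpc-attachments`
# output. IDs are placeholders, not values from the thread.
SAMPLE_RESPONSE = json.dumps({
    "TransitGatewayVpcAttachments": [
        {
            "TransitGatewayAttachmentId": "tgw-attach-0inspect000000000",
            "TransitGatewayId": "tgw-0example0000000000",
            "VpcId": "vpc-0inspection00000000",
            "State": "available",
            "Options": {"DnsSupport": "enable", "Ipv6Support": "disable",
                        "ApplianceModeSupport": "disable"},
            "Tags": [{"Key": "Name", "Value": "inspection-vpc-attachment"}],
        },
        {
            "TransitGatewayAttachmentId": "tgw-attach-0dev00000000000000",
            "TransitGatewayId": "tgw-0example0000000000",
            "VpcId": "vpc-0dev000000000000000",
            "State": "available",
            "Options": {"DnsSupport": "enable", "Ipv6Support": "disable",
                        "ApplianceModeSupport": "disable"},
            "Tags": [{"Key": "Name", "Value": "dev-vpc-attachment"}],
        },
    ]
})


def attachments_missing_appliance_mode(response_json, inspection_vpc_ids):
    """Return attachment IDs on inspection VPCs where ApplianceModeSupport
    is anything other than 'enable'. Spoke VPC attachments are ignored."""
    data = json.loads(response_json)
    missing = []
    for att in data.get("TransitGatewayVpcAttachments", []):
        if att.get("VpcId") not in inspection_vpc_ids:
            continue
        mode = att.get("Options", {}).get("ApplianceModeSupport", "disable")
        if mode != "enable":
            missing.append(att["TransitGatewayAttachmentId"])
    return missing


def remediation_commands(attachment_ids):
    """Build the AWS CLI call that enables appliance mode on each attachment."""
    return ["aws ec2 modify-transit-gateway-vpc-attachment "
            f"--transit-gateway-attachment-id {att_id} "
            "--options ApplianceModeSupport=enable" for att_id in attachment_ids]


if __name__ == "__main__":
    ids = attachments_missing_appliance_mode(SAMPLE_RESPONSE, {"vpc-0inspection00000000"})
    print("\n".join(remediation_commands(ids)))
```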
