As I understand from your notes, you have multiple VPCs attached to a Transit Gateway and an inspection VPC where Palo Alto firewalls are deployed for traffic inspection; however, your design is not working as expected. One of the reasons could be the stateful inspection in the firewall, which doesn't support asymmetric routing, and by default the transit gateway maintains zone affinity, which makes the traffic asymmetric. To overcome this, when you configure centralized inspection using Transit Gateway you need to enable "Appliance Mode" in the Transit Gateway.
When appliance mode is enabled, a transit gateway selects a single network interface in the appliance VPC, using a flow hash algorithm, to send traffic to for the life of the flow. The transit gateway uses the same network interface for the return traffic. This ensures that bidirectional traffic is routed symmetrically: it's routed through the same Availability Zone in the VPC attachment for the life of the flow. If you have multiple transit gateways in your architecture, each transit gateway maintains its own session affinity, and each transit gateway can select a different network interface.
https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html
Try this out and let me know if it works.
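An added example (not from the answer above or from AWS) of how to audit the appliance-mode setting the answer describes: it walks a DescribeTransitGatewayVpcAttachments response, reports inspection-VPC attachments whose `ApplianceModeSupport` is still disabled, and builds the ModifyTransitGatewayVpcAttachment parameters that turn it on. The response, VPC IDs and attachment IDs below are constructed placeholders; the live section at the bottom assumes boto3 and valid credentials.

```python
# Constructed sample shaped like the EC2 DescribeTransitGatewayVpcAttachments
# response. IDs are placeholders, not real resources.
SAMPLE_RESPONSE = {
    "TransitGatewayVpcAttachments": [
        {   # inspection VPC behind the firewalls, appliance mode still off
            "TransitGatewayAttachmentId": "tgw-attach-0inspection000000",
            "VpcId": "vpc-0inspection00000000",
            "State": "available",
            "Options": {"DnsSupport": "enable", "Ipv6Support": "disable",
                        "ApplianceModeSupport": "disable"},
        },
        {   # same inspection VPC attached to a second transit gateway, already fixed
            "TransitGatewayAttachmentId": "tgw-attach-0inspection000001",
            "VpcId": "vpc-0inspection00000000",
            "State": "available",
            "Options": {"DnsSupport": "enable", "Ipv6Support": "disable",
                        "ApplianceModeSupport": "enable"},
        },
        {   # ordinary spoke VPC; appliance mode is not needed here
            "TransitGatewayAttachmentId": "tgw-attach-0spoke00000000000",
            "VpcId": "vpc-0spoke0000000000000",
            "State": "available",
            "Options": {"DnsSupport": "enable", "Ipv6Support": "disable"},
        },
    ]
}


def attachments_missing_appliance_mode(response, inspection_vpc_ids):
    """Return IDs of inspection-VPC attachments whose appliance mode is not enabled.

    Spoke attachments are skipped: symmetric return traffic only has to be
    pinned on the attachment that fronts the firewall appliances. A missing
    Options block or missing ApplianceModeSupport key counts as disabled,
    which is the API default for a new attachment.
    """
    needs_fix = []
    for att in response.get("TransitGatewayVpcAttachments", []):
        if att.get("VpcId") not in inspection_vpc_ids:
            continue
        mode = att.get("Options", {}).get("ApplianceModeSupport", "disable")
        if mode != "enable":
            needs_fix.append(att["TransitGatewayAttachmentId"])
    return needs_fix


def modify_call_params(attachment_id):
    """Keyword arguments for ec2.modify_transit_gateway_vpc_attachment."""
    return {"TransitGatewayAttachmentId": attachment_id,
            "Options": {"ApplianceModeSupport": "enable"}}


if __name__ == "__main__":
    # Live use (assumes boto3 and credentials); swap the sample for a real call.
    import boto3
    ec2 = boto3.client("ec2")
    live = ec2.describe_transit_gateway_vpc_attachments()
    for att_id in attachments_missing_appliance_mode(live, {"vpc-0inspection00000000"}):
        print("enabling appliance mode on", att_id)
        ec2.modify_transit_gateway_vpc_attachment(**modify_call_params(att_id))
```

The same check can be done from the CLI with `aws ec2 describe-transit-gateway-vpc-attachments` and the fix applied with `aws ec2 modify-transit-gateway-vpc-attachment --transit-gateway-attachment-id <id> --options ApplianceModeSupport=enable`.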
Thanks Abhishek, I will check this option and get back to you here; however, it seems we have not enabled appliance mode.