How to put VPC attachment of core network into appliance mode when using AWS Cloud WAN
About AWS CloudWAN. I cannot figure out how to put VPC attachment of core network into appliance mode. If i want to do inspection for either ingress or east-west traffic, i would need that to make traffic symmetric.
Icon is transit gateway but for this discussion, it should be considered as Core Network Edge with transit gateway, i'd set the bottom VPC attachment into Appliance mode. inspection depicted here is AWS network firewall but it's also just to show the question. It might be gwlb with NVA or just NVAs.
- Newest
- Most votes
- Most comments
Hi Fabio,
The TGW Appliance mode is applied to a specific 'Attachment ID'. Using CloudShell (currently this can only be enabled via CLI and not GUI) you can use below command to enable it for the VPC attachment that connects to the Inspection VPC.
Example command:
aws ec2 modify-transit-gateway-vpc-attachment --transit-gateway-attachment-id tgw-attach-xxxxX12345 --options ApplianceModeSupport=enable
Refer: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-transit-gateway-vpc-attachment.html
Please note: CloudWAN does not natively support Appliance mode (yet)
Hi Fabio,
You don't need to enable appliance mode on the attachment for the ingress/egress inspection VPC. Appliance mode is intended to be used for the the east/west inspection VPC, to maintain AZ symmetry for both the forward and return traffic flows between two VPCs.
- This blog post covers the centralized egress architecture with Cloud WAN https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-outbound-inspection-architecture-in-aws-cloud-wan/ - no appliance mode needed.
- This blog post covers the Cloud WAN setup for east/west (or VPC-to-VPC) inspection https://aws.amazon.com/blogs/networking-and-content-delivery/inspecting-network-traffic-between-amazon-vpcs-with-aws-cloud-wan/ , and details the Appliance mode setting.
Relevant content
- asked a year ago
- Accepted Answerasked 4 years ago
- asked 2 years ago
AWS OFFICIALUpdated 23 days ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
For people who comes to this link, now Transit Gateway Appliance Mode can be configured via AWS CLI and AWS Console. Also CloudWAN now supports Appliance Mode configuration. https://aws.amazon.com/about-aws/whats-new/2022/12/aws-cloud-wan-security-inspection-appliance-mode-support/