Appliance mode on centralized AWS Network Firewall deployment


Dear Team - If we deploy the architecture as shown in Figure 4 ("Example architecture after solution deployment – showing multiple use cases") in the URL below, what would be the recommendation for enabling TGW attachment appliance mode for the Inspection VPC? I understand that for East-West traffic it is recommended to enable appliance mode, but in this case they are also doing egress traffic inspection. Will there be any impact on internet egress traffic if we enable appliance mode for east-west traffic? Or should we enable it at all in this architecture?

https://aws.amazon.com/blogs/networking-and-content-delivery/deploy-centralized-traffic-filtering-using-aws-network-firewall/

1 Answer

Accepted Answer

Enable it. Considering you are using the same inspection VPC for both east-west and egress inspection, you will need it enabled for your east-west flows. Your egress flows would not be impacted.

If it were purely for egress inspection, enabling appliance mode would be optional. I used the word optional deliberately. If appliance mode is enabled, the TGW would simply act as a load balancer for all flows - performing a hash over each flow (4 tuple) it receives and sending traffic to the picked AZ for the life of the flow. This would not impact the traffic flow, but it induces inter-AZ dependency, which is not ideal. If there is an AZ impairment, your traffic would be impacted even if the AZ of the traffic source is healthy and the TGW has an attachment ENI in the same healthy AZ in the inspection VPC - because we are hashing all the flows. So the recommendation is not to use appliance mode unless you need some kind of primitive load balancing function when it comes to north-south traffic.

AWS
anveshk
answered 2 months ago
EXPERT
reviewed 2 months ago
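The two behaviours the answer contrasts (source-AZ affinity with appliance mode off, symmetric flow hashing with appliance mode on) can be reasoned through with a small model. The script below is an added example, not code from the AWS blog post or from the answer above; it assumes constructed AZ names, a SHA-256 hash standing in for the TGW's own (undocumented) flow hash, and a deliberately simplified rule that without appliance mode the TGW always uses the attachment ENI in the source's AZ. It shows why east-west flows between two AZs become asymmetric without appliance mode, and why, with appliance mode on, a flow from a healthy AZ can still be sent to an impaired AZ's firewall endpoint.

```python
"""Model of how a Transit Gateway picks the inspection-VPC AZ for a flow.

Added example (not from the AWS blog or the re:Post answer). Assumptions:
  - AZS are constructed names; the real hash used by TGW is not public,
    so SHA-256 over a symmetric 4-tuple key stands in for it;
  - with appliance mode off, the TGW forwards via the attachment ENI in
    the AZ where the traffic originated (simplified model).
"""
import hashlib

AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]  # constructed AZ names


def pick_az_appliance_mode(src_ip, src_port, dst_ip, dst_port):
    """Appliance mode on: hash the 4-tuple so that the forward packet
    (src->dst) and the return packet (dst->src) yield the same key and
    therefore the same firewall-endpoint AZ for the life of the flow."""
    key = "|".join(sorted([f"{src_ip}:{src_port}", f"{dst_ip}:{dst_port}"]))
    digest = hashlib.sha256(key.encode()).digest()
    return AZS[int.from_bytes(digest[:4], "big") % len(AZS)]


def pick_az_source_affinity(source_az):
    """Appliance mode off: use the attachment ENI in the source's own AZ."""
    if source_az not in AZS:
        raise ValueError(f"unknown AZ {source_az}")
    return source_az


def pick_az(mode, source_az, flow):
    """Dispatch on the attachment setting: 'appliance' or 'source'."""
    src_ip, src_port, dst_ip, dst_port = flow
    if mode == "appliance":
        return pick_az_appliance_mode(src_ip, src_port, dst_ip, dst_port)
    if mode == "source":
        return pick_az_source_affinity(source_az)
    raise ValueError(f"unknown mode {mode}")


def east_west_symmetric(mode, az_a, az_b, flow):
    """True if both directions of a spoke-to-spoke flow (spoke A in az_a,
    spoke B in az_b) traverse the same firewall-endpoint AZ. A stateful
    firewall needs this; otherwise the return packets hit an endpoint
    that never saw the SYN."""
    src_ip, src_port, dst_ip, dst_port = flow
    forward = pick_az(mode, az_a, (src_ip, src_port, dst_ip, dst_port))
    reverse = pick_az(mode, az_b, (dst_ip, dst_port, src_ip, src_port))
    return forward == reverse


def flows_hit_by_az_impairment(mode, source_az, impaired_az, flows):
    """Count flows that originate in source_az but are sent to the
    firewall endpoint in impaired_az. With source affinity a healthy
    source AZ is never affected; with appliance mode the hash can land
    any flow on the impaired AZ (the inter-AZ dependency in the answer)."""
    return sum(1 for f in flows if pick_az(mode, source_az, f) == impaired_az)


def sample_flows(n):
    """Constructed flows: hosts in spoke 10.1.0.0/16 talking HTTPS to one
    host in spoke 10.2.0.0/16, each with a distinct ephemeral source port."""
    return [(f"10.1.0.{i % 250 + 1}", 40000 + i, "10.2.0.10", 443) for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows(200)
    for mode in ("source", "appliance"):
        sym = sum(east_west_symmetric(mode, "us-east-1a", "us-east-1b", f) for f in flows)
        hit = flows_hit_by_az_impairment(mode, "us-east-1a", "us-east-1b", flows)
        print(f"{mode:9s} symmetric east-west flows (1a<->1b): {sym}/{len(flows)}; "
              f"flows from healthy 1a sent to impaired 1b: {hit}")
```

Egress is not modelled because it is symmetric either way: the return traffic from the internet re-enters through the NAT gateway in whichever AZ the outbound packet left from, so it reaches the firewall endpoint that saw the original packet. On a real attachment the setting is changed with `aws ec2 modify-transit-gateway-vpc-attachment --transit-gateway-attachment-id <tgw-attach-id> --options ApplianceModeSupport=enable`, where the attachment id is a placeholder for your inspection VPC attachment.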
