Ingress routing


I have an ALB in a public subnet in the inspection VPC and the target is an EC2 instance in a private subnet in the workload VPC. I have added an edge association to a route table with the IGW in the inspection VPC and am sending the public subnet (ALB) traffic to the GWLB endpoint for inspection, so that any incoming traffic should first go through the inspection and then hit the ALB.

Ingress Route Table (attached to the IGW):

10.1.0.0/16                 local
10.1.0.0/20 (ALB subnet)    vpce-xxxxx

Public Subnet (ALB) Route Table:

10.1.0.0/16    local
0.0.0.0/0      igw-xxxxxx
10.0.0.0/8     tgw-xxxxx

IGW > GWLBE > Firewall > ALB > Workload

But it seems like it's not following this pattern.

I tried to forward the traffic for 10.1.0.0/20 (ALB subnet) to a blackhole ENI, but the ALB is still reachable.

Could you please suggest whether the route table looks incorrect?

asked 4 months ago
2 Answers

The Public Subnet (ALB) Route Table should have a route for 0.0.0.0/0 pointing back to the vpce-id, not to the IGW. AWS Network Firewall doesn’t support asymmetric routing.

See the diagram Figure 2. Distributed deployment of AWS Network Firewall, in this blog:

https://aws.amazon.com/blogs/networking-and-content-delivery/design-your-firewall-deployment-for-internet-ingress-traffic-flows/

Also see the diagram Figure 1: AWS Network Firewall deployed in a single AZ and traffic flow for a workload in a public subnet in this blog:

https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/

AWS EXPERT
answered 4 months ago

If you want to inspect public (North-South) traffic to and from the ALB public subnet, then the public subnet route to 0.0.0.0/0 should also have the GWLBe endpoint as its destination.

To investigate the route from the internet to any ENI of the ALB, use the VPC Reachability Analyzer; it will inspect all routing, security groups and NACLs from the source (any public IP) to the destination ALB. GWLB inspection will be bypassed, but it will show you whether the routes are configured properly to hit the GWLBe in/out. Then try Reachability Analyzer again to inspect the reverse traffic (source is the ALB ENI and destination is the public IP).

AWS
AmerO
answered 4 months ago
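Both answers above come down to the same change: the ALB subnet's 0.0.0.0/0 route must target the GWLB endpoint so that the reply retraces the request through the firewall. The following is an added example, not code from the question or from either answer. It models the two route tables shown in the post plus an assumed GWLBE-subnet route table (the post does not show one), does a longest-prefix-match lookup the way a VPC route table does, and traces the request and reply for an internet client through both the posted and the corrected ALB subnet route table. The resource IDs are the post's own placeholders; the ALB address 10.1.1.10, the client address 198.51.100.7 and the hop names are assumptions made for the simulation.

```python
import ipaddress

# Constructed model of the inspection VPC from the question. The IDs (igw-xxxxxx,
# vpce-xxxxx, tgw-xxxxx) are the placeholders used in the post, not real resources.
ALB_IP = "10.1.1.10"          # assumed address of an ALB ENI inside 10.1.0.0/20
CLIENT_IP = "198.51.100.7"    # assumed internet client (documentation range)

# Edge association on the IGW: the more specific /20 wins over "local", so any
# packet destined for the ALB subnet is handed to the GWLB endpoint first.
INGRESS_RT = {
    "10.1.0.0/16": "local",
    "10.1.0.0/20": "vpce-xxxxx",
}

# GWLBE subnet route table (assumed, not in the post): after inspection,
# traffic for the internet leaves through the IGW.
GWLBE_RT = {
    "10.1.0.0/16": "local",
    "0.0.0.0/0": "igw-xxxxxx",
}

# ALB (public) subnet route table exactly as posted ...
PUBLIC_RT_AS_POSTED = {
    "10.1.0.0/16": "local",
    "0.0.0.0/0": "igw-xxxxxx",
    "10.0.0.0/8": "tgw-xxxxx",
}

# ... and with the change both answers recommend.
PUBLIC_RT_FIXED = {
    "10.1.0.0/16": "local",
    "0.0.0.0/0": "vpce-xxxxx",
    "10.0.0.0/8": "tgw-xxxxx",
}


def lookup(route_table, dst):
    """Longest-prefix match, which is how a VPC route table selects a target."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in route_table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def inbound_path(client_ip, alb_ip, ingress_rt=INGRESS_RT):
    """Hops taken by a client packet arriving from the internet for the ALB."""
    path = ["internet", "igw"]
    if lookup(ingress_rt, alb_ip).startswith("vpce-"):
        path += ["gwlbe", "firewall", "gwlbe"]   # hairpin through the GWLB appliance
    path.append("alb")
    return path


def return_path(client_ip, public_rt, gwlbe_rt=GWLBE_RT):
    """Hops taken by the ALB's reply, starting in the ALB (public) subnet."""
    path = ["alb"]
    target = lookup(public_rt, client_ip)
    if target.startswith("vpce-"):
        path += ["gwlbe", "firewall", "gwlbe"]
        target = lookup(gwlbe_rt, client_ip)     # second lookup after inspection
    if target.startswith("igw-"):
        path += ["igw", "internet"]
    else:
        path.append(target)                      # e.g. tgw-... for an RFC 1918 client
    return path


def is_symmetric(inbound, outbound):
    """A stateful firewall needs the reply to retrace the request hop for hop."""
    return outbound == list(reversed(inbound))


def audit(public_rt, client_ip=CLIENT_IP, alb_ip=ALB_IP):
    """Findings for one ALB subnet route table; an empty list means both directions are inspected."""
    findings = []
    fwd = inbound_path(client_ip, alb_ip)
    ret = return_path(client_ip, public_rt)
    if "firewall" not in fwd:
        findings.append("ingress route table does not send ALB-subnet traffic to the GWLBE")
    if "firewall" not in ret:
        findings.append(
            f"public subnet route for {client_ip} targets {lookup(public_rt, client_ip)}: "
            "reply bypasses the firewall (asymmetric)")
    elif not is_symmetric(fwd, ret):
        findings.append("request and reply take different paths")
    return findings


if __name__ == "__main__":
    for name, rt in (("as posted", PUBLIC_RT_AS_POSTED), ("fixed", PUBLIC_RT_FIXED)):
        print(name)
        print("  request:", " > ".join(inbound_path(CLIENT_IP, ALB_IP)))
        print("  reply:  ", " > ".join(return_path(CLIENT_IP, rt)))
        print("  audit:  ", audit(rt) or "OK")
```

With the route table as posted, the request is inspected but the reply goes straight from the ALB subnet to the IGW, so the firewall never sees the second half of the flow; with the default route changed to vpce-xxxxx the reply retraces the request. The model deliberately ignores security groups and NACLs, which is exactly what Reachability Analyzer adds on a real account.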
