The Public Subnet (ALB) route table should have a route 0.0.0.0/0 pointing back to the vpce-id and not the IGW. AWS Network Firewall doesn't support asymmetric routing.
See the diagram "Figure 2. Distributed deployment of AWS Network Firewall" in this blog:
Also see the diagram "Figure 1: AWS Network Firewall deployed in a single AZ and traffic flow for a workload in a public subnet" in this blog:
If you want to inspect public (North-South) traffic to and from the ALB public subnet, then the public subnet route to 0.0.0.0/0 should also have the GWLBe endpoint as its destination. To investigate the route from the internet to any ENI of the ALB, use the VPC Reachability Analyzer; it will inspect all routing, security groups and NACLs from the source (any public IP) to the destination ALB. GWLB inspection will be bypassed, but it will show you whether the routes are configured properly to hit the GWLBe in/out. Then try Reachability Analyzer again to inspect the reverse traffic (source is the ALB ENI and destination is the public IP).
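An added offline check for the point both answers make (the public/ALB subnet's default route must target the firewall endpoint, not the IGW, or the return path bypasses inspection). This is example code, not from either answer or from AWS; it assumes route tables in the shape returned by `aws ec2 describe-route-tables`, where a GWLB / Network Firewall endpoint target appears under `GatewayId` as `vpce-...`, and all IDs below are made up.

```python
"""Offline audit: does a public (ALB) subnet's 0.0.0.0/0 route go to the
firewall endpoint (vpce-...) or straight to the internet gateway (igw-...)?"""

# Constructed sample in the shape of describe-route-tables output (IDs made up).
# rtb-alb-bad is the misconfiguration from the thread: inbound traffic arrives via
# the firewall endpoint, but replies leave via the IGW, so the flow is asymmetric.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-alb-bad", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"},
    ]},
    {"RouteTableId": "rtb-alb-good", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0fedcba9876543210"},
    ]},
    {"RouteTableId": "rtb-alb-none", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    ]},
]


def default_route_target(route_table):
    """Return the target ID of the 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        # Assumption: an endpoint target is reported as GatewayId "vpce-...".
        # Other target kinds are read too so a NAT/TGW default route is reported.
        for key in ("GatewayId", "NatGatewayId", "TransitGatewayId", "NetworkInterfaceId"):
            if route.get(key):
                return route[key]
    return None


def classify_alb_default_route(route_table):
    """Classify the default route of a public/ALB subnet for inline inspection."""
    target = default_route_target(route_table)
    if target is None:
        return "missing"            # no default route: subnet is not reachable from internet
    if target.startswith("vpce-"):
        return "firewall-endpoint"  # replies go back through the firewall endpoint
    if target.startswith("igw-"):
        return "igw-bypass"         # asymmetric: inbound inspected, outbound direct
    return "other"                  # NAT gateway, TGW, ENI: review by hand


def audit(route_tables):
    """Map each route table ID to its verdict."""
    return {rt["RouteTableId"]: classify_alb_default_route(rt) for rt in route_tables}


if __name__ == "__main__":
    for rtb, verdict in audit(SAMPLE_ROUTE_TABLES).items():
        print(f"{rtb}: {verdict}")
```

Against a real VPC, feed `audit()` the `RouteTables` list from `aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<alb-subnet-id>`; Reachability Analyzer then confirms the path end to end as the answer above describes.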