- Newest
- Most votes
- Most comments
Arhh.. The first thing that jumps out is Asymetric routing. Something to check:-
Traffic in appliance mode is routed correctly as long as the source and destination traffic are coming to a centralized VPC (Inspection VPC) from the same transit gateway attachment. Traffic can drop if the source and destination are entering from two different transit gateway attachments.
When appliance mode is enabled, a transit gateway selects a single network interface in the appliance VPC, using a flow hash algorithm, to send traffic to for the life of the flow. The transit gateway uses the same network interface for the return traffic. This ensures that bidirectional traffic is routed symmetrically—it's routed through the same Availability Zone in the VPC attachment for the life of the flow. If you have multiple transit gateways in your architecture, each transit gateway maintains its own session affinity, and each transit gateway can select a different network interface.
If your VPC attachments span multiple Availability Zones and you require traffic between source and destination hosts to be routed through the same appliance for stateful inspection, enable appliance mode support for the VPC attachment in which the appliance is located.
https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html
EDIT Disable source/destination checks
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
I enabled appliance mode support for the vpcC attachment. The connection is still not working. Also, into the Diagnostics of the Sophos Firewall I saw that traffic goes only through only 1 Sophos instance.
Theres 1 more thing to check. You must disable source/destination check https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
How are you gettign on?
Still no luck. I'm using AWS Managed service for NAT - NAT Gateway. So, the source/destination check should be disabled.
Now I tested if this works when we bypass the Sophos Firewall. This way is working. So, the issue is with Sophos Firewall.
Source: Test EC2 Instance Destination: https://citrixworkspacesapi.net
Traffic is logged into the firewall as DENIED and sometimes ALLOWED.
Similar to this https://community.sophos.com/sophos-xg-firewall/f/discussions/139663/internet-traffic-sometimes-denied
Relevant content
- Accepted Answerasked a year ago
- asked 7 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated a year ago
A network diagram would be usefull and where the source/destination is and where your Sophos Firewall is in the path