To achieve the desired traffic flow and inspection patterns in your Transit Gateway (TGW) setup with VPCs, Direct Connect (DX), and an Inspection VPC running AWS Network Firewall, you'll need to implement a more granular routing configuration. Here's how you can accomplish this:
- Inspecting traffic initiated from DX to VPCs and its return traffic:
Create a separate TGW route table for DX attachments. In this route table:
- Add static routes for all VPC CIDRs pointing to the Inspection VPC attachment.
- Propagate routes from the Inspection VPC.
- Skipping inspection for traffic initiated from VPCs to DX while avoiding asymmetric routing:
Create a separate TGW route table for VPC attachments. In this route table:
- Propagate routes from DX attachments directly.
- Add a default route (0.0.0.0/0) pointing to the Inspection VPC attachment to handle internet-bound traffic.
For the Inspection VPC's TGW attachment:
- Enable appliance mode to ensure symmetric routing.
- Create a TGW route table that propagates routes from all attachments (VPCs and DX).
In the Inspection VPC itself:
- Configure two separate subnets: one for incoming traffic and one for outgoing traffic.
- Set up appropriate routing in the VPC route tables to direct traffic through the AWS Network Firewall endpoints.
With this configuration:
- Traffic from DX to VPCs will be routed through the Inspection VPC for inspection.
- Return traffic from VPCs to DX will also pass through the Inspection VPC due to the appliance mode setting, ensuring symmetric routing.
- Traffic initiated from VPCs to DX will bypass the Inspection VPC, going directly through the TGW.
This setup allows you to maintain the desired traffic flow while avoiding asymmetric routing issues. Remember to adjust your Network Firewall rules to properly handle and inspect the traffic flowing through the Inspection VPC.
Sources
- Centralized network security for VPC-to-VPC and on-premises to VPC traffic - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
- Transit gateway configuration - AWS Prescriptive Guidance
- AWS Transit Gateway traffic flow and asymmetric routing - AWS Prescriptive Guidance
Hello.
Here is the issue with current setup: The common TGW route table static routes VPC CIDR traffic to Inspection VPC, but DX traffic isn't routed through inspection due to propagations for that attachment. This creates asymmetric routing as response traffic from VPC to DX is not inspected by Firewall due to DX propagations (shared common TGW RT).
To solve this, do the following:
Create a separate TGW route table for VPC attachments and configure this route table to static route VPC and DX destinations through the Inspection VPC. This ensures symmetric routing for all traffic flows.
Addressing your requirement that traffic initiated from VPCs to DX (as well as its return traffic) is not scanned requires AWS Network Firewall configuration.
- Add a stateless rule that allows traffic matching these criteria:
  - Source: VPC CIDR ranges.
  - Destination: DX CIDR ranges.
  - Source ports: ephemeral ports.
  - Destination ports: Non-ephemeral ports only, and ports of other known services that are accessed on prem that are outside of the ephemeral ports (ex. VPC accessing port 1521 for Oracle on prem).
- Add a similar rule for return traffic of VPC to DX initiated traffic:
  - Source: DX CIDR ranges.
  - Destination: VPC CIDR ranges.
  - Source ports: Non-ephemeral ports only, and ports of other known services that are accessed on prem that are outside of the ephemeral ports (ex. 1521 for Oracle).
  - Destination ports: ephemeral ports.
This rule ensures that traffic from VPC to DX and its return traffic is immediately allowed by the Firewall and not scanned. Make sure this rule is at the top of the Stateless rules in your AWS NF since rules get evaluated in order within the Stateless rule engine.
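The two bypass rules described in this answer, as an added example that is not part of the original answer or of any AWS-provided code: it builds them in the `RuleGroup` document shape that `network-firewall create-rule-group` accepts and simulates the ordered stateless evaluation over constructed sample flows. The CIDRs, the ephemeral range and the `aws:forward_to_sfe` default action are assumptions.

```python
import ipaddress

# Assumed address ranges and ports (placeholders, not taken from the thread).
VPC_CIDRS = ["10.10.0.0/16", "10.20.0.0/16"]
DX_CIDRS = ["192.168.0.0/16"]
EPHEMERAL = (1024, 65535)       # assumed client ephemeral port range
ONPREM_SERVICE_PORTS = [1521]   # known on-prem services above 1023 (Oracle example)

def _ranges(ports):
    return [{"FromPort": p, "ToPort": p} for p in ports]

def _rule(priority, sources, destinations, sports, dports):
    # One stateless rule in the shape accepted by CreateRuleGroup (TCP only; add 17 for UDP).
    return {"Priority": priority, "RuleDefinition": {"Actions": ["aws:pass"], "MatchAttributes": {
        "Protocols": [6],
        "Sources": [{"AddressDefinition": c} for c in sources],
        "Destinations": [{"AddressDefinition": c} for c in destinations],
        "SourcePorts": sports, "DestinationPorts": dports}}}

def bypass_rule_group():
    """Two pass rules: VPC-initiated traffic to DX, and its return traffic.
    They carry the lowest priority numbers so the engine evaluates them first."""
    eph = [{"FromPort": EPHEMERAL[0], "ToPort": EPHEMERAL[1]}]
    non_eph = [{"FromPort": 0, "ToPort": EPHEMERAL[0] - 1}] + _ranges(ONPREM_SERVICE_PORTS)
    return {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": [
        _rule(1, VPC_CIDRS, DX_CIDRS, eph, non_eph),   # VPC -> DX, client side
        _rule(2, DX_CIDRS, VPC_CIDRS, non_eph, eph),   # DX -> VPC, server replies
    ]}}}

def _in_cidrs(ip, defs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(d["AddressDefinition"]) for d in defs)

def _in_ports(port, ranges):
    return any(r["FromPort"] <= port <= r["ToPort"] for r in ranges)

def evaluate(rule_group, src, sport, dst, dport, proto=6):
    """Simulate the stateless engine: rules are tried in priority order and the first
    match decides. No match falls through to the policy's stateless default action,
    assumed here to be aws:forward_to_sfe (hand the packet to the stateful engine)."""
    rules = rule_group["RulesSource"]["StatelessRulesAndCustomActions"]["StatelessRules"]
    for r in sorted(rules, key=lambda r: r["Priority"]):
        m = r["RuleDefinition"]["MatchAttributes"]
        if (proto in m["Protocols"] and _in_cidrs(src, m["Sources"]) and _in_cidrs(dst, m["Destinations"])
                and _in_ports(sport, m["SourcePorts"]) and _in_ports(dport, m["DestinationPorts"])):
            return r["RuleDefinition"]["Actions"][0]
    return "aws:forward_to_sfe"

if __name__ == "__main__":
    rg = bypass_rule_group()
    print(evaluate(rg, "10.10.1.5", 51000, "192.168.1.10", 1521))   # aws:pass
```

A DX-initiated connection (ephemeral source port on the DX side) matches neither rule and still falls through to the stateful engine, which is the property the answer relies on.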