Routing network traffic between two EC2 instances in the same subnet to a firewall appliance in another VPC
Hi Team,
I have an application VPC with two private Subnets in the same Availability Zone. Subnet A contains multiple EC2 instances. Subnet B is a transit gateway subnet that connects to a firewall VPC that contains a firewall appliance to analyze and control network traffic. In this example the firewall VPC will be a hub and spoke model. To enhance security I would like all traffic that goes between EC2 instances inside Subnet A to be routed to the firewall VPC for inspection. The firewall appliance would need to remain inside the firewall VPC. Is this type of configuration possible?
No, this is not possible. You can insert inspection appliances between subnets, but not within the same subnet. More details here: https://aws.amazon.com/blogs/aws/inspect-subnet-to-subnet-traffic-with-amazon-vpc-more-specific-routing/
Can you create different subnets for different kind of workloads?
Also, you may want to consider a multi-AZ deployment for resiliency. Especially if this is for production workloads.
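An added example, not part of the original thread, to make the answer above concrete: a small Python model of how a subnet's route table is consulted. The addresses (VPC 10.0.0.0/16, Subnet A 10.0.1.0/24, Subnet B 10.0.2.0/24), the target id `tgw-EXAMPLE`, and the modelling rule that a destination inside the sender's own subnet is delivered directly without a route-table decision are all assumptions chosen to illustrate the answer's point; the longest-prefix-match part is ordinary routing behaviour.

```python
import ipaddress

# Constructed topology (assumed addresses, not from the original post):
# application VPC 10.0.0.0/16, Subnet A 10.0.1.0/24 (workload instances),
# Subnet B 10.0.2.0/24 (transit gateway attachment subnet).
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SUBNET_A = ipaddress.ip_network("10.0.1.0/24")
SUBNET_B = ipaddress.ip_network("10.0.2.0/24")

# Route table associated with Subnet A. The VPC "local" route is implicit;
# the more-specific route sends Subnet B-bound traffic towards the firewall
# VPC. "tgw-EXAMPLE" is a placeholder target id, not a real resource.
ROUTE_TABLE_A = [
    (VPC_CIDR, "local"),
    (SUBNET_B, "tgw-EXAMPLE"),  # more specific than the VPC CIDR, so it wins
]


def lookup(route_table, dst):
    """Longest-prefix match over the route table; returns the chosen target."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, target in route_table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, target)
    return best[1] if best else None


def next_hop(dst, src_subnet, route_table):
    """Model (assumption) of VPC forwarding: a destination inside the sender's
    own subnet is delivered directly and no route-table entry can redirect it,
    which is the limitation the answer describes; any other destination goes
    through longest-prefix match against the subnet's route table."""
    if ipaddress.ip_address(dst) in src_subnet:
        return "direct (same subnet, cannot be steered to an appliance)"
    return lookup(route_table, dst)


def can_be_inspected(src_subnet, dst_subnet):
    """Placing workloads in different subnets, as the answer suggests, is what
    makes their mutual traffic routable through an inspection path."""
    return src_subnet != dst_subnet


if __name__ == "__main__":
    print("10.0.1.10 -> 10.0.1.20:", next_hop("10.0.1.20", SUBNET_A, ROUTE_TABLE_A))
    print("10.0.1.10 -> 10.0.2.5:", next_hop("10.0.2.5", SUBNET_A, ROUTE_TABLE_A))
    print("10.0.1.10 -> 10.0.9.5:", next_hop("10.0.9.5", SUBNET_A, ROUTE_TABLE_A))
```

Running it shows the contrast: traffic to Subnet B is matched by the /24 route and leaves towards the firewall path, traffic to the rest of the VPC takes the local route, and traffic to another instance in Subnet A never reaches a routing decision at all.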
Good evening,
Could this be a possible solution for you?
Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of Amazon EC2 instances. You can then send the traffic to out-of-band security and monitoring appliances for:
- Content inspection
- Threat monitoring
- Troubleshooting
The security and monitoring appliances can be deployed as individual instances, or as a fleet of instances behind a Network Load Balancer with a UDP listener. Traffic Mirroring supports filters and packet truncation, so that you only extract the traffic of interest to monitor by using monitoring tools of your choice.
https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html
https://aws.amazon.com/blogs/aws/new-vpc-traffic-mirroring/
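An added example, not from the original thread or from AWS: a Python decoder for what a mirror target actually receives. Traffic Mirroring delivers the mirrored copy as a VXLAN-encapsulated Ethernet frame over UDP, with the VNI set to the session's virtual network id, so an out-of-band appliance has to strip that header before it can look at the original packet. The decoder also handles the packet truncation the answer mentions: a copy cut short by the session's packet length still yields the inner 5-tuple where the bytes are present and flags itself as truncated. The sample packet, addresses, ports and VNI are constructed for this example, and `is_east_west` is a hypothetical helper for the poster's use case (traffic between instances inside one subnet).

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

VXLAN_UDP_PORT = 4789  # UDP port on which the mirror target (ENI or NLB listener) receives copies


@dataclass
class MirroredPacket:
    vni: int
    src_ip: Optional[str]
    dst_ip: Optional[str]
    protocol: Optional[int]
    src_port: Optional[int]
    dst_port: Optional[int]
    truncated: bool


def parse_vxlan_payload(payload: bytes) -> MirroredPacket:
    """Decode one VXLAN UDP payload and extract the inner IPv4 5-tuple.
    Fields whose bytes fall past the end of a truncated copy come back as
    None and truncated=True, instead of raising."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the 8-byte VXLAN header")
    if not payload[0] & 0x08:  # 'I' flag: VNI field is valid
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(payload[4:7], "big")
    frame = payload[8:]  # inner Ethernet frame as sent by the mirrored ENI
    if len(frame) < 14:
        return MirroredPacket(vni, None, None, None, None, None, True)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"only IPv4 inner frames handled, got 0x{ethertype:04x}")
    ip = frame[14:]
    if len(ip) < 20:
        return MirroredPacket(vni, None, None, None, None, None, True)
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    # The IP total length says how long the original packet was; fewer bytes
    # on the wire means the mirror session truncated the copy.
    truncated = len(ip) < total_len
    l4 = ip[ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:  # TCP or UDP ports
        sport, dport = struct.unpack("!HH", l4[:4])
    return MirroredPacket(vni, src, dst, proto, sport, dport, truncated)


def is_east_west(pkt: MirroredPacket, subnet: str) -> bool:
    """Hypothetical helper: True when both endpoints sit inside one subnet,
    i.e. the intra-subnet traffic the question asks about."""
    net = ipaddress.ip_network(subnet)
    if pkt.src_ip is None or pkt.dst_ip is None:
        return False
    return ipaddress.ip_address(pkt.src_ip) in net and ipaddress.ip_address(pkt.dst_ip) in net


def build_sample(vni: int, src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """Constructed VXLAN-encapsulated TCP/IPv4 frame for offline testing."""
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    eth = b"\x02" * 6 + b"\x02" * 5 + b"\x01" + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return vxlan + eth + ip + tcp


def truncate_copy(payload: bytes, packet_length: int) -> bytes:
    """Model (assumption) of session packet truncation: keep the VXLAN header
    plus the first packet_length bytes of the inner frame."""
    return payload[: 8 + packet_length]


if __name__ == "__main__":
    full = build_sample(100, "10.0.1.10", "10.0.1.20", 40000, 443, b"hello")
    print(parse_vxlan_payload(full))
    print(parse_vxlan_payload(truncate_copy(full, 38)))  # Ethernet + IPv4 + ports only
```

The appliance side of the design is then straightforward: listen on UDP 4789, decode each datagram this way, and apply the content-inspection or threat-monitoring logic to the inner packet. Because the copy is out-of-band, the decision cannot block the original flow, which is the difference from inline inspection that the first answer discusses.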