Subnet Route table edge associations error

You cannot associate a route table with a gateway if any of the following applies:

• The route table contains existing routes to CIDR blocks outside of the ranges in your VPC.

Additionally,

• You cannot add routes to any CIDR blocks outside of the ranges in your VPC, including ranges larger than the individual VPC CIDR blocks.
• You can only specify local, a Gateway Load Balancer endpoint, or a network interface as a target. You cannot specify any other types of targets, including individual host IP addresses.
• When you route traffic through a middlebox appliance, the return traffic from the destination subnet must be routed through the same appliance. Asymmetric routing is not supported.

Say:

• VPC: 10.0.0.0/16
• Protected Subnet: 10.0.0.0/24 [ NAT GW subnet would be Protected subnet, if you are using NAT]
• MiddleBox Appliance: eni-xxxxx

Gateway route table routes must be:

Destination	Target
10.0.0.0/24	eni-xxxxx

 

• Forward : IGW >> Appliance AZ_A >> NAT GW >> EC2
• Reverse : EC2 >> NAT GW >> Appliance AZ_A >> IGW

---

• Check the Deployment models for AWS Network Firewall blog to get an idea.

Reference:

[1] https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html#gateway-route-table-rules

Hello @Himanshu,

if you implementation is Like EC2 >> Nat gateway >> Appliance >> IGW, So you need to associate Routing table with the IGW is a route like :

Destination	Target IP
NATGATEWAY Subnet	Appliance IP