Hello,
Yes, you need to ensure traffic symmetry to avoid disruption by the firewall. The firewall must see both the initial request and the reply going through the same path.
Here's how you can achieve that:
- Create a Dedicated Subnet for the FW Endpoint:
  - Ensure that this subnet is not allocated with any other services.
- Create Three Route Tables:
  - Route Table 1 (Attached to NLB Subnet): set the default route to the firewall endpoint.
  - Route Table 2 (Attached to FW Subnet): set the default route to the Internet Gateway (IGW).
  - Route Table 3 (Attached to IGW): specify the subnet of the NLB with the next hop as the firewall endpoint.
By configuring these route tables in this manner, you ensure that traffic flows through the intended path:
- For Incoming Traffic: Client >> Internet Gateway (IGW) >> Firewall >> NLB >> EC2
- For Return Traffic: EC2 >> NLB >> Firewall >> IGW >> Client
This setup maintains the required symmetry for traffic, allowing the firewall to inspect and control both the inbound and outbound traffic flows.
Please implement and test this configuration in a controlled environment before deploying it in production. Let me know if you have any further questions or need additional assistance!
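To make the symmetry argument in the answer above concrete, here is an added example (not part of the answer or of any AWS tooling) that models the three route tables as longest-prefix-match tables and walks a packet in each direction. The CIDRs, the `vpce-fw-EXAMPLE` endpoint id and the `igw-EXAMPLE` id are constructed placeholders. It also shows the failure mode the answer guards against: without the ingress route table on the IGW (Route Table 3), the request reaches the NLB directly while the reply still passes the firewall, so the firewall sees only half of the flow.

```python
"""Route-table walk for the NLB / firewall-endpoint / IGW design.

Constructed example: all CIDRs and resource ids below are made up.
Each route table is a list of (destination CIDR, next hop) and lookups use
longest-prefix match, the same rule the VPC router applies.
"""
import ipaddress

# Constructed addressing (assumptions, not taken from the thread).
VPC_CIDR = "10.0.0.0/16"
NLB_SUBNET = "10.0.1.0/24"   # public subnet holding the NLB and its EIP
FW_SUBNET = "10.0.2.0/24"    # dedicated subnet for the firewall endpoint only
APP_SUBNET = "10.0.3.0/24"   # EC2 targets behind the NLB
FW_ENDPOINT = "vpce-fw-EXAMPLE"   # placeholder firewall endpoint id
IGW = "igw-EXAMPLE"               # placeholder internet gateway id


def lookup(table, dst_ip, default=None):
    """Return the next hop for dst_ip by longest-prefix match.

    If nothing matches, return `default` when given, otherwise raise.
    """
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, hop in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        if default is None:
            raise LookupError(f"no route for {dst_ip}")
        return default
    return best[1]


def build_tables(ingress_routing=True):
    """The three route tables from the answer.

    ingress_routing=False drops Route Table 3 (the IGW association), which
    is the misconfiguration that produces asymmetric flows.
    """
    local = [(VPC_CIDR, "local")]
    return {
        # Route Table 1: NLB subnet, default route to the firewall endpoint.
        "rt-nlb": local + [("0.0.0.0/0", FW_ENDPOINT)],
        # Route Table 2: firewall subnet, default route to the IGW.
        "rt-fw": local + [("0.0.0.0/0", IGW)],
        # Route Table 3: associated with the IGW (ingress routing); traffic
        # destined for the NLB subnet is sent to the firewall endpoint first.
        "rt-igw": [(NLB_SUBNET, FW_ENDPOINT)] if ingress_routing else [],
    }


def trace_inbound(tables, nlb_private_ip):
    """Hops for a request arriving from the internet at the NLB's EIP."""
    path = ["client", "igw"]
    # The IGW consults its ingress route table; with no match it delivers
    # straight to the ENI that owns the EIP.
    if lookup(tables["rt-igw"], nlb_private_ip, default="direct") == FW_ENDPOINT:
        path.append("firewall")
    path += ["nlb", "ec2"]
    return path


def trace_return(tables, client_ip):
    """Hops for the reply leaving the NLB subnet toward the client."""
    path = ["ec2", "nlb"]
    hop = lookup(tables["rt-nlb"], client_ip)
    if hop == FW_ENDPOINT:
        path.append("firewall")
        hop = lookup(tables["rt-fw"], client_ip)   # exits the FW subnet
    if hop == IGW:
        path.append("igw")
    path.append("client")
    return path


def is_symmetric(inbound, outbound):
    """True when the reply retraces the request's hops in reverse."""
    return inbound == list(reversed(outbound))


if __name__ == "__main__":
    client, nlb_ip = "203.0.113.10", "10.0.1.50"   # constructed addresses
    for label, tables in (("with RT3", build_tables()),
                          ("without RT3", build_tables(ingress_routing=False))):
        inb, ret = trace_inbound(tables, nlb_ip), trace_return(tables, client)
        print(label, "in:", " >> ".join(inb), "| out:", " >> ".join(ret),
              "| symmetric:", is_symmetric(inb, ret))
```

Running it prints the two paths from the answer for the complete design and an asymmetric pair when Route Table 3 is missing; the walk is the check to run on paper before changing route tables in a live VPC.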
In that case, if the NLB has an EIP in the public subnet, how can I make the incoming traffic pass through the firewall?
Does the incoming traffic from the internet use an internet gateway to reach the EIP of the NLB?
- internet --> EIP --> NLB or
- internet --> IGW --> EIP --> NLB ?
Thank you