Considerations for asymmetric routing - AWS Network Firewall

Considerations for asymmetric routing

Network Firewall does not support asymmetric routing. In Network Firewall, asymmetric routing occurs when the request traffic of a flow and its related response traffic are not routed through the same Network Firewall endpoint. For Network Firewall to process a flow correctly, the traffic must reach the same Network Firewall endpoint in both directions: the stateful engine tracks connection state and cannot evaluate a flow of which it sees only one direction.

The following are considerations to keep in mind to prevent asymmetric routing:

  • Centralized deployment model - If your firewall uses a centralized deployment model:

    • On the Transit Gateway VPC attachment for the inspection VPC, enable Transit Gateway appliance mode so that the request and response flows of a connection stay on the same Network Firewall endpoint (appliance mode keeps a flow in the same Availability Zone for its lifetime). For information about configuring Transit Gateway appliance mode, see AWS Transit Gateway traffic flow and asymmetric routing.

    • Configure your Transit Gateway route tables so that both the forward and the return direction of the traffic are routed via your inspection VPC attachment; a return route that bypasses the attachment leaves the firewall with only half of the flow.

  • Decentralized deployment model - If your firewall is deployed in a decentralized deployment model and inspects internet-bound traffic that leaves through an internet gateway, configure both sides of the path: an outbound route in the application subnet's route table that sends traffic to the Network Firewall endpoint, and a route table with an edge association to the internet gateway that routes inbound traffic destined for the application subnet back through the same Network Firewall endpoint. With only the outbound route, responses arriving from the internet gateway go straight to the application subnet and bypass the firewall.

  • NAT gateway - If Network Firewall is downstream of your Network Address Translation (NAT) gateway, make sure that the route table of the NAT gateway's subnet routes traffic through the Network Firewall endpoint, so that the translated traffic and its replies both pass the same endpoint. For information about using a NAT gateway with Network Firewall, see the following resources:

  • Stateless rules - If your Network Firewall firewall uses stateless rules:

    • Be aware that a unidirectional pass rule can create asymmetric forwarding when the policy's stateless default action is forward to stateful rule groups: the direction matched by the pass rule skips the stateful engine, while the other direction falls through to the default action and is forwarded to it, so the stateful engine sees only one side of the flow.

    • Ensure that your stateless rules forward traffic symmetrically to the stateful engine using the forward to stateful rule groups action. Often this means writing pairs of rules that match both the forward and the return direction of the traffic, with the source and destination addresses and ports swapped between the two rules. For information about the forward to stateful rule groups option, see Creating a firewall policy. The following example shows a pair of rules that match both forward and return direction traffic:

      (Console screenshot: a pair of stateless rules with mirrored source and destination ports.)
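The decentralized-model and NAT gateway considerations above come down to one check: the application subnet's default route and the internet gateway's edge-associated route table must both point at the same Network Firewall endpoint. The following added example (not code from the AWS documentation) audits data shaped like the output of the EC2 DescribeRouteTables API for that condition. The route table data is constructed, and the subnet, route table, internet gateway and endpoint IDs are made-up placeholders; in practice you would feed it the `RouteTables` list returned by boto3's `describe_route_tables`.

```python
"""
Added example, not from the AWS Network Firewall documentation: audit route
tables of a decentralized deployment for asymmetric paths.  Input is shaped
like the RouteTables list returned by EC2 DescribeRouteTables.  All IDs below
are constructed placeholders.
"""
import ipaddress

# Constructed sample: application subnet -> firewall endpoint -> IGW on the
# way out, and an IGW ingress route table that sends traffic for the
# application subnet back through the same endpoint on the way in.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-fw-a"}]},
    {"RouteTableId": "rtb-fw", "Associations": [{"SubnetId": "subnet-fw"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-igw-ingress", "Associations": [{"GatewayId": "igw-1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.0.1.0/24", "VpcEndpointId": "vpce-fw-a"}]},
]


def firewall_target(route):
    """Endpoint ID of the route target if it is a VPC endpoint (Network Firewall
    endpoints are reported under VpcEndpointId), otherwise None."""
    return route.get("VpcEndpointId")


def route_for(table, cidr):
    """Longest-prefix route in `table` that covers `cidr`, or None."""
    target = ipaddress.ip_network(cidr)
    best = None
    for route in table.get("Routes", []):
        dest = route.get("DestinationCidrBlock")
        if not dest:
            continue  # IPv6 or prefix-list routes are out of scope here
        net = ipaddress.ip_network(dest)
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None


def audit_ingress_symmetry(route_tables, app_subnet_id, app_subnet_cidr, igw_id):
    """Return a list of findings; an empty list means both directions between
    the application subnet and the internet cross the same firewall endpoint."""
    app_rt = next((t for t in route_tables
                   if any(a.get("SubnetId") == app_subnet_id for a in t.get("Associations", []))), None)
    igw_rt = next((t for t in route_tables
                   if any(a.get("GatewayId") == igw_id for a in t.get("Associations", []))), None)
    if app_rt is None:
        return [f"no route table associated with {app_subnet_id}"]
    if igw_rt is None:
        return [f"no route table with an edge association to {igw_id}: "
                f"inbound traffic for {app_subnet_cidr} bypasses the firewall"]

    findings = []
    out_route = route_for(app_rt, "0.0.0.0/0")
    out_fw = firewall_target(out_route) if out_route else None
    if out_fw is None:
        findings.append(f"{app_rt['RouteTableId']}: default route does not target a firewall endpoint")
    in_route = route_for(igw_rt, app_subnet_cidr)
    in_fw = firewall_target(in_route) if in_route else None
    if in_fw is None:
        findings.append(f"{igw_rt['RouteTableId']}: no route for {app_subnet_cidr} to a firewall endpoint")
    if out_fw and in_fw and out_fw != in_fw:
        findings.append(f"forward path uses {out_fw} but return path uses {in_fw}")
    return findings


def missing_ingress_tables():
    """Constructed failure case: the IGW ingress route table is absent, so
    replies from the internet gateway are delivered directly to the subnet."""
    return [t for t in SAMPLE_ROUTE_TABLES if t["RouteTableId"] != "rtb-igw-ingress"]


def mismatched_endpoint_tables():
    """Constructed failure case: the ingress route table exists but targets a
    different firewall endpoint (for example one in another Availability Zone)."""
    tables = [dict(t, Routes=[dict(r) for r in t["Routes"]]) for t in SAMPLE_ROUTE_TABLES]
    tables[2]["Routes"][1]["VpcEndpointId"] = "vpce-fw-b"
    return tables


if __name__ == "__main__":
    for name, tables in [("symmetric", SAMPLE_ROUTE_TABLES),
                         ("no ingress table", missing_ingress_tables()),
                         ("mismatched endpoint", mismatched_endpoint_tables())]:
        print(name, audit_ingress_symmetry(tables, "subnet-app", "10.0.1.0/24", "igw-1"))
```

The same function applies to the NAT gateway case: pass the NAT gateway's subnet ID and CIDR instead of the application subnet's, since it is the NAT gateway's subnet that must send translated traffic to the firewall endpoint and receive the replies through it.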
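The mirrored rule pair described for stateless rules, written out in the `RuleGroup` structure that the Network Firewall CreateRuleGroup API accepts, as an added example that is not code from the AWS documentation. The block builds a forward rule (client to server port 443) and its reverse twin (server port 443 back to the client), both with the forward to stateful rule groups action, and adds a small lint that flags `aws:pass` rules whose reverse-direction twin is missing, which is the situation that produces asymmetric forwarding. The CIDRs and priorities are constructed placeholders; the lint ignores TCP flags, which is an assumption of this example.

```python
"""
Added example, not from the AWS Network Firewall documentation: build a
mirrored pair of stateless rules and lint a rule list for unpaired
aws:pass rules.  Dict layout follows the CreateRuleGroup RuleGroup structure
(RulesSource -> StatelessRulesAndCustomActions -> StatelessRules).
"""
TCP = 6
ANY = "0.0.0.0/0"
FORWARD_TO_SFE = "aws:forward_to_sfe"


def match_attributes(sources=(ANY,), destinations=(ANY,), src_ports=(), dst_ports=(), protocols=(TCP,)):
    """MatchAttributes block; ports are given as single port numbers here."""
    attrs = {
        "Sources": [{"AddressDefinition": s} for s in sources],
        "Destinations": [{"AddressDefinition": d} for d in destinations],
        "Protocols": list(protocols),
    }
    if src_ports:
        attrs["SourcePorts"] = [{"FromPort": p, "ToPort": p} for p in src_ports]
    if dst_ports:
        attrs["DestinationPorts"] = [{"FromPort": p, "ToPort": p} for p in dst_ports]
    return attrs


def stateless_rule(priority, attrs, action):
    # Priorities must be unique within a stateless rule group.
    return {"Priority": priority,
            "RuleDefinition": {"MatchAttributes": attrs, "Actions": [action]}}


def mirrored_pair(priority, client_cidr, server_cidr, server_port, action=FORWARD_TO_SFE):
    """Forward rule (client -> server:port) plus its reverse twin
    (server:port -> client) so both directions get the same action."""
    forward = stateless_rule(priority, match_attributes(
        sources=[client_cidr], destinations=[server_cidr], dst_ports=[server_port]), action)
    reverse = stateless_rule(priority + 1, match_attributes(
        sources=[server_cidr], destinations=[client_cidr], src_ports=[server_port]), action)
    return [forward, reverse]


def rule_group(rules):
    """RuleGroup parameter for CreateRuleGroup with Type STATELESS."""
    return {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": rules}}}


def _shape(attrs):
    """Hashable (sources, destinations, src_ports, dst_ports, protocols) tuple.
    TCP flags are ignored (assumption of this example)."""
    def ports(key):
        return tuple(sorted((p["FromPort"], p["ToPort"]) for p in attrs.get(key, [])))

    def addrs(key):
        return tuple(sorted(a["AddressDefinition"] for a in attrs.get(key, [])))
    return (addrs("Sources"), addrs("Destinations"), ports("SourcePorts"),
            ports("DestinationPorts"), tuple(sorted(attrs.get("Protocols", []))))


def _mirror(shape):
    src, dst, sp, dp, proto = shape
    return (dst, src, dp, sp, proto)


def unmirrored_pass_rules(rules):
    """Priorities of aws:pass rules with no reverse-direction twin.  With a
    default action of forward to stateful rule groups, such a rule lets one
    direction skip the stateful engine while the other direction reaches it."""
    pass_shapes = {_shape(r["RuleDefinition"]["MatchAttributes"]): r["Priority"]
                   for r in rules if "aws:pass" in r["RuleDefinition"]["Actions"]}
    return sorted(p for s, p in pass_shapes.items() if _mirror(s) not in pass_shapes)


if __name__ == "__main__":
    import json
    pair = mirrored_pair(10, "10.0.1.0/24", ANY, 443)
    print(json.dumps(rule_group(pair), indent=2))
    lone_pass = stateless_rule(5, match_attributes(sources=["10.0.1.0/24"], dst_ports=[443]), "aws:pass")
    print("unpaired pass rules:", unmirrored_pass_rules([lone_pass]))
```

To create the rule group for real, pass `rule_group(pair)` as the `RuleGroup` argument of boto3's `network_firewall.create_rule_group` with `Type="STATELESS"` and a `Capacity` value; the lint can be run over the `StatelessRules` list of any existing rule group fetched with `describe_rule_group`.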