Inline traffic inspection solution options - AWS Prescriptive Guidance

Inline traffic inspection solution options

The following three sections describe the data flows for traffic inspection using third-party firewall appliances in an AWS environment with Gateway Load Balancer and Gateway Load Balancer endpoints.

The following resources are used in the three options for this solution:

  • Dedicated spoke VPCs for hosting workloads or applications.

  • One VPC for hosting firewall appliances.

  • A dedicated subnet for the Transit Gateway elastic network interface for each Availability Zone in the spoke and appliance VPCs.

  • Appliance mode turned on for the appliance VPC attachment, so that the transit gateway keeps both directions of a flow in the same Availability Zone and the stateful firewall that saw the first packet also sees the return traffic.

  • Dedicated subnets for Gateway Load Balancer endpoints in each Availability Zone.

  • A transit gateway to interconnect the VPCs and to provide on-premises connectivity, either through an AWS Direct Connect transit virtual interface and a Direct Connect gateway, or through a VPN attachment for AWS Site-to-Site VPN.
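The following Terraform sketch is an added example, not code from the AWS guide, showing how the appliance-VPC resources in the list above fit together: per-AZ subnets for the Transit Gateway ENIs, the Gateway Load Balancer endpoints and the firewall appliances, a transit gateway attachment with appliance mode enabled, and a Gateway Load Balancer published as an endpoint service with one endpoint per Availability Zone. The region, Availability Zones, CIDR ranges, names and the appliance health-check port are assumptions; the spoke VPCs, route tables and the registration of the actual firewall instances with the target group are left out.

```hcl
# Added example (not from the AWS guide). Region, AZs, CIDRs, names and the
# health-check port are assumptions chosen for illustration.
locals {
  azs = ["us-east-1a", "us-east-1b"]
}

# Appliance VPC with three small subnets per AZ: Transit Gateway ENIs,
# Gateway Load Balancer endpoints, and the firewall appliances themselves.
resource "aws_vpc" "appliance" {
  cidr_block = "10.100.0.0/16"
  tags       = { Name = "appliance-vpc" }
}

resource "aws_subnet" "tgw" {
  for_each          = { for i, az in local.azs : az => cidrsubnet("10.100.0.0/24", 4, i) }
  vpc_id            = aws_vpc.appliance.id
  availability_zone = each.key
  cidr_block        = each.value
  tags              = { Name = "tgw-eni-${each.key}" }
}

resource "aws_subnet" "gwlbe" {
  for_each          = { for i, az in local.azs : az => cidrsubnet("10.100.1.0/24", 4, i) }
  vpc_id            = aws_vpc.appliance.id
  availability_zone = each.key
  cidr_block        = each.value
  tags              = { Name = "gwlb-endpoint-${each.key}" }
}

resource "aws_subnet" "firewall" {
  for_each          = { for i, az in local.azs : az => cidrsubnet("10.100.2.0/24", 4, i) }
  vpc_id            = aws_vpc.appliance.id
  availability_zone = each.key
  cidr_block        = each.value
  tags              = { Name = "firewall-${each.key}" }
}

# Transit gateway hub. Default association/propagation are disabled so that
# spoke and appliance route tables are defined explicitly (not shown here).
resource "aws_ec2_transit_gateway" "hub" {
  description                     = "inspection hub"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

resource "aws_ec2_transit_gateway_vpc_attachment" "appliance" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = aws_vpc.appliance.id
  subnet_ids         = [for s in aws_subnet.tgw : s.id]
  # Appliance mode keeps both directions of a flow in the same AZ, so the
  # stateful firewall that saw the first packet also sees the return traffic.
  appliance_mode_support = "enable"
}

# Gateway Load Balancer in the firewall subnets; GENEVE on 6081 to the appliances.
resource "aws_lb" "gwlb" {
  name               = "inspection-gwlb"
  load_balancer_type = "gateway"
  subnets            = [for s in aws_subnet.firewall : s.id]
}

resource "aws_lb_target_group" "firewalls" {
  name     = "firewall-appliances"
  protocol = "GENEVE"
  port     = 6081
  vpc_id   = aws_vpc.appliance.id
  health_check {
    protocol = "TCP"
    port     = "443" # assumed management port exposed by the appliance
  }
}

resource "aws_lb_listener" "gwlb" {
  load_balancer_arn = aws_lb.gwlb.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.firewalls.arn
  }
}

# Publish the GWLB as an endpoint service and place one endpoint per AZ in the
# dedicated endpoint subnets; route tables then point traffic at these endpoints.
resource "aws_vpc_endpoint_service" "gwlb" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.gwlb.arn]
}

resource "aws_vpc_endpoint" "gwlbe" {
  for_each          = aws_subnet.gwlbe
  vpc_id            = aws_vpc.appliance.id
  service_name      = aws_vpc_endpoint_service.gwlb.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [each.value.id]
}
```

Keeping one Transit Gateway ENI subnet, one endpoint subnet and one firewall subnet per Availability Zone is what lets the routing in the later options be written per AZ, so that a failure in one zone does not send traffic through an endpoint or appliance in another.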