Inline traffic inspection solution options
The following three sections describe data flows for traffic inspection using third-party firewall appliances in an AWS environment with Gateway Load Balancer and Gateway Load Balancer endpoints.
The following resources are used in the three options for this solution:
- Dedicated spoke VPCs for hosting workloads or applications.
- One VPC for hosting firewall appliances.
- A dedicated subnet for the Transit Gateway elastic network interface for each Availability Zone in the spoke and appliance VPCs.
- Appliance mode turned on for the appliance VPC attachment.
- Dedicated subnets for Gateway Load Balancer endpoints in each Availability Zone.
- A transit gateway to interconnect the VPCs, in addition to providing on-premises connectivity through the Transit Gateway virtual interface and AWS Direct Connect gateway or with a VPN attachment for AWS Site-to-Site VPN.
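The resource list above is easy to get subtly wrong in a live account: appliance mode left off on the appliance VPC attachment (so the return half of a flow can be steered to a different Availability Zone than the request half), or a transit gateway subnet or Gateway Load Balancer endpoint missing from one Availability Zone. The following audit script is an added example and is not AWS's own code. It assumes the input dicts are shaped like the responses of the EC2 API calls `describe_transit_gateway_vpc_attachments`, `describe_vpc_endpoints` and `describe_subnets` (keys such as `Options.ApplianceModeSupport`, `VpcEndpointType`, `SubnetIds`, `AvailabilityZone`), so it can be run offline on captured output or fed from boto3 on live data. All VPC, subnet, attachment and endpoint IDs in the sample data are constructed placeholders.

```python
"""Check an inline-inspection topology against the resource checklist above.

Added example, not AWS's code. The input structures mirror the EC2 API responses
of describe_transit_gateway_vpc_attachments, describe_vpc_endpoints and
describe_subnets; the sample data below is constructed with placeholder IDs.
"""

# Constructed sample data (placeholder IDs, two Availability Zones).
SUBNETS = [
    {"SubnetId": "subnet-app-tgw-a", "VpcId": "vpc-appliance", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-app-tgw-b", "VpcId": "vpc-appliance", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-app-gwlbe-a", "VpcId": "vpc-appliance", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-app-gwlbe-b", "VpcId": "vpc-appliance", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-spoke-tgw-a", "VpcId": "vpc-spoke-1", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-spoke-tgw-b", "VpcId": "vpc-spoke-1", "AvailabilityZone": "us-east-1b"},
]
ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-appliance", "VpcId": "vpc-appliance",
     "SubnetIds": ["subnet-app-tgw-a", "subnet-app-tgw-b"],
     "Options": {"ApplianceModeSupport": "disable"}},   # deliberately misconfigured
    {"TransitGatewayAttachmentId": "tgw-attach-spoke-1", "VpcId": "vpc-spoke-1",
     "SubnetIds": ["subnet-spoke-tgw-a"],               # deliberately missing AZ b
     "Options": {"ApplianceModeSupport": "disable"}},
]
ENDPOINTS = [
    {"VpcEndpointId": "vpce-gwlbe-a", "VpcId": "vpc-appliance",
     "VpcEndpointType": "GatewayLoadBalancer", "SubnetIds": ["subnet-app-gwlbe-a"]},
]


def azs_in_vpc(subnets, vpc_id):
    """Every Availability Zone the VPC has at least one subnet in."""
    return {s["AvailabilityZone"] for s in subnets if s["VpcId"] == vpc_id}


def az_by_subnet(subnets):
    """Map SubnetId -> AvailabilityZone."""
    return {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}


def audit_attachment(attachment, subnets, require_appliance_mode):
    """Findings for one transit gateway VPC attachment.

    Appliance mode is required only for the appliance VPC; every attachment must
    have a transit gateway subnet in each AZ its VPC spans.
    """
    findings = []
    aid = attachment["TransitGatewayAttachmentId"]
    mode = attachment.get("Options", {}).get("ApplianceModeSupport", "disable")
    if require_appliance_mode and mode != "enable":
        findings.append(f"{aid}: appliance mode is '{mode}', expected 'enable'")
    az_of = az_by_subnet(subnets)
    covered = {az_of[sid] for sid in attachment["SubnetIds"] if sid in az_of}
    for az in sorted(azs_in_vpc(subnets, attachment["VpcId"]) - covered):
        findings.append(f"{aid}: no transit gateway subnet in {az}")
    return findings


def audit_gwlb_endpoints(endpoints, subnets, vpc_id):
    """Findings for Gateway Load Balancer endpoint coverage in one VPC (one per AZ)."""
    az_of = az_by_subnet(subnets)
    covered = set()
    for ep in endpoints:
        if ep["VpcId"] == vpc_id and ep["VpcEndpointType"] == "GatewayLoadBalancer":
            covered.update(az_of[sid] for sid in ep["SubnetIds"] if sid in az_of)
    return [f"{vpc_id}: no Gateway Load Balancer endpoint in {az}"
            for az in sorted(azs_in_vpc(subnets, vpc_id) - covered)]


def run_audit(attachments, endpoints, subnets, appliance_vpc_id):
    """Run every check; an empty list means the topology matches the checklist."""
    findings = []
    for att in attachments:
        findings += audit_attachment(att, subnets, att["VpcId"] == appliance_vpc_id)
    findings += audit_gwlb_endpoints(endpoints, subnets, appliance_vpc_id)
    return findings


if __name__ == "__main__":
    for finding in run_audit(ATTACHMENTS, ENDPOINTS, SUBNETS, "vpc-appliance"):
        print(finding)
```

On the constructed sample the audit reports three findings: appliance mode disabled on the appliance VPC attachment, the spoke attachment missing a transit gateway subnet in the second Availability Zone, and no Gateway Load Balancer endpoint in that zone. To run it against a live account, replace the three constants with the `TransitGatewayVpcAttachments`, `VpcEndpoints` and `Subnets` lists returned by the corresponding boto3 `describe_*` calls.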