Outbound traffic inspection through a NAT gateway and internet gateway - AWS Prescriptive Guidance

The following diagram shows the workflow if you need to inspect outbound traffic originating from a VPC to the internet.

Inspecting traffic from a VPC to the internet through a NAT gateway and internet gateway.

The diagram shows the following workflow:

  1. The packet from an Amazon Elastic Compute Cloud (Amazon EC2) instance in Workload spoke VPC1 in Availability Zone 1 arrives at the Transit Gateway elastic network interface in Availability Zone 1. The Workload spoke VPC1 route table that is associated with the source subnet directs the packet to the Transit Gateway.

  2. In Transit Gateway, the spoke transit gateway route table is associated with the Workload spoke VPC1 attachment, which determines the next hop.

  3. The next hop is the Appliance VPC. The Transit Gateway determines which Transit Gateway elastic network interface to send the traffic to based on a 4-tuple hash.

  4. If the Transit Gateway chooses the Transit Gateway elastic network interface in Availability Zone 2, it then checks the VPC route table associated with the Transit Gateway elastic network interface subnet in Availability Zone 2 of the Appliance VPC, and sends the traffic to the Gateway Load Balancer endpoint based on the default route.

  5. The Gateway Load Balancer endpoint is logically connected to the Gateway Load Balancer through AWS PrivateLink, which forwards the traffic to the firewall appliance for traffic inspection. The Gateway Load Balancer creates a GENEVE tunnel between itself and the firewall appliances.

  6. If the traffic is allowed, the packet is sent back to the Gateway Load Balancer and then to the Gateway Load Balancer endpoint in Availability Zone 1 that it came from, based on metadata attached to the payload.

  7. At the Gateway Load Balancer endpoint in Availability Zone 1, the VPC route table of the endpoint's subnet is checked to determine the next hop.

  8. The packet arrives at NAT gateway 1, and the route table of the NAT gateway's subnet is checked; its default route points to the internet gateway.

  9. The packet is then sent to its destination through the internet gateway. The return traffic follows the same path but in reverse.
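As an added example (not part of the AWS guidance), the following Python model walks one flow through route tables shaped like the ones the steps above describe, then checks that the return traffic crosses the same Gateway Load Balancer endpoint and firewall as the outbound traffic, which stateful inspection requires. The CIDRs, route table contents, hop names and firewall policy are constructed, and keeping each flow in the Availability Zone that the hash selects is an assumption of the model.

```python
import hashlib
import ipaddress
# Constructed model of the page's workflow (added example, not AWS data). Each
# route table maps CIDR -> next hop and is resolved by longest-prefix match.
SPOKE, APPLIANCE = "10.1.0.0/16", "10.0.0.0/16"  # Workload spoke VPC1, Appliance VPC
ALLOWED_PORTS = {443}                            # constructed firewall policy

def next_hop(table, dst):
    """Longest-prefix-match lookup; returns the next hop for dst, or None."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(c), h) for c, h in table.items()
            if ip in ipaddress.ip_network(c)]
    return max(hits, key=lambda m: m[0].prefixlen)[1] if hits else None

def pick_az(src, dst, sport, dport, azs=("az1", "az2")):
    """Step 3: the Transit Gateway picks an ENI (AZ) by 4-tuple hash; sha256 stands in."""
    h = hashlib.sha256(f"{src}:{sport}:{dst}:{dport}".encode()).digest()
    return azs[h[0] % len(azs)]

def route_tables(az):
    """Tables consulted in steps 1, 2, 4, 7, 8 and on the reverse path."""
    return {
        "spoke-subnet": {SPOKE: "local", "0.0.0.0/0": "tgw"},
        "tgw-spoke-rt": {"0.0.0.0/0": "tgw-attach-appliance-vpc"},
        "tgw-eni-subnet": {APPLIANCE: "local", "0.0.0.0/0": f"gwlbe-{az}"},
        "gwlbe-subnet": {APPLIANCE: "local", SPOKE: "tgw", "0.0.0.0/0": f"natgw-{az}"},
        "natgw-subnet": {APPLIANCE: "local", SPOKE: f"gwlbe-{az}", "0.0.0.0/0": "igw"},
        "tgw-appliance-rt": {SPOKE: "tgw-attach-spoke-vpc1"},
    }

def trace(src, dst, sport, dport, outbound=True):
    """Hop list for one direction (src is always the EC2 instance); the flow
    stays in the AZ the hash chose, an assumption of this model."""
    az, fw = pick_az(src, dst, sport, dport), ["gwlb", "firewall"]
    rt = route_tables(az)
    if outbound:
        head, steps = [], [("spoke-subnet", dst), ("tgw-spoke-rt", dst), ("tgw-eni-subnet", dst)]
        tail, end = [("gwlbe-subnet", dst), ("natgw-subnet", dst)], ["internet"]
    else:  # return traffic: IGW -> NAT gateway -> inspection -> Transit Gateway -> spoke
        head, steps = ["igw", f"natgw-{az}"], [("natgw-subnet", src)]
        tail, end = [("gwlbe-subnet", src), ("tgw-appliance-rt", src)], ["spoke-vpc1"]
    path = head + [next_hop(rt[t], d) for t, d in steps] + fw
    if dport not in ALLOWED_PORTS:            # step 6 only happens if allowed
        return path + ["dropped"]
    return path + [f"gwlbe-{az}"] + [next_hop(rt[t], d) for t, d in tail] + end

def inspected_symmetrically(src, dst, sport, dport):
    """Stateful inspection needs the return hops to mirror the outbound ones."""
    fw = lambda p: [h for h in p if h.startswith("gwlbe-") or h == "firewall"]
    out, back = trace(src, dst, sport, dport), trace(src, dst, sport, dport, False)
    return "firewall" in fw(out) and fw(out) == fw(back)[::-1]
```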