VPC-to-on-premises traffic inspection - AWS Prescriptive Guidance

VPC-to-on-premises traffic inspection

The following diagram shows the traffic flow when an Amazon Elastic Compute Cloud (Amazon EC2) instance in Workload spoke VPC 1 communicates with an on-premises server.

The traffic flow between an Amazon EC2 instance in spoke VPC 1 and an on-premises server

The diagram shows the following workflow:

  1. A packet from an EC2 instance in Workload spoke VPC 1 in Availability Zone 1 arrives at the Transit Gateway elastic network interface in Availability Zone 1, in the transit gateway subnet for Workload spoke VPC 1. Based on the VPC route table associated with the Transit Gateway elastic network interface subnet, the packet lands on the transit gateway.

  2. In the transit gateway, the Spoke transit gateway route table is associated with the Workload spoke VPC 1 attachment, and a lookup in that table determines the next hop.

  3. The next hop is the appliance VPC. Based on a 4-tuple hash, which is kept stable for the life of a flow, the Transit Gateway determines which Transit Gateway elastic network interface (and therefore which Availability Zone) to send the traffic to.

  4. If Transit Gateway chooses the Transit Gateway elastic network interface in Availability Zone 1, it checks the VPC route table associated with the Transit Gateway elastic network interface subnet in Availability Zone 1 in the appliance VPC. Transit Gateway sends the traffic to the Gateway Load Balancer endpoint in Availability Zone 1.

  5. The Gateway Load Balancer endpoint is logically connected to the Gateway Load Balancer through AWS PrivateLink, and the Gateway Load Balancer forwards the traffic to the firewall appliance for inspection. The Gateway Load Balancer creates a GENEVE tunnel between itself and the firewall appliances.

  6. If the traffic is allowed, the packet is sent back to the Gateway Load Balancer and the Gateway Load Balancer endpoint in Availability Zone 1.

  7. At the Gateway Load Balancer endpoint, the VPC route table associated with the endpoint subnet is checked, and the next hop is the transit gateway.

  8. The packet arrives at the transit gateway, which performs a lookup in the appliance transit gateway route table (associated with the appliance VPC attachment) to find the next hop for the 172.16.0.0/16 network.

  9. The packet is then sent to the destination server on premises. The response traffic follows the same path but in reverse.