LZ Workshop 3.2 Advanced Network Routing

The document outlines best practices for network inspection within AWS, focusing on centralized ingress and egress solutions. It discusses layered VPC security, network architectures, and the importance of orchestration and observability in managing network traffic. Key topics include traffic inspection, routing configurations, and the use of AWS services like WAF and Transit Gateway for enhanced security and management.

Uploaded by thnhng105

Landing Zone

Advanced Networking Routing


AWS Professional Services

2025

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda

• Objectives
• Layered VPC Security (recap)
• Deployment Model
• Network Architectures
• E/W & N/S Inspection
• Centralized Ingress
• Centralized Egress
• Orchestration and Observability
• Capture requirements
Objectives
• Introduce best practices for network inspection

• Enable the team on the solution for centralizing ingress and egress

• Share some of the patterns for a network baseline

• Discover initial design patterns that align with VCB’s cloud adoption strategy through Q&A
Network Deep Dive Topic Discussion
(1) Describe your step-by-step process when inspecting traffic between workloads on AWS for debugging and troubleshooting.

• Share the factors that ensure a network issue affects only one of your workloads, not the others

• Can you walk through how you protect East-West traffic?
• Do you have any special security control requirements (regulation or VCB’s security policy) to control traffic between applications, VPC to VPC, or on-premises to AWS?

(2) Are app owners responsible for the management of network resources?

(3) Discuss network routing readiness for significant changes/requirements in the future.

• How many critical workloads are running on the LZ? 24/7 and 8/5
Layered VPC Security
AWS Layered Security inside a VPC (diagram)

VPC boundary, Availability Zone A and Availability Zone B, Subnet A and Subnet B
• NACL at the subnet boundary
• Security Group at the instance/interface
• NACL + Gateway Load Balancer with a third-party appliance
• AWS Network Firewall
• Application: AWS WAF
• Observability: Amazon VPC Flow Logs, Amazon Traffic Mirroring
• Orchestration: AWS Firewall Manager
Security Groups (Recap)

• Stateful firewall
• Inbound and outbound customer-defined rules
• Instance-/interface-level inspection
• Microsegmentation
• Mandatory, all instances have an associated security group
• Can be cross-referenced
• Works across VPC peering
• Only supports allow rules
• Implicit deny all if not allowed

Diagram: Internet Gateway → Elastic Load Balancing (ELB) “Web ELB” over HTTPS (TCP 443), Security Group “Web ELB” → Web servers (Amazon EC2) over HTTP (TCP 80), Security Group “Web Tier” → MySQL DB (Amazon Aurora) over MySQL (TCP 3306), Security Group “DB Tier”
Network Access Control Lists (NACLs) (Recap)

Diagram: Region 1, VPC 10.0.0.0/16, Availability Zone A, Subnet 10.0.1.0/24 with a network access control list at the subnet boundary. Default NACL configuration: inbound rules and outbound rules.
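The two recaps above describe the evaluation rules a practitioner has to keep straight: security groups are stateful, allow-only, implicitly deny anything unmatched, and can name another security group as the source; NACLs are stateless, numbered, first-match, and can deny. The following Python model is an added example written for this page, not AWS code and not part of the original deck; the group ids, the three-tier rules, the NACL rule numbers and the IP addresses are constructed to match the slide's Web ELB / Web Tier / DB Tier picture.

```python
"""Model of how a VPC evaluates Security Group and NACL rules.

Constructed example for the recap above (not AWS code): the three-tier
security groups on the slide ("Web ELB" -> "Web Tier" -> "DB Tier") and a
numbered NACL, evaluated against a few constructed flows.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SgRule:
    protocol: str          # "tcp" / "udp" / "-1" (all traffic)
    port_from: int
    port_to: int
    source: str            # CIDR, or another security group id (cross-reference)


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list[SgRule] = field(default_factory=list)


def sg_allows_inbound(sg, protocol, port, src_ip, src_sgs) -> bool:
    """Security groups are allow-only: any matching rule allows the flow and
    anything unmatched is implicitly denied. `src_sgs` are the group ids on
    the peer's interface, so cross-referenced rules can be matched."""
    for r in sg.inbound:
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
            continue
        if r.source.startswith("sg-"):
            if r.source in src_sgs:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.source):
            return True
    return False  # implicit deny


@dataclass
class NaclRule:
    number: int            # evaluated in ascending order, lowest match wins
    protocol: str
    port_from: int
    port_to: int
    cidr: str
    action: str            # "allow" or "deny"


def nacl_decision(rules, protocol, port, ip) -> str:
    """NACLs are stateless and support deny: the lowest-numbered matching
    rule decides; the catch-all '*' rule at the end denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
            continue
        if ipaddress.ip_address(ip) in ipaddress.ip_network(r.cidr):
            return r.action
    return "deny"


# Constructed security groups matching the slide's three tiers.
WEB_ELB = SecurityGroup("sg-webelb", [SgRule("tcp", 443, 443, "0.0.0.0/0")])
WEB_TIER = SecurityGroup("sg-webtier", [SgRule("tcp", 80, 80, "sg-webelb")])
DB_TIER = SecurityGroup("sg-dbtier", [SgRule("tcp", 3306, 3306, "sg-webtier")])

# Constructed NACL for a 10.0.1.0/24 subnet: block one range before the
# general HTTPS allow, and allow ephemeral ports for stateless return traffic.
SUBNET_NACL = [
    NaclRule(50, "tcp", 443, 443, "203.0.113.0/24", "deny"),
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]


def evaluate_examples() -> dict:
    return {
        "internet_to_elb_443": sg_allows_inbound(WEB_ELB, "tcp", 443, "198.51.100.7", set()),
        "elb_to_web_80": sg_allows_inbound(WEB_TIER, "tcp", 80, "10.0.0.10", {"sg-webelb"}),
        "internet_to_web_80": sg_allows_inbound(WEB_TIER, "tcp", 80, "198.51.100.7", set()),
        "web_to_db_3306": sg_allows_inbound(DB_TIER, "tcp", 3306, "10.0.1.20", {"sg-webtier"}),
        "elb_to_db_3306": sg_allows_inbound(DB_TIER, "tcp", 3306, "10.0.0.10", {"sg-webelb"}),
        "nacl_443_from_good": nacl_decision(SUBNET_NACL, "tcp", 443, "198.51.100.7"),
        "nacl_443_from_blocked": nacl_decision(SUBNET_NACL, "tcp", 443, "203.0.113.9"),
        "nacl_22_unmatched": nacl_decision(SUBNET_NACL, "tcp", 22, "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_examples().items():
        print(f"{name:24} {verdict}")
```

The cross-reference is the detail worth noticing: the DB tier never lists an IP range, so an instance that is not in the Web Tier group is denied even from inside the VPC, whereas the NACL can only express that by address and needs an explicit ephemeral-port rule for return traffic.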
Beyond Security Groups and NACLs (Recap)

• Scale
  • A security group allows for 1,000 rule entries (60 by default)
  • A NACL allows for a maximum of 40 rule entries (20 by default)

• Inspection depth
  • Both NACLs and security groups operate at the network and transport layers

• Centralized management
  • AWS Firewall Manager service for security groups only
Network Architectures
Network Architectures

• Between AWS environments
  • Inter-VPC within the same region
  • Inter-VPC between regions

• Connectivity to AWS environment
  • VPC and on premises

• Internet ingress

• Internet egress
Current network routing to deep dive
1. Each VPC has its own TGW route table

2. When configuring a route from VPC to VPC, propagate the VPC attachment to both TGW route tables

Open questions
1. Route summarization could be used to simplify the routing management overhead on AWS Transit Gateway
2. Routing approach to enable network automation
Route Summary

1. Is your network routing configured properly?

2. If so, have you planned for future usage? (Multi-Region vision, automation, …)

Name                                                                         Default   Adjustable
Transit gateway route tables per transit gateway                              20        Yes
Total combined routes (dynamic and static) across all route tables for
a single transit gateway                                                      10,000    Yes
Dynamic routes advertised from a virtual router appliance to a Connect peer   1,000     Yes
Routes advertised from a Connect peer on a transit gateway to a virtual
router appliance                                                              5,000     No
Static routes for a prefix to a single attachment                             1         No

Name                                                                         Default   Adjustable
Attachments per transit gateway                                               5,000     No
Transit gateways per VPC                                                      5         No
Peering attachments per transit gateway                                       50        Yes
Pending peering attachments per transit gateway                               10        Yes
Peering attachments between two transit gateways or between one transit
gateway and a Cloud WAN core network edge (CNE)                               1         No
Connect peers (GRE tunnels) per Connect attachment                            4         No
Sample pattern for TGW Routing tables
Transit Gateway attachments are associated with a Transit Gateway route table. An attachment can be associated with only one route table; however, an attachment can propagate its routes to one or more Transit Gateway route tables.

The following table shows each route table and its associated Transit Gateway attachments.

TGW Route Table: Inspection (VPC association: Inspection VPC Attachment)
  Destination            Route type    TGW Attachment
  Workload VPCs          Propagated    VPC Attachments
  Shared Services VPC    Propagated    Shared Services VPC Attachment
  Egress Prod VPC        Propagated    Egress Prod VPC Attachment
  SD WAN VPC             Propagated    SD WAN VPC Attachment
  0.0.0.0/0              Static Route  Egress Prod VPC Attachment

TGW Route Table: Workload (VPC association: Workload VPC Attachments)
  Shared Services VPC    Propagated    Inspection VPC Attachment
  10.10.0.0/16           Static Route  Inspection VPC Attachment
  Ingress VPC            Propagated    Ingress VPC Attachment
  0.0.0.0/0              Static Route  Egress VPC Attachment
  On-prem Prod CIDR      Static Route  VPN Attachment

TGW Route Table: Shared Services (VPC association: Shared Service VPC Attachment)
  10.10.0.0/16           Static Route  Inspection VPC Attachment
  0.0.0.0/0              Static Route  Egress Prod VPC Attachment
  On-prem Prod CIDR      Static Route  VPN Attachment

TGW Route Table: On-Prem Spoke (association: VPN Attachment)
  Workload VPCs          Propagated    VPC Attachments
  Shared Services VPC    Propagated    Shared Services VPC Attachment

TGW Route Table: Egress (VPC association: Egress VPC Attachment)
  Workload VPCs          Propagated    Workload VPC Attachments
  Shared Services VPC    Propagated    Shared Services VPC Attachment
  Ingress VPC            Propagated    Ingress Attachment
  Inspection VPC         Propagated    Inspection VPC Attachment

TGW Route Table: Ingress (VPC association: Ingress VPC Attachment)
  Workload VPCs          Propagated    Workload VPC Attachments
  Integration VPC        Propagated    Integration VPC Attachments
  0.0.0.0/0              Static Route  Egress Attachment
Traffic Inspection (recap)

Is traffic inspection being done today in your AWS environments?

If so, how is traffic inspection set up?

• North-South (Ingress and Egress)
Ingress Architectures
Internet to VPC
Ingress

How is Ingress traffic currently configured?

Current Ingress setup to deep dive
Should I centralize internet ingress?
Pros of centralizing
• Simpler to control internet access by centrally restricting IGW association to VPCs

Cons of centralizing
• Increased blast radius
• Increased complexity
• Increased cost (in most cases)
AWS Web Application Firewall (WAF)
PROTECT YOUR WEB APPLICATIONS

Frictionless setup: deploy without changing your existing architecture

Low operational overhead: ready-to-use built-in managed rules and rules from AWS Marketplace

Customizable security: highly flexible rule engine

AWS WAF can inspect requests with single-millisecond latency

Advanced automation: API-driven architecture and fast rule propagation allow you to detect and respond to threats in real time
Centralized Model
INGRESS ROUTING (diagram, two variants)

Edge VPC / Ingress VPC: 10.0.0.0/24, Availability Zone 1 and Availability Zone 2, with an Internet Gateway
• GWLBE Subnet 1 (GWLBE 1) and GWLBE Subnet 2 (GWLBE 2): the ingress route sends inbound packets through the Gateway Load Balancer endpoints
• Public Subnet 1 and Public Subnet 2: ALB or NLB

Variant 1: the load balancer forwards across a Transit Gateway to App VPC 1, App VPC 2 and App VPC 3 (each App VPC: NLB → EC2)
Variant 2: the load balancer forwards through Interface Endpoint Subnet 1 and Subnet 2 over AWS PrivateLink to App VPC 1, App VPC 2 and App VPC 3 (each App VPC: NLB → EC2)
Egress Architectures
VPC to Internet
Egress

How is Egress traffic currently configured?

Current Egress setup to deep dive
Centralized Model
EGRESS ROUTING (diagram)

Egress VPC (Edge VPC): 10.0.0.0/24, Availability Zone 1 and Availability Zone 2, Internet Gateway (IGW)
Subnets per AZ: TGW Subnet 1/2 (TGW ENI 1/2), Public Subnet 1/2 (NAT GW 1/2), GWLBE Subnet 1/2 (GWLBE 1/2)

TGW Subnet 1 Route Table: VPC CIDR via Local; 0.0.0.0/0 via NAT GW 1
TGW Subnet 2 Route Table: VPC CIDR via Local; 0.0.0.0/0 via NAT GW 2
Public Subnet 1 Route Table: VPC CIDR via Local; 0.0.0.0/0 via GWLBE 1
Public Subnet 2 Route Table: VPC CIDR via Local; 0.0.0.0/0 via GWLBE 2
GWLBE Subnet 1 and 2 Route Table: VPC CIDR via Local; 0.0.0.0/0 via IGW
IGW Ingress Route Table: VPC CIDR via Local; Public Subnet 1 via GWLB Endpoint 1; Public Subnet 2 via GWLB Endpoint 2

Transit Gateway
TGW Inspection Route Table (associated with Egress VPC): App VPC 1 CIDR via App VPC 1 Attachment; App VPC 2 CIDR via App VPC 2 Attachment; App VPC 3 CIDR via App VPC 3 Attachment
TGW App Route Table (associated with App VPCs): 0/0 via Inspection VPC Attachment

App VPC 1, App VPC 2, App VPC 3 (EC2)
App VPC Route Table: VPC CIDR via Local; 0.0.0.0/0 via TGW

Packet markers follow the route tables: App VPC → TGW → Egress VPC TGW subnet → NAT GW → GWLBE → IGW, with return traffic steered by the IGW ingress route table to the GWLB endpoint of the public subnet.
Orchestration and Observability
Network Observability – Flow Logs
VPC Flow Logs
• Diagnosing overly restrictive security group rules
• Monitoring the traffic that is reaching your instance
• Determining the direction of the traffic to and from the network interfaces
• Collect and store header information
Sources: VPC, Subnet, ENI
Destinations (VPC Flow Log fields): Amazon CloudWatch Logs, Amazon S3, Amazon Kinesis Data Firehose

Transit Gateway Flow Logs
• End-to-end visibility into network traffic traversing through Transit Gateway
• Capture traffic through any or all attachments of a Transit Gateway
• Determining the direction of the traffic to and from the Transit Gateway
Sources: VPC, Peering Connection, VPN, Direct Connect, Transit Gateway
Destinations (Transit Gateway Flow Log fields): Amazon CloudWatch, Amazon S3
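The VPC Flow Logs bullets above list diagnosing overly restrictive security group rules as the first use case. The following Python is an added example for this page, not part of the original deck and not AWS tooling: it parses default-format VPC Flow Log records, groups REJECTed ingress flows by destination port, and separates internal sources (a caller that probably should have been allowed) from external ones (mostly scan noise). The log lines, account id, ENI id, interface address and CIDRs are constructed for the demonstration.

```python
"""Parse default-format VPC Flow Log records and surface REJECTed ingress
flows per destination port. Added example for this page; not AWS tooling.
Sample records, account id, ENI id and addresses are constructed."""
import ipaddress
from collections import Counter, defaultdict

# Default VPC Flow Log format (version 2), space separated.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
PROTOCOLS = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed records for one web-tier ENI (10.0.1.20) in a 10.0.0.0/16 VPC.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51234 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.0.10 10.0.1.20 40122 80 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.0.11 10.0.1.20 40123 80 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 33000 3306 6 5 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 55555 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()


def parse_record(line):
    """Return a typed dict for one record, or None for malformed/NODATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":          # NODATA / SKIPDATA describe no flow
        return None
    for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    rec["protocol"] = PROTOCOLS.get(rec["protocol"], rec["protocol"])
    return rec


def direction(rec, eni_ip):
    """Ingress if the interface's own address is the destination, else egress."""
    return "ingress" if rec["dstaddr"] == eni_ip else "egress"


def rejected_ingress_by_port(records, eni_ip, internal_cidrs):
    """Group REJECTed ingress flows by (protocol, dstport). Internal sources
    rejected on a service port usually mean a security group or NACL that is
    too tight for a legitimate caller; external ones are mostly scan noise."""
    internal = [ipaddress.ip_network(c) for c in internal_cidrs]
    groups = defaultdict(lambda: {"internal": Counter(), "external": Counter()})
    for rec in records:
        if rec["action"] != "REJECT" or direction(rec, eni_ip) != "ingress":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        bucket = "internal" if any(src in net for net in internal) else "external"
        groups[(rec["protocol"], rec["dstport"])][bucket][rec["srcaddr"]] += 1
    return dict(groups)


def analyze(lines, eni_ip, internal_cidrs):
    records = [rec for rec in map(parse_record, lines) if rec is not None]
    return {"flows": len(records),
            "rejects": rejected_ingress_by_port(records, eni_ip, internal_cidrs)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, "10.0.1.20", ["10.0.0.0/16"])
    print(f"{result['flows']} flow records parsed")
    for (proto, port), buckets in sorted(result["rejects"].items()):
        print(f"REJECT ingress {proto}/{port}: internal={dict(buckets['internal'])} "
              f"external={dict(buckets['external'])}")
```

On the constructed sample the two internal rejects on tcp/80 point at the Web Tier security group missing its rule for the load balancer, while the single external reject on tcp/22 is exactly the noise the implicit deny is there for.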
VPC Reachability Analyzer
Resource types to use either as a source or as a destination:
• Instances
• Internet gateways
• Network interfaces
• Transit gateways
• Transit gateway attachments
• VPC endpoints
• VPC peering connections
• VPN gateways

Use Reachability Analyzer to:
• Troubleshoot connectivity issues
• Verify intended connectivity
• Automate verification of connectivity intent

Diagram: Amazon VPC A with two private subnets, each behind a Network ACL and a Security group.
Amazon VPC Network Access Analyzer

• Discover possible network access
• Define your network access requirements
• View paths that do not meet requirements
Network Access Analyzer Use Cases
• Internet accessibility to resources in VPCs

• Trusted network path

• Network segmentation

• Trusted network access

• Private network connectivity

Capturing Requirements

Q&A

Thank you!
Inter VPC Architecture
Same Region
Current E/W Inspection to discuss

1. There is no inspection rule for E/W traffic between workloads on AWS

2. The only layered security for E/W traffic is Security Groups in the workload AWS account.

Open questions

1. The network routing is partly decentralized from the starting point: the Network account
2. Security Groups are not enough if we duplicate the same E/W inspection approach from on-premises.
Common pattern for network routing
As customers grow the number of VPCs or VPC CIDRs, they can use route summarization when configuring the association between Transit Gateway and Direct Connect gateway. Summarizing routes is one strategy that can help you remain under the quota threshold for Direct Connect transit VIFs.

Ref: https://aws.amazon.com/blogs/networking-and-content-delivery/using-aws-transit-gateway-connect-to-extend-vrfs-and-increase-ip-prefix-advertisement/

Overcome the limitation

Operational efficiency
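The route-summarization point above has a flip side a network engineer should check: a summary advertises address space you do not actually own, so it must not overlap ranges that live elsewhere (on premises, the inspection VPC, a partner). The following Python is an added example, not part of the deck and not AWS code; it collapses a constructed set of VPC CIDRs with the standard library's `ipaddress` module, derives the single summary prefix that covers them (what the "Summary Route (10/8)" entries on the later slides stand for), and reports what that summary would swallow. All CIDRs are made up for the demonstration.

```python
"""Route summarization for Transit Gateway / Direct Connect gateway
advertisements, with a check on what a summary over-advertises.
Added example for this page, not AWS code; every CIDR below is constructed."""
import ipaddress

# Constructed VPC CIDRs behind one Transit Gateway.
VPC_CIDRS = ["10.10.0.0/16", "10.11.0.0/16", "10.12.0.0/16", "10.13.0.0/16", "10.20.0.0/16"]
# Constructed ranges that live elsewhere: on-premises, the inspection VPC, a partner.
FOREIGN = ["172.31.0.0/16", "192.168.1.0/24", "10.30.0.0/16"]


def summarize(cidrs):
    """Exact summarization: merge adjacent prefixes without adding any address
    space (adjacent /16s become a /15, and so on). Fewer routes, same coverage."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def supernet_summary(cidrs):
    """Single aggregate covering every CIDR, the smallest such prefix."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()
    return str(agg)


def summary_side_effects(summary, cidrs, foreign):
    """A summary advertises more than you own. Report the covered space that
    is no VPC CIDR (traffic for it is attracted toward the TGW, where no more
    specific route exists) and any foreign ranges the summary overlaps."""
    agg = ipaddress.ip_network(summary)
    owned = [ipaddress.ip_network(c) for c in cidrs]
    uncovered = [agg]
    for net in owned:
        remaining = []
        for piece in uncovered:
            if net.subnet_of(piece):
                remaining.extend(piece.address_exclude(net))  # carve net out
            elif piece.subnet_of(net):
                continue                                      # wholly owned
            else:
                remaining.append(piece)
        uncovered = remaining
    overlaps = [f for f in foreign if ipaddress.ip_network(f).overlaps(agg)]
    return {
        "summary": summary,
        "unallocated_prefixes": [str(p) for p in ipaddress.collapse_addresses(uncovered)],
        "foreign_overlaps": overlaps,
    }


if __name__ == "__main__":
    print("exact summary   :", summarize(VPC_CIDRS))
    one = supernet_summary(VPC_CIDRS)
    print("single aggregate:", one)
    report = summary_side_effects(one, VPC_CIDRS, FOREIGN)
    print("unallocated     :", report["unallocated_prefixes"])
    print("foreign overlaps:", report["foreign_overlaps"])
```

For the constructed input, exact summarization cuts five routes to three without over-advertising, while the single aggregate 10.0.0.0/11 cuts them to one but also claims the partner's 10.30.0.0/16; that overlap is the check to run before pushing a summary toward Direct Connect.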
Centralized Model: VPC to VPC
Region, Availability Zone 1 and Availability Zone 2 (diagram)

Spoke VPC 1: 10.0.1.0/24 (App Subnet 1/2 with Instance 1/2, TGW Subnet 1/2 with TGW ENI 1/2)
  App Subnet 1 and 2 Route Table: VPC CIDR via Local; Summary Route (10/8) via TGW 1
  TGW Subnet 1 and 2 Route Table: VPC CIDR via Local

Spoke VPC 2: 10.0.2.0/24 (same layout)
  App Subnet 1 and 2 Route Table: VPC CIDR via Local; Summary Route (10/8) via TGW 1
  TGW Subnet 1 and 2 Route Table: VPC CIDR via Local

Inspection VPC: 192.168.1.0/24 (GWLBE Subnet 1/2 with GWLBE 1/2, TGW Subnet 1/2 with TGW ENI 1/2)
  GWLBE Subnet 1 and 2 Route Table: VPC CIDR via Local
  TGW Subnet 1 Route Table: VPC CIDR via Local; 0/0 via GWLB Endpoint 1
  TGW Subnet 2 Route Table: VPC CIDR via Local; 0/0 via GWLB Endpoint 2

Transit Gateway (TGW) 1
  TGW Spoke Route Table (associated with Spoke VPCs): 0/0 via Inspection VPC Attachment
  TGW Inspection Route Table (associated with Inspection VPC): 10.0.1.0/24 via Spoke 1 VPC Attachment; 10.0.2.0/24 via Spoke 2 VPC Attachment
Centralized Model: VPC to VPC Packet Flow

Same topology and route tables as the preceding slide (Spoke VPC 1: 10.0.1.0/24, Spoke VPC 2: 10.0.2.0/24, Inspection VPC: 192.168.1.0/24, TGW 1 with Spoke and Inspection route tables). The packet markers trace the forward flow: Spoke VPC 1 instance → TGW 1 (Spoke Route Table, 0/0 via Inspection VPC Attachment) → Inspection VPC TGW subnet → GWLB Endpoint → back through TGW 1 (Inspection Route Table, 10.0.2.0/24 via Spoke 2 VPC Attachment) → Spoke VPC 2 instance.
Centralized Model: VPC to VPC Reverse Packet Flow

Same topology and route tables as the preceding slides. The packet markers trace the reverse flow from the Spoke VPC 2 instance back through TGW 1 and the Inspection VPC to the Spoke VPC 1 instance. Appliance Mode is enabled on the Inspection VPC attachment, so both directions of a flow are sent to the same Availability Zone of the Inspection VPC and reach the same appliance.
East-West Network Inspection Concept

1. An application in Spoke VPC A establishes traffic to another application in Spoke VPC B. Traffic is routed to the Transit Gateway.

2. Traffic reaches the firewall endpoint in the Inspection VPC. The original traffic is forwarded to Palo Alto via the GWLB endpoint in the Inspection VPC. The default destination is kept.

3. Palo Alto inspects the traffic: it evaluates the rules and allows the traffic if a rule matches; otherwise the traffic is denied.

4. Finally, the original traffic from Spoke VPC A reaches its destination in Spoke VPC B via the Transit Gateway.
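The East-West concept above, the Centralized Model route tables on the preceding slides, and the sample TGW route-table pattern earlier all rely on the same mechanism: each route table performs a longest-prefix match and the chosen target decides which table evaluates the packet next. The following Python walks a packet through that chain for the same-region centralized model (Spoke VPC 1: 10.0.1.0/24, Spoke VPC 2: 10.0.2.0/24, Inspection VPC: 192.168.1.0/24). It is an added example written for this page, not code from the deck or from AWS; the table and target names are labels chosen here, and the GWLBE subnet route back to the TGW (10/8 via TGW 1) is an assumption that the slide's route table does not show but the post-inspection leg requires.

```python
"""Longest-prefix-match walk through the centralized East-West inspection
model. Added example for this page, not AWS code; names are labels chosen
here and the GWLBE-subnet return route is an assumption (see lead-in).
"""
import ipaddress


class RouteTable:
    """A VPC or Transit Gateway route table: the longest prefix match wins."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(prefix), target) for prefix, target in routes]

    def lookup(self, dst):
        """Return the target of the most specific route covering dst, or None
        when no route matches (a blackhole: the packet is dropped)."""
        ip = ipaddress.ip_address(dst)
        matches = [(net, target) for net, target in self.routes if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


# Route tables as shown on the Centralized Model: VPC to VPC slide.
TABLES = {name: RouteTable(name, routes) for name, routes in {
    "spoke1-app-rt": [("10.0.1.0/24", "local"), ("10.0.0.0/8", "tgw-1")],
    "spoke2-app-rt": [("10.0.2.0/24", "local"), ("10.0.0.0/8", "tgw-1")],
    "spoke1-tgw-subnet-rt": [("10.0.1.0/24", "local")],
    "spoke2-tgw-subnet-rt": [("10.0.2.0/24", "local")],
    # TGW Spoke Route Table, associated with the spoke attachments.
    "tgw-spoke-rt": [("0.0.0.0/0", "inspection-vpc-attachment")],
    # TGW Inspection Route Table, associated with the inspection attachment.
    "tgw-inspection-rt": [("10.0.1.0/24", "spoke-1-vpc-attachment"),
                          ("10.0.2.0/24", "spoke-2-vpc-attachment")],
    "inspection-tgw-subnet-rt": [("192.168.1.0/24", "local"), ("0.0.0.0/0", "gwlb-endpoint-1")],
    # Assumption: the GWLBE subnet needs a route back to the TGW for the
    # post-inspection leg; the slide lists only the local route.
    "inspection-gwlbe-subnet-rt": [("192.168.1.0/24", "local"), ("10.0.0.0/8", "tgw-1")],
}.items()}

# (table that matched, target) -> table that evaluates the packet next.
# A VPC route to the TGW enters via that VPC's attachment and hits the table
# associated with it; a TGW route to an attachment exits into that VPC.
HOPS = {
    ("spoke1-app-rt", "tgw-1"): "tgw-spoke-rt",
    ("spoke2-app-rt", "tgw-1"): "tgw-spoke-rt",
    ("tgw-spoke-rt", "inspection-vpc-attachment"): "inspection-tgw-subnet-rt",
    # The GWLB endpoint hands the packet to the firewall; if allowed, it comes
    # back out of the endpoint and is routed by the GWLBE subnet table.
    ("inspection-tgw-subnet-rt", "gwlb-endpoint-1"): "inspection-gwlbe-subnet-rt",
    ("inspection-gwlbe-subnet-rt", "tgw-1"): "tgw-inspection-rt",
    ("tgw-inspection-rt", "spoke-1-vpc-attachment"): "spoke1-tgw-subnet-rt",
    ("tgw-inspection-rt", "spoke-2-vpc-attachment"): "spoke2-tgw-subnet-rt",
}


def walk(start_table, dst, tables=TABLES, hops=HOPS, max_hops=12):
    """Follow a packet for dst from start_table until it is delivered
    ('local'), blackholed, or leaves the modelled topology."""
    path, table = [], start_table
    for _ in range(max_hops):
        target = tables[table].lookup(dst)
        path.append((table, target))
        if target is None:
            return path, "blackhole"
        if target == "local":
            return path, "delivered"
        table = hops.get((table, target))
        if table is None:
            return path, f"no hop defined for {target}"
    return path, "loop"


def is_inspected(path):
    """True when the path passed through a GWLB endpoint, i.e. the firewall."""
    return any(str(target).startswith("gwlb-endpoint") for _, target in path)


if __name__ == "__main__":
    for start, dst in [("spoke1-app-rt", "10.0.2.30"),
                       ("spoke2-app-rt", "10.0.1.10"),
                       ("spoke1-app-rt", "10.0.3.5")]:  # no spoke owns 10.0.3.0/24
        path, status = walk(start, dst)
        print(f"{start} -> {dst}: {status}, inspected={is_inspected(path)}")
        for table, target in path:
            print(f"    {table:28} -> {target}")
```

The third walk shows why the inspection route table must carry a route for every spoke: the spoke table's 0/0 happily sends traffic for an unknown 10.0.3.0/24 into the firewall, and the packet is blackholed only afterwards, in the inspection route table, which is where a missing propagation shows up during troubleshooting.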
Inter VPC Architecture
Inter Region
Centralized Model: VPC to VPC
Option 1: Single Inspection

Region 1, Availability Zone 1 and Availability Zone 2 (diagram)
  Inspection VPC 1: 192.168.1.0/24 (GWLBE Subnet 1/2 with GWLBE 1/2, TGW Subnet 1/2 with TGW ENI 1/2)
  Spoke VPC 1: 10.1.1.0/24 (App Subnet 1/2 with Instance 1/2, TGW Subnet 1/2 with TGW ENI 1/2)
  Transit Gateway (TGW) 1, Appliance Mode Enabled on Inspection VPC Attachment
    TGW 1 Inspection Route Table (associated with Inspection VPC and TGW Peering): 10.1.1.0/24 via Spoke VPC 1 Attachment; 10.2.0.0/16 via TGW Peer Attachment
    TGW 1 Spoke + Peering Route Table (associated with Spoke VPCs and TGW Peering): 0/0 via Inspection VPC Attachment

Transit Gateway Cross-Region Peering between TGW 1 and TGW 2

Region 2, Availability Zone 1 and Availability Zone 2
  Spoke VPC 2: 10.2.2.0/24 (App Subnet 1/2 with Instance 1/2, TGW Subnet 1/2 with TGW ENI 1/2)
  Transit Gateway (TGW) 2
    TGW 2 Spoke + Peering Route Table (associated with Spoke VPCs): 10.1.0.0/16 via TGW Peer Attachment; 10.2.2.0/24 via Spoke VPC 2 Attachment
Centralized Model: VPC to VPC
Option 1: Single Inspection, Packet Flow

Same topology and route tables as the preceding slide (Region 1: Inspection VPC 1 192.168.1.0/24, Spoke VPC 1 10.1.1.0/24, TGW 1; Region 2: Spoke VPC 2 10.2.2.0/24, TGW 2; cross-region peering). The packet markers trace a flow between Spoke VPC 1 and Spoke VPC 2 that is inspected once, in Region 1, on its way through TGW 1.
Centralized Model: VPC to VPC
Option 2: Double Inspection

Region 1, Availability Zone 1 and Availability Zone 2 (diagram)
  Inspection VPC 1: 192.168.1.0/24 (GWLBE Subnet 1/2 with GWLBE 1/2, TGW Subnet 1/2 with TGW ENI 1/2)
  Spoke VPC 1: 10.1.1.0/24 (App Subnet 1/2 with Instance 1/2, TGW Subnet 1/2 with TGW ENI 1/2)
  Transit Gateway (TGW) 1, Appliance Mode Enabled on Inspection VPC Attachment
    TGW 1 Inspection Route Table (associated with Inspection VPC): 10.1.1.0/24 via Spoke VPC 1 Attachment; 10.2.0.0/16 via TGW Peer Attachment
    TGW 1 Spoke/Peering Route Table (associated with Spoke VPCs and TGW Peering): 0/0 via Inspection VPC 1 Attachment

Transit Gateway Cross-Region Peering between TGW 1 and TGW 2

Region 2, Availability Zone 1 and Availability Zone 2
  Inspection VPC 2: 192.168.2.0/24 (same layout)
  Spoke VPC 2: 10.2.2.0/24 (same layout)
  Transit Gateway (TGW) 2, Appliance Mode Enabled on Inspection VPC Attachment
    TGW 2 Inspection Route Table (associated with Inspection VPC): 10.2.2.0/24 via Spoke VPC 2 Attachment; 10.1.0.0/16 via TGW Peer Attachment
    TGW 2 Spoke/Peering Route Table (associated with Spoke VPCs and TGW Peering): 0/0 via Inspection VPC 2 Attachment
Centralized Model: VPC to VPC
Option 2: Double Inspection, Packet Flow

Same topology and route tables as the preceding slide (the spoke VPCs are labelled Spoke VPC 1: 10.0.1.0/24 and Spoke VPC 3: 10.1.3.0/24 here). The packet markers trace a flow that is inspected in Inspection VPC 1 by TGW 1 and again in Inspection VPC 2 by TGW 2 after crossing the peering.
Hybrid Architecture
VPC and On Premises
Connectivity to AWS

How is VPN/DX configured on TGW route table?

Centralized Model: VPC to VPC
On Premises and DX Co-Location Facility (diagram)
  On Premises: Customer or AWS Partner Device and Cage
  DX Co-Location Facility: Customer or AWS Partner Cage, Cross-connect, AWS Device
  AWS Cloud: Transit VIF → AWS Direct Connect (DX) Gateway → Transit Gateway (TGW), Region 1

Region 1, Availability Zone 1 and Availability Zone 2
  Spoke VPC 1: 10.0.1.0/24 (App Subnet 1/2 with Instance 1/2, TGW Subnet 1/2 with TGW ENI 1/2)
    App Subnet 1 and 2 Route Table: VPC CIDR via Local; Summary Route (10/8) via TGW; Summary Route (172.31/16) via TGW
    TGW Subnet 1 and 2 Route Table: VPC CIDR via Local
  Inspection VPC: 192.168.1.0/24 (GWLBE Subnet 1/2 with GWLBE 1/2, TGW Subnet 1/2 with TGW ENI 1/2), Appliance Mode Enabled on Inspection VPC Attachment
    GWLBE Subnet 1 and 2 Route Table: VPC CIDR via Local
    TGW Subnet 1 Route Table: VPC CIDR via Local; 0/0 via GWLB Endpoint 1
    TGW Subnet 2 Route Table: VPC CIDR via Local; 0/0 via GWLB Endpoint 2

Transit Gateway (TGW)
  TGW Inspection Route Table (associated with Inspection VPC): 10.0.1.0/24 via Spoke 1 VPC Attachment; 172.31.0.0/16 via DX GW Attachment
  TGW On-Premises Route Table (associated with DX GW): 0/0 via Inspection VPC Attachment
  TGW Spoke Route Table (associated with Spoke VPCs): 0/0 via Inspection VPC Attachment; 172.31/16 via DX GW Attachment
Centralized Model: VPC to VPC Packet Flow

Same hybrid topology as the preceding slide (On Premises → DX Co-Location Facility → Transit VIF → Direct Connect Gateway → Transit Gateway (TGW) 1; Spoke VPC 1: 10.0.1.0/24; Inspection VPC: 192.168.1.0/24). On this slide the TGW Spoke Route Table and the TGW On-Premises Route Table each carry only 0/0 via Inspection VPC Attachment, and the TGW Inspection Route Table carries 10.0.1.0/24 via Spoke VPC 1 Attachment and 172.31.0.0/16 via DX GW Attachment. The packet markers trace the flow from the Spoke VPC 1 instance through TGW 1 and the Inspection VPC to the Direct Connect gateway and on premises.
Sample North-South Network Inspection Concept

1. An application in Spoke VPC A establishes traffic to an application on-prem. Traffic is routed to the Transit Gateway.

2. Traffic reaches the firewall endpoint in the Inspection VPC. The original traffic is forwarded to AWS Network Firewall in the Inspection VPC. The default destination is kept.

3. AWS Network Firewall inspects the traffic: it evaluates the rules and allows the traffic if a rule matches; otherwise the traffic is denied.

4. Finally, the original traffic from Spoke VPC A reaches its destination application on-prem via the Transit Gateway.

Note
You can use the same model for inspection of traffic to other AWS Regions using the AWS Transit Gateway Inter-Region Peering feature
