Outbound traffic:

1. Internet traffic from the Amazon Elastic Compute Cloud (Amazon EC2) instance in the Application virtual private cloud (VPC) is sent through AWS Transit Gateway (TGW) via the VPC-TGW spoke attachment. It is then routed to the Inspection VPC following the TGW spoke route table (RTB).
2. Traffic enters the Inspection VPC on the Transit Gateway attachment subnet. The TGW attachment subnet's route table routes the traffic to the Gateway Load Balancer (GWLB) endpoint in the same Availability Zone.
3. The GWLB endpoint forwards the traffic to the GWLB, which encapsulates the traffic in Generic Network Virtualization Encapsulation (GENEVE). GENEVE-encapsulated traffic is sent for inspection to the Security Appliance. Once the traffic is inspected, it is sent back to the GWLB, which returns it to the GWLB endpoint.
4. Traffic is then routed to the NAT Gateway (NAT GW) in the same Availability Zone. Traffic enters the NAT GW, and the source IP changes to the NAT GW IP.
5. The NAT GW routes internet traffic to the Internet Gateway (IGW). Traffic leaves for the internet through the IGW.

Return traffic:

6. The return traffic from the internet is sent to the NAT GW by the IGW.
7. The NAT GW sends return traffic to the GWLB endpoint, in accordance with the NAT GW RTB.
8. The GWLB endpoint sends the return traffic to the GWLB, which encapsulates the traffic in GENEVE. GENEVE-encapsulated return traffic is sent for inspection to the Security Appliance. After the return traffic is inspected, it is sent back to the GWLB, which returns it to the GWLB endpoint.
9. Return traffic is sent back to App VPC 1 via the TGW inspection RTB. Return traffic arrives in App VPC 1 from the TGW after being inspected by the GWLB, and is locally routed to the source EC2 instance.
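The route table entries that produce this hop-by-hop path, written as an added Terraform example for one Availability Zone (this is not configuration from the original page or from AWS). The CIDR, the placeholder IDs, and the referenced resources (aws_route_table.*, aws_vpc_endpoint.gwlbe_az_a, aws_nat_gateway.az_a, aws_internet_gateway.inspection, aws_ec2_transit_gateway.main) are assumed to be defined elsewhere.

```hcl
# Assumed placeholders: App VPC 1 CIDR and the TGW route table / attachment IDs.
variable "app_vpc_cidr"                 { default = "10.1.0.0/16" }
variable "tgw_spoke_rtb_id"             { default = "tgw-rtb-SPOKE-PLACEHOLDER" }
variable "tgw_inspection_rtb_id"        { default = "tgw-rtb-INSPECTION-PLACEHOLDER" }
variable "app_vpc_attachment_id"        { default = "tgw-attach-APP1-PLACEHOLDER" }
variable "inspection_vpc_attachment_id" { default = "tgw-attach-INSPECTION-PLACEHOLDER" }

# 1. TGW spoke RTB: internet-bound traffic from App VPC 1 goes to the Inspection VPC attachment.
resource "aws_ec2_transit_gateway_route" "spoke_default" {
  transit_gateway_route_table_id = var.tgw_spoke_rtb_id
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = var.inspection_vpc_attachment_id
}

# 2. TGW attachment subnet RTB: hand traffic to the GWLB endpoint in the same AZ.
resource "aws_route" "tgw_subnet_to_gwlbe" {
  route_table_id         = aws_route_table.tgw_attach_az_a.id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = aws_vpc_endpoint.gwlbe_az_a.id
}

# 3. GWLB endpoint subnet RTB: inspected traffic goes to the NAT GW in the same AZ;
#    inspected return traffic for App VPC 1 goes back to the TGW.
resource "aws_route" "gwlbe_subnet_to_natgw" {
  route_table_id         = aws_route_table.gwlbe_az_a.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.az_a.id
}
resource "aws_route" "gwlbe_subnet_return_to_tgw" {
  route_table_id         = aws_route_table.gwlbe_az_a.id
  destination_cidr_block = var.app_vpc_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.main.id
}

# 4. NAT GW subnet RTB: default route to the IGW; return traffic for App VPC 1 is
#    sent to the GWLB endpoint so it is inspected before reaching the TGW.
resource "aws_route" "natgw_subnet_to_igw" {
  route_table_id         = aws_route_table.natgw_az_a.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.inspection.id
}
resource "aws_route" "natgw_subnet_return_to_gwlbe" {
  route_table_id         = aws_route_table.natgw_az_a.id
  destination_cidr_block = var.app_vpc_cidr
  vpc_endpoint_id        = aws_vpc_endpoint.gwlbe_az_a.id
}

# 5. TGW inspection RTB: return traffic reaches App VPC 1 through its own attachment.
resource "aws_ec2_transit_gateway_route" "inspection_to_app1" {
  transit_gateway_route_table_id = var.tgw_inspection_rtb_id
  destination_cidr_block         = var.app_vpc_cidr
  transit_gateway_attachment_id  = var.app_vpc_attachment_id
}
```

Because every per-AZ route points at the GWLB endpoint and NAT GW of the same Availability Zone, the return path stays symmetric and both directions pass the Security Appliance; a route that crosses AZs is the usual cause of asymmetric, uninspected flows.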