
Multi-Region Inspection with AWS Network Firewall

Project Overview

Project Detail

Traffic flow (the step numbers match the callouts on the AWS architecture diagram):

1. Traffic from an instance in Spoke VPC A destined to another instance in Spoke VPC B is routed to the Transit Gateway in Region A as per the Spoke VPC A route table.
2. The Transit Gateway (Region A) route table associated with the Spoke VPC A attachment (Pre-inspection route table) sends all the traffic (0.0.0.0/0) to Inspection VPC A.
3. The Inspection VPC A TGW subnet route table sends all the traffic to the firewall endpoint for transparent inspection.
4. The allowed traffic is forwarded back to the TGW ENI.
5. As per the Transit Gateway (Region A) route table associated with Inspection VPC A (Post-inspection route table), the traffic is sent to Region B via the Transit Gateway peering.
6. As per the Transit Gateway (Region B) route table associated with the Transit Gateway peering (Pre-inspection route table), the traffic is sent to Inspection VPC B for inspection.
7. The Inspection VPC B TGW subnet route table sends all the traffic to the firewall endpoint for transparent inspection.
8. The allowed traffic is forwarded back to the TGW ENI.
9. As per the Transit Gateway (Region B) route table associated with Inspection VPC B (Post-inspection route table), the traffic is sent to Spoke VPC B.
10. Traffic is forwarded to the destination, the Amazon EC2 instance in Spoke VPC B.

* It is recommended to enable Transit Gateway appliance mode on the Inspection VPC Transit Gateway attachments to maintain flow symmetry.

Diagram components

Region A
- Spoke VPC A (10.1.0.0/16), Availability Zone A: Workload subnet 10.1.0.0/24 (Amazon EC2 instance); TGW subnet 10.1.1.0/28 (TGW ENI).
- Spoke VPC A route table: 10.1.0.0/16 -> local; 0.0.0.0/0 -> tgw-id.
- Inspection VPC A (100.64.0.0/26), Availability Zone A: TGW subnet 100.64.0.0/28 (TGW ENI); Firewall subnet 100.64.0.16/28 (Firewall endpoint).
- AWS Transit Gateway, Region A:
  Pre-inspection route table (associated with the spoke attachment): 0.0.0.0/0 -> Inspection VPC.
  Post-inspection route table (associated with the Inspection VPC attachment): 10.1.0.0/16 -> Spoke VPC A; 10.2.0.0/16 -> TGW peering.

Region B
- Spoke VPC B (10.2.0.0/16), Availability Zone A: Workload subnet 10.2.0.0/24 (Amazon EC2 instance); TGW subnet 10.2.1.0/28 (TGW ENI).
- Inspection VPC B (100.64.1.0/26), Availability Zone A: TGW ENI; Firewall endpoint.
- AWS Transit Gateway, Region B:
  Pre-inspection route table (associated with the spoke attachment and the peering attachment): 0.0.0.0/0 -> Inspection VPC.
  Post-inspection route table (associated with the Inspection VPC attachment): 10.1.0.0/16 -> TGW peering; 10.2.0.0/16 -> Spoke VPC B.
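The hop-by-hop walk in steps 1 to 10 can be checked mechanically against the route tables on the diagram. The following Python is an added example, not AWS code or this project's own: it does longest-prefix matching over those tables (the inspection VPC subnet tables and the attachment-to-table associations are assumptions, spelled out in the comments) and confirms that both directions of a Spoke A to Spoke B flow cross both firewall endpoints, while a destination missing from a post-inspection table is dropped rather than forwarded uninspected. It does not model Availability Zone selection, which is what appliance mode addresses.

```python
from ipaddress import ip_address, ip_network

# Route tables named as on the diagram. Assumed: the inspection VPC TGW subnet routes to the firewall.
ROUTE_TABLES = {
    "spoke-a-rt":        {"10.1.0.0/16": "local", "0.0.0.0/0": "tgw-a"},
    "spoke-b-rt":        {"10.2.0.0/16": "local", "0.0.0.0/0": "tgw-b"},
    "tgw-a-pre":         {"0.0.0.0/0": "inspection-vpc-a"},
    "tgw-a-post":        {"10.1.0.0/16": "spoke-vpc-a", "10.2.0.0/16": "tgw-peering"},
    "tgw-b-pre":         {"0.0.0.0/0": "inspection-vpc-b"},
    "tgw-b-post":        {"10.1.0.0/16": "tgw-peering", "10.2.0.0/16": "spoke-vpc-b"},
    "insp-a-tgw-subnet": {"100.64.0.0/26": "local", "0.0.0.0/0": "firewall-a"},
    "insp-b-tgw-subnet": {"100.64.1.0/26": "local", "0.0.0.0/0": "firewall-b"},
}

# Which table is consulted next once a table has picked a target (the attachment associations, assumed).
NEXT_TABLE = {
    ("spoke-a-rt", "tgw-a"): "tgw-a-pre",                    # spoke attachment -> pre-inspection RT
    ("tgw-a-pre", "inspection-vpc-a"): "insp-a-tgw-subnet",  # arrives on the inspection VPC TGW ENI
    ("insp-a-tgw-subnet", "firewall-a"): "tgw-a-post",       # allowed traffic returns to the TGW
    ("tgw-a-post", "spoke-vpc-a"): "spoke-a-rt",
    ("tgw-a-post", "tgw-peering"): "tgw-b-pre",              # peering attachment -> Region B pre-inspection RT
    ("spoke-b-rt", "tgw-b"): "tgw-b-pre",
    ("tgw-b-pre", "inspection-vpc-b"): "insp-b-tgw-subnet",
    ("insp-b-tgw-subnet", "firewall-b"): "tgw-b-post",
    ("tgw-b-post", "spoke-vpc-b"): "spoke-b-rt",
    ("tgw-b-post", "tgw-peering"): "tgw-a-pre",
}

def lookup(table, dst):
    """Longest-prefix match, as VPC and TGW route tables do; None means no route (black hole)."""
    hits = [(ip_network(c), t) for c, t in ROUTE_TABLES[table].items()
            if ip_address(dst) in ip_network(c)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(src_table, dst, max_hops=16):
    """Walk a packet from the source VPC route table; returns the targets hit, in order."""
    path, table = [], src_table
    for _ in range(max_hops):
        target = lookup(table, dst)
        path.append(target)
        if target in ("local", None):  # delivered inside this VPC, or dropped for lack of a route
            return path
        table = NEXT_TABLE[(table, target)]
    raise RuntimeError("routing loop: " + " > ".join(path))

def firewalls(path): return [t for t in path if t and t.startswith("firewall-")]

def symmetric(table_a, ip_a, table_b, ip_b):
    # Both directions of the flow must cross the same set of firewall endpoints.
    return set(firewalls(trace(table_a, ip_b))) == set(firewalls(trace(table_b, ip_a)))
```

Running the same walk over route tables exported from the account catches a spoke route that points around the inspection VPC before it goes live.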

Reference diagram: https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/inspection-deployment-models-with-AWS-network-firewall-ra.pdf?did=wp_card&trk=wp_card

To know more about this project connect with us
