Figure 1: Internet Egress VPC
For this workshop, we also deploy a dedicated Egress VPC, which has a NAT gateway configured in a public subnet with a route to the Internet Gateway (IGW).
Traffic originating from the spoke VPCs is forwarded to the Inspection VPC for processing. From there it is forwarded to the Egress VPC via the default route in the Transit Gateway firewall route table. The NAT gateway lets workloads in the private subnets of the spoke VPCs reach the Internet or AWS services that are exposed on public IP addresses. Instead of a NAT gateway you can also use a NAT instance or a partner solution from AWS Marketplace; the AWS Network Competency Program lists the relevant partners.
| VPC | CIDR |
| --- | --- |
| Internet Egress VPC D | 10.10.0.0/16 |
It is also possible to deploy AWS Network Firewall inside the Egress VPC itself, but that variant is not covered in this workshop. For more details, see the Combined Deployment Model section here.
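The routing chain described above (spoke VPC, Inspection VPC, Transit Gateway firewall route table, Egress VPC, NAT gateway, IGW) can be checked mechanically. The following is an added example, not workshop code: it models the route tables as plain dictionaries, traces a destination hop by hop with longest-prefix matching, and flags the misconfiguration where a spoke's default route reaches the Egress VPC without passing the Inspection VPC. The route-table labels and the CIDRs other than 10.10.0.0/16 are constructed for the example.

```python
"""Trace the egress path through the workshop's hub-and-spoke routing.

Added example, not part of the workshop: ROUTE_TABLES is a constructed model of
the page's design (spoke -> Inspection VPC -> Egress VPC -> NAT gateway -> IGW);
labels such as "tgw:spoke-rt" are illustrative, not AWS identifiers.
"""
from ipaddress import ip_address, ip_network
# Each hop owns one route table {prefix: next_hop}; longest prefix wins, as in AWS.
ROUTE_TABLES = {
    # TGW: spoke attachments associate with spoke-rt, the inspection VPC with firewall-rt
    "tgw:spoke-rt":    {"0.0.0.0/0": "inspection-vpc"},
    "tgw:firewall-rt": {"0.0.0.0/0": "egress-vpc", "10.1.0.0/16": "spoke-a"},
    # Inspection VPC: traffic leaves the firewall endpoint back to the TGW firewall RT
    "inspection-vpc":  {"0.0.0.0/0": "tgw:firewall-rt"},
    # Egress VPC (10.10.0.0/16): attachment subnet -> NAT gateway; return traffic -> TGW
    "egress-vpc":      {"0.0.0.0/0": "nat-gateway", "10.0.0.0/8": "tgw:firewall-rt"},
    # NAT gateway sits in the public subnet, whose default route is the Internet Gateway
    "nat-gateway":     {"0.0.0.0/0": "igw"},
}
# Misconfiguration to detect: a spoke default route that skips the Inspection VPC
BYPASS_TABLES = {**ROUTE_TABLES, "tgw:spoke-rt": {"0.0.0.0/0": "egress-vpc"}}

def longest_match(table, dst):
    """Return the next hop for dst by longest-prefix match, or None if unrouted."""
    dst = ip_address(dst)
    matches = [ip_network(p) for p in table if dst in ip_network(p)]
    return table[str(max(matches, key=lambda n: n.prefixlen))] if matches else None

def trace(dst, tables=ROUTE_TABLES, start="tgw:spoke-rt", max_hops=10):
    """Follow dst hop by hop from a spoke attachment to a terminal hop (IGW or spoke)."""
    path, hop = [start], start
    for _ in range(max_hops):
        if hop not in tables:            # terminal: has no route table of its own
            return path
        hop = longest_match(tables[hop], dst)
        if hop is None:
            return path + ["blackhole"]
        path.append(hop)
    raise RuntimeError("routing loop: " + " -> ".join(path))

def egress_is_inspected(path):
    """Internet-bound traffic must pass the Inspection VPC before reaching the IGW."""
    if "igw" not in path or "inspection-vpc" not in path:
        return False
    return path.index("inspection-vpc") < path.index("igw")

if __name__ == "__main__":
    for tables in (ROUTE_TABLES, BYPASS_TABLES):
        p = trace("198.51.100.7", tables)
        print(" -> ".join(p), "| inspected:", egress_is_inspected(p))
```

The same trace applied to an east-west destination (a spoke CIDR) shows that the more specific route in the firewall route table returns traffic to the spoke rather than sending it out through the NAT gateway.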