Inspection VPC


Figure 1: Inspection VPC

The Inspection VPC consists of two subnets in each AZ: one subnet is dedicated to the firewall endpoint and the second is dedicated to the AWS Transit Gateway attachment.

Each Transit Gateway subnet requires its own dedicated VPC route table so that traffic is forwarded to the firewall endpoint within the same AZ (a single route table can carry only one default route, so one shared table cannot point to a different endpoint per AZ). Each of these route tables has a default route (0.0.0.0/0) pointing to the firewall endpoint in its own AZ.

VPC              Assigned CIDR
Inspection VPC   100.64.0.0/16

AWS Network Firewall is completely transparent to network traffic. In our example, we used the CGNAT range (100.64.0.0/16) for the Inspection VPC to conserve IP address space. Avoid using the Inspection VPC for any other workload.
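The layout described above (two subnets per AZ, one route table per Transit Gateway subnet with its default route pinned to the same-AZ firewall endpoint, and the 100.64.0.0/16 CIDR), as an added Terraform example that is not part of the original page. Assumed: two AZs, an existing firewall policy ARN, a configured AWS provider, and illustrative resource names.

```hcl
# Added example, not the page's own code. Assumptions: two AZs, an existing firewall policy ARN.
variable "azs"                 { default = ["us-east-1a", "us-east-1b"] }
variable "firewall_policy_arn" { type = string }
locals { az_index = { for i, az in var.azs : az => i } }
resource "aws_vpc" "inspection" {
  cidr_block = "100.64.0.0/16"   # CGNAT range, as assigned on the page
}
# One firewall-endpoint subnet and one Transit Gateway subnet per AZ
resource "aws_subnet" "firewall" {
  for_each          = local.az_index
  vpc_id            = aws_vpc.inspection.id
  availability_zone = each.key
  cidr_block        = cidrsubnet(aws_vpc.inspection.cidr_block, 8, each.value)
}
resource "aws_subnet" "tgw" {
  for_each          = local.az_index
  vpc_id            = aws_vpc.inspection.id
  availability_zone = each.key
  cidr_block        = cidrsubnet(aws_vpc.inspection.cidr_block, 8, 100 + each.value)
}
resource "aws_networkfirewall_firewall" "inspection" {
  name                = "inspection"
  vpc_id              = aws_vpc.inspection.id
  firewall_policy_arn = var.firewall_policy_arn
  dynamic "subnet_mapping" {
    for_each = aws_subnet.firewall
    content { subnet_id = subnet_mapping.value.id }
  }
}
# Map each AZ to the firewall endpoint AWS created in that AZ's firewall subnet
locals {
  fw_endpoint_by_az = { for s in aws_networkfirewall_firewall.inspection.firewall_status[0].sync_states : s.availability_zone => s.attachment[0].endpoint_id }
}

# Dedicated route table per TGW subnet; the default route never leaves the AZ
resource "aws_route_table" "tgw" {
  for_each = local.az_index
  vpc_id   = aws_vpc.inspection.id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = local.fw_endpoint_by_az[each.key]
  }
}
resource "aws_route_table_association" "tgw" {
  for_each       = local.az_index
  subnet_id      = aws_subnet.tgw[each.key].id
  route_table_id = aws_route_table.tgw[each.key].id
}
```

After `terraform apply`, `terraform state show 'aws_route_table.tgw["us-east-1a"]'` should list a 0.0.0.0/0 route whose `vpc_endpoint_id` is the `vpce-` endpoint in the same AZ; a mismatch here is what silently introduces cross-AZ inspection traffic.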