Inspection VPC


Figure 1: Inspection VPC

The Inspection VPC consists of two subnets in each AZ: one subnet is dedicated to the firewall endpoint and the second is dedicated to the AWS Transit Gateway attachment.

Each Transit Gateway subnet requires a dedicated VPC route table to ensure that traffic is forwarded to the firewall endpoint within the same AZ. These route tables have a default route ( pointing towards the firewall endpoint in the same AZ, so traffic never crosses AZs before inspection.
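As an added example (not from the original page), the following Python check tests a described Inspection VPC layout against the rules above: one firewall subnet and one Transit Gateway subnet per AZ, and each TGW subnet on its own route table whose default route targets the firewall endpoint in the same AZ. The subnet names, endpoint ids and route tables are constructed for illustration.

```python
def check_inspection_vpc(subnets, route_tables, firewall_endpoints):
    """Return a list of findings; an empty list means the layout matches the design.
    subnets: list of {name, az, role ('firewall' | 'tgw'), route_table}
    route_tables: {route table name: {destination CIDR: target id}}
    firewall_endpoints: {az: id of the Network Firewall endpoint in that AZ}"""
    findings = []
    # one firewall subnet and one TGW subnet per AZ, and an endpoint in every AZ
    for az in sorted({s["az"] for s in subnets} | set(firewall_endpoints)):
        roles = sorted(s["role"] for s in subnets if s["az"] == az)
        if roles != ["firewall", "tgw"]:
            findings.append(f"{az}: expected one firewall and one tgw subnet, got {roles}")
        if az not in firewall_endpoints:
            findings.append(f"{az}: no firewall endpoint in this AZ")
    tables_in_use = {}
    for s in subnets:
        if s["role"] != "tgw":
            continue
        tables_in_use.setdefault(s["route_table"], []).append(s["name"])
        target = route_tables.get(s["route_table"], {}).get("0.0.0.0/0")
        if target is None:
            findings.append(f"{s['name']}: route table {s['route_table']} has no default route")
        elif target != firewall_endpoints.get(s["az"]):
            # cross-AZ default route: traffic would leave its AZ before inspection
            findings.append(f"{s['name']}: default route -> {target} is not the firewall endpoint in {s['az']}")
    for rt, names in tables_in_use.items():
        if len(names) > 1:  # one table cannot point each AZ at its own endpoint
            findings.append(f"route table {rt} is shared by TGW subnets {names}")
    return findings


# Constructed two-AZ layout (ids are made up); AZ b's TGW route table wrongly
# points at the firewall endpoint in AZ a.
SUBNETS = [
    {"name": "tgw-a", "az": "az-a", "role": "tgw", "route_table": "rt-tgw-a"},
    {"name": "fw-a", "az": "az-a", "role": "firewall", "route_table": "rt-fw"},
    {"name": "tgw-b", "az": "az-b", "role": "tgw", "route_table": "rt-tgw-b"},
    {"name": "fw-b", "az": "az-b", "role": "firewall", "route_table": "rt-fw"},
]
FIREWALL_ENDPOINTS = {"az-a": "vpce-aaaa", "az-b": "vpce-bbbb"}
ROUTE_TABLES = {
    "rt-tgw-a": {"0.0.0.0/0": "vpce-aaaa"},
    "rt-tgw-b": {"0.0.0.0/0": "vpce-aaaa"},  # should be vpce-bbbb
}

if __name__ == "__main__":
    for finding in check_inspection_vpc(SUBNETS, ROUTE_TABLES, FIREWALL_ENDPOINTS):
        print("FINDING:", finding)
```

The same check flags a route table shared between TGW subnets of different AZs, which is the other way the per-AZ requirement gets broken in practice.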

VPC            | Assigned CIDR
Inspection VPC |

AWS Network Firewall is completely transparent to network traffic. In our example, we used the CGNAT range ( to conserve IP address space. Avoid using the Inspection VPC for any other workload.