Figure 1: Inspection VPC
The Inspection VPC consists of two subnets in each AZ. One subnet is dedicated to the firewall endpoint and the second is dedicated to the AWS Transit Gateway attachment.
Each Transit Gateway subnet requires its own dedicated VPC route table to ensure that traffic is forwarded to the firewall endpoint within the same AZ. Each of these route tables has a default route (0.0.0.0/0) pointing to the firewall endpoint in the same AZ, so traffic never crosses AZs on its way to inspection.
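The per-AZ routing rule above is easy to get wrong when route tables are created by hand, and a Transit Gateway subnet whose default route points at a firewall endpoint in another AZ will lose inspection when that AZ is unavailable. The following script is an added example, not code from the original post: it checks that every Transit Gateway subnet has its own route table and that the table's 0.0.0.0/0 route targets a firewall endpoint in the same AZ. The input dictionaries imitate the shape of the EC2 DescribeRouteTables and DescribeSubnets responses and the Network Firewall endpoint-to-AZ mapping, but all IDs and values are constructed sample data; in practice they would be filled from the AWS API.

```python
"""Verify AZ-affine routing from Transit Gateway subnets to AWS Network
Firewall endpoints in an inspection VPC.

Added example (not from the original post). The dictionaries below follow
the shape of EC2 describe_route_tables / describe_subnets output and a
firewall endpoint -> AZ map, but every identifier is constructed sample data.
"""

# Constructed sample: subnet -> Availability Zone (would come from describe_subnets)
SUBNET_AZ = {
    "subnet-tgw-a": "us-east-1a",
    "subnet-tgw-b": "us-east-1b",
    "subnet-fw-a": "us-east-1a",
    "subnet-fw-b": "us-east-1b",
}

# Constructed sample: firewall endpoint -> AZ (would come from the firewall's sync states)
FIREWALL_ENDPOINT_AZ = {
    "vpce-fw-a": "us-east-1a",
    "vpce-fw-b": "us-east-1b",
}

# Constructed sample route tables in the shape of describe_route_tables()
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-tgw-a",
        "Associations": [{"SubnetId": "subnet-tgw-a"}],
        "Routes": [
            {"DestinationCidrBlock": "100.64.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-fw-a"},
        ],
    },
    {
        # Deliberately misconfigured: subnet in 1b, default route to the 1a endpoint
        "RouteTableId": "rtb-tgw-b",
        "Associations": [{"SubnetId": "subnet-tgw-b"}],
        "Routes": [
            {"DestinationCidrBlock": "100.64.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-fw-a"},
        ],
    },
]


def check_tgw_subnet_routing(route_tables, subnet_az, endpoint_az, tgw_subnets):
    """Return a list of finding strings. An empty list means every Transit
    Gateway subnet has a dedicated route table whose 0.0.0.0/0 route points
    at a firewall endpoint in the subnet's own AZ."""
    findings = []

    # Map each explicitly associated subnet to its route table
    subnet_to_table = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                subnet_to_table[assoc["SubnetId"]] = rt

    for subnet in tgw_subnets:
        rt = subnet_to_table.get(subnet)
        if rt is None:
            findings.append(f"{subnet}: no explicit route table association")
            continue

        # The table must be dedicated: no other subnet may share it
        sharers = [s for s, t in subnet_to_table.items()
                   if t["RouteTableId"] == rt["RouteTableId"] and s != subnet]
        if sharers:
            findings.append(f"{subnet}: route table {rt['RouteTableId']} is shared with {sharers}")

        default = [r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        if not default:
            findings.append(f"{subnet}: no 0.0.0.0/0 route in {rt['RouteTableId']}")
            continue

        target = default[0].get("VpcEndpointId")
        if target not in endpoint_az:
            findings.append(f"{subnet}: default route target {target!r} is not a firewall endpoint")
            continue

        # The core invariant: the endpoint must sit in the same AZ as the subnet
        if endpoint_az[target] != subnet_az[subnet]:
            findings.append(
                f"{subnet} ({subnet_az[subnet]}): default route crosses AZ to "
                f"{target} ({endpoint_az[target]})")
    return findings


if __name__ == "__main__":
    for finding in check_tgw_subnet_routing(ROUTE_TABLES, SUBNET_AZ, FIREWALL_ENDPOINT_AZ,
                                            ["subnet-tgw-a", "subnet-tgw-b"]):
        print("FINDING:", finding)
```

Run against the sample data, the script reports one finding for subnet-tgw-b, whose default route crosses from us-east-1b to the endpoint in us-east-1a; pointing that route at the 1b endpoint clears it. The same check can be run periodically against live API output to catch drift after route table changes.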
AWS Network Firewall is completely transparent to network traffic. In our example, we used the CGNAT range (100.64.0.0/16) for the inspection VPC to preserve IP addresses. Avoid using the inspection VPC for any other workload.