Edit Route Tables

Edit the appropriate route tables to add routes:

In this activity you will edit route tables and add routes so that the desired traffic flows through the firewall for inspection. You will also add the routes that let traffic egress to the Internet.

Add the routes carefully. If a route is missing or points at the wrong target (for example a firewall endpoint or NAT gateway from the other Availability Zone), your lab won't work.

Spoke VPC A Route Table:

  • Go to VPC > Route Tables and filter for spoke-vpc-a-workload-subnet-rtb-a-anfw-centralized
  • Add a default route (0.0.0.0/0) with the Transit Gateway as the target

Spoke VPC B Route Table:

  • Go to VPC > Route Tables and filter for spoke-vpc-b-workload-subnet-rtb-b-anfw-centralized
  • Add a default route (0.0.0.0/0) with the Transit Gateway as the target

Inspection VPC Route Tables:

1. Add routes to the firewall subnet route tables:
  1. Add a default route (0.0.0.0/0) with the Transit Gateway as the target to both inspection VPC firewall subnet route tables. This is the return path: traffic leaving the firewall endpoint goes back to the Transit Gateway.
    • Availability Zone A:

    Go to VPC > Route Tables and filter for inspection-vpc-firewall-rtb-a-anfw-centralized

    and add a default route with the Transit Gateway as the target

    • Availability Zone B:

    Go to VPC > Route Tables and filter for inspection-vpc-firewall-rtb-b-anfw-centralized

    and add a default route with the Transit Gateway as the target

2. Add routes to the TGW subnet route tables:
  1. Add a default route (0.0.0.0/0) with the firewall endpoint as the target to both inspection VPC TGW subnet route tables. This sends everything arriving from the Transit Gateway into the firewall for inspection.
  • Availability Zone A:

    Go to VPC > Route Tables and filter for inspection-vpc-tgw-rtb-a-anfw-centralized

    From the Target drop-down select Gateway Load Balancer Endpoint (the Network Firewall endpoint is a Gateway Load Balancer endpoint).

    Firewall endpoints are zonal. Make sure you select the zonal vpce-id: for Availability Zone A select the endpoint that was created in Availability Zone A.

  • Availability Zone B:

    Repeat the step for the route table in the other Availability Zone:

    Go to VPC > Route Tables and filter for inspection-vpc-tgw-rtb-b-anfw-centralized and repeat the steps, this time with the other vpce-id as the target.

    Firewall endpoints are zonal. Make sure you select the zonal vpce-id: for Availability Zone B select the endpoint that was created in Availability Zone B. If a TGW subnet sends traffic to the endpoint in the other zone, that traffic crosses zones before inspection and is dropped if that zone's endpoint is unavailable.

Egress VPC Route Tables:

1. Add routes to the public subnet route tables:
  1. A default route (0.0.0.0/0) with the Internet gateway as the target
  2. A supernet route (10.0.0.0/8) with the Transit Gateway as the target, so that return traffic for any spoke VPC goes back through the Transit Gateway (and therefore through inspection) rather than out of the Internet gateway
  • Availability Zone A:

    Go to VPC > Route Tables and filter for egress-vpc-public-rtb-a-anfw-centralized

  • Availability Zone B:

    Go to VPC > Route Tables and filter for egress-vpc-public-rtb-b-anfw-centralized

2. Add routes to the TGW subnet route tables:
  1. Add a default route (0.0.0.0/0) with the NAT gateway as the target:
  • Availability Zone A:

    Make sure you select the NAT gateway that lives in Availability Zone A.

    Go to VPC > Route Tables and filter for egress-vpc-tgw-rtb-a-anfw-centralized

  • Availability Zone B:

    Make sure you select the NAT gateway that lives in Availability Zone B.

    Go to VPC > Route Tables and filter for egress-vpc-tgw-rtb-b-anfw-centralized

Transit Gateway Route Tables:

1. Add routes to the Transit Gateway spoke route table:
  1. A default route (0.0.0.0/0) with tgw-inspection-vpc-attachment as the target, so that everything a spoke sends is handed to the inspection VPC first

Go to VPC > Transit Gateway Route Tables and filter for tgw-spoke-rtb-anfw-centralized

2. Add routes to the Transit Gateway inspection route table:
  1. Add a default route (0.0.0.0/0) with tgw-egress-vpc-attachment as the target
  2. Add Spoke VPC A CIDR 10.1.0.0/16 with tgw-spoke-vpc-a-attachment as the target
  3. Add Spoke VPC B CIDR 10.2.0.0/16 with tgw-spoke-vpc-b-attachment as the target

Go to VPC > Transit Gateway Route Tables and filter for tgw-inspection-rtb-anfw-centralized

3. Add routes to the Transit Gateway egress route table:
  1. A default route (0.0.0.0/0) with tgw-inspection-vpc-attachment as the target, so that return traffic from the Internet is inspected before it reaches a spoke

Go to VPC > Transit Gateway Route Tables and filter for tgw-egress-rtb-anfw-centralized
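The same set of route changes, expressed as AWS CLI calls, is shown below as an added example; it is not part of the workshop and not code from AWS. Route tables and Transit Gateway attachments are resolved by their Name tags as used on this page, the firewall endpoint for each zone is read from the firewall's own zonal sync state so the vpce-id cannot be mixed up between zones, and the firewall name, Availability Zone names, and the TGW/IGW/NAT gateway IDs are assumptions you set from your own account. With DRY_RUN=1 (the default) every aws command is printed instead of executed, so the plan can be reviewed first.

```shell
#!/usr/bin/env bash
# Added example, not part of the workshop: the route changes on this page as AWS CLI calls.
# DRY_RUN=1 prints each aws command and returns placeholder IDs from lookups; DRY_RUN=0 applies them.
set -eu
DRY_RUN="${DRY_RUN:-1}"

# Assumptions: firewall name, AZs, and gateway IDs come from your account (placeholders in dry-run).
FW_NAME="${FW_NAME:-anfw-centralized}"
AZ_A="${AZ_A:-us-east-1a}"
AZ_B="${AZ_B:-us-east-1b}"
TGW_ID="${TGW_ID:-tgw-PLACEHOLDER}"
IGW_ID="${IGW_ID:-igw-PLACEHOLDER}"
NATGW_A="${NATGW_A:-nat-PLACEHOLDER-a}"   # NAT gateway that lives in AZ A
NATGW_B="${NATGW_B:-nat-PLACEHOLDER-b}"   # NAT gateway that lives in AZ B
SUPERNET="10.0.0.0/8"                     # from the page: all spoke ranges go back to the TGW
SPOKE_A_CIDR="10.1.0.0/16"
SPOKE_B_CIDR="10.2.0.0/16"

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "aws $*"; else aws "$@"; fi; }

# Resolve a route table, TGW route table or TGW attachment ID from its Name tag.
lookup() {   # lookup <rtb|tgw-rtb|tgw-attach> <name>
  local kind=$1 name=$2
  if [ "$DRY_RUN" = 1 ]; then echo "<$kind:$name>"; return; fi
  case "$kind" in
    rtb)        aws ec2 describe-route-tables --filters "Name=tag:Name,Values=$name" \
                  --query 'RouteTables[0].RouteTableId' --output text ;;
    tgw-rtb)    aws ec2 describe-transit-gateway-route-tables --filters "Name=tag:Name,Values=$name" \
                  --query 'TransitGatewayRouteTables[0].TransitGatewayRouteTableId' --output text ;;
    tgw-attach) aws ec2 describe-transit-gateway-attachments --filters "Name=tag:Name,Values=$name" \
                  --query 'TransitGatewayAttachments[0].TransitGatewayAttachmentId' --output text ;;
  esac
}

# Network Firewall endpoints are zonal: ask the firewall which endpoint it created in this AZ,
# instead of picking a vpce-id by hand, so a TGW subnet can never be pointed at the other zone.
fw_endpoint() {   # fw_endpoint <availability-zone>
  if [ "$DRY_RUN" = 1 ]; then echo "<vpce:$1>"; return; fi
  aws network-firewall describe-firewall --firewall-name "$FW_NAME" \
    --query "FirewallStatus.SyncStates.\"$1\".Attachment.EndpointId" --output text
}

vpc_route() {   # vpc_route <route-table name> <destination cidr> <target flag> <target id>
  run ec2 create-route --route-table-id "$(lookup rtb "$1")" --destination-cidr-block "$2" "$3" "$4"
}
tgw_route() {   # tgw_route <tgw route table name> <destination cidr> <attachment name>
  run ec2 create-transit-gateway-route --transit-gateway-route-table-id "$(lookup tgw-rtb "$1")" \
    --destination-cidr-block "$2" --transit-gateway-attachment-id "$(lookup tgw-attach "$3")"
}

plan() {
  # Spoke VPCs: everything leaves through the Transit Gateway.
  vpc_route spoke-vpc-a-workload-subnet-rtb-a-anfw-centralized 0.0.0.0/0 --transit-gateway-id "$TGW_ID"
  vpc_route spoke-vpc-b-workload-subnet-rtb-b-anfw-centralized 0.0.0.0/0 --transit-gateway-id "$TGW_ID"
  # Inspection VPC: firewall subnets return to the TGW, TGW subnets hand traffic to their zone's endpoint.
  vpc_route inspection-vpc-firewall-rtb-a-anfw-centralized 0.0.0.0/0 --transit-gateway-id "$TGW_ID"
  vpc_route inspection-vpc-firewall-rtb-b-anfw-centralized 0.0.0.0/0 --transit-gateway-id "$TGW_ID"
  vpc_route inspection-vpc-tgw-rtb-a-anfw-centralized 0.0.0.0/0 --vpc-endpoint-id "$(fw_endpoint "$AZ_A")"
  vpc_route inspection-vpc-tgw-rtb-b-anfw-centralized 0.0.0.0/0 --vpc-endpoint-id "$(fw_endpoint "$AZ_B")"
  # Egress VPC: public subnets go to the IGW and send the supernet back to the TGW;
  # TGW subnets use the NAT gateway of their own Availability Zone.
  for az in a b; do
    vpc_route "egress-vpc-public-rtb-$az-anfw-centralized" 0.0.0.0/0 --gateway-id "$IGW_ID"
    vpc_route "egress-vpc-public-rtb-$az-anfw-centralized" "$SUPERNET" --transit-gateway-id "$TGW_ID"
  done
  vpc_route egress-vpc-tgw-rtb-a-anfw-centralized 0.0.0.0/0 --nat-gateway-id "$NATGW_A"
  vpc_route egress-vpc-tgw-rtb-b-anfw-centralized 0.0.0.0/0 --nat-gateway-id "$NATGW_B"
  # Transit Gateway: spokes and egress both send everything to inspection; inspection knows the spokes
  # and sends the rest to egress.
  tgw_route tgw-spoke-rtb-anfw-centralized      0.0.0.0/0       tgw-inspection-vpc-attachment
  tgw_route tgw-inspection-rtb-anfw-centralized 0.0.0.0/0       tgw-egress-vpc-attachment
  tgw_route tgw-inspection-rtb-anfw-centralized "$SPOKE_A_CIDR" tgw-spoke-vpc-a-attachment
  tgw_route tgw-inspection-rtb-anfw-centralized "$SPOKE_B_CIDR" tgw-spoke-vpc-b-attachment
  tgw_route tgw-egress-rtb-anfw-centralized     0.0.0.0/0       tgw-inspection-vpc-attachment
}

plan
```

Run it once with the default DRY_RUN=1 and read the printed plan; the only lines that differ between the two inspection-vpc-tgw route tables should be the route table name and the endpoint placeholder for its own zone. Then run with DRY_RUN=0 to apply. If a route already exists, create-route fails with RouteAlreadyExists; use `aws ec2 replace-route` with the same arguments for that entry.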