Up and running with AWS Network Firewall - Part 3

The third post in my series as I share my learnings with AWS Network Firewall.

If you want to start at the beginning, check out part 1 here and part 2 here.

Let's get into setting up an Inspection VPC across multiple Availability Zones!

The Setup

Building on the example set out in Parts 1 & 2, the following diagram shows our Inspection VPC, which now has Network Firewall Endpoints across 3 Availability Zones.

As we scale this out, things get a little more complicated so let's break it down.

AWS Network Firewall is a zonal service with an endpoint in each Availability Zone. This is a typical pattern in many AWS services, enabling protection against Availability Zone failures.

Due to this service design, each endpoint must process the full end-to-end stream of client traffic.

To enable this, each Availability Zone has a route table that passes traffic to the local firewall endpoint.

The following diagram shows the flow from the Transit Gateway Endpoint through the firewall and back to the Transit Gateway.

  • Traffic enters the Availability Zone via the Transit Gateway Attachment
  • The Route Table forces the traffic to the Network Firewall Endpoint
  • Traffic is allowed or denied
  • The Route Table passes the traffic back to the Transit Gateway attachment

Transit Gateway Appliance Mode

Now that we have an Inspection VPC across multiple Availability Zones, we need to enable "Appliance Mode" on the Transit Gateway Attachment.

This option forces the Transit Gateway to use a flow hash algorithm to select a single network interface in the Inspection VPC, and to send traffic to that interface for the life of the flow.

What the hell does that mean?!

Simply put, the traffic will flow forward and backward through the same path, without introducing asymmetric routing, which would break the client session.

If we have a client in Availability Zone 1 trying to talk to another client in Availability Zone 2 via the Network Firewall, it won't work without this setting enabled.
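The failure described above can be reproduced in a simplified model. This is an added example, not code from the original post or from AWS: the Endpoint class, the sample addresses and the SHA-256 flow hash are constructed stand-ins (the real hash algorithm is not given on this page). It assumes that without Appliance Mode the Transit Gateway keeps traffic in the Availability Zone it originated from, and that each firewall endpoint keeps its own connection state.

```python
import hashlib

AZS = ["az1", "az2", "az3"]  # constructed: one firewall endpoint per AZ

# Constructed sample hosts: (availability zone, IP address, port)
CLIENT = ("az1", "10.1.0.10", 49152)
SERVER = ("az2", "10.2.0.20", 443)


def pick_endpoint(src, dst, appliance_mode):
    """Return the AZ whose firewall endpoint receives a packet from src to dst."""
    if not appliance_mode:
        # Assumed default: traffic stays in the AZ it originated from.
        return src[0]
    # Appliance Mode: one endpoint per flow. Sorting the two ends makes the
    # hash direction-independent. SHA-256 is a stand-in, not AWS's algorithm.
    ends = sorted(f"{ip}:{port}" for _, ip, port in (src, dst))
    digest = hashlib.sha256("|".join(ends).encode()).digest()
    return AZS[digest[0] % len(AZS)]


class Endpoint:
    """Stateful firewall endpoint whose connection table is local to its AZ."""

    def __init__(self):
        self.flows = set()

    def inspect(self, src, dst, is_reply):
        flow = frozenset([src[1:], dst[1:]])
        if is_reply:
            return flow in self.flows  # reply with no matching state is dropped
        self.flows.add(flow)
        return True


def session_works(a, b, appliance_mode):
    """Send a request a->b and the reply b->a; return (fwd_az, rev_az, ok)."""
    endpoints = {az: Endpoint() for az in AZS}
    fwd_az = pick_endpoint(a, b, appliance_mode)
    rev_az = pick_endpoint(b, a, appliance_mode)
    ok = endpoints[fwd_az].inspect(a, b, is_reply=False)
    ok = ok and endpoints[rev_az].inspect(b, a, is_reply=True)
    return fwd_az, rev_az, ok


if __name__ == "__main__":
    for mode in (False, True):
        print("appliance_mode =", mode, session_works(CLIENT, SERVER, mode))
```

With Appliance Mode off, the request is inspected in az1 and the reply arrives at the az2 endpoint, which has no state for the flow; with it on, both directions land on the same endpoint.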

I won't attempt to explain this further, as the following posts do it much better than I ever would!



To enable this, run the following command on the target attachment.

aws ec2 modify-transit-gateway-vpc-attachment --transit-gateway-attachment-id tgw-attach-xxxxxx --options ApplianceModeSupport=enable


It did take me a little while to realize that I needed to enable Appliance Mode. However, maybe I should read the documentation more before diving in!

In part 4, we will look at the available options for logging and alerting.

I hope this helps someone else!

