Inspect traffic between subnets - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Inspect traffic between subnets

Consider the scenario where you have multiple subnets in a VPC and you want to inspect the traffic between them using a firewall appliance. Configure and install the firewall appliance on an EC2 instance in a separate subnet in your VPC.

The following diagram shows a firewall appliance installed on an EC2 instance in subnet C. The appliance inspects all traffic that travels from subnet A to subnet B (see 1) and from subnet B to subnet A (see 2).


                Inspect subnet traffic

You use the main route table for the VPC and the middlebox subnet. Subnets A and B each have a custom route table.

The middlebox routing wizard, automatically performs the following operations:

  • Creates the route tables.

  • Adds the necessary routes to the new route tables.

  • Disassociates the current route tables associated with the subnets.

  • Associates the route tables that the middlebox routing wizard creates with the subnets.

  • Creates a tag that indicates it was created by the middlebox routing wizard, and a tag that indicates the creation date.

The middlebox routing wizard does not modify your existing route tables. It creates new route tables, and then associates them with your gateway and subnet resources. If your resources are already explicitly associated with existing route tables, the existing route tables are first disassociated, and then the new route tables are associated with your resources. Your existing route tables are not deleted.

If you do not use the middlebox routing wizard, you must manually configure, and then assign the route tables to the subnets and internet gateway.

Custom route table for subnet A

The route table for subnet A has the following routes.

Destination Target Purpose
VPC CIDR Local Local route
Subnet B CIDR appliance-eni Route traffic destined for subnet B to the middlebox

When you use the middlebox routing wizard, it associates the following tags with the route table:

  • The key is "Origin" and the value is "Middlebox wizard"

  • The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

Custom route table for subnet B

The route table for subnet B has the following routes.

Destination Target Purpose
VPC CIDR Local Local route
Subnet A CIDR appliance-eni Route traffic destined for subnet A to the middlebox

When you use the middlebox routing wizard, it associates the following tags with the route table:

  • The key is "Origin" and the value is "Middlebox wizard"

  • The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

Main route table

Subnet C uses the main route table. The main route table has the following route.

Destination Target Purpose
VPC CIDR Local Local route

When you use the middlebox routing wizard, it associates the following tags with the route table:

  • The key is "Origin" and the value is "Middlebox wizard"

  • The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")