Dropped egress traffic in GWLB/Palo Alto AWS scenario. IGW_REJECTS_SPOOFED_TRAFFIC error



[Image: example topology]

Hi everyone, I am unable to understand the behaviour of outbound traffic in the figure. For simplicity I have shown only the elements involved in the traffic to the internet generated by the EC2 in the public-server subnet. I don't understand whether, in the case of a topology with GWLB, the inspected outgoing traffic has to go through a NAT.

This EC2 has an assigned EIP, and if I put it in a subnet associated with a routing table that has 0.0.0.0/0 to the IGW, the EC2 reaches the internet without problems. Unfortunately, however, when I want to inspect outgoing traffic from the EC2 I change the routing table of the subnet in which it is placed, specifying that the next hop for 0.0.0.0/0 is no longer the IGW but the vpce-egress. At this point I see traffic passing over the Palo Alto firewall, but the packet does not exit to the internet.

At this point I tried to analyze the flow with Reachability Analyzer: the packet is stopped by the IGW and I got the following error: IGW_REJECTS_SPOOFED_TRAFFIC -> Internet gateway igw-xxx cannot accept traffic with spoofed addresses from the VPC. Also, analyzing the VPC flow logs, I see the packet from the EC2 to 1.1.1.1 (for example) and at the same time the corresponding packet going from vpce-egress to 1.1.1.1. My guess is that the IGW sees a packet coming from the vpce-egress with source the IP of the EC2 and destination 1.1.1.1 and then drops the packet with this error. One proof of this behaviour is that if the routing table associated with the subnet where the vpce-egress is placed has the route 0.0.0.0/0 with next hop not the IGW but a NAT gateway, then the packet correctly exits through the IGW and reaches the internet. I believe this is because at that point the IGW sees a packet coming from the NAT with source the private IP of the NAT and destination 1.1.1.1, so it does not fall into the situation described before.
I wanted to know whether, in this topology, outgoing traffic that needs to be inspected through the vpce-egress must necessarily go through NAT first. That is, does the vpce-egress have to be in a subnet with 0.0.0.0/0 to the NAT, or is it possible for the endpoint to have a 0.0.0.0/0 route with next hop the IGW? If so, what am I doing wrong and how could I fix it? If you have other evidence of these behaviours I would be very glad to check it.

One last question: in light of the reasoning above, I don't understand how the traffic topology presented by Palo Alto in its documentation (https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/vm-series-integration-with-gateway-load-balancer) can work. That is, if I contact the ALB of the web application in VPC1 App from outside, the response packet cannot follow the 0.0.0.0/0 to the TGW ENI in the EC2 subnet, because otherwise it would come out NATted from the Sec VPC. So this means that the reply packet is handed by the EC2 to the ALB, because the ALB behaves like a reverse proxy, correct? And at that point the ALB hands the packet to the GWLB ingress endpoint in VPC1 App, which sends the reply packet to the IGW. Is this reasoning correct?

Thanks.
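The post above reasons from what the VPC flow logs show: the same source/destination pair logged once on the instance ENI and again on the GWLB endpoint ENI (so the endpoint re-emits the packet with the original source address), versus a flow that leaves the NAT gateway with the NAT's own private IP as source. The following script, added here as an illustration and not part of the original post or of any AWS or Palo Alto tooling, correlates default-format VPC Flow Log records across ENIs so that pattern can be checked mechanically. The ENI IDs, addresses, the ENI-to-role mapping and the log lines are constructed sample data; in a real VPC the mapping would come from describe-network-interfaces, and FIELDS would need adjusting if the log group uses a custom format.

```python
"""Correlate VPC Flow Log records across ENIs to trace one egress flow.

Added example (not code from the original post). It reads records in the
default VPC Flow Log format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
and reports, per (srcaddr, dstaddr, dstport, protocol) flow, which ENIs
recorded it. The ENI IDs, addresses and the ENI-to-role mapping below are
constructed sample data, not real resources.
"""
from collections import defaultdict

# Constructed mapping from ENI to the component it belongs to (assumption:
# in a real VPC you would build this from describe-network-interfaces).
ENI_ROLES = {
    "eni-0aaa1111bbbb2222c": "ec2-public-server",
    "eni-0ccc3333dddd4444e": "vpce-egress",
    "eni-0eee5555ffff6666a": "nat-gw",
}
NAT_PRIVATE_IP = "10.0.2.20"  # constructed: private IP of the NAT gateway ENI

# Constructed sample records. The first two show the pattern described in the
# post: the same src/dst pair is logged on the instance ENI and again on the
# GWLB endpoint ENI, i.e. the endpoint re-emits the packet with the source
# address unchanged. The fifth record shows a flow leaving via the NAT gateway
# with the NAT's own private IP as source. The last one is a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0aaa1111bbbb2222c 10.0.1.10 1.1.1.1 45678 443 6 5 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0ccc3333dddd4444e 10.0.1.10 1.1.1.1 45678 443 6 5 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c 10.0.1.10 8.8.8.8 45679 53 17 1 80 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0ccc3333dddd4444e 10.0.1.10 8.8.8.8 45679 53 17 1 80 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0eee5555ffff6666a 10.0.2.20 8.8.8.8 12345 53 17 1 80 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa1111bbbb2222c - - - - - - - 1700000060 1700000120 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status")


def parse_record(line):
    """Parse one default-format flow log line; return None for NODATA/SKIPDATA."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count in record: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # record carries no flow data
    for key in ("srcport", "dstport", "protocol"):
        rec[key] = int(rec[key])
    return rec


def trace_flows(log_text):
    """Map each (srcaddr, dstaddr, dstport, protocol) to the sorted roles of the ENIs that logged it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["srcaddr"], rec["dstaddr"], rec["dstport"], rec["protocol"])
        # Unknown ENIs are reported by their ID rather than dropped.
        role = ENI_ROLES.get(rec["interface_id"], rec["interface_id"])
        seen[key].add(role)
    return {k: sorted(v) for k, v in seen.items()}


def unchanged_through_endpoint(flows, src_role="ec2-public-server",
                               endpoint_role="vpce-egress"):
    """Flows logged on both the instance ENI and the endpoint ENI with the same source address."""
    return sorted(k for k, roles in flows.items()
                  if src_role in roles and endpoint_role in roles)


def nat_sourced_flows(flows, nat_ip=NAT_PRIVATE_IP):
    """Flows whose source is the NAT gateway's private IP, i.e. already translated."""
    return sorted(k for k in flows if k[0] == nat_ip)


if __name__ == "__main__":
    flows = trace_flows(SAMPLE_LOG)
    for key, roles in sorted(flows.items()):
        print(f"{key[0]} -> {key[1]}:{key[2]} proto {key[3]}: seen on {', '.join(roles)}")
    print("re-emitted by endpoint with original source:", unchanged_through_endpoint(flows))
    print("already NAT-translated:", nat_sourced_flows(flows))
```

Feed it the records exported from CloudWatch Logs or S3 for the instance ENI, the endpoint ENI and the NAT gateway ENI over the same window; a flow that appears under unchanged_through_endpoint but never under nat_sourced_flows is exactly the case the post describes reaching the IGW with the instance's private address as source.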
