Modify route tables

After your Network Security endpoints have successfully deployed, modify the traffic routes in your cloud environment so that traffic is directed to the Network Security endpoints for inspection.

Make sure that traffic is flowing correctly and as expected in your cloud environment before you make any route changes.

Make route changes manually in AWS

Use these steps to create or modify your route tables in AWS to route traffic to Network Security.

  1. Navigate to the VPC Dashboard by searching for VPC in the AWS management console.
  2. Under Virtual Private Cloud, click Route Tables.
  3. Click Create route table.
  4. (Optional) To modify an existing route table, click the Route table ID, then click Edit routes in the Routes tab.

Below are examples of different environment configurations to help you set up routing in your cloud environment. Modify your routes to match the structure of your cloud environment. These examples might not match your environment exactly, but they can be used as a general guide.

Learn more about AWS route tables.

Network Security endpoint IDs

When the Network Security endpoints are deployed, new subnets are created for these endpoints if you selected that option during deployment. You can find the Network Security subnet IDs from the Network Security management interface on the Hosted Infrastructure page (Network > Hosted Infrastructure). Click on a Network Security endpoint to open the details page for that endpoint, including the subnet ID, located under Environment.

To locate these subnets and modify their associations in AWS, navigate to VPC > Subnets in the AWS management console, and click the subnet ID to make modifications to the subnet. In AWS, the Network Security endpoints appear as Gateway Load Balancer Endpoints, in the format vpce-xxxxxxxxx. Learn more about modifying subnets in AWS.

Modify routes for environments that use an AWS Application Load Balancer (ALB)

This configuration is best suited for cloud environments that require enhanced protection for ALB targets in a single VPC. Learn more about this environment example.

In this deployment example, the Network Security endpoints that you just created for each AZ in your environment are placed between the public and private subnets. The Network Security endpoints direct internet traffic to Network Security for inspection before directing the flow of traffic back to your cloud environment. Use the video tutorial below to help you modify your route tables.

Refer to the image below for details on the environment structure and routing for this deployment example.

The route tables in the image are the same as the route tables in the steps below.


Use the following steps to create or edit the routes for environments that use an AWS Application Load Balancer (ALB)

1. Create the Network Security endpoint subnet route tables

These route tables send outbound inspected traffic to the NAT Gateway in the corresponding AZ.

These route tables are associated with the Network Security endpoints that you deployed for this VPC. The example below shows two route tables, one for each Network Security endpoint subnet in each AZ.

Name: (optional) Network Security endpoint subnet route table 1

VPC: Workload VPC

Add or edit the routes to match the route table example below
route table example
Create subnet association

Select the Network Security endpoint subnet route table, click the Subnet Associations tab, click Edit subnet associations, and select the subnet that contains the Network Security endpoint.

Name: (optional) Network Security endpoint subnet route table 2

VPC: Workload VPC

Add or edit the routes to match the route table example below
route table example
Create subnet association

Select the Network Security endpoint subnet route table, click the Subnet Associations tab, click Edit subnet associations, and select the subnet that contains the Network Security endpoint.

2. Create or modify the public subnet route tables

These route tables send traffic received by the ALB to the Network Security endpoints before the traffic is sent to the target group in the private subnets. The routes for the private subnet CIDRs should point to the Network Security endpoint in the same AZ as the public subnet.

These route tables are associated with the public subnets and the ALB. The example below shows two route tables, one for each public subnet in each AZ.

Create a separate route table for each of your public subnets, and do not associate that route table with any other public subnet.


Public subnets in different AZs must use different route tables, because each public subnet must send traffic only to the Network Security endpoint in its own AZ.


Name: (optional) Public subnet route table 1

VPC: Workload VPC

Add or edit the routes to match the route table example below
route table example
Create subnet association

Select the public subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the public subnet in the corresponding AZ associated with your public facing assets.

Name: (optional) Public subnet route table 2

VPC: Workload VPC

Add or edit the routes to match the route table example below
route table example
Create subnet association

Select the public subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the public subnet in the corresponding AZ associated with your public facing assets.

3. Create or modify the private subnet route tables

These route tables send traffic from the private subnets to the Network Security endpoints so that outbound traffic is inspected before going to the internet or the public subnets.

These route tables are associated with the private subnets and your internal assets. The example below shows two route tables, one for each private subnet in each AZ.

Name: (optional) Private subnet route table 1

VPC: Workload VPC

Add or edit the routes to match the route table example below
route table example
Create subnet association

Select the private subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the private subnet.

Name: (optional) Private subnet route table 2

VPC: Workload VPC

Add or edit the routes to match the route table example below
route table example
Create subnet association

Select the private subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the private subnet.

Modify routes for environments with routing at the Edge

This configuration is best suited for cloud environments that include public facing assets, which need protection from inbound internet traffic, but that do not use an ALB. These environments often require protection for public assets in a single VPC. Learn more about this environment example.

In this deployment example, the Network Security endpoint that you just created is placed between the internet gateway and your public subnet. The Network Security endpoint directs internet traffic to Network Security for inspection before directing the flow of traffic back to your cloud environment. Use the video tutorial below to help you modify your route tables.

Refer to the image below for details on the environment structure and routing for this deployment example.

The route tables in the image are the same as the route tables in the steps below.


Use the following steps to create or edit the routes for environments with routing at the Edge

We recommend making the route changes in the following order to avoid traffic flow interruptions in your environment.


1. Create the Network Security endpoint subnet route table

This route table sends all inspected traffic from Network Security to the Internet Gateway.

This route table is associated with the Network Security endpoints that you deployed for this VPC.

Name: (optional) Network Security endpoint subnet route table

VPC: Workload VPC

Add or edit the routes to match the route table example below
route table example

Create subnet association

Select the Network Security endpoint subnet route table, click the Subnet Associations tab, click Edit subnet associations, and select the subnet that contains the Network Security endpoint. Create a subnet association for this route table for each subnet that contains a Network Security endpoint in every AZ.

2. Create or modify the edge association route table

This route table sends traffic returning from the internet to the Network Security endpoint for inspection before going to the public subnet.

This route table is associated with the Workload VPC. An edge association is required for this route table to route inbound VPC traffic to the Network Security endpoint.

Name: (optional) Edge association route table

VPC: Workload VPC

Create this route table for each AZ in your environment. Add or edit the routes to match the example below.
route table example

Create the edge association

Create an edge association for this route table. Select the edge association route table, and click on the Edge Associations tab. Click Edit edge associations, select the Internet Gateway that you want to protect, and then click Save changes.

3. Create or modify the public subnet route table

This route table sends traffic from the public subnet to the Network Security endpoint so that outbound traffic is inspected before going to the internet.

This route table is associated with the public subnet and your internal assets.

Create a separate route table for each of your public subnets, and do not associate that route table with any other public subnet.


Public subnets in different AZs must use different route tables, because each public subnet must send traffic only to the Network Security endpoint in its own AZ.


Name: (optional) Public subnet route table

VPC: Workload VPC

Create this route table for each AZ in your environment. Add or edit the routes to match the example below.
route table example

Create subnet association

Select the public subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the public subnet associated with your public facing assets. Create an association for each public subnet route table that you create for each AZ.
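The two rules that recur in the ALB and Edge examples above are easy to get wrong when editing several route tables by hand: traffic leaving a subnet must go to the Network Security endpoint in that subnet's AZ, and an edge association route table must send each public subnet's CIDR to the endpoint in that CIDR's AZ. The following added check (not part of the original documentation or of the Network Security product) reads a dict shaped like the JSON that `aws ec2 describe-route-tables` prints and reports any cross-AZ route. It assumes that Gateway Load Balancer endpoint targets appear in a route's `GatewayId` field as `vpce-...` and that an edge association appears as an `Associations` entry carrying the internet gateway ID; all subnet, endpoint and CIDR values below are constructed sample data, not real resources.

```python
"""Offline AZ-alignment check for Network Security route tables (added example)."""
import copy
from typing import Dict, List, Optional

# Constructed inventory: AZ and CIDR of every subnet in the Workload VPC.
# In practice, build this from `aws ec2 describe-subnets`.
SUBNETS: Dict[str, Dict[str, str]] = {
    "subnet-pub-a":  {"az": "us-east-1a", "cidr": "10.0.0.0/24"},
    "subnet-pub-b":  {"az": "us-east-1b", "cidr": "10.0.1.0/24"},
    "subnet-priv-a": {"az": "us-east-1a", "cidr": "10.0.10.0/24"},
    "subnet-priv-b": {"az": "us-east-1b", "cidr": "10.0.11.0/24"},
    "subnet-nse-a":  {"az": "us-east-1a", "cidr": "10.0.20.0/28"},
    "subnet-nse-b":  {"az": "us-east-1b", "cidr": "10.0.21.0/28"},
}
# Constructed: the Network Security (GWLB) endpoint deployed in each AZ,
# as listed on the Hosted Infrastructure page of the management interface.
ENDPOINT_AZ: Dict[str, str] = {"vpce-nse-a": "us-east-1a", "vpce-nse-b": "us-east-1b"}

# Constructed describe-route-tables output for a correctly aligned environment.
GOOD = {"RouteTables": [
    # Public subnet route tables: private CIDRs -> endpoint in the same AZ.
    {"RouteTableId": "rtb-pub-a",
     "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.0.10.0/24", "GatewayId": "vpce-nse-a"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-pub-b",
     "Associations": [{"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.0.11.0/24", "GatewayId": "vpce-nse-b"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    # Edge association table: each public CIDR -> endpoint in that CIDR's AZ.
    {"RouteTableId": "rtb-edge",
     "Associations": [{"GatewayId": "igw-example"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/24", "GatewayId": "vpce-nse-a"},
                {"DestinationCidrBlock": "10.0.1.0/24", "GatewayId": "vpce-nse-b"}]},
]}

# Constructed misconfiguration: public subnet B sends its private CIDR to the AZ-a endpoint.
BAD = copy.deepcopy(GOOD)
BAD["RouteTables"][1]["Routes"][1]["GatewayId"] = "vpce-nse-a"


def _subnet_for_cidr(cidr: str, subnets: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return the subnet whose CIDR exactly matches a route destination, if any."""
    for sid, s in subnets.items():
        if s["cidr"] == cidr:
            return sid
    return None


def check_route_tables(desc: dict, subnets: Dict[str, Dict[str, str]],
                       endpoint_az: Dict[str, str]) -> List[str]:
    """Return one finding per route that violates the per-AZ routing rules."""
    findings: List[str] = []
    for rt in desc["RouteTables"]:
        rtb = rt["RouteTableId"]
        assocs = rt.get("Associations", [])
        subnet_ids = [a["SubnetId"] for a in assocs if "SubnetId" in a]
        is_edge = any("GatewayId" in a for a in assocs)
        azs = {subnets[s]["az"] for s in subnet_ids}
        # Rule: one route table per AZ; a table must not serve subnets in several AZs.
        if len(azs) > 1:
            findings.append(f"{rtb}: associated subnets span AZs {sorted(azs)}")
        for route in rt.get("Routes", []):
            cidr, target = route.get("DestinationCidrBlock", "?"), route.get("GatewayId", "")
            if not target.startswith("vpce-"):
                continue  # local, IGW, NAT and TGW routes are not endpoint routes
            if target not in endpoint_az:
                findings.append(f"{rtb}: route {cidr} targets unknown endpoint {target}")
                continue
            target_az = endpoint_az[target]
            if subnet_ids:
                # Rule: traffic leaving a subnet goes to the endpoint in that subnet's AZ.
                for az in sorted(azs - {target_az}):
                    findings.append(f"{rtb}: route {cidr} -> {target} ({target_az}) "
                                    f"but the associated subnet is in {az}")
            elif is_edge:
                # Rule: inbound traffic for a public CIDR goes to the endpoint in that CIDR's AZ.
                dest = _subnet_for_cidr(cidr, subnets)
                if dest is None:
                    findings.append(f"{rtb}: edge route {cidr} matches no known subnet CIDR")
                elif subnets[dest]["az"] != target_az:
                    findings.append(f"{rtb}: edge route {cidr} ({subnets[dest]['az']}) "
                                    f"-> {target} ({target_az})")
    return findings


if __name__ == "__main__":
    for label, tables in (("good", GOOD), ("bad", BAD)):
        print(label, check_route_tables(tables, SUBNETS, ENDPOINT_AZ) or "no findings")
```

To run this against a real account, replace `GOOD` with `json.load` of the output of `aws ec2 describe-route-tables --output json`, build `SUBNETS` from `aws ec2 describe-subnets`, and fill `ENDPOINT_AZ` from the endpoint details on the Hosted Infrastructure page. An empty findings list means every endpoint route stays inside its AZ; each finding names the route table and route to fix.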

Modify routes for environments that use a Transit Gateway

This configuration is best suited for cloud environments that use Transit Gateways to connect and route traffic to multiple VPCs. These environments often require protection of assets in multiple VPCs connected with a Transit Gateway. Learn more about this environment example.

Refer to the image below for details on the environment structure and routing for this deployment example. The numbered arrows represent the order of the flow of traffic through the environment. Green represents the request and orange represents the response.

The route tables in the image are the same as the route tables in the steps below.


Use the following steps to create or edit the routes for environments that use a Transit Gateway

1. Create or modify the Workload VPC private subnet route table

This route table is associated with the private subnet in your Workload VPC that includes your public facing assets.

Name: (optional) Workload VPC private subnet route table

VPC: Workload VPC

Create this route table for each AZ in your environment. Add or edit the routes to match the example below.
route table example

Create subnet association

Create an association for each Workload VPC private subnet route table that you create for each AZ. Select a Workload VPC private subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the Workload VPC private subnet for the corresponding AZ.

2. Create or modify the Transit Gateway attachment subnet route table

This route table is used to connect the Security VPC with the Transit Gateway and is associated with the Transit Gateway attachment subnet.

Name: (optional) Transit Gateway attachment subnet route table

VPC: Security VPC

Create this route table for each AZ in your environment. Add or edit the routes to match the example below.
route table example

Create subnet association

Select the Transit Gateway attachment subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the Transit Gateway attachment subnet that you created. Create an association for each Transit Gateway attachment subnet route table that you create for each AZ.

3. Create the Network Security endpoint subnet route table

This route table is associated with the Network Security endpoints that you deployed for the Security VPC.

Name: (optional) Network Security endpoint subnet route table

VPC: Security VPC

Create this route table for each AZ in your environment. Add or edit the routes to match the example below.
route table example

Create subnet association

Select the Network Security endpoint subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the subnet that contains the Network Security endpoint. Create a subnet association for this route table for each subnet that contains a Network Security endpoint in every AZ.

4. Create or modify the Security VPC public subnet route table

A Security VPC public subnet route table is used to connect the Security VPC to the Internet Gateway.

Create a separate route table for each of your public subnets, and do not associate that route table with any other public subnet.


Public subnets in different AZs must use different route tables, because each public subnet must send traffic only to the Network Security endpoint in its own AZ.


Name: (optional) Security VPC public subnet route table

VPC: Security VPC

Create this route table for each AZ in your environment. Add or edit the routes to match the example below.
route table example

Create subnet association

Create an association for each Security VPC public subnet route table that you create for each AZ. Select a Security VPC public subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the Security VPC public subnet for the corresponding AZ.

5. Create or modify your Transit Gateway route tables

To create Transit Gateway route tables, scroll to the bottom of the VPC dashboard, click Transit Gateway Route Tables, and then click Create Transit Gateway Route Table.

The diagram example above shows these two routes beneath the Transit Gateway.

If you want to inspect traffic between Workload VPCs and the internet, you can create a single route table, as shown in the diagram above. But if you use multiple VPCs and you want to inspect traffic between these Workload VPCs, create two separate Transit Gateway route tables, as shown below.

Ingress traffic route table

Association: Workload VPC

route table example

Egress traffic route table

Association: Security VPC

route table example