Modify route tables

After your Network Security endpoints have successfully deployed, modify the traffic routes in your cloud environment so that traffic is directed to the Network Security endpoints for inspection.

Make route changes in AWS

Use these steps to create or modify your route tables in AWS to route traffic to Network Security.

  1. Navigate to the VPC Dashboard by searching for VPC in the AWS management console.
  2. Under Virtual Private Cloud, click Route Tables.
  3. Click Create route table.
  4. (Optional) To modify an existing route table, click the Route table ID, then click Edit routes in the Routes tab.

Below are examples of different environment configurations to help you set up routing in your cloud environment. Adjust the routes to the structure of your own environment: these examples might not match it exactly, but they serve as a general guide.

Learn more about AWS route tables.

Network Security endpoint IDs

When the Network Security endpoints are deployed, new subnets are created for these endpoints if you selected that option during deployment. You can find the Network Security subnet IDs from the Network Security management interface on the Hosted Infrastructure page (Network → Hosted Infrastructure). Click on a Network Security endpoint to open the details page for that endpoint, including the subnet ID, located under Environment.

To locate these subnets and modify their associations in AWS, navigate to VPC → Subnets in the AWS management console, and click the subnet ID to make modifications to the subnet. In AWS, the Network Security endpoints appear as Gateway Load Balancer Endpoints, in the format vpce-xxxxxxxxx. Learn more about modifying subnets in AWS.

Modify routes for environments that use an AWS Application Load Balancer (ALB)

This configuration is best suited for cloud environments with assets located behind an Application Load Balancer (ALB). Learn more about this environment example.

In this deployment example, the Network Security endpoints that you just created for each AZ in your environment are placed between the public and private subnets. The Network Security endpoints direct internet traffic to Network Security for inspection before directing the flow of traffic back to your cloud environment. Use the video tutorial below to help you modify your route tables.

Refer to the image below for details on the environment structure and routing for this deployment example. The numbered arrows represent the order of the flow of traffic through the environment. Green represents the uninspected traffic and orange represents the inspected traffic.

Use the following information to edit the routes for each route table. Create the same set of route tables for each AZ in your VPC. From the AWS management console, navigate to the VPC Dashboard, and click Route Tables to create new route tables or modify existing route tables.

Create or modify the public subnet route tables

These route tables are associated with the public subnets and the ALB. The example below shows two route tables, one for each public subnet in each AZ.

Name: (optional) Public subnet route table 1

VPC: Workload VPC

Add or edit the routes to match the route table example below

Destination              Target
<Workload VPC CIDR>      local
<Private_subnet1_CIDR>   Network Security endpoint 1 (shown as vpce-xxxxxxxxx in AWS)
<Private_subnet2_CIDR>   Network Security endpoint 2 (shown as vpce-xxxxxxxxx in AWS)
0.0.0.0/0                Internet Gateway

Create subnet association

Select the public subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the public subnet in the corresponding AZ associated with your public facing assets.

Name: (optional) Public subnet route table 2

VPC: Workload VPC

Add or edit the routes to match the route table example below

Destination              Target
<Workload VPC CIDR>      local
<Private_subnet1_CIDR>   Network Security endpoint 1 (shown as vpce-xxxxxxxxx in AWS)
<Private_subnet2_CIDR>   Network Security endpoint 2 (shown as vpce-xxxxxxxxx in AWS)
0.0.0.0/0                Internet Gateway

Create subnet association

Select the public subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the public subnet in the corresponding AZ associated with your public facing assets.

Create a separate route table for each public subnet, and do not associate one public subnet's route table with the other public subnets.

Create the Network Security endpoint subnet route tables

These route tables are associated with the Network Security endpoints that you deployed for this VPC. The example below shows two route tables, one for each Network Security endpoint subnet in each AZ.

Name: (optional) Network Security endpoint subnet route table 1

VPC: Workload VPC

Add or edit the routes to match the route table example below

Destination              Target
<Workload VPC CIDR>      local
0.0.0.0/0                NAT Gateway 1

Create subnet association

Select the Network Security endpoint subnet route table, click the Subnet Associations tab, click Edit subnet associations, and select the subnet that contains the Network Security endpoint.

Name: (optional) Network Security endpoint subnet route table 2

VPC: Workload VPC

Add or edit the routes to match the route table example below

Destination              Target
<Workload VPC CIDR>      local
0.0.0.0/0                NAT Gateway 2

Create subnet association

Select the Network Security endpoint subnet route table, click the Subnet Associations tab, click Edit subnet associations, and select the subnet that contains the Network Security endpoint.


Create or modify the private subnet route tables

These route tables are associated with the private subnets and your internal assets. The example below shows two route tables, one for each private subnet in each AZ.

Name: (optional) Private subnet route table 1

VPC: Workload VPC

Add or edit the routes to match the route table example below

Destination              Target
<Workload VPC CIDR>      local
0.0.0.0/0                Network Security endpoint 1 (shown as vpce-xxxxxxxxx in AWS)
<Public_subnet1_CIDR>    Network Security endpoint 1 (shown as vpce-xxxxxxxxx in AWS)
<Public_subnet2_CIDR>    Network Security endpoint 1 (shown as vpce-xxxxxxxxx in AWS)

Create subnet association

Select the private subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the private subnet.

Name: (optional) Private subnet route table 2

VPC: Workload VPC

Add or edit the routes to match the route table example below

Destination              Target
<Workload VPC CIDR>      local
0.0.0.0/0                Network Security endpoint 2 (shown as vpce-xxxxxxxxx in AWS)
<Public_subnet1_CIDR>    Network Security endpoint 2 (shown as vpce-xxxxxxxxx in AWS)
<Public_subnet2_CIDR>    Network Security endpoint 2 (shown as vpce-xxxxxxxxx in AWS)

Create subnet association

Select the private subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the private subnet.

Create a separate route table for each subnet, and do not associate one subnet's route table with the other subnets; each route table targets the Network Security endpoint of its own AZ.

Modify routes for environments with routing at the Edge

This configuration is best suited for cloud environments that include public facing assets, which need protection from inbound internet traffic, but that do not use an ALB. Learn more about this environment example.

In this deployment example, the Network Security endpoint that you just created is placed between the internet gateway and your public subnet. The Network Security endpoint directs internet traffic to Network Security for inspection before directing the flow of traffic back to your cloud environment. Use the video tutorial below to help you modify your route tables.

Refer to the image below for details on the environment structure and routing for this deployment example. The numbered arrows represent the order of the flow of traffic through the environment. Green represents the request and orange represents the response.

Use the following information to edit the routes for each route table. Create the same set of route tables for each AZ in your VPC. From the AWS management console, navigate to the VPC Dashboard, and click Route Tables to create new route tables or modify existing route tables.

We recommend making the route changes in the following order to avoid traffic flow interruptions in your environment.

1. Create the Network Security endpoint subnet route table

This route table is associated with the Network Security endpoints that you deployed for this VPC.

Name: (optional) Network Security endpoint subnet route table

VPC: Workload VPC

Create this route table for each AZ in your environment.

Add or edit the routes to match the route table example below

Destination              Target
<Workload VPC CIDR>      local
0.0.0.0/0                Internet Gateway

Create subnet association

Select the Network Security endpoint subnet route table, click the Subnet Associations tab, click Edit subnet associations, and select the subnet that contains the Network Security endpoint. Create a subnet association for this route table for each subnet that contains a Network Security endpoint in every AZ.


2. Create or modify the edge association route table

This route table is associated with the Workload VPC. An edge association is required for this route table to route inbound VPC traffic to the Network Security endpoint.

Name: (optional) Edge association route table

VPC: Workload VPC

Add or edit the routes to match the route table example below

Add this route for each AZ in your Workload VPC.

Destination                          Target
<Workload VPC CIDR>                  local
<PUBLIC SUBNET CIDR> (for each AZ)   Select the Network Security endpoint in the corresponding AZ (shown as vpce-xxxxxxxxx in AWS)

Create the edge association

Create an edge association for this route table. Select the edge association route table, and click on the Edge Associations tab. Click Edit edge associations, select the Internet Gateway and any Virtual Private Gateways that you want to protect, and then click Save changes.


3. Create or modify the public subnet route table

This route table is associated with the public subnet and your internal assets.

Name: (optional) Public subnet route table

VPC: Workload VPC

Create this route table for each AZ in your environment.

Add or edit the routes to match the route table example below

Destination              Target
<Workload VPC CIDR>      local
0.0.0.0/0                Select the Network Security endpoint in the corresponding AZ (shown as vpce-xxxxxxxxx in AWS)

Create subnet association

Select the public subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the public subnet associated with your public facing assets. Create an association for each public subnet route table that you create for each AZ.

Create a separate route table for each public subnet, and do not associate one public subnet's route table with the other public subnets.

Modify routes for environments that use a Transit Gateway

This configuration is best suited for cloud environments that use Transit Gateways to connect and route traffic to multiple VPCs. Learn more about this environment example.

Refer to the image below for details on the environment structure and routing for this deployment example. The numbered arrows represent the order of the flow of traffic through the environment. Green represents the request and orange represents the response.

Use the following information to edit the routes for each route table. Create the same set of route tables for each AZ in your VPC. From the AWS management console, navigate to the VPC Dashboard, and click Route Tables to create new route tables or modify existing route tables.

Create or modify the Workload VPC private subnet route table

This route table is associated with the private subnet in your Workload VPC that includes your public facing assets.

Name: (optional) Workload VPC private subnet route table

VPC: Workload VPC

Create this route table for each AZ in your environment.

Add or edit the routes to match the route table example below

Destination              Target
<Workload VPC CIDR>      local
0.0.0.0/0                Transit Gateway Attachment

Create subnet association

Create an association for each Workload VPC private subnet route table that you create for each AZ. Select a Workload VPC private subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the Workload VPC private subnet for the corresponding AZ.

Create or modify the Transit Gateway attachment subnet route table

This route table is used to connect the Security VPC with the Transit Gateway and is associated with the Transit Gateway attachment subnet.

Name: (optional) Transit Gateway attachment subnet route table

VPC: Security VPC

Create this route table for each AZ in your environment.

Add or edit the routes to match the route table example below

Destination              Target
<Security VPC CIDR>      local
0.0.0.0/0                Select the Network Security endpoint in the corresponding AZ (shown as vpce-xxxxxxxxx in AWS)

Create subnet association

Select the Transit Gateway attachment subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the Transit Gateway attachment subnet that you created. Create an association for each Transit Gateway attachment subnet route table that you create for each AZ.


Create the Network Security endpoint subnet route table

This route table is associated with the Network Security endpoints that you deployed for the Security VPC.

Name: (optional) Network Security endpoint subnet route table

VPC: Security VPC

Create this route table for each AZ in your environment.

Add or edit the routes to match the route table example below

Destination              Target
<Security VPC CIDR>      local
0.0.0.0/0                NAT Gateway ID for the corresponding AZ
<WORKLOAD_VPC_CIDR>      Transit Gateway Attachment

Create subnet association

Select the Network Security endpoint subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the subnet that contains the Network Security endpoint. Create a subnet association for this route table for each subnet that contains a Network Security endpoint in every AZ.


Create or modify the Security VPC public subnet route table

A Security VPC public subnet route table is used to connect the Security VPC to the Internet Gateway.

Name: (optional) Security VPC public subnet route table

VPC: Security VPC

Create this route table for each AZ in your environment.

Add or edit the routes to match the route table example below

Destination              Target
<Security VPC CIDR>      local
0.0.0.0/0                Internet Gateway ID
<WORKLOAD_VPC_CIDR>      Select the Gateway Load Balancer endpoint ID in the corresponding AZ

Create subnet association

Create an association for each Security VPC public subnet route table that you create for each AZ. Select a Security VPC public subnet route table, click on the Subnet Associations tab, click Edit subnet associations, and select the Security VPC public subnet for the corresponding AZ.


Create or modify your Transit Gateway route tables

To create Transit Gateway route tables, scroll to the bottom of the VPC dashboard, and then click Transit Gateway Route Tables → Create Transit Gateway Route Table.

The diagram example above shows these two routes beneath the Transit Gateway.

If you want to inspect traffic between Workload VPCs and the internet, you can create a single route table, as shown in the diagram above. But if you use multiple VPCs and you want to inspect traffic between these Workload VPCs, create two separate Transit Gateway route tables, as shown below.

Ingress traffic route table

Association: Workload VPC

CIDR          Attachment                                 Resource type   Route type
0.0.0.0/0     Security VPC Transit Gateway attachment    VPC             Static

Egress traffic route table

Association: Security VPC

CIDR                      Attachment                                 Resource type   Route type
<Workload VPC IP CIDR>    Workload VPC Transit Gateway attachment    VPC             Propagated
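The following is an added offline check, not part of this documentation or of the Network Security product, that validates VPC route tables (in the shape returned by aws ec2 describe-route-tables) against the ALB, edge and Transit Gateway layouts described above. The subnet-to-role mapping, subnet IDs, CIDRs and endpoint IDs are constructed sample values; the role names are assumptions of this script.

```python
# Added check, not from the product docs: validates describe-route-tables output against the layouts above.
# Expected target of each subnet role's 0.0.0.0/0 route, taken from the route tables above.
ALB_LAYOUT = {"public": "igw", "endpoint": "nat", "private": "vpce"}
EDGE_LAYOUT = {"endpoint": "igw", "public": "vpce"}
TGW_LAYOUT = {"workload_private": "tgw", "tgw_attachment": "vpce", "endpoint": "nat", "security_public": "igw"}

def route_target(route):
    """Classify one route entry as 'vpce', 'nat', 'tgw', 'igw', 'local' or 'unknown'."""
    if "VpcEndpointId" in route:
        return "vpce"
    if "NatGatewayId" in route:
        return "nat"
    if "TransitGatewayId" in route:
        return "tgw"
    gw = route.get("GatewayId", "")
    if gw == "local":
        return "local"
    return "igw" if gw.startswith("igw-") else "unknown"

def check_route_tables(route_tables, subnet_roles, layout, via_vpce=None):
    """Return findings; empty means OK. via_vpce maps a role to CIDRs that must go via the endpoint."""
    via_vpce = via_vpce or {}
    findings = []
    for rt in route_tables:
        rid = rt["RouteTableId"]
        routes = {r["DestinationCidrBlock"]: route_target(r) for r in rt["Routes"]}
        for assoc in rt.get("Associations", []):
            subnet = assoc.get("SubnetId")  # main-table and edge associations carry no SubnetId
            if subnet not in subnet_roles:
                continue
            role = subnet_roles[subnet]
            got, want = routes.get("0.0.0.0/0", "missing"), layout.get(role)
            if got != want:
                findings.append(f"{rid} ({role} {subnet}): default route via {got}, expected {want}")
            for cidr in via_vpce.get(role, []):
                if routes.get(cidr, "missing") != "vpce":
                    findings.append(f"{rid} ({role} {subnet}): {cidr} not routed via vpce")
    return findings

# Constructed sample: ALB-layout private subnet whose default route still points at a NAT gateway,
# so return traffic would skip inspection; the route for one public CIDR is also missing.
SAMPLE_TABLES = [{
    "RouteTableId": "rtb-private1",
    "Associations": [{"Main": True}, {"SubnetId": "subnet-private1"}],
    "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
               {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
               {"DestinationCidrBlock": "10.0.1.0/24", "VpcEndpointId": "vpce-0example1"}],
}]
SAMPLE_ROLES = {"subnet-private1": "private"}
SAMPLE_VIA_VPCE = {"private": ["10.0.1.0/24", "10.0.2.0/24"], "public": ["10.0.10.0/24"]}
```

Against real output, pass the RouteTables list together with your own subnet-to-role map; every finding is a route that would carry traffic around the inspection endpoint.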