AWS Firewall Manager

Shared VPC Host (Public & Private Subnets) + TGW + Security VPC (GWLB); Participant Accounts place ENIs in Shared Subnets

Overview

This architecture uses a Shared VPC model where a central Host Account owns and manages a VPC containing both Public and Private subnets. Multiple Participant Accounts launch their workloads (ENIs, EC2 instances, ECS tasks, etc.) directly into these subnets. All inter-VPC and north-south traffic is routed through a Transit Gateway (TGW) and inspected by a centralized Security VPC hosting Gateway Load Balancer (GWLB) firewalls.

Key Components

1. Shared VPC Host Account

  • Owns the Shared VPC — including subnets, route tables, and TGW attachments.
  • Contains:
    • Public Subnets (connected to an Internet Gateway):
      • Host Internet-facing components such as ALBs, NAT Gateways, or public EC2 instances.
      • Default route 0.0.0.0/0 → IGW.
    • Private Subnets (non-Internet-facing):
      • Host backend workloads or participant ENIs.
      • Routes for internal CIDRs (e.g., 10.0.0.0/8) point to the TGW attachment.
  • Transit Gateway Attachment:
    • Connects the Shared VPC to the TGW for both east-west and north-south routing.
    • TGW route table determines if traffic is inspected or forwarded to other VPCs.

2. Security Account and Security VPC

  • A dedicated account owned by the security team.
  • Contains the Gateway Load Balancer (GWLB) and firewall appliances
    (e.g., Palo Alto, FortiGate, Check Point, or Suricata).
  • Security VPC details:
    • Subnets per AZ connected to GWLB target groups.
    • TGW attachment with Appliance Mode enabled to maintain flow symmetry.
  • GWLB endpoints are used by the Shared VPC’s private route tables to forward traffic for inspection.

3. Transit Gateway (TGW)

  • Acts as the central routing fabric connecting:
    • The Shared VPC (Host Account)
    • The Security VPC (Security Account)
    • Any additional application or support VPCs in other accounts
  • TGW Route Tables configured for traffic steering:
    • Routes between participant workloads go through the Security VPC for inspection.
    • North-south (Internet-bound) traffic also passes through the Security VPC before reaching the IGW.
    • Blackhole routes prevent direct bypass of inspection.

4. Participant Accounts

  • Do not own a VPC; workloads are deployed into exported subnets of the Shared VPC.
  • Each participant’s ENIs appear within the Shared VPC’s subnets.
  • Participants rely on the Host Account for:
    • Subnet routing configuration
    • Security group and NACL enforcement
    • TGW connectivity and inspection routing

Traffic Flow Scenarios

North–South (Internet Ingress/Egress)

  1. Internet traffic enters via the IGW in the Shared VPC’s Public Subnets.
  2. Traffic passes through ALB/firewall endpoints and then through the GWLB in the Security VPC for inspection.
  3. Allowed traffic is routed via TGW to workloads in private subnets (participant ENIs).
  4. Outbound follows the reverse path — Private → TGW → GWLB → IGW.

East–West (Inter-VPC / Internal Traffic)

  1. Workload in Shared VPC initiates traffic to another internal VPC.
  2. Traffic routes Shared VPC → TGW → Security VPC (inspection) → TGW → destination VPC.
  3. All inter-VPC traffic is centrally monitored and inspected.

Operational Benefits

  • Centralized governance: The Host Account owns routing and TGW attachments, ensuring policy consistency.
  • Least privilege & separation of duties:
    • Security Account manages firewalls and policies.
    • Host Account manages network infrastructure.
    • Participant Accounts manage only their workloads.
  • Scalable & multi-account compliant: Works under AWS Organizations + RAM.
  • Reduced operational duplication: One shared IGW/NAT/firewall layer for all accounts.
  • Inspection assurance: All traffic (north-south and east-west) passes through GWLB via TGW routing.

Design Best Practices

  • Enable Appliance Mode on the Security VPC TGW attachment for stateful symmetry.
  • Use dedicated TGW route tables for inspected vs. trusted paths.
  • Export both Public and Private subnets to participant accounts for flexible placement.
  • Use AWS Firewall Manager or SCPs to enforce inspection and prevent direct IGW use by participants.
  • Enable VPC Flow Logs and TGW Flow Logs for audit visibility.
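As an added audit example (not part of the original page or of any AWS tooling), the check below walks VPC route tables in the shape EC2 DescribeRouteTables returns and flags the bypass cases the design above rules out: a private subnet routing straight to an IGW, a private default route that does not hand off to the TGW, or an internal CIDR not sent to the TGW. The 10.0.0.0/8 range, the route table and gateway IDs, and the public/private labelling are constructed assumptions.

```python
from ipaddress import ip_network
from typing import List, Optional

# Assumed internal range; the page uses 10.0.0.0/8 as its example.
INTERNAL_CIDR = ip_network("10.0.0.0/8")

def route_target(route: dict) -> Optional[str]:
    """Return whichever target field a DescribeRouteTables route carries."""
    for key in ("GatewayId", "TransitGatewayId", "NatGatewayId", "VpcEndpointId"):
        if route.get(key):
            return route[key]
    return None

def audit_route_table(rt: dict, private: bool) -> List[str]:
    """Return findings for one route table; an empty list means it follows the design."""
    findings = []
    for route in rt.get("Routes", []):
        dest, target = route.get("DestinationCidrBlock"), route_target(route)
        if dest is None or target in (None, "local"):
            continue  # IPv6/prefix-list routes and the VPC-local route are out of scope
        if private and target.startswith("igw-"):
            findings.append(f"{rt['RouteTableId']}: private route {dest} -> {target} bypasses TGW/GWLB")
        elif ip_network(dest).subnet_of(INTERNAL_CIDR) and not target.startswith("tgw-"):
            findings.append(f"{rt['RouteTableId']}: internal route {dest} -> {target} skips the TGW")
        elif private and dest == "0.0.0.0/0" and not target.startswith("tgw-"):
            findings.append(f"{rt['RouteTableId']}: private default route -> {target} is not the TGW")
    return findings

# Constructed sample in the DescribeRouteTables "RouteTables" shape; IDs are placeholders.
SAMPLE_TABLES = [
    ("private", {"RouteTableId": "rtb-private-ok", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": "tgw-0123"},
        {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0123"}]}),
    ("private", {"RouteTableId": "rtb-private-bypass", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]}),
    ("public", {"RouteTableId": "rtb-public", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": "tgw-0123"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]}),
]

def audit_all(tables=SAMPLE_TABLES) -> dict:
    """Map each route table id to its findings (public tables may keep 0.0.0.0/0 -> IGW)."""
    return {rt["RouteTableId"]: audit_route_table(rt, kind == "private") for kind, rt in tables}
```

Run it against the real DescribeRouteTables output of the Shared VPC (tagging which tables back private subnets) as a periodic check alongside the Firewall Manager or SCP guardrails.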