Hello everyone, I can’t understand the behavior of outbound traffic in the figure. For simplicity I have shown only the elements for the traffic to the internet generated by the ec2 in the public-server subnet. I don’t understand whether, in the case of a topology with gwlb, the inspected outgoing traffic has to go through a nat.
This ec2 has an assigned eip, and if I put it in a subnet associated with a routing table that has 0.0.0.0/0 to the igw, the ec2 goes out to the internet without problems. Unfortunately, however, when I want to inspect outgoing traffic from the ec2, I modify the routing table of the subnet in which it is located, specifying that the next hop for 0.0.0.0/0 is no longer the igw but the vpce-egress. At this point I see traffic passing over the Palo Alto firewall; however, the packet does not go out to the Internet.
At this point I tried to analyze the flow with the Reachability Analyzer: the packet is stopped by the igw and I got the following error: IGW_REJECTS_SPOOFED_TRAFFIC -> Internet gateway igw-xxx cannot accept traffic with spoofed addresses from the VPC. Also, analyzing the vpc flow logs, I see the packet from the ec2 to 1.1.1.1 (for example) and at the same time the corresponding packet going from the vpce-egress to 1.1.1.1. My guess is that the igw sees a packet coming from the vpce-egress with source the ip of the ec2 and destination 1.1.1.1, and then drops the packet with this error. One piece of evidence for this behavior is that if the routing table associated with the subnet where the vpce-egress is located has the route 0.0.0.0/0 with next hop not the igw but a nat-gw, then the packet correctly goes out of the igw to the Internet. I believe this is because at that point the igw sees a packet coming from the nat with source the private ip of the nat and destination 1.1.1.1, so it does not fall into the situation before.
I wanted to know whether, in this topology, outgoing traffic that needs to be inspected through the vpce-egress must necessarily go through a nat first. That is, does the vpce-egress have to be in a subnet with 0.0.0.0/0 to the nat, or is it possible for the endpoint to have a 0.0.0.0/0 route with next hop the igw? If so, what am I doing wrong and how could I fix it? If you have other evidence of these behaviors I would be very interested to read about it.
One last question: in light of the reasoning above, I don’t understand how the traffic topology presented by Palo Alto in its documentation (https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/vm-series-integration-with-gateway-load-balancer) can work. I.e., if I contact from outside the alb of the web application in the vpc1 app, the response packet cannot follow the 0.0.0.0/0 to the tgw eni in the ec2 subnet, because otherwise it would come out natted from the sec vpc. So this means that the reply packet is given by the ec2 to the alb, because the alb behaves like a reverse proxy, correct? And at this point the alb gives the packet to the ingress gwlb endpoint in the vpc1 app, which sends the reply packet to the igw. Is this reasoning correct?
Thank you.
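As an added example (not code from the post, from AWS, or from Palo Alto's documentation), the following Python model walks a packet from the ec2 through the three subnet route-table configurations compared above and reports which source address reaches the igw on each path. All addresses, subnet names and route tables are constructed for the example. The igw check in `igw_forward` is modeled on the poster's own observation (a VPC-private source arriving from a subnet other than the one that owns it is rejected as spoofed); that is an assumption for illustration, not a statement of AWS's documented rule.

```python
"""Egress path tracer for the gwlb topology discussed in the post (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed example addresses: RFC 1918 for the VPC, RFC 5737 for the public side.
VPC_CIDR = "10.0.0.0/16"
EC2_PRIVATE, EC2_EIP = "10.0.1.10", "203.0.113.10"
NAT_PRIVATE, NAT_EIP = "10.0.3.5", "203.0.113.5"
OWNER_SUBNET = {EC2_PRIVATE: "public-server", NAT_PRIVATE: "nat-subnet"}
EIP_OF = {EC2_PRIVATE: EC2_EIP, NAT_PRIVATE: NAT_EIP}


class RouteTable:
    """Longest-prefix-match lookup over {CIDR: next-hop target}, the way a
    subnet route table resolves a destination."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(c), t) for c, t in routes.items()]

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net.prefixlen, t) for net, t in self.routes if addr in net]
        return max(matches)[1] if matches else None


@dataclass
class Packet:
    src: str
    dst: str
    arrived_from: str  # subnet that handed the packet to the next hop


def igw_forward(pkt):
    """igw behaviour as the poster observed it (assumption for this example):
    a VPC-private source is translated to its EIP only when the packet reaches
    the igw from the subnet that owns that address; otherwise it is rejected."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(VPC_CIDR):
        return "DROP: source is not a VPC address"
    if OWNER_SUBNET.get(pkt.src) != pkt.arrived_from:
        return "DROP: IGW_REJECTS_SPOOFED_TRAFFIC"
    return f"OUT: {EIP_OF[pkt.src]} -> {pkt.dst}"


def trace(dst, server_rt, gwlbe_rt, nat_rt):
    """Walk the packet from the ec2 towards dst and return the list of hops."""
    path = []
    pkt = Packet(EC2_PRIVATE, dst, "public-server")
    hop = server_rt.next_hop(dst)
    path.append(f"public-server -> {hop}")
    if hop == "local":
        path.append("DELIVERED inside the VPC")
        return path
    if hop == "vpce-egress":
        # The gwlb hands the packet to the firewall and back unchanged, so the
        # ec2's private source address now leaves from the gwlbe subnet.
        path.append("vpce-egress -> gwlb -> firewall -> vpce-egress")
        pkt.arrived_from = "gwlbe-subnet"
        hop = gwlbe_rt.next_hop(dst)
        path.append(f"gwlbe-subnet -> {hop}")
    if hop == "nat":
        # The nat gateway rewrites the source to its own private address.
        pkt = Packet(NAT_PRIVATE, dst, "nat-subnet")
        hop = nat_rt.next_hop(dst)
        path.append(f"nat-subnet -> {hop}")
    if hop == "igw":
        path.append(igw_forward(pkt))
    else:
        path.append(f"DROP: no usable route ({hop})")
    return path


# The three route-table layouts compared in the post.
SERVER_VIA_IGW = RouteTable({VPC_CIDR: "local", "0.0.0.0/0": "igw"})
SERVER_VIA_GWLBE = RouteTable({VPC_CIDR: "local", "0.0.0.0/0": "vpce-egress"})
GWLBE_VIA_IGW = RouteTable({VPC_CIDR: "local", "0.0.0.0/0": "igw"})
GWLBE_VIA_NAT = RouteTable({VPC_CIDR: "local", "0.0.0.0/0": "nat"})
NAT_VIA_IGW = RouteTable({VPC_CIDR: "local", "0.0.0.0/0": "igw"})

if __name__ == "__main__":
    cases = [
        ("no inspection", SERVER_VIA_IGW, GWLBE_VIA_IGW),
        ("inspection, gwlbe subnet -> igw", SERVER_VIA_GWLBE, GWLBE_VIA_IGW),
        ("inspection, gwlbe subnet -> nat", SERVER_VIA_GWLBE, GWLBE_VIA_NAT),
    ]
    for name, srt, grt in cases:
        print(f"{name}: " + " | ".join(trace("1.1.1.1", srt, grt, NAT_VIA_IGW)))
```

Running the script prints one line per case; the last hop of each trace is the point to compare, since it shows whether the igw sees the ec2's private address arriving from the gwlbe subnet or the nat's private address arriving from the nat subnet, which is exactly the difference between the two vpce-egress subnet routes the post tested.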