Help with AWS TGW, GWLB, and Network Firewall Setup

Asked By CuriousWhale48 On

Hey everyone! I'm finishing up my training program at work and have one last design project to complete on AWS. To be honest, networking isn't my strongest area, and I'm struggling with routing issues. Specifically, I'm having trouble pinging instances across different accounts that are connected through a Transit Gateway (TGW). I haven't deployed the firewall yet; I'm just trying to figure out the routing. Does anyone have a good video or resource that can help with this setup? I've seen some using Palo Alto, but I'm not looking to purchase a license just for training purposes.

3 Answers

Answered By CloudWizard99 On

Definitely look at your flow logs. Start with the VPC flow logs for your instance, then check the TGW flow logs, and finally the logs of the target EC2 instance for your ping request and response. The flow log structure is straightforward, and you can also use the Reachability Analyzer or the AWS CLI to troubleshoot and analyze your logs!

CuriousWhale48 -

Thanks for the suggestions! After writing this post, I started using Lucidchart to visualize everything better. Then I took a break for my sanity, and when I returned, I realized I hadn’t attached my GWLB target groups to the GWLB—big oversight! I’ll be checking the flow logs next.
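A small checker for the flow-log step suggested in the answer above, added here as an example (not code from the thread or from any AWS tool): it parses default-format VPC flow log records (the 14 space-separated fields) and classifies a ping between two addresses by whether the outbound echo and the returning reply were both seen on the ENI and both ACCEPTed. The log lines, account id, ENI id and addresses are constructed; the only protocol assumption is that ICMP is IP protocol number 1.

```python
"""Classify a ping from default-format VPC flow log records.

Field order (VPC flow log default format, version 2):
version account-id interface-id srcaddr dstaddr srcport dstport
protocol packets bytes start end action log-status
"""

FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]
ICMP = "1"  # IANA protocol number for ICMP

# Constructed sample records as seen on the pinging instance's ENI:
# 10.1.2.20 answers normally; the reply from 10.2.3.30 is rejected
# (e.g. by an inbound NACL rule); the last line is a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.1.2.20 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.1.2.20 10.0.1.10 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.2.3.30 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.2.3.30 10.0.1.10 0 0 1 4 336 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Return a list of dicts, one per usable (log-status OK) record."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA carry no flow information
        records.append(rec)
    return records


def ping_status(records, src, dst):
    """Classify ICMP traffic between src and dst as seen from src's ENI.

    no-request      : echo never left the ENI (instance/OS-level or local route)
    request-rejected: outbound echo blocked (security group / NACL on src side)
    no-reply        : echo left but nothing came back (TGW or remote VPC routing)
    reply-rejected  : reply arrived but was dropped on the way in (inbound NACL)
    ok              : both directions seen and accepted
    """
    req = [r for r in records if r["protocol"] == ICMP and r["srcaddr"] == src and r["dstaddr"] == dst]
    rep = [r for r in records if r["protocol"] == ICMP and r["srcaddr"] == dst and r["dstaddr"] == src]
    if not req:
        return "no-request"
    if all(r["action"] == "REJECT" for r in req):
        return "request-rejected"
    if not rep:
        return "no-reply"
    if all(r["action"] == "REJECT" for r in rep):
        return "reply-rejected"
    return "ok"
```

Run the same check against the target instance's flow logs with src and dst swapped to see the other half of the path; a "no-reply" on the source side together with a "no-request" on the target side points at the TGW or VPC route tables rather than at security groups.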

Answered By TechieNinja42 On

Start by checking the routing tables used by the instances. Make sure there's a route that points through the TGW to the other VPC/account. Also, inspect the associated transit gateway routing table for a route to the destination VPC. That could be where the problem lies!

CuriousWhale48 -

Thanks for the tip! It got me to create a network diagram in Lucidchart, and I already spotted an oversight—forgot to attach the target groups to the GWLB! Gonna finish the rest of my accounts now.

Answered By NetworkGuru73 On

If you plan to use the AWS Network Firewall, you actually don’t need to set up a GWLB, since the Network Firewall manages things behind the scenes. You'll just work with the Firewall endpoints. Only set up a GWLB if you’re using a third-party firewall.

CuriousWhale48 -

Ah, that’s kind of frustrating. Can GWLB still work alongside AWS Network Firewall? The principal engineer who assigned this project mentioned using it, so I’m curious if it’s possible or if I should just scrap that idea altogether.
