Hello Shay - great video. I am just missing one point - how TGW decides where to route the traffic from spokes, to TGW net 01 or TGW net 02 in Security VPC?
i was wondering why aws does not simply enables bgp from an appliance that can inject the next hop to the routing table of the tgw and that's it . no need even for static routes etc. it will also solve all the "redundancy" issues and leave it clean... also those with less budget, will not have to use 2 firewalls. you could use only 1. this one will advertise more specific routes and when its gone, the traffic will fall back to "no fw state" where communication would keep smoothly. you would surely not need to use gwlb. nor anything else. or invent new features. plain old networking.
In a scenario with out GWLB, using clusterXL, a transit gw & two spoke VPCs, can you route inbound web traffic directly to your security vpc? Our load balancer is in our VPC & we are just using a N/S architecture. IOW, can you have an IGW on your security VPC? Then, your gw could terminate, decrypt, inspect, encrypt and route that to the appropriate VPC hosting your web server. I'm looking at using clusterXL in my security VPC, not GWLB.
Thanks very helpful.
Hello Shay - great video. I am just missing one point - how TGW decides where to route the traffic from spokes, to TGW net 01 or TGW net 02 in Security VPC?
i was wondering why aws does not simply enables bgp from an appliance that can inject the next hop to the routing table of the tgw and that's it . no need even for static routes etc.
it will also solve all the "redundancy" issues and leave it clean...
also those with less budget, will not have to use 2 firewalls. you could use only 1. this one will advertise more specific routes and when its gone, the traffic will fall back to "no fw state" where communication would keep smoothly.
you would surely not need to use gwlb. nor anything else. or invent new features.
plain old networking.
In a scenario with out GWLB, using clusterXL, a transit gw & two spoke VPCs, can you route inbound web traffic directly to your security vpc? Our load balancer is in our VPC & we are just using a N/S architecture. IOW, can you have an IGW on your security VPC? Then, your gw could terminate, decrypt, inspect, encrypt and route that to the appropriate VPC hosting your web server. I'm looking at using clusterXL in my security VPC, not GWLB.