Asymmetry routing and NAT


Attending a class about cloud security - AWS. It's mentioned that we can have 2 different subnets, SubnetA connected to an internet gateway for ingress traffic and SubnetB connected to a NAT gateway for egress traffic. And this should/has to be done based on how transit gateway routes play out, and is architected as such to allow for traffic inspection with NVAs like Palo to allow for inspection before traffic hits the actual server.

Considering the above, a user connecting to an internal webserver from outside will get in through the internet gateway (1.1.1.1), while the return traffic will go out through the NAT gateway (2.2.2.2), creating asymmetrical traffic.

We are told return traffic to the user behind their firewall (3.3.3.3) will not be an issue, although return traffic for the same NAT session will be arriving from a different IP (2.2.2.2) but was sent to (1.1.1.1). That is because traffic will be matched to the NAT session ID and not to the actual IP addresses.

How accurate is the above statement? I am not able to test this in my environment. My understanding was that NAT session and IP details all have to match for matching the session.
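The following is an added example, not part of the original post, and it models no particular vendor's product. It is a toy stateful NAT/firewall whose session table is keyed on the 5-tuple (protocol, source IP, source port, destination IP, destination port), the way conventional stateful devices track sessions; TCP and UDP packets carry no separate "session id", so the tuple is the only thing a return packet can be matched on. It reuses the post's placeholder addresses (1.1.1.1 for the internet gateway, 2.2.2.2 for the NAT gateway, 3.3.3.3 for the user's firewall) and adds a constructed inside host 10.0.0.5. The scenario function sends the user's request toward 1.1.1.1 and then delivers the reply twice: once sourced from 1.1.1.1 (symmetric) and once sourced from 2.2.2.2 (asymmetric, as described in the post), showing which reply the session table can match.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Flow key as a stateful device sees it: (proto, src_ip, src_port, dst_ip, dst_port)
FlowKey = Tuple[str, str, int, str, int]


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for the first packet of a TCP connection


@dataclass
class Session:
    inside_key: FlowKey   # flow as seen before source NAT (private host -> server)
    outside_key: FlowKey  # flow as seen after source NAT (public IP -> server)


@dataclass
class StatefulNat:
    """Toy stateful firewall with source NAT. Sessions are looked up purely by
    5-tuple; there is no session identifier inside the packets themselves."""
    public_ip: str
    next_port: int = 40000
    outbound: Dict[FlowKey, Session] = field(default_factory=dict)
    inbound: Dict[FlowKey, Session] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    @staticmethod
    def key(p: Packet) -> FlowKey:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def outbound_packet(self, p: Packet) -> Optional[Packet]:
        """Inside -> outside. A SYN with no session creates one and installs the
        reverse tuple the reply must carry to be accepted."""
        k = self.key(p)
        sess = self.outbound.get(k)
        if sess is None:
            if not p.syn:
                self.log.append(f"DROP out {k}: no session")
                return None
            nat_port = self.next_port
            self.next_port += 1
            outside = (p.proto, self.public_ip, nat_port, p.dst_ip, p.dst_port)
            sess = Session(inside_key=k, outside_key=outside)
            self.outbound[k] = sess
            # Expected reply: from the server we sent to, back to our NAT address/port.
            expected_reply = (p.proto, p.dst_ip, p.dst_port, self.public_ip, nat_port)
            self.inbound[expected_reply] = sess
            self.log.append(f"NEW {k} -> {outside}")
        return Packet(p.proto, self.public_ip, sess.outside_key[2], p.dst_ip, p.dst_port, p.syn)

    def inbound_packet(self, p: Packet) -> Optional[Packet]:
        """Outside -> inside. Only packets whose 5-tuple matches an installed
        reverse flow are translated back; everything else is dropped."""
        k = self.key(p)
        sess = self.inbound.get(k)
        if sess is None:
            self.log.append(f"DROP in {k}: no matching session")
            return None
        _, in_ip, in_port, _, _ = sess.inside_key
        return Packet(p.proto, p.src_ip, p.src_port, in_ip, in_port)


def simulate_asymmetric_return() -> Tuple[bool, bool]:
    """Returns (symmetric_reply_accepted, asymmetric_reply_dropped).
    Addresses are the post's placeholders; 10.0.0.5 is a constructed inside host."""
    fw = StatefulNat(public_ip="3.3.3.3")
    # User's inside host opens HTTPS to the web server via the internet gateway.
    out = fw.outbound_packet(Packet("tcp", "10.0.0.5", 51000, "1.1.1.1", 443, syn=True))
    assert out is not None
    # Symmetric reply: sourced from the address the request was sent to.
    sym = fw.inbound_packet(Packet("tcp", "1.1.1.1", 443, "3.3.3.3", out.src_port))
    # Asymmetric reply: same ports, but sourced from the NAT gateway instead.
    asym = fw.inbound_packet(Packet("tcp", "2.2.2.2", 443, "3.3.3.3", out.src_port))
    return sym is not None and sym.dst_ip == "10.0.0.5", asym is None


if __name__ == "__main__":
    accepted, dropped = simulate_asymmetric_return()
    print(f"symmetric reply accepted: {accepted}, asymmetric reply dropped: {dropped}")
```

Running the scenario prints `symmetric reply accepted: True, asymmetric reply dropped: True`. The point for a reviewer of such a design is that, under plain 5-tuple session tracking, the reply from 2.2.2.2 has no session to match and is discarded before any application sees it; whether a given platform can be configured to tolerate asymmetric flows is a separate, product-specific question that this toy does not answer.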

0 REPLIES