Hi all,

First, I'm pretty new with AWS... The VPC is configured in the range 10.0.0.0/16. I have a firewall (PA VM) deployed with 3 interfaces (Untrust, DMZ, Trust):

- Untrust: 10.0.0.0/24
- Internal: 10.0.1.0/24 (FW .1)
- DMZ: 10.0.99.0/24 (FW .1)

I created 3 routing tables, one for each zone, and assigned each subnet to its RT. I changed the default route for the DMZ and Internal routing tables, pointing it to the FW.

Because each routing table (focusing on DMZ and Trust here) has a default entry (10.0.0.0/16) pointing to local that cannot be changed, it's possible to pass traffic from DMZ to Internal WITHOUT traversing the firewall.

I created two self-referencing security groups (SG-TRUST and SG-DMZ) and assigned them to each ENI (FW ENI and host ENI). Now traffic is blocked (so bypassing the FW is not possible anymore), but routes need to be added on each host to pass traffic from Trust to DMZ (and reverse):

- On DMZ host: 10.0.1.0/24 gw 10.0.1.99.1 (FW)
- On Internal host: 10.0.99.0/24 gw 10.0.1.1 (FW)

Is it possible to avoid creating these static routes on the hosts and force traffic to traverse the firewall (configuration on the routing table)?

Regards,
HA
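To make the bypass in the post concrete, here is an added model (not the poster's configuration or any AWS tooling) of how a VPC route table picks a target by longest-prefix match, so the implicit local route for 10.0.0.0/16 always beats the 0.0.0.0/0 route to the firewall for intra-VPC destinations, and how the self-referencing security groups and the per-host static route change the outcome. Host addresses (.10), ENI names and security-group names are assumed placeholders; the firewall's .1 addresses in the Trust and DMZ subnets are taken from the post.

```python
import ipaddress

# Constructed model of the VPC in the post: 10.0.0.0/16, firewall holding .1 in the
# Trust (10.0.1.0/24) and DMZ (10.0.99.0/24) subnets. Host addresses (.10) are
# assumed; ENI and security-group names are placeholders, not real AWS ids.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
ENI_BY_IP = {"10.0.1.1": "eni-fw-trust", "10.0.99.1": "eni-fw-dmz",
             "10.0.1.10": "eni-host-trust", "10.0.99.10": "eni-host-dmz"}
# Subnet route tables as configured: default route to the firewall ENI of that zone.
# The 'local' route for the VPC CIDR is implicit in every table and cannot be removed.
ROUTE_TABLES = {"trust": {"0.0.0.0/0": "eni-fw-trust"},
                "dmz": {"0.0.0.0/0": "eni-fw-dmz"}}
# Self-referencing security groups: members accept traffic only from the same group.
SG_MEMBERS = {"sg-trust": {"eni-host-trust", "eni-fw-trust"},
              "sg-dmz": {"eni-host-dmz", "eni-fw-dmz"}}


def vpc_target(table, ip):
    """Longest-prefix match over the subnet's route table plus the implicit local route."""
    routes = {VPC_CIDR: "local"}
    routes.update({ipaddress.ip_network(c): t for c, t in ROUTE_TABLES[table].items()})
    best = max((n for n in routes if ip in n), key=lambda n: n.prefixlen)
    return routes[best]


def sg_allows(src_eni, dst_eni):
    return any(src_eni in m and dst_eni in m for m in SG_MEMBERS.values())


def first_hop(src_eni, table, host_routes, dst_ip, enforce_sg=True):
    """Where a packet leaving src_eni lands first, and whether it is accepted there.
    host_routes: OS-level static routes on the instance, {cidr: gateway}.
    Returns (target_eni_or_route_target, delivered)."""
    dst = ipaddress.ip_address(dst_ip)
    hop = dst
    for cidr, gw in host_routes.items():      # instance routing picks the L3 next hop
        if dst in ipaddress.ip_network(cidr):
            hop = ipaddress.ip_address(gw)
    target = vpc_target(table, hop)
    if target != "local":
        return target, True                   # VPC route hands it to the firewall ENI
    dst_eni = ENI_BY_IP[str(hop)]             # local route: delivered directly in the VPC
    return dst_eni, (not enforce_sg) or sg_allows(src_eni, dst_eni)


if __name__ == "__main__":
    # DMZ host -> Trust host, no host route, SGs not yet applied: firewall bypassed.
    print(first_hop("eni-host-dmz", "dmz", {}, "10.0.1.10", enforce_sg=False))
    # Same path with the self-referencing SGs: reaches the host ENI but is dropped.
    print(first_hop("eni-host-dmz", "dmz", {}, "10.0.1.10"))
    # With the host static route via the firewall's DMZ address: accepted by the FW ENI.
    print(first_hop("eni-host-dmz", "dmz", {"10.0.1.0/24": "10.0.99.1"}, "10.0.1.10"))
```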