@aleksandar.astardzhiev Thank you again for the response. It's getting clearer.

If I'm understanding correctly, if I have 5 VPCs (workloads) + 1 Security VPC (FWs), each of the 5 VPCs will have their own GWLBe, and the security VPC will have two GWLBe (one for outbound and one for east/west). All 5 VPCs should map to the same sub-interface, and I should probably call that firewall zone "east-west".

For firewall policy rule creation for things I need to limit/inspect, I should do source zone east-west, source address x.x.x.x, destination zone east-west, destination address x.x.x.x.

Continuing with that logic, if I understand correctly, then I should assume that if an EC2 instance in VPC-A is going to the internet, I should expect to see in the firewall logs source zone outbound, destination zone outbound?

I just want to mention that in my security VPC, I was not creating multiple GWLBe for each zone, in case that wasn't clear.