topic Help with AWS routing tables for CloudGuard with AWS GWLB, Transit Gateway in Cloud Firewall https://community.checkpoint.com/t5/Cloud-Firewall/Help-with-AWS-routing-tables-for-CloudGuard-with-AWS-GWLB/m-p/167356#M583 <P>Hi,</P><P>I am trying to configure an environment per&nbsp;<A href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_Security_VPC_for_Transit_Gateway/Content/Topics-AWS-GWLB-VPC-TGW-DG/Deploying-a-GWLB-Security-VPC-for-Transit-Gateway.htm?tocpath=Deploying%20a%20GWLB%20Security%20VPC%20for%20Transit%20Gateway%7C_____0#Step_3__Deploy_the_Check_Point_Security_Management_Server_(SMS)" target="_blank">https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_Security_VPC_for_Transit_Gateway/Content/Topics-AWS-GWLB-VPC-TGW-DG/Deploying-a-GWLB-Security-VPC-for-Transit-Gateway.htm?tocpath=Deploying%20a%20GWLB%20Security%20VPC%20for%20Transit%20Gateway%7C_____0#Step_3__Deploy_the_Check_Point_Security_Management_Server_(SMS)</A>&nbsp;</P><P>1. Transit&nbsp; Gateway</P><P>2. Scale set and GWLB</P><P>3. 1 spoke VPC</P><P>4. Trying to set up an internet-facing load balancer in the spoke VPC pointing to a workload in the spoke VPC, such that the traffic is inspected by Cloud Guard, ie the optional step in the guide "Configure Inbound traffic to spoke VPCs"</P><P>The guide referred to above has a diagram for all the required routes in all routing tables to achieve this. I believe I have followed this (double-checked all). I have set up separate route tables for&nbsp; all spoke VPC subnets.</P><P>The external load balancer/workload setup works correctly when I set the default route of the spoke load balancer subnet to the IGW, however obviously the traffic bypasses CheckPoint.</P><P>When I set the default route of the spoke load balancer subnet to the GWLBe which is how the guide says it should be, I can see the traffic enter the workload instance, but the traffic does not seem to be being passed to the security VPC.</P><P>My question:</P><P>Can you point me to any resources (videos, documents) that cover this use case and the routing in a bit more detail for this CloudGuard set up? It may be that I am interpreting the document incorrectly or missing a vital piece of information.</P><P>Thanks in advance,</P><P>&nbsp;</P><P>Andrew</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 10 Jan 2023 21:48:13 GMT AK2 2023-01-10T21:48:13Z Help with AWS routing tables for CloudGuard with AWS GWLB, Transit Gateway https://community.checkpoint.com/t5/Cloud-Firewall/Help-with-AWS-routing-tables-for-CloudGuard-with-AWS-GWLB/m-p/167356#M583 <P>Hi,</P><P>I am trying to configure an environment per&nbsp;<A href="https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_Security_VPC_for_Transit_Gateway/Content/Topics-AWS-GWLB-VPC-TGW-DG/Deploying-a-GWLB-Security-VPC-for-Transit-Gateway.htm?tocpath=Deploying%20a%20GWLB%20Security%20VPC%20for%20Transit%20Gateway%7C_____0#Step_3__Deploy_the_Check_Point_Security_Management_Server_(SMS)" target="_blank">https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_Security_VPC_for_Transit_Gateway/Content/Topics-AWS-GWLB-VPC-TGW-DG/Deploying-a-GWLB-Security-VPC-for-Transit-Gateway.htm?tocpath=Deploying%20a%20GWLB%20Security%20VPC%20for%20Transit%20Gateway%7C_____0#Step_3__Deploy_the_Check_Point_Security_Management_Server_(SMS)</A>&nbsp;</P><P>1. Transit&nbsp; Gateway</P><P>2. Scale set and GWLB</P><P>3. 1 spoke VPC</P><P>4. Trying to set up an internet-facing load balancer in the spoke VPC pointing to a workload in the spoke VPC, such that the traffic is inspected by Cloud Guard, ie the optional step in the guide "Configure Inbound traffic to spoke VPCs"</P><P>The guide referred to above has a diagram for all the required routes in all routing tables to achieve this. I believe I have followed this (double-checked all). I have set up separate route tables for&nbsp; all spoke VPC subnets.</P><P>The external load balancer/workload setup works correctly when I set the default route of the spoke load balancer subnet to the IGW, however obviously the traffic bypasses CheckPoint.</P><P>When I set the default route of the spoke load balancer subnet to the GWLBe which is how the guide says it should be, I can see the traffic enter the workload instance, but the traffic does not seem to be being passed to the security VPC.</P><P>My question:</P><P>Can you point me to any resources (videos, documents) that cover this use case and the routing in a bit more detail for this CloudGuard set up? It may be that I am interpreting the document incorrectly or missing a vital piece of information.</P><P>Thanks in advance,</P><P>&nbsp;</P><P>Andrew</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 10 Jan 2023 21:48:13 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Help-with-AWS-routing-tables-for-CloudGuard-with-AWS-GWLB/m-p/167356#M583 AK2 2023-01-10T21:48:13Z Re: Help with AWS routing tables for CloudGuard with AWS GWLB, Transit Gateway https://community.checkpoint.com/t5/Cloud-Firewall/Help-with-AWS-routing-tables-for-CloudGuard-with-AWS-GWLB/m-p/167358#M584 <P>Hi,&nbsp;</P><P>Sorry to reply to my own post however it seems I have made some progress following the AWS documentation here&nbsp;<A href="https://protect-eu.mimecast.com/s/tgowC1j0PTOjwWEnhLUNkL?domain=docs.aws.amazon.com" target="_blank">https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/getting-started.html</A></P><P>Cheers,</P><P>&nbsp;</P><P>Andrew</P><P>&nbsp;</P> Tue, 10 Jan 2023 22:59:46 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Help-with-AWS-routing-tables-for-CloudGuard-with-AWS-GWLB/m-p/167358#M584 AK2 2023-01-10T22:59:46Z