If you’re using a centralized Gateway Load Balancer (GWLB) setup and notice that traffic isn’t flowing symmetrically, it’s likely because of how Transit Gateway manages traffic across different Availability Zones (AZs). By default, the Transit Gateway prefers to keep traffic within the same AZ—this is called AZ affinity. This usually works well, but when you add appliances like firewalls or inspection VPCs into the mix, things can get tricky.
Turning on appliance mode only for the Inspection VPC attachment creates an inconsistency. The Inspection VPC will send both directions of a flow through the same appliance, ignoring AZ boundaries, while your spoke VPCs keep their AZ affinity. The forward and return paths can therefore enter the inspection VPC in different AZs and hit different appliances, which is what we call asymmetric routing.
The solution is to enable appliance mode on all your VPC attachments, including both the Inspection VPC and the spoke VPCs. Doing this aligns the routing behavior across the board, allowing traffic to flow seamlessly through any AZ and ensuring it passes through the same inspection point both ways. The trade-off is that this setup no longer prioritizes AZ affinity, which might reduce some local traffic optimization. But it is a necessary step to keep the traffic symmetric, especially with stateful firewalls like FortiGate, which cannot match return packets to a session they never saw.
Many reference architectures recommend enabling appliance mode only on the Inspection VPC because they assume simpler traffic patterns. But in more complex, multi-AZ environments, especially with centralized inspection, applying it to all attachments is the proven way to avoid asymmetric routing issues. While this approach might add some extra complexity, it ensures that your inspection setup works correctly and your traffic remains symmetrical.
In summary, for a centralized GWLB architecture that needs to keep traffic flowing smoothly and symmetrically, enabling appliance mode on all relevant VPC attachments is the best approach. It might mean giving up some AZ-specific optimization, but it guarantees correct traffic flow for your stateful inspection needs without the complications of deploying inspection appliances in each AZ separately.
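The audit and fix described above, as an added example that is not part of the original post: it parses the JSON shape returned by `aws ec2 describe-transit-gateway-vpc-attachments`, flags the mixed state (some attachments in appliance mode, others still on AZ affinity), and emits the `modify-transit-gateway-vpc-attachment` calls that enable appliance mode on the rest. The attachment and VPC ids are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-transit-gateway-vpc-attachments`
# output; attachment and VPC ids are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"TransitGatewayVpcAttachments": [
    {"TransitGatewayAttachmentId": "tgw-attach-0inspection000001",
     "VpcId": "vpc-0inspection000001", "State": "available",
     "Options": {"ApplianceModeSupport": "enable"}},
    {"TransitGatewayAttachmentId": "tgw-attach-0spoke0000000001",
     "VpcId": "vpc-0spoke0000000001", "State": "available",
     "Options": {"ApplianceModeSupport": "disable"}},
    {"TransitGatewayAttachmentId": "tgw-attach-0spoke0000000002",
     "VpcId": "vpc-0spoke0000000002", "State": "available",
     "Options": {"ApplianceModeSupport": "enable"}},
    {"TransitGatewayAttachmentId": "tgw-attach-0deleted000000001",
     "VpcId": "vpc-0deleted000000001", "State": "deleted",
     "Options": {"ApplianceModeSupport": "disable"}},
]})

def appliance_mode_enabled(attachment):
    """True when the attachment has ApplianceModeSupport=enable."""
    return attachment.get("Options", {}).get("ApplianceModeSupport") == "enable"

def live_attachments(describe_json):
    """Only attachments that can carry traffic; deleted ones are ignored."""
    data = json.loads(describe_json)
    return [a for a in data["TransitGatewayVpcAttachments"]
            if a.get("State") == "available"]

def attachments_missing_appliance_mode(describe_json):
    """Ids of live attachments still relying on AZ affinity."""
    return sorted(a["TransitGatewayAttachmentId"]
                  for a in live_attachments(describe_json)
                  if not appliance_mode_enabled(a))

def has_asymmetric_routing_risk(describe_json):
    """The mismatch described above: some attachments use appliance mode
    (typically the inspection VPC) while others still use AZ affinity."""
    live = live_attachments(describe_json)
    enabled = [a for a in live if appliance_mode_enabled(a)]
    return 0 < len(enabled) < len(live)

def remediation_commands(attachment_ids):
    """CLI calls that bring every remaining attachment into appliance mode."""
    return ["aws ec2 modify-transit-gateway-vpc-attachment "
            f"--transit-gateway-attachment-id {aid} "
            "--options ApplianceModeSupport=enable" for aid in attachment_ids]

if __name__ == "__main__":
    print("\n".join(remediation_commands(attachments_missing_appliance_mode(SAMPLE_DESCRIBE_OUTPUT))))
```

Feed it real output by piping the describe call into `json.loads`, then run the printed commands once you have reviewed the list.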