# Middlebox routing wizard
<a name="middlebox-routing-console"></a>

If you want to configure fine-grain control over the routing path of traffic entering or leaving your VPC, for example, by redirecting traffic to a security appliance, you can use the middlebox routing wizard in the VPC console. The middlebox routing wizard helps you by automatically creating the necessary route tables and routes (hops) to redirect traffic as needed.

The middlebox routing wizard can help you configure routing for the following scenarios:
+ Routing traffic to a middlebox appliance, for example, an Amazon EC2 instance that's configured as a security appliance.
+ Routing traffic to a Gateway Load Balancer. For more information, see the [User Guide for Gateway Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/).

For more information, see [Middlebox scenarios](middlebox-routing-examples.md).

**Topics**
+ [Middlebox routing wizard prerequisites](#routing-console-rules)
+ [Redirect VPC traffic to a security appliance](working-with-routing-console.md)
+ [Middlebox routing wizard considerations](#console-routes-considerations)
+ [Middlebox scenarios](middlebox-routing-examples.md)

## Middlebox routing wizard prerequisites
<a name="routing-console-rules"></a>

Review [Middlebox routing wizard considerations](#console-routes-considerations). Then, make sure that you have the following information before you use the middlebox routing wizard.
+ The VPC.
+ The resource where traffic originates from or enters the VPC, for example, an internet gateway, virtual private gateway, or network interface.
+ The middlebox network interface or Gateway Load Balancer endpoint.
+ The destination subnet for the traffic.

# Redirect VPC traffic to a security appliance
<a name="working-with-routing-console"></a>

The middlebox routing wizard is available in the Amazon VPC console.

**Topics**
+ [1. Create routes using the middlebox routing wizard](#creating-routing-console)
+ [2. Modify middlebox routes](#modify-route)
+ [3. Delete the middlebox routing wizard configuration](#deleting-routing-console)

## 1. Create routes using the middlebox routing wizard
<a name="creating-routing-console"></a>

**To create routes using the middlebox routing wizard**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Your VPCs**.

1. Select your VPC, and then choose **Actions**, **Manage middlebox routes**.

1. Choose **Create routes**.

1. On the **Specify routes** page, do the following:
   + For **Source**, choose the source for your traffic. If you choose a virtual private gateway, for **Destination IPv4 CIDR**, enter the CIDR for the on-premises traffic entering the VPC from the virtual private gateway.
   + For **Middlebox**, choose the network interface ID that is associated with your middlebox appliance, or when you use a Gateway Load Balancer endpoint, choose the VPC endpoint ID.
   + For **Destination subnet**, choose the destination subnet.

1. (Optional) To add another destination subnet, choose **Add additional subnet**, and then do the following:
   + For **Middlebox**, choose the network interface ID that is associated with your middlebox appliance, or when you use a Gateway Load Balancer endpoint, choose the VPC endpoint ID.

     You must use the same middlebox appliance for multiple subnets.
   + For **Destination subnet**, choose the destination subnet.

1. (Optional) To add another source, choose **Add source**, and then repeat the previous steps.

1. Choose **Next**.

1. On the **Review and create** page, verify the routes and then choose **Create routes**.

## 2. Modify middlebox routes
<a name="modify-route"></a>

You can edit your route configuration by changing the gateway, the middlebox, or the destination subnet.

When you make any modifications, the middlebox routing wizard automatically performs the following operations:
+ Creates new route tables for the gateway, middlebox, and destination subnet.
+ Adds the necessary routes to the new route tables.
+ Disassociates the current route tables that the middlebox routing wizard associated with the resources.
+ Associates the new route tables that the middlebox routing wizard creates with the resources.

**To modify middlebox routes using the middlebox routing wizard**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Your VPCs**.

1. Select your VPC, and then choose **Actions**, **Manage middlebox routes**.

1. Choose **Edit routes**.

1. To change the gateway, for **Source**, choose the gateway through which traffic enters your VPC. If you choose a virtual private gateway, for **Destination IPv4 CIDR**, enter the destination subnet CIDR.

1. To add another destination subnet, choose **Add additional subnet**, and then do the following:
   + For **Middlebox**, choose the network interface ID that is associated with your middlebox appliance, or when you use a Gateway Load Balancer endpoint, choose the VPC endpoint ID.

     You must use the same middlebox appliance for multiple subnets.
   + For **Destination subnet**, choose the destination subnet.

1. Choose **Next**.

1. On the **Review and update** page, a list of route tables and their routes that will be created by the middlebox routing wizard is displayed. Verify the routes, and then in the confirmation dialog box, choose **Update routes**.

## 3. Delete the middlebox routing wizard configuration
<a name="deleting-routing-console"></a>

If you decide that you no longer want the middlebox routing wizard configuration, you must manually delete the route tables.

**To delete the middlebox routing wizard configuration**

1. View the middlebox routing wizard route tables.

   After you do so, the route tables that the middlebox routing wizard created are displayed on a separate route table page.

1. Delete each route table that is displayed.

## Middlebox routing wizard considerations
<a name="console-routes-considerations"></a>

Take the following into consideration when you use the middlebox routing wizard:
+ If you want to inspect traffic, you can use an internet gateway or a virtual private gateway for the source.
+ If you use the same middlebox in a multiple middlebox configuration within the same VPC, make sure that the middlebox is in the same hop position for both subnets.
+ The appliance must be configured in a separate subnet from the source or destination subnet.
+ You must disable source/destination checking on the appliance. For more information, see [Changing the Source or Destination Checking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#change_source_dest_check) in the *Amazon EC2 User Guide*.
+ The route tables and routes that the middlebox routing wizard creates count toward your quotas. For more information, see [Route tables](amazon-vpc-limits.md#vpc-limits-route-tables).
+ If you delete a resource, for example a network interface, the route table associations with the resource are removed. If the resource is a target, the route destination is set to blackhole. The route tables are not deleted.
+ The middlebox subnet and the destination subnet must be associated with a non-default route table.

  **Note**  
  We recommend that you use the middlebox routing wizard to modify or delete any route tables that you created using the middlebox routing wizard.
+ If you use middlebox routing to route through a security appliance, [security group referencing](security-group-rules.md#security-group-referencing) between the source and ultimate destination after inspection is not supported.

# Middlebox scenarios
<a name="middlebox-routing-examples"></a>

Amazon Virtual Private Cloud (VPC) provides a wide range of networking capabilities that allow you to customize and control the routing of traffic within your virtual network. One such feature is the middlebox routing wizard, which enables fine-grained control over the routing path of traffic entering or leaving your VPC.

If you need to redirect traffic to a security appliance, load balancer, or other network device for inspection, monitoring, or optimization purposes, the middlebox routing wizard can simplify the process. This wizard automatically creates the necessary route tables and routes (hops) to redirect the specified traffic as needed, eliminating the manual effort required to set up complex routing configurations.

The middlebox routing wizard supports several different scenarios. For example, you can use it to inspect traffic destined for a particular subnet, configure middlebox traffic routing and inspection across your entire VPC, or selectively inspect traffic between specific subnets. This granular control over traffic routing allows you to implement advanced security policies, enable centralized network monitoring, or optimize the performance of your cloud-based applications.

The following examples describe scenarios for the middlebox routing wizard.

**Topics**
+ [Inspect traffic destined for a subnet](internet-gateway-subnet.md)
+ [Configure middlebox traffic routing and inspection in a VPC](gwlb-route.md)
+ [Inspect traffic between subnets](intra-vpc-route.md)

# Inspect traffic destined for a subnet
<a name="internet-gateway-subnet"></a>

Consider the scenario where you have traffic coming into the VPC through an internet gateway and you want to inspect all traffic that is destined for a subnet, say subnet B, using a firewall appliance installed on an EC2 instance. The firewall appliance should be installed and configured on an EC2 instance in a separate subnet from subnet B in your VPC, say subnet C. You can then use the middlebox routing wizard to configure routes for traffic between subnet B and the internet gateway.

The middlebox routing wizard automatically performs the following operations:
+ Creates the following route tables:
  + A route table for the internet gateway
  + A route table for the destination subnet
  + A route table for the middlebox subnet
+ Adds the necessary routes to the new route tables as described in the following sections.
+ Disassociates the current route tables associated with the internet gateway, subnet B, and subnet C.
+ Associates route table A with the internet gateway (the **Source** in the middlebox routing wizard), route table C with subnet C (the **Middlebox** in the middlebox routing wizard), and route table B with subnet B (the **Destination** in the middlebox routing wizard).
+ Creates a tag that indicates it was created by the middlebox routing wizard, and a tag that indicates the creation date.

The middlebox routing wizard does not modify your existing route tables. It creates new route tables, and then associates them with your gateway and subnet resources. If your resources are already explicitly associated with existing route tables, the existing route tables are first disassociated, and then the new route tables are associated with your resources. Your existing route tables are not deleted.

If you do not use the middlebox routing wizard, you must manually configure the route tables, and then assign them to the subnets and the internet gateway.

![Inbound routing to a VPC](http://docs.aws.amazon.com/vpc/latest/userguide/images/ingress-routing-firewall-ipv6.png)


## Internet gateway route table
<a name="internet-gateway-igw-route-table"></a>

Add the following routes to the route table for the internet gateway.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| 10.0.0.0/16 | Local | Local route for IPv4 | 
| 10.0.1.0/24 | appliance-eni | Route IPv4 traffic destined for subnet B to the middlebox | 
| 2001:db8:1234:1a00::/56 | Local | Local route for IPv6 | 
| 2001:db8:1234:1a00::/64 | appliance-eni | Route IPv6 traffic destined for subnet B to the middlebox | 

There is an edge association between the internet gateway and the VPC.

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

## Destination subnet route table
<a name="internet-gateway-subnet-route-table"></a>

Add the following routes to the route table for the destination subnet (subnet B in the example diagram).


| Destination | Target | Purpose | 
| --- | --- | --- | 
| 10.0.0.0/16 | Local | Local route for IPv4 | 
| 0.0.0.0/0 | appliance-eni | Route IPv4 traffic destined for the internet to the middlebox | 
| 2001:db8:1234:1a00::/56 | Local | Local route for IPv6 | 
| ::/0 | appliance-eni | Route IPv6 traffic destined for the internet to the middlebox | 

There is a subnet association with the middlebox subnet.

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

## Middlebox subnet route table
<a name="internet-gateway-middlebox-subnet-route-table"></a>

Add the following routes to the route table for the middlebox subnet (subnet C in the example diagram).


| Destination | Target | Purpose | 
| --- | --- | --- | 
| 10.0.0.0/16 | Local | Local route for IPv4 | 
| 0.0.0.0/0 | igw-id | Route IPv4 traffic to the internet gateway | 
| 2001:db8:1234:1a00::/56 | Local | Local route for IPv6 | 
| ::/0 | eigw-id | Route IPv6 traffic to the egress-only internet gateway | 

There is a subnet association with the destination subnet.

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")
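The three tables above form one path: the internet gateway hands traffic for subnet B to the appliance, subnet B hands internet-bound traffic to the appliance, and subnet C hands it to the internet gateway. The following Python script is an added example, not part of this guide or of AWS tooling; it checks that path offline against a constructed listing shaped like the `RouteTables` output of `ec2 describe-route-tables`, and also flags any wizard route that has gone to `blackhole` after its target was deleted. The resource IDs, the sample addresses and the function names are assumptions.

```python
"""Offline check of the three route tables the wizard creates for this scenario
(added example, not AWS code). Input mirrors `ec2 describe-route-tables`; the data is constructed."""
import ipaddress

ORIGIN_TAG = {"Key": "Origin", "Value": "Middlebox wizard"}  # the tag the wizard sets
# Constructed sample. Resource IDs are placeholders; the CIDRs are the page's example values.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-A", "Tags": [ORIGIN_TAG],
     "Associations": [{"GatewayId": "igw-EXAMPLE"}],  # edge association with the internet gateway
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "10.0.1.0/24", "NetworkInterfaceId": "eni-APPLIANCE", "State": "active"}]},
    {"RouteTableId": "rtb-B", "Tags": [ORIGIN_TAG],
     "Associations": [{"SubnetId": "subnet-B"}],  # destination subnet
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-APPLIANCE", "State": "active"}]},
    {"RouteTableId": "rtb-C", "Tags": [ORIGIN_TAG],
     "Associations": [{"SubnetId": "subnet-C"}],  # middlebox subnet
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"}]},
]

def wizard_tables(tables):
    """Only the route tables the wizard created, identified by its Origin tag."""
    return [t for t in tables if ORIGIN_TAG in t.get("Tags", [])]

def next_hop(table, dest_ip):
    """Longest-prefix match over the table's IPv4 routes, as the VPC router does."""
    best_net, target = None, None
    for route in table["Routes"]:
        if "DestinationCidrBlock" not in route:
            continue  # IPv6 routes are out of scope for this IPv4 check
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if ipaddress.ip_address(dest_ip) in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net = net
            target = route.get("NetworkInterfaceId") or route.get("VpcEndpointId") or route.get("GatewayId")
    return target

def table_for(tables, key, resource_id):
    """The table whose association references resource_id under key (GatewayId or SubnetId)."""
    return next((t for t in tables if any(a.get(key) == resource_id for a in t.get("Associations", []))), None)

def check_inbound_inspection(tables, igw_id, appliance_eni, dest_subnet, mbox_subnet, dest_ip, inet_ip="198.51.100.1"):
    """Return findings; an empty list means every hop matches the wizard's layout."""
    findings = []
    expected_hops = [  # (association key, resource, sample destination address, expected target)
        ("GatewayId", igw_id, dest_ip, appliance_eni),      # internet gateway -> middlebox
        ("SubnetId", dest_subnet, inet_ip, appliance_eni),  # subnet B -> middlebox
        ("SubnetId", mbox_subnet, inet_ip, igw_id),         # subnet C -> internet gateway
    ]
    wizard = wizard_tables(tables)
    for key, resource, ip, expected in expected_hops:
        table = table_for(wizard, key, resource)
        if table is None:
            findings.append(f"{resource}: no wizard-created route table is associated")
        elif next_hop(table, ip) != expected:
            findings.append(f"{table['RouteTableId']}: {ip} -> {next_hop(table, ip)}, expected {expected}")
    # Deleting the appliance leaves the wizard's routes in place but blackholed (see the considerations).
    for table in wizard:
        for route in table["Routes"]:
            if route.get("State") == "blackhole":
                findings.append(f"{table['RouteTableId']}: blackhole route to {route.get('DestinationCidrBlock')}")
    return findings
```

Calling `check_inbound_inspection(ROUTE_TABLES, "igw-EXAMPLE", "eni-APPLIANCE", "subnet-B", "subnet-C", "10.0.1.25")` returns an empty list for the constructed tables; dropping `rtb-C` or naming a different appliance ENI produces one finding per broken hop.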

# Configure middlebox traffic routing and inspection in a VPC
<a name="gwlb-route"></a>

Consider the scenario where you need to inspect the traffic entering a VPC from the internet gateway and destined for a subnet, using a fleet of security appliances configured behind a Gateway Load Balancer. The owner of the service consumer VPC creates a Gateway Load Balancer endpoint in a subnet in their VPC (represented by an endpoint network interface). All traffic entering the VPC through the internet gateway is first routed to the Gateway Load Balancer endpoint for inspection before it's routed to the application subnet. Similarly, all traffic leaving the application subnet is first routed to the Gateway Load Balancer endpoint for inspection before it is routed to the internet.

The middlebox routing wizard automatically performs the following operations:
+ Creates the route tables.
+ Adds the necessary routes to the new route tables.
+ Disassociates the current route tables associated with the subnets.
+ Associates the route tables that the middlebox routing wizard creates with the subnets.
+ Creates a tag that indicates it was created by the middlebox routing wizard, and a tag that indicates the creation date.

The middlebox routing wizard does not modify your existing route tables. It creates new route tables, and then associates them with your gateway and subnet resources. If your resources are already explicitly associated with existing route tables, the existing route tables are first disassociated, and then the new route tables are associated with your resources. Your existing route tables are not deleted.

If you do not use the middlebox routing wizard, you must manually configure the route tables, and then assign them to the subnets and the internet gateway.

![Using a Gateway Load Balancer endpoint to access an endpoint service](http://docs.aws.amazon.com/vpc/latest/userguide/images/vpc-endpoint-service-gwlbe.png)


## Internet gateway route table
<a name="igw-route-table-table"></a>

The route table for the internet gateway has the following routes.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| Consumer VPC CIDR | Local | Local route | 
| Application subnet CIDR | endpoint-id | Routes traffic destined for the application subnet to the Gateway Load Balancer endpoint | 

There is an edge association with the gateway.

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

## Application subnet route table
<a name="subnet1-route-table-table"></a>

The route table for the application subnet has the following routes.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| Consumer VPC CIDR | Local | Local route | 
| 0.0.0.0/0 | endpoint-id | Route traffic from the application servers to the Gateway Load Balancer endpoint before it is routed to the internet | 

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

## Provider subnet route table
<a name="subnet2-route-table"></a>

The route table for the provider subnet has the following routes.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| Provider VPC CIDR | Local | Local route. Ensures that traffic originating from the internet is routed to the application servers | 
| 0.0.0.0/0 | igw-id | Routes all traffic to the internet gateway | 

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

# Inspect traffic between subnets
<a name="intra-vpc-route"></a>

Consider the scenario where you have multiple subnets in a VPC and you want to inspect the traffic between them using a firewall appliance. Configure and install the firewall appliance on an EC2 instance in a separate subnet in your VPC.

The following diagram shows a firewall appliance installed on an EC2 instance in subnet C. The appliance inspects all traffic that travels from subnet A to subnet B (see 1) and from subnet B to subnet A (see 2).

![Inspect subnet traffic](http://docs.aws.amazon.com/vpc/latest/userguide/images/middlebox-intra-vpc_updated.png)


You use the main route table for the VPC and the middlebox subnet. Subnets A and B each have a custom route table.

The middlebox routing wizard automatically performs the following operations:
+ Creates the route tables.
+ Adds the necessary routes to the new route tables.
+ Disassociates the current route tables associated with the subnets.
+ Associates the route tables that the middlebox routing wizard creates with the subnets.
+ Creates a tag that indicates it was created by the middlebox routing wizard, and a tag that indicates the creation date.

The middlebox routing wizard does not modify your existing route tables. It creates new route tables, and then associates them with your gateway and subnet resources. If your resources are already explicitly associated with existing route tables, the existing route tables are first disassociated, and then the new route tables are associated with your resources. Your existing route tables are not deleted.

If you do not use the middlebox routing wizard, you must manually configure the route tables, and then assign them to the subnets and the internet gateway.

## Custom route table for subnet A
<a name="subneta-route-table-table"></a>

The route table for subnet A has the following routes.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| VPC CIDR | Local | Local route | 
| Subnet B CIDR | appliance-eni | Route traffic destined for subnet B to the middlebox | 

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

## Custom route table for subnet B
<a name="subnetb-route-table-table"></a>

The route table for subnet B has the following routes.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| VPC CIDR | Local | Local route | 
| Subnet A CIDR | appliance-eni | Route traffic destined for subnet A to the middlebox | 

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

## Main route table
<a name="example-main-route-table"></a>

Subnet C uses the main route table. The main route table has the following route.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| VPC CIDR | Local | Local route | 

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")