

# Middlebox scenarios
<a name="middlebox-routing-examples"></a>

Amazon Virtual Private Cloud (VPC) provides a wide range of networking capabilities that allow you to customize and control the routing of traffic within your virtual network. One such feature is the middlebox routing wizard, which enables fine-grained control over the routing path of traffic entering or leaving your VPC.

If you need to redirect traffic to a security appliance, load balancer, or other network device for inspection, monitoring, or optimization purposes, the middlebox routing wizard can simplify the process. This wizard automatically creates the necessary route tables and routes (hops) to redirect the specified traffic as needed, eliminating the manual effort required to set up complex routing configurations.

The middlebox routing wizard supports several different scenarios. For example, you can use it to inspect traffic destined for a particular subnet, configure middlebox traffic routing and inspection across your entire VPC, or selectively inspect traffic between specific subnets. This granular control over traffic routing allows you to implement advanced security policies, enable centralized network monitoring, or optimize the performance of your cloud-based applications.

The following examples describe scenarios for the middlebox routing wizard.

**Topics**
+ [Inspect traffic destined for a subnet](internet-gateway-subnet.md)
+ [Configure middlebox traffic routing and inspection in a VPC](gwlb-route.md)
+ [Inspect traffic between subnets](intra-vpc-route.md)

# Inspect traffic destined for a subnet
<a name="internet-gateway-subnet"></a>

Consider the scenario where you have traffic coming into the VPC through an internet gateway and you want to inspect all traffic that is destined for a subnet, say subnet B, using a firewall appliance installed on an EC2 instance. The firewall appliance should be installed and configured on an EC2 instance in a separate subnet from subnet B in your VPC, say subnet C. You can then use the middlebox routing wizard to configure routes for traffic between subnet B and the internet gateway.

The middlebox routing wizard automatically performs the following operations:
+ Creates the following route tables:
  + Route table A for the internet gateway
  + Route table B for the destination subnet
  + Route table C for the middlebox subnet
+ Adds the necessary routes to the new route tables as described in the following sections.
+ Disassociates the current route tables associated with the internet gateway, subnet B, and subnet C.
+ Associates route table A with the internet gateway (the **Source** in the middlebox routing wizard), route table C with subnet C (the **Middlebox** in the middlebox routing wizard), and route table B with subnet B (the **Destination** in the middlebox routing wizard).
+ Creates a tag that indicates it was created by the middlebox routing wizard, and a tag that indicates the creation date.

The middlebox routing wizard does not modify your existing route tables. It creates new route tables, and then associates them with your gateway and subnet resources. If your resources are already explicitly associated with existing route tables, the existing route tables are first disassociated, and then the new route tables are associated with your resources. Your existing route tables are not deleted.

If you do not use the middlebox routing wizard, you must manually create the route tables, add the routes, and then associate the route tables with the subnets and the internet gateway.

![\[Inbound routing to a VPC\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/ingress-routing-firewall-ipv6.png)


## Internet gateway route table
<a name="internet-gateway-igw-route-table"></a>

Add the following routes to the route table for the internet gateway.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| 10.0.0.0/16 | Local | Local route for IPv4 | 
| 10.0.1.0/24 | appliance-eni | Route IPv4 traffic destined for subnet B to the middlebox | 
| 2001:db8:1234:1a00::/56 | Local | Local route for IPv6 | 
| 2001:db8:1234:1a00::/64 | appliance-eni | Route IPv6 traffic destined for subnet B to the middlebox | 

This route table has an edge association with the internet gateway, so it is evaluated for traffic entering the VPC through that gateway.

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

## Destination subnet route table
<a name="internet-gateway-subnet-route-table"></a>

Add the following routes to the route table for the destination subnet (subnet B in the example diagram).


| Destination | Target | Purpose | 
| --- | --- | --- | 
| 10.0.0.0/16 | Local | Local route for IPv4 | 
| 0.0.0.0/0 | appliance-eni | Route IPv4 traffic destined for the internet to the middlebox | 
| 2001:db8:1234:1a00::/56 | Local | Local route for IPv6 | 
| ::/0 | appliance-eni | Route IPv6 traffic destined for the internet to the middlebox | 

This route table has a subnet association with the destination subnet (subnet B).

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

## Middlebox subnet route table
<a name="internet-gateway-middlebox-subnet-route-table"></a>

Add the following routes to the route table for the middlebox subnet (subnet C in the example diagram).


| Destination | Target | Purpose | 
| --- | --- | --- | 
| 10.0.0.0/16 | Local | Local route for IPv4 | 
| 0.0.0.0/0 | igw-id | Route IPv4 traffic to the internet gateway | 
| 2001:db8:1234:1a00::/56 | Local | Local route for IPv6 | 
| ::/0 | eigw-id | Route IPv6 traffic to the egress-only internet gateway | 

This route table has a subnet association with the middlebox subnet (subnet C). Because the middlebox subnet has no route back to the appliance, traffic that the appliance forwards is delivered directly: inbound to subnet B through the local route, outbound through the internet gateway (IPv4) or the egress-only internet gateway (IPv6).

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

# Configure middlebox traffic routing and inspection in a VPC
<a name="gwlb-route"></a>

Consider the scenario where you need to inspect the traffic entering a VPC from the internet gateway and destined for a subnet, using a fleet of security appliances configured behind a Gateway Load Balancer. The owner of the service consumer VPC creates a Gateway Load Balancer endpoint in a subnet in their VPC (represented by an endpoint network interface). All traffic entering the VPC through the internet gateway is first routed to the Gateway Load Balancer endpoint for inspection before it is routed to the application subnet. Similarly, all traffic leaving the application subnet is first routed to the Gateway Load Balancer endpoint for inspection before it is routed to the internet.

The middlebox routing wizard automatically performs the following operations:
+ Creates the route tables.
+ Adds the necessary routes to the new route tables.
+ Disassociates the current route tables associated with the subnets.
+ Associates the route tables that the middlebox routing wizard creates with the subnets.
+ Creates a tag that indicates it was created by the middlebox routing wizard, and a tag that indicates the creation date.

The middlebox routing wizard does not modify your existing route tables. It creates new route tables, and then associates them with your gateway and subnet resources. If your resources are already explicitly associated with existing route tables, the existing route tables are first disassociated, and then the new route tables are associated with your resources. Your existing route tables are not deleted.

If you do not use the middlebox routing wizard, you must manually create the route tables, add the routes, and then associate the route tables with the subnets and the internet gateway.

![\[Using a Gateway Load Balancer endpoint to access an endpoint service\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/vpc-endpoint-service-gwlbe.png)


## Internet gateway route table
<a name="igw-route-table-table"></a>

The route table for the internet gateway has the following routes.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| Consumer VPC CIDR | Local | Local route | 
| Application subnet CIDR | endpoint-id | Routes traffic destined for the application subnet to the Gateway Load Balancer endpoint | 

This route table has an edge association with the internet gateway.

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

## Application subnet route table
<a name="subnet1-route-table-table"></a>

The route table for the application subnet has the following routes.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| Consumer VPC CIDR | Local | Local route | 
| 0.0.0.0/0 | endpoint-id | Route traffic from the application servers to the Gateway Load Balancer endpoint before it is routed to the internet | 

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

## Provider subnet route table
<a name="subnet2-route-table"></a>

The route table for the provider subnet has the following routes.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| Provider VPC CIDR | Local | Local route. Ensures that traffic originating from the internet is routed to the application servers | 
| 0.0.0.0/0 | igw-id | Routes all traffic to the internet gateway | 

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")
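The wizard leaves behind route tables tagged `Origin=Middlebox wizard`, but nothing stops an operator from later deleting the route to the appliance, re-associating a subnet with the main route table, or terminating the appliance so its route turns to `blackhole`. Each of those silently removes inspection rather than failing loudly. The following audit script is an added example, not part of the AWS documentation or of any AWS tool. It reads the output shape of `aws ec2 describe-route-tables` (a constructed sample is embedded, with made-up resource IDs) and flags wizard-tagged tables that have lost their association, edge-associated tables that no longer route anything to a middlebox (an appliance ENI as in the first scenario or a Gateway Load Balancer endpoint as in the second), and blackholed routes.

```python
"""Audit route tables created by the middlebox routing wizard for drift.

Added example, not part of the AWS documentation. Input is constructed in the
shape returned by `aws ec2 describe-route-tables --output json`; the resource
IDs are made up.
"""
import copy

WIZARD_TAG_KEY, WIZARD_TAG_VALUE = "Origin", "Middlebox wizard"


def tag_map(route_table):
    return {t["Key"]: t["Value"] for t in route_table.get("Tags", [])}


def route_target(route):
    """describe-route-tables reports the target in whichever field applies."""
    for field in ("NetworkInterfaceId", "VpcEndpointId", "GatewayId",
                  "EgressOnlyInternetGatewayId"):
        if field in route:
            return route[field]
    return "?"


def is_middlebox_target(route):
    # An appliance ENI (scenarios 1 and 3) or a Gateway Load Balancer endpoint (scenario 2).
    return "NetworkInterfaceId" in route or "VpcEndpointId" in route


def audit(describe_output):
    """Return a list of findings for wizard-tagged route tables; an empty list means healthy."""
    findings = []
    for rt in describe_output["RouteTables"]:
        if tag_map(rt).get(WIZARD_TAG_KEY) != WIZARD_TAG_VALUE:
            continue  # not created by the wizard; out of scope for this check
        rid = rt["RouteTableId"]
        assocs = [a for a in rt.get("Associations", [])
                  if a.get("AssociationState", {}).get("State") == "associated"]
        if not assocs:
            findings.append(f"{rid}: no association left; its subnet or gateway now uses "
                            "another table, so traffic bypasses the middlebox")
        if (any("GatewayId" in a for a in assocs)
                and not any(is_middlebox_target(r) for r in rt["Routes"])):
            findings.append(f"{rid}: edge-associated table routes nothing to a middlebox; "
                            "ingress traffic is delivered directly to the destination subnet")
        for r in rt["Routes"]:
            if r.get("State") == "blackhole":
                dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
                findings.append(f"{rid}: route {dest} -> {route_target(r)} is blackholed; "
                                "the appliance ENI or endpoint behind it is gone")
    return findings


def _rt(rid, routes, assoc, tagged=True):
    """Build one route table record (constructed sample data)."""
    return {
        "RouteTableId": rid,
        "VpcId": "vpc-0123456789abcdef0",
        "Routes": [{"State": "active", **r} for r in routes],
        "Associations": [{"RouteTableId": rid, "AssociationState": {"State": "associated"}, **assoc}],
        "Tags": [{"Key": "Origin", "Value": "Middlebox wizard"},
                 {"Key": "date_created", "Value": "2021-02-18T22:25:49.137Z"}] if tagged else [],
    }


LOCAL4 = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
APPLIANCE = "eni-0a1b2c3d4e5f67890"  # made-up appliance ENI

# Healthy state for the "Inspect traffic destined for a subnet" scenario.
HEALTHY = {"RouteTables": [
    _rt("rtb-aaaa", [LOCAL4, {"DestinationCidrBlock": "10.0.1.0/24", "NetworkInterfaceId": APPLIANCE}],
        {"GatewayId": "igw-0123456789abcdef0"}),                     # route table A (edge association)
    _rt("rtb-bbbb", [LOCAL4, {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": APPLIANCE}],
        {"SubnetId": "subnet-bbbb"}),                                # route table B (destination subnet)
    _rt("rtb-cccc", [LOCAL4, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"}],
        {"SubnetId": "subnet-cccc"}),                                # route table C (middlebox subnet)
    _rt("rtb-main", [LOCAL4], {"Main": True}, tagged=False),        # pre-existing main table, untagged
]}


def drifted():
    """Three changes an operator might make that silently defeat inspection."""
    d = copy.deepcopy(HEALTHY)
    a, b = d["RouteTables"][0], d["RouteTables"][1]
    del a["Routes"][1]                       # the IGW -> appliance route was removed
    b["Associations"] = []                   # subnet B was re-associated with the main table
    b["Routes"][1]["State"] = "blackhole"    # the appliance ENI was deleted
    return d


if __name__ == "__main__":
    for line in audit(drifted()) or ["no findings"]:
        print(line)
```

Run it against real output by loading the JSON from `aws ec2 describe-route-tables` in place of `HEALTHY`. The check deliberately keys on the wizard's `Origin` tag rather than on route table names, because the tag is the only marker the wizard guarantees; a table that someone untagged drops out of the audit, so consider alerting on tag removal separately.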

# Inspect traffic between subnets
<a name="intra-vpc-route"></a>

Consider the scenario where you have multiple subnets in a VPC and you want to inspect the traffic between them using a firewall appliance. Configure and install the firewall appliance on an EC2 instance in a separate subnet in your VPC.

The following diagram shows a firewall appliance installed on an EC2 instance in subnet C. The appliance inspects all traffic that travels from subnet A to subnet B (see 1) and from subnet B to subnet A (see 2).

![\[Inspect subnet traffic\]](http://docs.aws.amazon.com/vpc/latest/userguide/images/middlebox-intra-vpc_updated.png)


Subnet C, the middlebox subnet, uses the main route table for the VPC. Subnets A and B each have a custom route table.

The middlebox routing wizard automatically performs the following operations:
+ Creates the route tables.
+ Adds the necessary routes to the new route tables.
+ Disassociates the current route tables associated with the subnets.
+ Associates the route tables that the middlebox routing wizard creates with the subnets.
+ Creates a tag that indicates it was created by the middlebox routing wizard, and a tag that indicates the creation date.

The middlebox routing wizard does not modify your existing route tables. It creates new route tables, and then associates them with your gateway and subnet resources. If your resources are already explicitly associated with existing route tables, the existing route tables are first disassociated, and then the new route tables are associated with your resources. Your existing route tables are not deleted.

If you do not use the middlebox routing wizard, you must manually create the route tables, add the routes, and then associate the route tables with the subnets.

## Custom route table for subnet A
<a name="subneta-route-table-table"></a>

The route table for subnet A has the following routes.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| VPC CIDR | Local | Local route | 
| Subnet B CIDR | appliance-eni | Route traffic destined for subnet B to the middlebox | 

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

## Custom route table for subnet B
<a name="subnetb-route-table-table"></a>

The route table for subnet B has the following routes.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| VPC CIDR | Local | Local route | 
| Subnet A CIDR | appliance-eni | Route traffic destined for subnet A to the middlebox | 

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")

## Main route table
<a name="example-main-route-table"></a>

Subnet C uses the main route table. The main route table has the following route.


| Destination | Target | Purpose | 
| --- | --- | --- | 
| VPC CIDR | Local | Local route | 

When you use the middlebox routing wizard, it associates the following tags with the route table:
+ The key is "Origin" and the value is "Middlebox wizard"
+ The key is "date_created" and the value is the creation time (for example, "2021-02-18T22:25:49.137Z")
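The tables in the "Inspect traffic destined for a subnet" and "Inspect traffic between subnets" scenarios work because of two properties that are easy to miss when reading them as lists: a VPC route table uses longest-prefix match (the /24 route to `appliance-eni` beats the /16 local route in the internet gateway table), and the appliance's forwarded packets are routed by the middlebox subnet's own table, which must not point back at the appliance. The following simulator is an added example, not part of the AWS documentation. It copies the route tables from those two scenarios, traces every hop for ingress, egress, IPv6 and intra-VPC traffic, and then shows the two misconfigurations a reviewer should check for: a missing edge association (ingress traffic reaches subnet B without inspection) and a destination subnet left on the main route table (only one direction of the flow is inspected). The CIDRs the page does not specify (subnet C in the first scenario, all three subnets in the third) are assumptions.

```python
"""Trace the hop-by-hop path a packet takes through the route tables on this page.

Added example, not part of the AWS documentation. Route tables are copied from
the page; subnet CIDRs the page leaves unspecified are assumptions.
"""
import ipaddress

VPC4, VPC6 = "10.0.0.0/16", "2001:db8:1234:1a00::/56"


def best_route(routes, dst):
    """Longest-prefix match over (cidr, target) pairs, as a VPC route table does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, target)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


class Vpc:
    def __init__(self, subnets, tables, igw_table=None, appliance_subnet="C"):
        self.subnets = subnets        # subnet name -> (list of CIDRs, route table name)
        self.tables = tables          # route table name -> [(cidr, target), ...]
        self.igw_table = igw_table    # table with an edge association to the IGW, if any
        self.appliance_subnet = appliance_subnet

    def subnet_of(self, dst):
        addr = ipaddress.ip_address(dst)
        for name, (cidrs, _) in self.subnets.items():
            if any(addr in ipaddress.ip_network(c) for c in cidrs):
                return name
        raise LookupError(f"{dst} is in the VPC CIDR but in no known subnet")

    def trace(self, src, dst):
        """Hops from `src` ("igw" for traffic entering from the internet, else a subnet name) to `dst`."""
        if src == "igw":
            # Without an edge association the IGW only has the VPC's implicit local routes.
            routes = self.tables[self.igw_table] if self.igw_table else [(VPC4, "local"), (VPC6, "local")]
            hops = ["igw"]
        else:
            routes = self.tables[self.subnets[src][1]]
            hops = [f"subnet {src}"]
        for _ in range(3):  # a correct path never needs more than two lookups
            target = best_route(routes, dst)
            if target == "local":
                hops.append(f"subnet {self.subnet_of(dst)}")
                return hops
            if target in ("igw", "eigw"):
                hops.append(target)
                return hops
            if target != "appliance-eni":
                raise ValueError(f"unknown target {target}")
            if hops[-1] == "appliance-eni":
                raise RuntimeError("middlebox subnet routes back to the appliance: forwarding loop")
            hops.append("appliance-eni")  # the appliance forwards using its own subnet's table
            routes = self.tables[self.subnets[self.appliance_subnet][1]]
        raise RuntimeError("forwarding loop")

    def inspected(self, src, dst):
        return "appliance-eni" in self.trace(src, dst)


def scenario_one(edge_association=True):
    """Inspect traffic destined for a subnet: tables A, B and C as on the page."""
    tables = {
        "A": [(VPC4, "local"), ("10.0.1.0/24", "appliance-eni"),
              (VPC6, "local"), ("2001:db8:1234:1a00::/64", "appliance-eni")],
        "B": [(VPC4, "local"), ("0.0.0.0/0", "appliance-eni"), (VPC6, "local"), ("::/0", "appliance-eni")],
        "C": [(VPC4, "local"), ("0.0.0.0/0", "igw"), (VPC6, "local"), ("::/0", "eigw")],
    }
    subnets = {"B": (["10.0.1.0/24", "2001:db8:1234:1a00::/64"], "B"),
               "C": (["10.0.2.0/24", "2001:db8:1234:1a01::/64"], "C")}  # subnet C CIDRs assumed
    return Vpc(subnets, tables, igw_table="A" if edge_association else None)


def scenario_three(subnet_b_table="B"):
    """Inspect traffic between subnets; pass "main" to model subnet B left on the main table."""
    tables = {"A": [(VPC4, "local"), ("10.0.1.0/24", "appliance-eni")],
              "B": [(VPC4, "local"), ("10.0.0.0/24", "appliance-eni")],
              "main": [(VPC4, "local")]}
    subnets = {"A": (["10.0.0.0/24"], "A"), "B": (["10.0.1.0/24"], subnet_b_table),
               "C": (["10.0.2.0/24"], "main")}  # all three CIDRs assumed
    return Vpc(subnets, tables)


if __name__ == "__main__":
    one = scenario_one()
    print(one.trace("igw", "10.0.1.10"))     # ['igw', 'appliance-eni', 'subnet B']
    print(one.trace("B", "203.0.113.10"))    # ['subnet B', 'appliance-eni', 'igw']
    print(one.trace("B", "2001:db8::1"))     # ['subnet B', 'appliance-eni', 'eigw']
    print(scenario_one(edge_association=False).trace("igw", "10.0.1.10"))  # ['igw', 'subnet B']
    three = scenario_three("main")
    print(three.trace("A", "10.0.1.20"), three.trace("B", "10.0.0.20"))    # only A -> B is inspected
```

The `inspected` helper is the check to automate before signing off on a middlebox design: call it for both directions of every flow you expect the appliance to see. A path that is inspected in only one direction breaks stateful firewalls and gives an attacker an uninspected channel, and the loop guard catches the mistake of giving the middlebox subnet a table that routes the destination back to the appliance.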