Configuring Centralized Access to the Internet

1.5 hours
  • 5 Learning Objectives

About this Hands-on Lab

In this lab, you will be creating a centralized egress internet environment. You will be given access to two VPCs and will be deploying a transit gateway, network firewall, and NAT gateway before finishing the configuration with route table modifications. Finally, you will be testing web site access from an EC2 instance in one of the VPCs.

To complete this lab, you should have an understanding of all of the technologies mentioned above, as well as knowledge of the AWS Management Console.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a Transit Gateway and Attach to the New Transit Gateway Subnets in Each VPC

In this objective, you will be creating a transit gateway. Once this has been created, you will then create transit gateway attachments and configure these for the newly created subnets in the WorkloadVPC and EgressVPC.

Use the following information for this objective:

Creating a transit gateway

Name = Transit-Gateway-01
Description = WorkloadVPC-EgressVPC

WorkloadVPC transit gateway attachment

Name = WorkloadVPC-TGW-Att
Transit gateway ID = Transit-Gateway01
Attachment type = VPC
VPC ID = WorkloadVPC
Subnet ID = WorkloadVPCTransitUsEast1a

EgressVPC transit gateway attachment

Name = EgressVPC-TGW-Att
Transit gateway ID = Transit-Gateway01
Attachment type = VPC
VPC ID = EgressVPC
Subnet ID = EgressVPCTransitUsEast1a
Create Network Firewall Rule Group, Firewall Policy, and Network Firewall

In this objective, we will be creating the AWS Network Firewall.

Network Firewall rule groups

Rule group type = Stateful rule group
Name = WebsiteWhiteList
Capacity = 10
Stateful rule group options = Domain list
Rule order = Default
Domain name source =
Source IPs type = and
Protocols = HTTP and HTTPS
Action = Allow

Firewall policies

Name = TestFirewall-Policy
Stream exception policy = Drop

Stateless default actions

Choose how to tream fragmented packets = Use the same actions for all packets
Action = Forward to stateful rule groups

Stateful rule evaluation order and default actions

Rule order = Default

Stateful rule group

Add = WebsiteWhiteList


Name = TestNWFW
VPC = EgressVPC

Firewall Subnets

Availability Zone - us-east-1a
Subnet = EgressVPCFirewallUsEast1a
IP address type = IPv4

Associated firewall policy

Associate an existing firewall policy = Choose policy you created above

Create NAT Gateway

In this objective, we will be deploying a NAT gateway called EgressVPCNGW in the public subnet of our VPC.

Use the following settings for this objective:

Name = EgressVPCNGW
Subnet = EgressVPCNATUsEast1a
Connectivity type = Public
Elastic IP allocation ID = Allocate Elastic IP
Configure Route Tables

In this objective, we will configure the route tables for traffic to flow from the EC2 instance through the environment to the target website. For the transit gateway, make sure you add this as a static route.

WorkloadVPCPrivateRouteTable --> Transit Gateway

Transit Gateway Route Table --> egressVPC

EgressVPCTransitRouteTable --> Gateway Load Balancer - VPC endpoint

EgressVPCFirewallRouteTable --> NAT Gateway --> Transit Gateway

EgressVPCNATRouteTable --> Internet Gateway --> Gateway Load Balancer - VPC endpoint
Test Website Connectivity from EC2Instance1

Using EC2Instance1, test connectivity to

Connect to EC2Instance1 using the connection option in the EC2 console, and select the Session Manager tab. Once connected, issue the following commands to test:

Working Website Test


Blocked Website Test


Additional Resources

Windyfront Air Conditioning has been looking for ways to reduce complexity in their AWS environment. They decided to implement a centralized approach for egress traffic to the internet.

In this lab, you will be responsible for configuring a proof of concept deployment of the environment so testing by the Windyfront internal teams can take place.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?