The following routing configuration was used in the sample deployment
In AWS the following components are required to programmatically create the routing infrastructure:
Route - The route defines the destination CIDR block. The destination gateway is either defined inline as a property or via connection to a gateway
Route Table - The route table is associated with the VPC
Route Table Association - The association component connects the route, route table and the appropriate subnets
NAT Gateway - NAT Gateway allows resources on the private subnet to access the Internet NAT and Internet gateway
EIP - Elastic IP associated with the NAT Gateway
Routes and Route Table
Besides the local routes for the VPC CIDR Blocks, the following routes are defined.
Private Subnet - 0.0.0.0/0 to NAT Gateway
Protected Subnet - 0.0.0.0/0 to VPCE-xxx (this is the VPC Endpoint for the firewall)
Public Subnet - 0.0.0.0 to Internet Gateway
IGW Route table - This is a special route table that's unique where the route table is defined by associating the IGW under Edge Associations (instead of a subnet). For forwarding all ingress traffic to the protected subnet, we add a route for 172.21.30.0/23 (the protected subnet CIDR block) and add the next hop as VPCE-xxx (this is the VPC Endpoint for the firewall)
All egress traffic from the private subnet is forwarded to the NAT gateway and eventually to the firewall.
All ingress traffic from the Internet that is passed through the IGW, is forwarded to the firewall for inspection. Once the firewall inspects the traffic, it forwards the traffic to the load balancer in the protected subnet in the sample deployment.
The following diagram depicts the appropriate connections. QMCLOUD offers "Auto Connections" feature that connects most commonly used connections on the canvas automatically thus reducing the effort required by the end users.
Defining connections (Dependencies) for VPC, Subnet and Routing components
You will need to either use auto connection or manually connect each of the remaining subnets and the corresponding routing components. Note that the public subnet connects to the Internet Gateway as shown in the summary section diagram.