Generated by Merlin Studio (https://app.merlin-studio.cloud). Licensed under the Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0).
This landing zone uses a hub-and-spoke network built on AWS Transit Gateway: every VPC attaches to the regional Transit Gateway (RAM-shared from the Network account), so inter-VPC and warm-standby DR traffic flows through one managed hub instead of a mesh of peering connections.
All internet-bound traffic is inspected at a single, audited boundary (the AWS Security Reference Architecture inspection VPC pattern):
```
spoke VPC ─► Transit Gateway ─► inspection VPC (inspection)
                                      │
                                      ├─ AWS Network Firewall (inspection-nfw)
                                      ├─ NAT gateway (per AZ)
                                      └─ Internet gateway ─► internet
```
- Spokes have no local internet. Each spoke's default route (0.0.0.0/0) points at the Transit Gateway; they have no NAT/IGW of their own, so nothing can bypass inspection.
- Appliance mode on the inspection VPC's TGW attachment keeps each flow pinned to one Availability Zone's firewall endpoint, so the stateful firewall sees both directions of every connection.
- Per-AZ data plane: TGW subnet ─► firewall endpoint ─► NAT ─► IGW, with return traffic for spoke CIDRs routed back through the same AZ's firewall endpoint.
Three Transit Gateway route tables, one per routing domain:
- main-tgw-inspection — inspection domain
- main-tgw-spokes — spokes domain
- main-tgw-cde — cde domain
Spokes associate to their domain and propagate their CIDRs into the inspection
domain; a static 0.0.0.0/0 in each spoke domain points at the inspection VPC
attachment.
Regulated workloads: the CDE (and PHI) spokes are isolated in their own route domain — they never share a routing table with non-CDE workloads (PCI-DSS Req 1.2 / 1.3 segmentation), yet their egress is still inspected.
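The routing rules above (no spoke-owned IGW/NAT, default route to the TGW, appliance mode on the inspection attachment, per-AZ return path, and a CDE domain that never shares a table with non-CDE attachments) are the kind of thing that drifts silently. The checker below is an added example, not code from this bundle or its generator: it models the topology as plain dicts with constructed VPC names, CIDRs and endpoint IDs, and reports every violation of the design. A real run would fill the same structures from the EC2 describe-* APIs.

```python
"""Invariant checker for the hub-and-spoke inspection topology described above.

Added example: this is not code from the landing-zone bundle or its generator.
The dict model, the VPC/attachment names, CIDRs and endpoint IDs below are all
constructed; a real check would populate the same structures from the EC2 API
(describe-transit-gateway-route-tables, describe-route-tables, ...).
"""
from copy import deepcopy

TGW = "tgw-main"                      # constructed Transit Gateway ID
SPOKE_CIDRS = ["10.1.0.0/16", "10.2.0.0/16", "10.9.0.0/16"]


def _az(endpoint):
    # Return routes in one AZ of the inspection VPC: every spoke CIDR goes back
    # through that AZ's own firewall endpoint (no cross-AZ hairpin).
    return {"firewall_endpoint": endpoint, "routes": {c: endpoint for c in SPOKE_CIDRS}}


VPCS = {
    "spoke-app":  {"cidr": "10.1.0.0/16", "domain": "spokes", "igw": False, "nat": False,
                   "routes": {"0.0.0.0/0": TGW}},
    "spoke-data": {"cidr": "10.2.0.0/16", "domain": "spokes", "igw": False, "nat": False,
                   "routes": {"0.0.0.0/0": TGW}},
    "spoke-cde":  {"cidr": "10.9.0.0/16", "domain": "cde", "igw": False, "nat": False,
                   "routes": {"0.0.0.0/0": TGW}},
    "inspection": {"cidr": "10.0.0.0/16", "domain": "inspection", "igw": True, "nat": True,
                   "appliance_mode": True,
                   "az_routes": {"az-a": _az("vpce-fw-a"), "az-b": _az("vpce-fw-b")}},
}

ROUTE_TABLES = {
    "main-tgw-inspection": {"domain": "inspection", "associations": ["inspection"],
                            "propagations": ["spoke-app", "spoke-data", "spoke-cde"], "static": {}},
    "main-tgw-spokes": {"domain": "spokes", "associations": ["spoke-app", "spoke-data"],
                        "propagations": [], "static": {"0.0.0.0/0": "inspection"}},
    "main-tgw-cde": {"domain": "cde", "associations": ["spoke-cde"],
                     "propagations": [], "static": {"0.0.0.0/0": "inspection"}},
}


def check_topology(vpcs, tables, tgw=TGW):
    """Return the list of design violations; an empty list means the topology holds."""
    findings = []
    hubs = [n for n, v in vpcs.items() if v["domain"] == "inspection"]
    if len(hubs) != 1:
        return [f"expected exactly one inspection VPC, found {hubs}"]
    hub, hub_cfg = hubs[0], vpcs[hubs[0]]
    spokes = {n: v for n, v in vpcs.items() if n != hub}

    # Appliance mode keeps both directions of a flow on one AZ's firewall endpoint.
    if not hub_cfg.get("appliance_mode"):
        findings.append(f"{hub}: TGW attachment lacks appliance mode (asymmetric flows)")

    # Spokes own no internet path and default to the TGW.
    for name, v in spokes.items():
        if v["igw"] or v["nat"]:
            findings.append(f"{name}: spoke must not own an IGW/NAT (inspection bypass)")
        if v["routes"].get("0.0.0.0/0") != tgw:
            findings.append(f"{name}: default route must point at {tgw}")

    # Per-AZ return path: each spoke CIDR routes back via that AZ's firewall endpoint.
    for az, cfg in hub_cfg["az_routes"].items():
        for name, v in spokes.items():
            if cfg["routes"].get(v["cidr"]) != cfg["firewall_endpoint"]:
                findings.append(f"{hub}/{az}: {v['cidr']} must return via {cfg['firewall_endpoint']}")

    # Route domains: spokes propagate into the inspection domain; every other
    # domain holds only its own attachments plus a static default to the hub.
    for t_name, t in tables.items():
        if t["domain"] == "inspection":
            missing = sorted(set(spokes) - set(t["propagations"]))
            if missing:
                findings.append(f"{t_name}: {missing} do not propagate into the inspection domain")
            continue
        if t["static"].get("0.0.0.0/0") != hub:
            findings.append(f"{t_name}: needs a static 0.0.0.0/0 -> {hub}")
        for member in set(t["associations"]) | set(t["propagations"]):
            if vpcs[member]["domain"] != t["domain"]:
                findings.append(f"{t_name}: {member} ({vpcs[member]['domain']}) leaks into the {t['domain']} domain")

    # Each spoke is associated with exactly one table, the one for its own domain.
    for name, v in spokes.items():
        assoc = [t for t, cfg in tables.items() if name in cfg["associations"]]
        if len(assoc) != 1 or tables[assoc[0]]["domain"] != v["domain"]:
            findings.append(f"{name}: must associate with exactly one {v['domain']} table, got {assoc}")
    return findings


def broken_example():
    """Mutate the constructed topology two ways a drift review would catch."""
    vpcs, tables = deepcopy(VPCS), deepcopy(ROUTE_TABLES)
    vpcs["spoke-data"]["igw"] = True                             # a spoke grew its own IGW
    tables["main-tgw-cde"]["propagations"].append("spoke-app")   # non-CDE CIDR in the CDE domain
    return check_topology(vpcs, tables)


if __name__ == "__main__":
    print("baseline:", check_topology(VPCS, ROUTE_TABLES) or "OK")
    for f in broken_example():
        print("drift:", f)
```

The baseline topology returns no findings; `broken_example()` shows the two drifts that matter most for the boundary (a spoke that acquired its own internet path, and a non-CDE attachment propagated into the CDE table), each reported as a one-line finding that names the offending resource.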
- Policy: inspection-nfw-policy (rule order: STRICT_ORDER).
- Default stateful actions: aws:drop_established, aws:alert_established.
- AWS-managed stateful rule groups:
  - AWSManagedRulesBotNetCommandAndControlDomainsStrictOrder
  - AWSManagedRulesMalwareDomainsStrictOrder
  - AWSManagedRulesAbusedLegitMalwareDomainsStrictOrder
- Flow + alert logging to CloudWatch in the inspection account.
The OpenTofu, CDK, and tfvars formats attach the AWS-managed rule groups by ARN. The Landing Zone Accelerator authors equivalent stateful rules in firewall-rules/rules.txt (LZA does not reference managed-group ARNs the same way); extend it with your organization's egress policy.
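As an added example (not code from this bundle, and not its rules.txt), the block below builds the policy described above in the FirewallPolicy structure of the Network Firewall CreateFirewallPolicy API, validates the two settings that decide whether unmatched egress is dropped or silently allowed, and lints a constructed Suricata-format allow-list of the shape an organization would append to its egress rules. The managed rule-group names are the three listed above; the region, the stateless defaults and the example rule-group ARN passed in the usage are assumptions of this example.

```python
"""Inspection firewall policy builder plus a lint for a Suricata-format egress rule file.

Added example, not code from the landing-zone bundle. The policy dict follows the
FirewallPolicy structure of the Network Firewall CreateFirewallPolicy API; the
managed rule-group names are the three listed above, REGION is an example value,
and EGRESS_RULES is a constructed allow-list, not the bundle's rules.txt.
"""
import re

REGION = "us-east-1"  # example region; use the landing zone's own
MANAGED_GROUPS = [    # block lists first: in STRICT_ORDER they are evaluated before the allow-list
    "AWSManagedRulesBotNetCommandAndControlDomainsStrictOrder",
    "AWSManagedRulesMalwareDomainsStrictOrder",
    "AWSManagedRulesAbusedLegitMalwareDomainsStrictOrder",
]
ARN_RE = re.compile(r"^arn:aws:network-firewall:[a-z0-9-]+:(aws-managed|\d{12}):stateful-rulegroup/[A-Za-z0-9_-]+$")
RULE_RE = re.compile(r"^(pass|drop|alert|reject)\s+\S+\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((?P<opts>.*)\)$")


def managed_group_arn(name, region=REGION):
    # AWS-managed stateful rule groups are referenced under the pseudo-account "aws-managed".
    return f"arn:aws:network-firewall:{region}:aws-managed:stateful-rulegroup/{name}"


def build_inspection_policy(region=REGION, org_group_arns=()):
    """Strict-order policy: managed block lists, then the organization's own groups."""
    refs = [{"ResourceArn": managed_group_arn(n, region), "Priority": i + 1}
            for i, n in enumerate(MANAGED_GROUPS)]
    refs += [{"ResourceArn": arn, "Priority": len(refs) + i + 1}
             for i, arn in enumerate(org_group_arns)]
    return {
        # Stateless layer just hands everything to the stateful engine (assumption of this example).
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        # Anything no rule passed is dropped once established, and logged.
        "StatefulDefaultActions": ["aws:drop_established", "aws:alert_established"],
        "StatefulRuleGroupReferences": refs,
    }


def validate_policy(policy):
    """Catch the mistakes that turn this policy into an accidental allow-all."""
    findings = []
    order = policy.get("StatefulEngineOptions", {}).get("RuleOrder", "DEFAULT_ACTION_ORDER")
    if policy.get("StatefulDefaultActions") and order != "STRICT_ORDER":
        findings.append("StatefulDefaultActions are only honoured with RuleOrder STRICT_ORDER")
    if not any(a.startswith("aws:drop") for a in policy.get("StatefulDefaultActions", [])):
        findings.append("no drop default action: unmatched egress would be allowed")
    refs = policy.get("StatefulRuleGroupReferences", [])
    prios = [r.get("Priority") for r in refs]
    if order == "STRICT_ORDER" and (None in prios or len(set(prios)) != len(prios)):
        findings.append("STRICT_ORDER needs a unique Priority on every rule group reference")
    findings += [f"malformed rule group ARN: {r.get('ResourceArn')}"
                 for r in refs if not ARN_RE.match(r.get("ResourceArn", ""))]
    return findings


# Constructed egress allow-list in the Suricata syntax the rules file uses:
# pass the approved SNI, drop (and log) every other TLS connection.
EGRESS_RULES = """\
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".example.com"; endswith; msg:"allow example.com"; sid:1000001; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"deny TLS egress not on allow list"; sid:1000002; rev:1;)
"""


def lint_suricata(text):
    """Flag rules without a sid and sids used twice; both stop the rule set loading cleanly."""
    findings, sids = [], set()
    for ln, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append(f"line {ln}: not a recognised rule")
            continue
        sid = re.search(r"\bsid:(\d+);", m["opts"])
        if not sid:
            findings.append(f"line {ln}: missing sid")
        elif sid[1] in sids:
            findings.append(f"line {ln}: duplicate sid {sid[1]}")
        else:
            sids.add(sid[1])
    return findings


if __name__ == "__main__":
    policy = build_inspection_policy()
    print(validate_policy(policy) or "policy OK", lint_suricata(EGRESS_RULES) or "rules OK")
```

Two points the validator encodes: the `*_established` default actions are only valid under STRICT_ORDER, so switching the rule order to DEFAULT_ACTION_ORDER without also removing them is an error rather than a harmless change, and a strict-order policy with no drop default passes whatever the rule groups did not match, which is the opposite of the audited boundary this topology exists to provide.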
Centralized inspection is the default for the advanced profile and is applied whenever a boundary-control framework (PCI-DSS, FedRAMP, NIST 800-53, EUCS) is in scope — those frameworks require a controlled, inspected egress boundary (PCI-DSS Req 1 network security controls, NIST/FedRAMP SC-7). It is a deliberate tradeoff: a uniform audited boundary in exchange for the NAT + firewall-endpoint cost and an extra network hop.
Generated from the topology source of truth
(generators/aws_network_topology.py); every IaC format in this bundle renders
the same topology.