Troubleshooting by bypassing inspection

If you encounter network issues that disrupt inspection in your cloud environment, you can rule out Network Security as the source of these issues by briefly bypassing inspection. To bypass inspection, you can use either an API command or manually modify the route table that sends traffic to your Network Security endpoints for inspection.

Use the following API to bypass inspection for a specific AWS account and region. Learn more about this API in the API reference documentation.

Request sample:

To manually bypass inspection, change your routes back to their original status. Ensure that all routes that target the Network Security endpoints are removed. Make these modifications for each Availability Zone (AZ) that has inspection enabled.

The scenarios below provide three specific approaches to modifying route tables based on deployment type. These steps may vary based on your specific configuration.

If your deployment uses an AWS Application Load Balancer (ALB), examine and remove from all public and private subnet route tables any route that has a Network Security endpoint as the next hop, as shown below. Repeat for other AZs as needed.

To modify routes for environments with public facing assets and an internet gateway, remove routes in two tables as shown below:

To modify routes for environments with a centralized architecture that use Transit Gateways to send traffic between VPCs, remove the routes shown in the tables below to bypass traffic:

After removing the routes to Network Security endpoints, verify that traffic is flowing as expected through the workload VPC and no bytes are inspected.

If your analysis indicates that Network Security is contributing to network issues, contact support.