The VPC incoming network traffic would have to be forwarded to on-premises appliance or firewall in order to inspect the traffic and routed back to VPC which is not an ideal solution, it adds latency and complexity.

A route table is associated with internet gateway (igw) or virtual gateway (vgw) to control the path of inbound network traffic by adding route to virtual security appliance (IDS/IPS) bound for application workloads.

A gateway route table supports routes where the target is local (the default local route) or an elastic network interface (network interface) in your VPC that's attached to your middlebox appliance. When the target is a network interface, the following destinations are allowed:

• The entire IPv4 or IPv6 CIDR block of your VPC. In this case, you replace the target of the default local route.
• The entire IPv4 or IPv6 CIDR block of a subnet in your VPC. This is a more specific route than the default local route.

VPC Ingress routing now allows to route incoming traffic to/from Internet Gateway (IGW) and Virtual Gateway (VGW) to any Elastic Network Interface of EC2 instance. Now, before the incoming VPC network traffic reaches to the workloads, it is sent to the appliance (usually security appliance or firewalls) where suspicious traffic is blocked based on the security policy. This also allows to have multiple security policy for different workloads and have consistent security policy across on-premise and cloud for hybrid solutions.

In figure 1, inbound traffic for workload is sent directly to workload subnet from internet gateway. There wasn’t an easy solution to manipulate the route path, although traffic mirroring was possible it’s a passive monitoring. With the introduction of Ingress routing, it provided opportunity for inline network traffic inspection of network traffic before reaching workloads, providing more granular control of how traffic path and consistent security across on-prem and cloud.

As figure 2, a route is added in the gateway route table to forward any incoming network traffic for workload to appliance where the inspection is done before forwarding it to actual workloads. There can also be multiple appliance for multiple workloads.

From figure 3 & 4, we can see the benefits of VPC ingress routing. Workloads specific security policy can be applied, or centralized security policy can be applied giving more granular control over security and route path engineering.