

# Inline traffic inspection solution options
<a name="solution-options"></a>

The following three sections describe data flows for traffic inspection using third-party firewall appliances in an AWS environment with Gateway Load Balancer and Gateway Load Balancer endpoints:
+ [VPC-to-VPC traffic inspection](vpc-to-vpc-traffic-inspection.md)
+ [VPC-to-on-premises traffic inspection](vpc-on-premises-traffic-inspection.md)
+ [Outbound traffic inspection through a NAT gateway and internet gateway](outbound-traffic-inspection-nat-gateway.md)

The following resources are used in the three options for this solution:
+ Dedicated spoke VPCs for hosting workloads or applications.
+ One VPC for hosting firewall appliances.
+ A dedicated subnet for the Transit Gateway elastic network interface for each Availability Zone in the spoke and appliance VPCs.
+ Appliance mode turned on for the appliance VPC attachment.
+ Dedicated subnets for Gateway Load Balancer endpoints in each Availability Zone.
+ A transit gateway to interconnect the VPCs and to provide on-premises connectivity, either through the Transit Gateway virtual interface and Direct Connect gateway or through a VPN attachment for AWS Site-to-Site VPN.
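
The following added example (not part of the original guide) audits an environment against two items in the resource list above: appliance mode on the appliance VPC attachment, and transit gateway subnets that are not shared with Gateway Load Balancer endpoints. The input is constructed sample data in the shape returned by `aws ec2 describe-transit-gateway-vpc-attachments` and `aws ec2 describe-vpc-endpoints`; every ID and the `audit` function name are assumptions.

```python
import json

# Constructed sample data; all resource IDs are made up for illustration.
ATTACHMENTS = json.loads("""
{"TransitGatewayVpcAttachments": [
  {"TransitGatewayAttachmentId": "tgw-attach-appliance", "VpcId": "vpc-appliance",
   "SubnetIds": ["subnet-tgw-a", "subnet-tgw-b"],
   "Options": {"ApplianceModeSupport": "disable"}},
  {"TransitGatewayAttachmentId": "tgw-attach-spoke1", "VpcId": "vpc-spoke1",
   "SubnetIds": ["subnet-spoke1-tgw-a"],
   "Options": {"ApplianceModeSupport": "disable"}}
]}
""")
ENDPOINTS = json.loads("""
{"VpcEndpoints": [
  {"VpcEndpointId": "vpce-gwlb-a", "VpcEndpointType": "GatewayLoadBalancer",
   "VpcId": "vpc-appliance", "SubnetIds": ["subnet-gwlbe-a"]},
  {"VpcEndpointId": "vpce-gwlb-b", "VpcEndpointType": "GatewayLoadBalancer",
   "VpcId": "vpc-appliance", "SubnetIds": ["subnet-tgw-b"]}
]}
""")

def audit(attachments, endpoints, appliance_vpc_id):
    """Return (resource_id, finding) tuples for deviations from the resource list."""
    findings = []
    # Map every subnet that hosts a Gateway Load Balancer endpoint to that endpoint.
    gwlbe_subnets = {
        subnet: ep["VpcEndpointId"]
        for ep in endpoints["VpcEndpoints"]
        if ep.get("VpcEndpointType") == "GatewayLoadBalancer"
        for subnet in ep.get("SubnetIds", [])
    }
    appliance_seen = False
    for att in attachments["TransitGatewayVpcAttachments"]:
        att_id = att["TransitGatewayAttachmentId"]
        if att["VpcId"] == appliance_vpc_id:
            appliance_seen = True
            if att.get("Options", {}).get("ApplianceModeSupport") != "enable":
                findings.append((att_id, "appliance mode is not turned on"))
        # The attachment's subnets should be dedicated, not shared with GWLB endpoints.
        for subnet in att.get("SubnetIds", []):
            if subnet in gwlbe_subnets:
                findings.append((att_id, f"{subnet} is shared with {gwlbe_subnets[subnet]}"))
    if not appliance_seen:
        findings.append((appliance_vpc_id, "no transit gateway attachment found"))
    return findings

if __name__ == "__main__":
    for resource, finding in audit(ATTACHMENTS, ENDPOINTS, "vpc-appliance"):
        print(f"{resource}: {finding}")
```
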