Hi,

I need to stand up a DMZ at AWS for web servers that will be accessed from the Internet. I will also need to allow traffic to/from the internal corporate network and to/from the DMZ.

The problem I hit was that AWS will not allow you to set up routes within the VPC. Everything within the VPC can hit everything else. If the VPC is 10.22.0.0/16 and the DMZ is 10.22.6.0/24, I cannot add a route for 10.22.6.0/24 to a route table within that VPC.

I went through the Checkpoint article on how to secure a DMZ at http://downloads.checkpoint.com/dc/d...d.htm?ID=45816. It recommends setting up NAT rules that will force the traffic to go through the Checkpoint. I can see how that would work, but long term it will be a bear to maintain.

The alternative solution I came up with was to build a separate DMZ VPC and route all the traffic through the Checkpoint. The only problem I can see with that is that I'll need to force the VPC peering connection to send the traffic back to the Checkpoint instead of straight to the DMZ host.

Any thoughts on my alternative solution or any ideas for a better one?

THX
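The following is an added example (editor's illustration, not code from the post or from Check Point) that models the two-VPC design the poster describes as plain route tables and resolves a destination the way a VPC route table does, by longest-prefix match. The corporate VPC CIDR 10.22.0.0/16 is the one given in the post; the DMZ VPC CIDR 10.23.0.0/16, the target names `eni-checkpoint`, `pcx-corp-dmz` and `igw-dmz`, and the host addresses are assumptions chosen for the illustration. The check at the end asks the question the poster raises: do both directions leave their source VPC via the firewall, or does the DMZ side's return traffic go straight to the peering connection?

```python
import ipaddress

# Constructed route tables modelling the design in the post: a corporate VPC
# whose traffic to the DMZ VPC is sent to the Check Point gateway's ENI, and a
# separate DMZ VPC that returns corporate-bound traffic over VPC peering.
# Everything except 10.22.0.0/16 is an assumed value, not taken from the post.
CORP_CIDR = "10.22.0.0/16"      # VPC CIDR stated in the post
DMZ_CIDR = "10.23.0.0/16"       # assumed CIDR for the separate DMZ VPC
FIREWALL = "eni-checkpoint"     # assumed target: the Check Point gateway ENI
PEERING = "pcx-corp-dmz"        # assumed target: the VPC peering connection

CORP_ROUTES = [
    (CORP_CIDR, "local"),       # implicit local route every VPC has
    (DMZ_CIDR, FIREWALL),       # DMZ-bound traffic must pass the firewall
    ("0.0.0.0/0", FIREWALL),    # everything else also goes via the firewall
]
DMZ_ROUTES = [
    (DMZ_CIDR, "local"),
    (CORP_CIDR, PEERING),       # return traffic goes straight to the peering
    ("0.0.0.0/0", "igw-dmz"),   # assumed: Internet-facing web servers use an IGW
]
TABLES = {"corp": CORP_ROUTES, "dmz": DMZ_ROUTES}


def lookup(routes, dst):
    """Longest-prefix match over (cidr, target) pairs, which is how a VPC route
    table selects a route.  Returns the target, or None if nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def first_hop(src_vpc, dst):
    """Target chosen by the route table of the VPC a packet originates in."""
    return lookup(TABLES[src_vpc], dst)


def inspected_both_ways(corp_host, dmz_host):
    """True only if corp->DMZ and DMZ->corp both leave their VPC via the firewall.

    With the tables above the DMZ side hands its reply to the peering connection,
    so this returns False: that is the asymmetry the poster is asking about."""
    return (first_hop("corp", dmz_host) == FIREWALL
            and first_hop("dmz", corp_host) == FIREWALL)


if __name__ == "__main__":
    corp_host, dmz_host = "10.22.5.7", "10.23.6.10"   # constructed addresses
    print("corp -> dmz first hop:", first_hop("corp", dmz_host))
    print("dmz  -> corp first hop:", first_hop("dmz", corp_host))
    print("firewall on both directions:", inspected_both_ways(corp_host, dmz_host))
```

The model only evaluates the tables as written; it does not claim what AWS will or will not let you configure on a peering connection, which is the open question in the post. Changing `DMZ_ROUTES` so that the corporate CIDR points somewhere other than the peering connection is the experiment to run against whatever AWS actually accepts.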