In private clouds today, numerous vendors provide specialized services, such as Deep Packet Inspection, Firewall, etc. In private datacenters, the administrators typically deploy such specialized services in the path of traffic that needs the service. With the proliferation of public cloud, these vendors also offer virtual appliances and service virtual machines (service VMs) that can be licensed and deployed in public cloud environments. For example, Palo Alto Networks makes its firewall available as a virtual appliance in the Amazon Web Services (AWS) marketplace.
Such appliances are mostly deployed for traffic that enters and leaves the virtual public cloud (VPC) in the datacenter, and are thus deployed facing the Internet Gateway. However, the public cloud tenants also want to route the traffic between subsets of endpoints within the virtual datacenter through the service appliance of third party vendors. Currently, this is not possible as cloud providers do not allow the routing of traffic between endpoints in a VPC to be over-ridden. For instance, in AWS VPC, the provider routing table has a single entry for the VPC address block and this entry cannot be modified. More specific routes that overlap with the VPC address block cannot be added.