Attached is the diagram with GWLB and TGW. The VPN attachment to the TGW is an S2S from on-prem. The interface of the firewall in the data subnet is private. As there is a site-to-site tunnel from on-prem to the TGW, we will have access from instances behind the on-prem firewall to AWS resources with private IPs.
1. Can we use the same interface in the data subnet (which is used for GENEVE encapsulation for connecting to the GWLB) to terminate an IPsec tunnel?
2. Can we use the S2S from on-prem firewall "A" to the TGW to form a new S2S between another firewall "B" behind "A" and the firewall in the inspection VPC? It is kind of IPsec over IPsec.
3. Do you recommend any other connectivity to have an S2S from on-prem firewall "B" to the FortiGate in the inspection VPC with private IPs? The tunnel with private IPs is due to application compliance standards.