Centralizing Cloud Security with F5 and AWS Transit Gateway
Today we were fortunate to be a launch partner of AWS for their newly announced Transit Gateway feature, known as TGW.
We've had the opportunity to get our hands on TGW while it's been in private ...
Published Nov 27, 2018
Version 1.0
Greg_Coward
Employee
Joined July 19, 2011
dragonflymr
Dec 03, 2018
Cirrostratus
Hi,
Thanks for sharing info about TGW. I am not an AWS pro, so I have some questions:
- Would it be impossible to create the setups described in the article without TGW, or would it just be much more complicated?
- I have an issue understanding this sentence: "We then configured global route rules within our TGW to route all inbound traffic through this VPC, ensuring that this traffic would flow through the AWAF farm before making it on to its final destination, regardless of which AWS region/VPC the VM resided in." - looking at the diagram, traffic from the Internet has to pass via the Security VPC anyway. TGW is located behind the Security VPC, so routes in TGW are rather assuring that traffic leaving the Security VPC will be routed to the web server instance in the correct VPC, as well as (but I am not sure here) that returning traffic from the web server will pass AWAF on the way back to the Internet - or am I completely wrong here?
- What is the purpose of AWS WAF with the F5 rule set (I have some idea what the F5 rule set is) - what is protected by AWS WAF in this case? It seems that it is not the backend web servers, as those are protected by F5 AWAF.
Piotr