<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Can we advertise an IP of /32 from Palo Alto firewall to TG (Transit gateway) of AWS via BGP route advertisement in VM-Series in the Public Cloud</title>
    <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/can-we-advertise-an-ip-of-32-from-palo-alto-firewall-to-tg/m-p/405459#M1187</link>
    <description>&lt;P&gt;Couldn't you create another TGW 'behind' the Palo Altos and attach VPC1 and VPC2 to it? This way traffic would have to flow through the Palos, which is what you are trying to achieve.&lt;/P&gt;&lt;P&gt;Currently your topology looks as if you have placed all of your EC2 compute in the DMZ in front of the firewall perimeter, except maybe worse, as traffic to those hosts is not secured by the firewall, so they are more like bastion hosts.&lt;/P&gt;&lt;P&gt;Granted, this is all a private network, so the above statement is probably not that alarming(!), but it makes more sense to place the compute logically behind the firewalls.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;cheers,&lt;/P&gt;&lt;P&gt;Seb.&lt;/P&gt;</description>
    <pubDate>Fri, 07 May 2021 11:33:18 GMT</pubDate>
    <dc:creator>SebRupik</dc:creator>
    <dc:date>2021-05-07T11:33:18Z</dc:date>
    <item>
      <title>Can we advertise an IP of /32 from Palo Alto firewall to TG (Transit gateway) of AWS via BGP route advertisement</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/can-we-advertise-an-ip-of-32-from-palo-alto-firewall-to-tg/m-p/405255#M1184</link>
      <description>&lt;P&gt;A loopback is configured on a router at a HUB site and we want to ping the IP of an instance in VPC-1.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KhurshidAnjum_0-1620318033696.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/33681i25DDF197B8BD08D9/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="KhurshidAnjum_0-1620318033696.png" alt="KhurshidAnjum_0-1620318033696.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;We are advertising the loopback IP (/32) from the HUB site as shown in the above diagram. The loopback will be advertised from the Hub site to the TG (Transit gateway in AWS) via BGP, then this will be advertised from the TG to the Palo Alto firewall. Again, from the Palo Alto firewall this loopback should be advertised back to the TG and from the TG to the destination VPC 1.&lt;/P&gt;&lt;P&gt;Can we advertise the loopback IP from the firewall back to the TG via BGP route advertisement? If yes, then how?&lt;/P&gt;</description>
      <pubDate>Thu, 06 May 2021 16:22:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/can-we-advertise-an-ip-of-32-from-palo-alto-firewall-to-tg/m-p/405255#M1184</guid>
      <dc:creator>KhurshidAnjum</dc:creator>
      <dc:date>2021-05-06T16:22:35Z</dc:date>
    </item>
    <item>
      <title>Re: Can we advertise an IP of /32 from Palo Alto firewall to TG (Transit gateway) of AWS via BGP route advertisement</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/can-we-advertise-an-ip-of-32-from-palo-alto-firewall-to-tg/m-p/405451#M1185</link>
      <description>&lt;P&gt;Hi there,&lt;/P&gt;&lt;P&gt;The TGW which the DX links are attached to will have been configured with an ASN. This ASN will be part of the AS_PATH attached to the /32 prefix when it is received by the Palo Altos. As such, the TGW will not accept the /32 being advertised from the Palo Alto, as a loop avoidance measure. To mitigate this issue you need to have the TGW ASN only appear once in the routing path.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;A possible solution would be to create a VPN tunnel from the on-premise hub site direct to the virtual Palo Alto, then allow the virtual Palo Alto to peer with the TGW via the VPN attachments. The TGW ASN would then only appear once in the AS_PATH.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;cheers,&lt;/P&gt;&lt;P&gt;Seb.&lt;/P&gt;</description>
      <pubDate>Fri, 07 May 2021 10:47:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/can-we-advertise-an-ip-of-32-from-palo-alto-firewall-to-tg/m-p/405451#M1185</guid>
      <dc:creator>SebRupik</dc:creator>
      <dc:date>2021-05-07T10:47:40Z</dc:date>
    </item>
    <item>
      <title>Re: Can we advertise an IP of /32 from Palo Alto firewall to TG (Transit gateway) of AWS via BGP route advertisement</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/can-we-advertise-an-ip-of-32-from-palo-alto-firewall-to-tg/m-p/405458#M1186</link>
      <description>Hi Seb,&lt;BR /&gt;&lt;BR /&gt;Thanks for your suggestion.&lt;BR /&gt;&lt;BR /&gt;Actually, we need to land the /32 IPs in the TG first, as we have to associate this subnet with a routing table in the TG.&lt;BR /&gt;&lt;BR /&gt;Hence a direct tunnel from the Hub site to the Palo Alto is not a favourable solution for me.</description>
      <pubDate>Fri, 07 May 2021 11:20:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/can-we-advertise-an-ip-of-32-from-palo-alto-firewall-to-tg/m-p/405458#M1186</guid>
      <dc:creator>KhurshidAnjum</dc:creator>
      <dc:date>2021-05-07T11:20:12Z</dc:date>
    </item>
    <item>
      <title>Re: Can we advertise an IP of /32 from Palo Alto firewall to TG (Transit gateway) of AWS via BGP route advertisement</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/can-we-advertise-an-ip-of-32-from-palo-alto-firewall-to-tg/m-p/405459#M1187</link>
      <description>&lt;P&gt;Couldn't you create another TGW 'behind' the Palo Altos and attach VPC1 and VPC2 to it? This way traffic would have to flow through the Palos, which is what you are trying to achieve.&lt;/P&gt;&lt;P&gt;Currently your topology looks as if you have placed all of your EC2 compute in the DMZ in front of the firewall perimeter, except maybe worse, as traffic to those hosts is not secured by the firewall, so they are more like bastion hosts.&lt;/P&gt;&lt;P&gt;Granted, this is all a private network, so the above statement is probably not that alarming(!), but it makes more sense to place the compute logically behind the firewalls.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;cheers,&lt;/P&gt;&lt;P&gt;Seb.&lt;/P&gt;</description>
      <pubDate>Fri, 07 May 2021 11:33:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/can-we-advertise-an-ip-of-32-from-palo-alto-firewall-to-tg/m-p/405459#M1187</guid>
      <dc:creator>SebRupik</dc:creator>
      <dc:date>2021-05-07T11:33:18Z</dc:date>
    </item>
  </channel>
</rss>