topic Need TGW (Hub-and-Spoke route table) or not? in VM-Series in the Public Cloud

Need TGW (Hub-and-Spoke route table) or not?

AsiaPac-Peter — Thu, 10 Feb 2022 03:58:30 GMT

In the AWS Reference Architecture Guide (version Apr 19, 2021),

it use AWS GWLB to connect to other spoke VPC.

Does it means VPC to VPC do not need AWS TGW? (Hub and spoke route table)

So all traffic can use GWLB (private link) connect to other Spoke VPC without go to TGW?

Re: Need TGW (Hub-and-Spoke route table) or not?

DanaHawkins — Wed, 02 Mar 2022 15:41:40 GMT

Yes and no. Remember GWLBs and TGWs serve specific purposes. If you just want VPC to VPC connectivity you can use VPC Peering. If you want to inspect traffic VPC to VPC using a pair of PAN FWs, you would use GWLB. If you want to perform dynamic routing with BGP over IPSec to on-prem with AZ redundancy, the TGW is still a good option.

With the GWLB architecture, the firewall takes over the routing that would normally be done by the TGW (Hub and Spoke RT). That is because each GWLBe is mapped to an interface and zone on the FW and native routing is used. It's also much faster. In the old architecture, the Palo's had to have an IPSEC tunnel to the TGW which was limited to 1.25Gbps.

Re: Need TGW (Hub-and-Spoke route table) or not?

davidcompos96 — Thu, 03 Mar 2022 19:00:25 GMT

GWLBs and TGWs serve specific purposes, the TGW is still a good option.