https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/deploy-palo-alto-vms-into-aws-asg-with-3-nics-trust-untrust-and/m-p/471276#M1490 <P>We’re looking for the best way to deploy Palo Alto firewalls with trust, untrust and management NICs in an autoscaling group in AWS that’s aligned to best practice.</P><P>&nbsp;</P><P>Autoscaling groups for EC2 instances are limited to one network and we see the latest version of the Palo Alto template in Git (ASG with warm pools) caters for this but creates a firewall deployment with two NICs (Data and management) on the same subnet <A title="https://github.com/paloaltonetworks/aws-gwlb-vmseries/tree/main/cft_simplifiedasg_with_warm_pools" href="https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/cft_simplifiedASG_with_warm_pools" target="_blank" rel="noopener noreferrer">https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/cft_simplifiedASG_with_warm_pools</A></P><P>&nbsp;</P><P>We would need a firewall with 3 NICS on 3 different subnets (management, trust and untrust).</P><P>&nbsp;</P><P>Do you know the best way to deploy Palo Alto VM firewalls with private, public and management NICs in an ASG in AWS please?</P><P>&nbsp;</P><P>Or is this not possible and are we limited to 2 NICs on the same subnet? (management and data)</P> Tue, 08 Mar 2022 09:50:23 GMT TonyCleveleys 2022-03-08T09:50:23Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/deploy-palo-alto-vms-into-aws-asg-with-3-nics-trust-untrust-and/m-p/471276#M1490 <P>We’re looking for the best way to deploy Palo Alto firewalls with trust, untrust and management NICs in an autoscaling group in AWS that’s aligned to best practice.</P><P>&nbsp;</P><P>Autoscaling groups for EC2 instances are limited to one network and we see the latest version of the Palo Alto template in Git (ASG with warm pools) caters for this but creates a firewall deployment with two NICs (Data and management) on the same subnet <A title="https://github.com/paloaltonetworks/aws-gwlb-vmseries/tree/main/cft_simplifiedasg_with_warm_pools" href="https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/cft_simplifiedASG_with_warm_pools" target="_blank" rel="noopener noreferrer">https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/cft_simplifiedASG_with_warm_pools</A></P><P>&nbsp;</P><P>We would need a firewall with 3 NICS on 3 different subnets (management, trust and untrust).</P><P>&nbsp;</P><P>Do you know the best way to deploy Palo Alto VM firewalls with private, public and management NICs in an ASG in AWS please?</P><P>&nbsp;</P><P>Or is this not possible and are we limited to 2 NICs on the same subnet? (management and data)</P> Tue, 08 Mar 2022 09:50:23 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/deploy-palo-alto-vms-into-aws-asg-with-3-nics-trust-untrust-and/m-p/471276#M1490 TonyCleveleys 2022-03-08T09:50:23Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/deploy-palo-alto-vms-into-aws-asg-with-3-nics-trust-untrust-and/m-p/479496#M1526 <P><A title="https://github.com/paloaltonetworks/aws-gwlb-vmseries/tree/main/cft_simplifiedasg_with_warm_pools" href="https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/cft_simplifiedASG_with_warm_pools" target="_blank" rel="noopener noreferrer nofollow">cft_simplifiedASG_with_warm_pools</A>&nbsp;assumes the 2 NIC what is coded is from the same subnet. Additionally AWS ASG + LaunchTemplate based ENI provisioning will support only the subnets that was configured in ASG resource. You will not be able to do the splitting via CloudFormation. But you could achieve what you want by keeping the eth0 in the LaunchTemplate and other 2 (eth1 and eth2) by updating the Lifecycle Hook Lambda code.</P> Sat, 09 Apr 2022 23:44:18 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/deploy-palo-alto-vms-into-aws-asg-with-3-nics-trust-untrust-and/m-p/479496#M1526 rajworks 2022-04-09T23:44:18Z