topic Re: Paloalto VM Series VPC Peering support on AWS in VM-Series in the Public Cloud

Paloalto VM Series VPC Peering support on AWS

nattapong_thi — Thu, 10 Nov 2022 06:37:09 GMT

Tested traffic within a same VPC it's working fine, use ENI of paloalto's LAN interface as a target

But I have no idea, when we have 2 VPC (VPC-A and VPC-B) and we installed paloalto on VPC-A

How to direct traffic from VPC-B to paloalto and then access to the internet via paloalto?

Re: Paloalto VM Series VPC Peering support on AWS

psampatahire — Mon, 14 Nov 2022 17:04:31 GMT

Hi @nattapong_thi,

Greetings from Palo Alto Networks!

I saw your post and have a few recommendations for you. You may want to look at it initially, does this help?

You could use a Transit Gateway for inter-VPC communication, and then a NAT Gateway in VPC-A for outbound connections to the Internet. Create the below routes for Outbound:

Forward all traffic from VPC-B to TGW
Forward all traffic from TGW to FW in VPC-A
Forward all traffic from FW to NATGW
Forward all traffic from NATGW to IGW

To access the internet, You will need IGW and NAT GW also part of VPC B. Please confirm how the 2 VPCs are connected. are they connected with TGW?

Regards,
Prerna Ahire
Product Specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/configuration-discussions/ct-p/Configuration-Discussions
*Don’t forget to accept the solution provided!*

Re: Paloalto VM Series VPC Peering support on AWS

nattapong_thi — Thu, 17 Nov 2022 10:59:05 GMT

Hi @psampatahire

After I used transit gateway, it's seemed client inside VPC-B still unable to access the internet (but can communicate with ec2 inside VPC-A)

VPC-B ec2 --> Transit GW --> Paloalto's LAN eni --> NAT GW --> IGW

After I test using network reachability, It's look like traffic could not hit IGW

Route table rtb does not have an applicable route to igw
Internet gateway igw cannot accept traffic with spoofed addresses from the VPC.

Re: Paloalto VM Series VPC Peering support on AWS

psampatahire — Fri, 18 Nov 2022 16:47:41 GMT

Hi @nattapong_thi,

can you check the transit gw route tables to see if traffic from VPC-B is able to reach the security vpc (where the firewall is deployed)? The routes to VPC-A and to the security VPC should be different.

Regards,
Prerna Ahire
Product Specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/configuration-discussions/ct-p/Configuration-Discussions

Re: Paloalto VM Series VPC Peering support on AWS

psampatahire — Tue, 22 Nov 2022 00:14:51 GMT

Hello @nattapong_thi,

Greeting!

Please let us know whether you are still facing the problem.

Regards,
Prerna Ahire
Product Specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/configuration-discussions/ct-p/Configuration-Discussions

Re: Paloalto VM Series VPC Peering support on AWS

nattapong_thi — Tue, 29 Nov 2022 07:48:36 GMT

Please help to guide me

Forward all traffic from TGW to FW in VPC-A

How to configure this task, from transit gateway routing, it does not have an option to forward to Firewall ENI

Re: Paloalto VM Series VPC Peering support on AWS

MervynChan — Tue, 29 Nov 2022 08:21:18 GMT

Hi @nattapong_thi

You can configure a route table which will be used by the TGW subnet(A TGW ENI is attached to this subnet) in VPC-A.

Then in that route table, create a route to forward all traffic to the Firewall ENI.

Re: Paloalto VM Series VPC Peering support on AWS

nattapong_thi — Tue, 29 Nov 2022 10:53:53 GMT

After configuring a route on subnet of transit gateway, traffic can reach the firewall, log generated with source NAT ip

but it's still unable to connect internet (ping 8.8.8.8)

*** If I change 0.0.0.0 on transit gateway routing table from firewall's eni to NAT gateway directly, it's working properly

Re: Paloalto VM Series VPC Peering support on AWS

GabrielMontiel — Fri, 10 Feb 2023 20:16:34 GMT

Do you have appliance mode enabled on the attachment thats connected to the firewalls VPC?

Also based on your previous reply, you would need to do a NAT destined to internet addresses so the replies passes trough the palo alto, either a NAT or you could create a route(Private addresses or VPC B) from the NAT gateway to reply back to the palo alto.