https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-multiple-subnets-across-multiple-azs-multiple-nics/m-p/192127#M201 <P>&nbsp;</P><BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/38823">@niyengar</a> wrote:<BR /><P>Hello,</P><P>&nbsp; &nbsp;In AWS the firewall needs to have an interface in the&nbsp;subnet for&nbsp;it&nbsp;to be able to see the traffic.&nbsp;</P><P>&nbsp;</P><P>One other solution is to use a Transit VPC. This will be a centralized VPC with firewalls and then other VPCS with variouis APPS connect to this VPC to send data out (outbound protection) and you can also achieve inter-VPC security.</P><P>&nbsp;</P><P>We are working on a &nbsp;fully automated solution and it should be relased in the next few weeks.</P><P>@You can contact your SE and have them setup a meeting with folks here &nbsp;@ paloalto networks and we'll be happy to give you an overview.</P><P>&nbsp;</P><P>&nbsp;</P><HR /></BLOCKQUOTE><P>Great... sounds intriguing.&nbsp; I submitted a request online but haven't heard.</P><P>&nbsp;</P><P>Is there an easier way to identify the SE that would handle our account?</P> Mon, 18 Dec 2017 19:59:17 GMT spetty01 2017-12-18T19:59:17Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-multiple-subnets-across-multiple-azs-multiple-nics/m-p/192110#M199 <P>Very new to VM-300 and PA, deploying it in AWS with 2 availability zones.</P><P>&nbsp;</P><P>We'd like to have 3 private subnets in each AZ - DMZ, application, and data, as well as a public subnet for the EIP interface.&nbsp; Ideally all traffic between subnets would flow through the VM-300, but this doesn't seem possible to us without multiple NICs, one per subnet.&nbsp; Is that accurate?</P><P>&nbsp;</P><P>I'm trying to understand what best practices are with this architecture.&nbsp; Should we simply call public untrust and everything else trusted, and then just have one NIC in each, or is there a way that we can have all traffic between the subnets, or at least between the DMZ and others transit the VM-300?</P><P>&nbsp;</P><P>The limitation of course on NICs is cost - the instances with 8 network interfaces are prohibitively expensive for a firewall.</P><P>&nbsp;</P><P>Any suggestions would be appreciated.</P> Mon, 18 Dec 2017 17:33:33 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-multiple-subnets-across-multiple-azs-multiple-nics/m-p/192110#M199 spetty01 2017-12-18T17:33:33Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-multiple-subnets-across-multiple-azs-multiple-nics/m-p/192118#M200 <P>Hello,</P><P>&nbsp; &nbsp;In AWS the firewall needs to have an interface in the&nbsp;subnet for&nbsp;it&nbsp;to be able to see the traffic.&nbsp;</P><P>&nbsp;</P><P>One other solution is to use a Transit VPC. This will be a centralized VPC with firewalls and then other VPCS with variouis APPS connect to this VPC to send data out (outbound protection) and you can also achieve inter-VPC security.</P><P>&nbsp;</P><P>We are working on a &nbsp;fully automated solution and it should be relased in the next few weeks.</P><P>You can contact your SE and have them setup a meeting with folks here &nbsp;@ paloalto networks and we'll be happy to give you an overview.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 18 Dec 2017 19:02:45 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-multiple-subnets-across-multiple-azs-multiple-nics/m-p/192118#M200 niyengar 2017-12-18T19:02:45Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-multiple-subnets-across-multiple-azs-multiple-nics/m-p/192127#M201 <P>&nbsp;</P><BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/38823">@niyengar</a> wrote:<BR /><P>Hello,</P><P>&nbsp; &nbsp;In AWS the firewall needs to have an interface in the&nbsp;subnet for&nbsp;it&nbsp;to be able to see the traffic.&nbsp;</P><P>&nbsp;</P><P>One other solution is to use a Transit VPC. This will be a centralized VPC with firewalls and then other VPCS with variouis APPS connect to this VPC to send data out (outbound protection) and you can also achieve inter-VPC security.</P><P>&nbsp;</P><P>We are working on a &nbsp;fully automated solution and it should be relased in the next few weeks.</P><P>@You can contact your SE and have them setup a meeting with folks here &nbsp;@ paloalto networks and we'll be happy to give you an overview.</P><P>&nbsp;</P><P>&nbsp;</P><HR /></BLOCKQUOTE><P>Great... sounds intriguing.&nbsp; I submitted a request online but haven't heard.</P><P>&nbsp;</P><P>Is there an easier way to identify the SE that would handle our account?</P> Mon, 18 Dec 2017 19:59:17 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-multiple-subnets-across-multiple-azs-multiple-nics/m-p/192127#M201 spetty01 2017-12-18T19:59:17Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-multiple-subnets-across-multiple-azs-multiple-nics/m-p/192147#M204 <P>What company do you represent?&nbsp;</P><P>If you don't want to advertise here, you can&nbsp;unicast me at niyengar[at]paloaltonetworks[dot]com</P> Mon, 18 Dec 2017 21:47:03 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-multiple-subnets-across-multiple-azs-multiple-nics/m-p/192147#M204 niyengar 2017-12-18T21:47:03Z