https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/clarity-on-overlay-routing-with-gwlb-for-combined-centralized/m-p/575924#M2110 <P>Thank you&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/127749">@mb_equate</a>&nbsp;</P> <P>Yes, that's what I was thinking as well and it makes sense.</P> <P>&nbsp;</P> <P>So the reason I asked this question was a colleague also tested this out and in their case, the FW sent the return flow out its Public interface - causing asymmetric routing.&nbsp;I was not able to reproduce the issue though, so I wanted to check if it was a configurable option.</P> <P>&nbsp;</P> <P>It is probably a misconfiguration/bug in their FW.&nbsp;</P> Mon, 05 Feb 2024 00:42:39 GMT Yelzamani 2024-02-05T00:42:39Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/clarity-on-overlay-routing-with-gwlb-for-combined-centralized/m-p/575909#M2108 <P>Hi,&nbsp;</P> <P>I am looking for some clarity on the Overlay routing feature on VM Series FW.&nbsp;</P> <P>I am using the&nbsp;Combined (Centralized Egress + Distributed Ingress) deployment model described in this <A title="Securing Application in AWS - Centralized Model Deployment Guide" href="https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/guides/aws-transit-gateway-deployment-guide" target="_self">Securing Application in AWS - Centralized Model Deployment Guide</A>.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-02-04 at 1.31.23 PM.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57339iB24716C20FE6D7EE/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Screenshot 2024-02-04 at 1.31.23 PM.png" alt="Screenshot 2024-02-04 at 1.31.23 PM.png" /></span></P> <P>In this pattern, <A href="https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/vm-series-integration-with-gateway-load-balancer/integrate-the-vm-series-with-an-aws-gateway-load-balancer/enable-overlay-routing-for-the-vm-series-on-aws" target="_self">overlay routing</A> is enabled so that the FW can handle both inspection and NAT for outbound traffic flows. It&nbsp;<SPAN>allows packets to leave the VM-Series firewall through a different interface than that which they entered through.</SPAN></P> <P>&nbsp;</P> <P>I have built this out in my lab and it works well but I want to understand why it does.&nbsp;</P> <P><STRONG>Egress Traffic&nbsp;</STRONG></P> <P>I understand for outbound flow (Traffic initiated from the VPC to the internet) - The traffic from the EC2 instance leaves the VPC via the TGW and lands on the TGW attachment in the Security VPC, which then sends it to the GWLB endpoint for inspection on the FW. With Overlay routing, the FW is able to check the destination address (internet bound) and directly route it out its public interface.&nbsp;</P> <P>EC2 --&gt; TGW (App VPC) --&gt; TGW (Security VPC) --&gt; GWLBe --&gt; (inside)VM Series FW(outside)---&gt; IGW&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Ingress Traffic</STRONG></P> <P>Here is where it gets confusing. For inbound traffic (Traffic initiated from internet to VPC)&nbsp;</P> <P><EM>Inbound flow</EM></P> <P>The traffic first hits the GWLB endpoint in the app VPC and gets send to the Inspection VPC for inspection, FW inspects (destination is app VPC) and sends the traffic back out the inside interface. Traffic gets send back through the GWLB endpoint and on to the ALB and to the EC2 instance&nbsp;</P> <P>Client --&gt; IGW --&gt; GWLBe(App VPC) --&gt; GWLB (Inspection VPC) ---&gt; (inside)VM Series FW (inside) --&gt; GWLB (Inspection) ---&gt; GWLBe (App VPC) ---&gt; ALB (SNAT) ---&gt; EC2&nbsp;</P> <P>&nbsp;</P> <P><EM>Return flow</EM>&nbsp;</P> <P>Here the EC2 responds directly to the ALB private IP, ALB forwards to the internet via the GWLB endpoint, which then gets sent to the&nbsp;Inspection VPC for inspection, FW inspects and sends&nbsp;the traffic back out the inside interface to the GWLB and it makes it way back to GWLB endpoint in the App VOC and to the client on the internet.&nbsp;&nbsp;</P> <P>EC2 --&gt; ALB (APP VPC) ---&gt; GWLBe --&gt; GWLB --&gt; (Inside) VM series FW (inside) --&gt; GWLB/GWLBe --&gt; IGW ----&gt; Client</P> <P>&nbsp;</P> <P>With overlay routing, <STRONG>I expected the FW to see that the destination address on the return flow is internet bound and should have sent it out its outside/public interface (like it did on the outbound flow)</STRONG> - which would of course break the flow and cause asymmetric routing.&nbsp;</P> <P>&nbsp;</P> <P>How does the FW know to send the return flow back out its inside interface?&nbsp;</P> <P>I did not have to configure any PBRs to influence the routing.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 04 Feb 2024 21:17:11 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/clarity-on-overlay-routing-with-gwlb-for-combined-centralized/m-p/575909#M2108 Yelzamani 2024-02-04T21:17:11Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/clarity-on-overlay-routing-with-gwlb-for-combined-centralized/m-p/575921#M2109 <P>I agree it does sound counterintuitive. I _think_ this is due to the firewall having already received the traffic <EM>from</EM> the GWLB on the inbound leg, matching the return flow to the same session (which in this case includes the TLV headers associated with the GENEVE encapsulation) and symmetrically returning the traffic to the GWLB. Reading the return traffic flow for the combined option in the&nbsp;<A href="https://www.paloaltonetworks.com/resources/guides/aws-transit-gateway-deployment-guide" target="_self">deployment guide</A>:</P> <P>&nbsp;</P> <P><EM>"The firewall receives the traffic from the GWLB on its private dataplane interface. The firewall&nbsp;receives the traffic and associates the return traffic to an active session on the firewall.&nbsp;The firewall uses the session information, including the TLVs associated with the Geneve&nbsp;encapsulation to return the traffic to the GWLB"</EM></P> <P>&nbsp;</P> <P>I find the documentation doesn't go into enough technical detail for those that want to understand how stuff works not just build it <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 05 Feb 2024 00:07:47 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/clarity-on-overlay-routing-with-gwlb-for-combined-centralized/m-p/575921#M2109 mb_equate 2024-02-05T00:07:47Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/clarity-on-overlay-routing-with-gwlb-for-combined-centralized/m-p/575924#M2110 <P>Thank you&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/127749">@mb_equate</a>&nbsp;</P> <P>Yes, that's what I was thinking as well and it makes sense.</P> <P>&nbsp;</P> <P>So the reason I asked this question was a colleague also tested this out and in their case, the FW sent the return flow out its Public interface - causing asymmetric routing.&nbsp;I was not able to reproduce the issue though, so I wanted to check if it was a configurable option.</P> <P>&nbsp;</P> <P>It is probably a misconfiguration/bug in their FW.&nbsp;</P> Mon, 05 Feb 2024 00:42:39 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/clarity-on-overlay-routing-with-gwlb-for-combined-centralized/m-p/575924#M2110 Yelzamani 2024-02-05T00:42:39Z