topic AWS Privatelink for Hub and Spoke Topology in VM-Series in the Public Cloud https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-privatelink-for-hub-and-spoke-topology/m-p/1001183#M2316 <P>HI all,</P> <P>&nbsp;</P> <P>Need some assistance with someone who has familiarity with deploying VM-Series FW in AWS w/ AWS Privatelink....our organization currently has an existing environment that we are currently leveraging TGW's for Interconnectivity between Accounts w/ a side of VPC Peering, tends to be a bit of a rodeo. This overall seems costly compared to Privatelink when you factor in the Cost of Attachments plus Data Process GigaByte (TGW) vs PetaByte (AWS Privatelink).&nbsp; Our company has entertained using Palo's as the Central Network Hub for all Ingress/Egress Traffic in terms of Inter-Zone Connectivity (VPC-to-VPC, Internet-to-VPC, VPC-to-Internet).&nbsp;&nbsp;<BR /><BR />We also have to adhere to the PCI-DSS Data Plane Standard in terms of Secure-to-NonSecure Traffic Flow, an which it would be:<BR /><STRONG><U><BR />Green VPC Environment (Non-Secure)</U></STRONG></P> <UL> <LI>Non-Secure-to-Non-Secure (not inspected | intrazone | bi-directional)</LI> <LI>Non-Secure to Secure (Inspected | interzone | bi-directional)</LI> <LI>Non-Secure to Internet (Inspected | interzone | one-way}</LI> <LI>DMZ to Internet (Inspected | interzone | bi-directional)</LI> </UL> <P><STRONG><U>Red VPC Environment&nbsp; (Secure)</U></STRONG></P> <UL> <LI>Secure-to-Non-Secure&nbsp; (inspected | inter-zone | one-way communiction to Proxy)</LI> <LI>Secure to Secure (not inspected | intrazone | bi-directional)</LI> <LI>Secure to Internet (Inspected | interzone | bi-directional w/Proxy sits in DMZ)</LI> </UL> <P>&nbsp;</P> <P>Here's the Kicker both environments would still need to communicate with our existing (rodeo) environment until we can consolidate to our new environment.&nbsp; I have the following questions:</P> <P>&nbsp;</P> <UL> <LI class="lia-align-left">For DMZ Reachability into our environment via the Public Palo Interface under other Public IP's, can that be handle via creating Elastic IPs in AWS and then tie the routing back towards the Palo so it can target a NAT Policy?</LI> <LI>Since Red VPC Environment would need to transit via Green VPC Environment to leverage internet would both VPC's need to be attached to TGW in order to follow proper communication with Inspection being done at both FW's or can this be tackled with VPC Peering?</LI> <LI>Spoke w/ AWS on this and they lean towards more Proprietary options with IPS/IDS and preferred we used TGW for interconnectivity between Consumer VPC's (Secure and Non-Secure) and Service VPC's (Secure and Non-Secure), but I just see that as costly vs AWS PrivateLink.</LI> </UL> <P>Attaching ad-hoc Design</P> Wed, 08 Jan 2025 22:36:07 GMT Murph 2025-01-08T22:36:07Z AWS Privatelink for Hub and Spoke Topology https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-privatelink-for-hub-and-spoke-topology/m-p/1001183#M2316 <P>HI all,</P> <P>&nbsp;</P> <P>Need some assistance with someone who has familiarity with deploying VM-Series FW in AWS w/ AWS Privatelink....our organization currently has an existing environment that we are currently leveraging TGW's for Interconnectivity between Accounts w/ a side of VPC Peering, tends to be a bit of a rodeo. This overall seems costly compared to Privatelink when you factor in the Cost of Attachments plus Data Process GigaByte (TGW) vs PetaByte (AWS Privatelink).&nbsp; Our company has entertained using Palo's as the Central Network Hub for all Ingress/Egress Traffic in terms of Inter-Zone Connectivity (VPC-to-VPC, Internet-to-VPC, VPC-to-Internet).&nbsp;&nbsp;<BR /><BR />We also have to adhere to the PCI-DSS Data Plane Standard in terms of Secure-to-NonSecure Traffic Flow, an which it would be:<BR /><STRONG><U><BR />Green VPC Environment (Non-Secure)</U></STRONG></P> <UL> <LI>Non-Secure-to-Non-Secure (not inspected | intrazone | bi-directional)</LI> <LI>Non-Secure to Secure (Inspected | interzone | bi-directional)</LI> <LI>Non-Secure to Internet (Inspected | interzone | one-way}</LI> <LI>DMZ to Internet (Inspected | interzone | bi-directional)</LI> </UL> <P><STRONG><U>Red VPC Environment&nbsp; (Secure)</U></STRONG></P> <UL> <LI>Secure-to-Non-Secure&nbsp; (inspected | inter-zone | one-way communiction to Proxy)</LI> <LI>Secure to Secure (not inspected | intrazone | bi-directional)</LI> <LI>Secure to Internet (Inspected | interzone | bi-directional w/Proxy sits in DMZ)</LI> </UL> <P>&nbsp;</P> <P>Here's the Kicker both environments would still need to communicate with our existing (rodeo) environment until we can consolidate to our new environment.&nbsp; I have the following questions:</P> <P>&nbsp;</P> <UL> <LI class="lia-align-left">For DMZ Reachability into our environment via the Public Palo Interface under other Public IP's, can that be handle via creating Elastic IPs in AWS and then tie the routing back towards the Palo so it can target a NAT Policy?</LI> <LI>Since Red VPC Environment would need to transit via Green VPC Environment to leverage internet would both VPC's need to be attached to TGW in order to follow proper communication with Inspection being done at both FW's or can this be tackled with VPC Peering?</LI> <LI>Spoke w/ AWS on this and they lean towards more Proprietary options with IPS/IDS and preferred we used TGW for interconnectivity between Consumer VPC's (Secure and Non-Secure) and Service VPC's (Secure and Non-Secure), but I just see that as costly vs AWS PrivateLink.</LI> </UL> <P>Attaching ad-hoc Design</P> Wed, 08 Jan 2025 22:36:07 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-privatelink-for-hub-and-spoke-topology/m-p/1001183#M2316 Murph 2025-01-08T22:36:07Z