https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/236759#M438 <P>AWS - Palo ALto IPSEC or AWS native IPSEC?</P><P>Which is better any why?&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Tue, 23 Oct 2018 20:43:06 GMT junior_r 2018-10-23T20:43:06Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/236759#M438 <P>AWS - Palo ALto IPSEC or AWS native IPSEC?</P><P>Which is better any why?&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Tue, 23 Oct 2018 20:43:06 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/236759#M438 junior_r 2018-10-23T20:43:06Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/236900#M440 <P>The all depends on what type of design and throughput you are looking for?</P> <P>For example if you use AWS Native IPsec then you will need to setup a VGW which has a limit of 1.25 Gbps throughput</P> <P>if you setup VM-Series to Device your limit is only the bandwidth and the performance capabilities of the devices you are using for VPN. That will probably be the main thing to consider but I am sure there is more.&nbsp;</P> Wed, 24 Oct 2018 18:51:31 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/236900#M440 jperry1 2018-10-24T18:51:31Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/236904#M441 <P>The AWS VGW limit is 1.25Gbps not Mbps</P> Wed, 24 Oct 2018 18:51:53 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/236904#M441 jperry1 2018-10-24T18:51:53Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/236932#M442 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/2533">@jperry1</a><SPAN class="">&nbsp;</SPAN>wouldn't&nbsp;<SPAN>VM-Series to Device&nbsp;be slower...even if I take the VM with higest resources?</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks</SPAN></P> Wed, 24 Oct 2018 23:38:43 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/236932#M442 junior_r 2018-10-24T23:38:43Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/236937#M443 <P>It depends on the size VM-Series you use but certain VM-series devices will give you over 2GB throughput on IPSec. At that point you are at the mercy of your Internet speed.&nbsp;</P> Thu, 25 Oct 2018 00:51:58 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/236937#M443 jperry1 2018-10-25T00:51:58Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/238062#M444 <P>It would be best to do the VPN to AWS and let the VM firewall deal with inspection. After all, why bog down the VM firewall with the extra overhead of doing encryption/decryption? AWS VPN is also pretty easy to set up, even with BGP for dynamic routing for failover.</P> Wed, 31 Oct 2018 19:29:45 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/238062#M444 mrzepa2 2018-10-31T19:29:45Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/238069#M445 <P>Without knowing more about your use case, the decision around where to decrypt will come down to routing.&nbsp; In general, if you terminate on the VGW, there are very limited options to have the traffic route through the Firewalls due to routing limitations within the VPC.&nbsp; AWS typical recommends "Transit VPC" designs where remote traffic and/or spoke VPC traffic can route through multiple Firewalls in a fault tolerant fashion.&nbsp; You can find both manual and automated Transit VPC Options here.&nbsp;&nbsp;</P><P><A href="https://github.com/PaloAltoNetworks/aws-transit-vpc" target="_blank">https://github.com/PaloAltoNetworks/aws-transit-vpc</A></P><P>&nbsp;</P> Wed, 31 Oct 2018 20:16:24 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-palo-alto-ipsec-or-aws-native-ipsec/m-p/238069#M445 jmeurer 2018-10-31T20:16:24Z