topic Ideas for On Demand NAT Allocation (AWS-Elastic IPs) in VM-Series in the Public Cloud https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ideas-for-on-demand-nat-allocation-aws-elastic-ips/m-p/303888#M732 <P>Hi,</P><P>We are looking to start production in AWS and will be spinning up Hosts that need to have Ingress Traffic to Hosts on a TGW. I am looking to do the PAN AWS Sandwich (Good Idea?) for High Availability. But I need some ideas on how to quickly allocated and build NAT Rules as the operations team spins up new Hosts. I am thinking something might could be done with Dynamic Groups In PANs and Tags in AWS. So that when they spin up and tag a new server somehow the rules/NAt's get built in PANs..</P><P>&nbsp;</P><P>Any ideas or feedback on the Sandwich right way for hosting inbound traffic and how to automate or quickly build NAT's would be GREATLY appreciated!</P><P>Thanks!</P> Mon, 16 Dec 2019 14:27:51 GMT Justin_Payne 2019-12-16T14:27:51Z Ideas for On Demand NAT Allocation (AWS-Elastic IPs) https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ideas-for-on-demand-nat-allocation-aws-elastic-ips/m-p/303888#M732 <P>Hi,</P><P>We are looking to start production in AWS and will be spinning up Hosts that need to have Ingress Traffic to Hosts on a TGW. I am looking to do the PAN AWS Sandwich (Good Idea?) for High Availability. But I need some ideas on how to quickly allocated and build NAT Rules as the operations team spins up new Hosts. I am thinking something might could be done with Dynamic Groups In PANs and Tags in AWS. So that when they spin up and tag a new server somehow the rules/NAt's get built in PANs..</P><P>&nbsp;</P><P>Any ideas or feedback on the Sandwich right way for hosting inbound traffic and how to automate or quickly build NAT's would be GREATLY appreciated!</P><P>Thanks!</P> Mon, 16 Dec 2019 14:27:51 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ideas-for-on-demand-nat-allocation-aws-elastic-ips/m-p/303888#M732 Justin_Payne 2019-12-16T14:27:51Z Re: Ideas for On Demand NAT Allocation (AWS-Elastic IPs) https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ideas-for-on-demand-nat-allocation-aws-elastic-ips/m-p/303893#M733 <P>You can find the build-out of the LB sandwich with TGW in our reference architecture.</P><P><A href="https://www.paloaltonetworks.com/resources/reference-architectures/aws" target="_blank">https://www.paloaltonetworks.com/resources/reference-architectures/aws</A></P><P>&nbsp;</P><P>As far as automation goes, we do have tag monitoring with DAG update capabilities native to the firewall in AWS.&nbsp; That will not solve your NAT Policy question though.&nbsp; Other customers typically build the firewall API calls into their CI/CD pipeline when the back end is built.&nbsp; An example of this flow can be found in our autoscale 2.0/2.1 templates.&nbsp; You can extract the PY code to incorporate it into your DevOps process.&nbsp;&nbsp;</P><P>&nbsp;</P><P><A href="https://github.com/PaloAltoNetworks/aws-elb-autoscaling" target="_blank">https://github.com/PaloAltoNetworks/aws-elb-autoscaling</A></P> Mon, 16 Dec 2019 14:33:18 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/ideas-for-on-demand-nat-allocation-aws-elastic-ips/m-p/303893#M733 jmeurer 2019-12-16T14:33:18Z