topic Re: Sub Interfaces or VLAN interfaces supported on VM-300 in AWS? in VM-Series in the Public Cloud

Sub Interfaces or VLAN interfaces supported on VM-300 in AWS?

pmchenry — Thu, 17 Sep 2020 18:24:53 GMT

Hi,

We were wondering if sub-interfaces or VLAN interfaces are supported on the VM seriies in AWS.

We would like to separate customer traffic using these VLANs/ sub-interfaces as we do in our own DC, but it doesn't seem possible in AWS on the VM-300 as there are no options when I highlight the individual interface.

If sub-interfaces and VLANs are not supported, are there any work-arounds?

Thank you, Pat

Re: Sub Interfaces or VLAN interfaces supported on VM-300 in AWS?

BPry — Fri, 18 Sep 2020 04:41:08 GMT

@pmchenry,

You are correct, this is a known limitation within AWS. The only interface type that you are allowed is layer3, and VLAN and subinterface isn't supported at all. There's really no way to workaround that issue that I'm aware of, at that point you would be having more of a design discussion about how the environment is being built out and isolated.

Re: Sub Interfaces or VLAN interfaces supported on VM-300 in AWS?

tostern — Fri, 18 Sep 2020 07:32:50 GMT

Hi @pmchenry

Yes, @BPry is correct we don't support sub-interfaces in Public Cloud for now. There is no workaround for this.

As already mentioned you should plan your design and to avoid this.

Regards,

Torsten

Re: Sub Interfaces or VLAN interfaces supported on VM-300 in AWS?

tostern — Tue, 29 Sep 2020 10:39:51 GMT

Hi @Welborn

i dont' understand the question. could you please explain what are you trying to do?

Regards,

Torsten

Re: Sub Interfaces or VLAN interfaces supported on VM-300 in AWS?

RDarcy — Tue, 23 Jan 2024 05:48:51 GMT

I am confused on the idea that Sub-Interfaces are not supported, I am following the Palo Alto AWS Design and Deployment documentation and very specifically they call for a Sub-Interface, here is the link for the Palo Alto published document and jump to page 79 section 3.8 titled "Add Private Sub-Interface". This blows my mind!
LINK: *Securing Application in AWS - Centralized Model Deployment Guide (paloaltonetworks.com)

Re: Sub Interfaces or VLAN interfaces supported on VM-300 in AWS?

mb_equate — Thu, 25 Jan 2024 06:41:46 GMT

@RDarcy you're replying to an old post when sub-interfaces were not supported. The design you're referring to leverages GWLB endpoint mapping, which allows you to associate traffic received by a GWLBe with a sub-interface and therefore security zone, however in the Central Design Model you can only separate Outbound from East/West as the chosen GWLBe is determined by the destination IP in the TGW attachment subnet's route table (good explanation at LIVEcommunity - Re: GWLB Sub-Interface - LIVEcommunity - 502945 (paloaltonetworks.com))

Note the sub-interfaces have no relation to VLANs, just the GWLB endpoint ID in the GENEVE header supplied by the GWLB to the firewall.

Re: Sub Interfaces or VLAN interfaces supported on VM-300 in AWS?

mb_equate — Thu, 25 Jan 2024 08:49:29 GMT

I would also recommend reading the relevant Design Guide (Securing Applications in AWS - Design Guide - Palo Alto Networks) as it explains the use of subinterfaces with AWS GWLB.