topic Re: VPN to AWS with BGP in General Topics

VPN to AWS with BGP

mnashe — Tue, 19 Jul 2022 16:12:14 GMT

Hello,

I have 3 locations that I need to create VPNs to AWS for. Each location is dual ISP using PBF. Since AWS uses 2 tunnels each VPN connection, seems there will be 4 total tunnels per location (2 per ISP). My initial thought was to use static routing but I'd like to avoid any asymmetric routing from AWS. In these locations, we are using static routing from the palo alto firewalls to each site's core switch. I have some BGP knowledge but never needed to configure on PAN before.

Here's a little about my 2 of my locations setup

Site A Core SW has the following subnets 10.10.10.0/24, 10.10.11.0/24, 10.10.13.0/24 - 10.10.20.0/24, default route with next-hop of FW.'s trust interface. In FW's default virtual router, there is a static route for 10.10.0.0/16 with a next-hop of Core SW IP and a default route 0.0.0.0/0 next hop of ISP2's DG

Site B Core SW has the following subnets 10.10.50.0/24, 10.10.55.0/24, 10.10.60.0/24 - 10.10.70.0/24, default route with next-hop of FW.'s trust interface. In FW's default virtual router, there is a static route for 10.10.0.0/16 with a next-hop of Core SW IP and a default route 0.0.0.0/0 next hop of ISP2's DG

If I were to build the tunnels to AWS with BGP, my first questions are

can I use the default virtual router or do/should I create a new virtual router and add the tunnel interfaces to that VR?
How do I advertise each individuals site's network to AWS using BGP? Since 2 sites have a static route on the FW pointing to the same subnet range 10.10.0.0/16, I can redistribute that static route to AWS, since AWS will not know which tunnel to use for specific subnet. I also don't want to advertise the default route to AWS. On the individual firewalls do I need to remove the 10.10.0.0/16 and add static routes for each of the subnets or is there a better way to do this?

Re: VPN to AWS with BGP

mnashe — Thu, 21 Jul 2022 01:22:18 GMT

anyone have advice on this?

Re: VPN to AWS with BGP

LCMember4417 — Fri, 22 Jul 2022 04:29:40 GMT

Funny I just completed making this connection to our AWS instance using BGP. As of now created a zone and assigned to AWS tunnel interface in the default routing instance. Two thing I have done with BGP configuration.

Create a import rule so that I only import AWS subnets that I want into the table. This can be done by going into Virtual router>VR where tunnel inet is assigned>BGP>import. Here create new rule and under match>Address prefix add the subnet you would like to import from AWS and under Peer select the peer this routes would come from. Rest of the setting would be default.
Create a redist rules under BGP>Redist Rules and specific the subnets or subnet you will like to advertise into AWS. You dont have to modify any metric or preference if you dont need them.

I also enabled Asymetric routing on this zone since AWS recommends having two tunnels using Zone protection profile created specific for this zone and disabled "Reject non-syn tcp" and applied to the zone. It has been working so for. If you have additional question please let me know.

Re: VPN to AWS with BGP

mnashe — Fri, 22 Jul 2022 14:51:13 GMT

hi @LCMember4417

Thanks for getting back to me. You used your existing virtual router for this or created a new VR.

For the redistribution profile, wouldn't the specific routes need to be in the routing table to redistribute them? Meaning, under source type, would I have to select "static" and then in destination, add the specific subnets to advertise? If so, the problem is I don't have specific static routes for those /24 subnets, since my static route is less specific (10.10.0.0/16).

Re: VPN to AWS with BGP

LCMember4417 — Fri, 22 Jul 2022 21:53:21 GMT

I didn't create a new VR. I didn't use the "redistribution profile" I used "import" and "Redist Rules" under BGP. I have static routes on the VR so I felt "redistribution profile" was not suitable for me so I used "Redist Rules" which allow you to specify your own subnet you want to advertise to AWS.

Also this subnets are aggregates of the static routes I have on the firewall. You can advertise any subnet here but firewall needs to know how to route them properly when traffic comes from AWS to this subnet.

I hope this clarifies things.

Re: VPN to AWS with BGP

mnashe — Wed, 27 Jul 2022 01:29:35 GMT

@LCMember4417

Tested this in lab and worked as expected. I didn't realize the Export tab in Palo Alto only works if the route is learned through BGP.