https://live.paloaltonetworks.com/t5/general-topics/how-to-create-acls-for-access-to-aws-workspaces-edls-don-t-cover/m-p/999908#M122693 <P>I need to create ACLs for outbound access to AWS workspaces using the destination IPs / subnets / FQDNs shown on AWS publication&nbsp;<A href="https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-port-requirements.html#ip-address-regions" target="_blank">https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-port-requirements.html#ip-address-regions</A>.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>PAN publishes an EDL for AWS workspace, but it only contains a handful of IPs.&nbsp; Some of the IPs listed in the above URL is not found even in the AWS US ALL IP EDL.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I suppose the next best thing is to create ACL using static IPs and FQDNs, but some of the FQDNs are wildcards.&nbsp; How would you create rules with these as destinations?</P> <P>&nbsp;</P> <P><SPAN>https://&lt;directory id&gt;.awsapps.com/ (where &lt;directory id&gt; is the customer's domain)</SPAN></P> <P>&nbsp;</P> <P>turn:*.us-west-2.rdn.amazonaws.com</P> <P>&nbsp;</P> <P>*.prod.us-west-2.highlander.aws.a2z.com</P> Tue, 31 Dec 2024 19:44:48 GMT Commander_JB 2024-12-31T19:44:48Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-acls-for-access-to-aws-workspaces-edls-don-t-cover/m-p/999908#M122693 <P>I need to create ACLs for outbound access to AWS workspaces using the destination IPs / subnets / FQDNs shown on AWS publication&nbsp;<A href="https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-port-requirements.html#ip-address-regions" target="_blank">https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-port-requirements.html#ip-address-regions</A>.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>PAN publishes an EDL for AWS workspace, but it only contains a handful of IPs.&nbsp; Some of the IPs listed in the above URL is not found even in the AWS US ALL IP EDL.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I suppose the next best thing is to create ACL using static IPs and FQDNs, but some of the FQDNs are wildcards.&nbsp; How would you create rules with these as destinations?</P> <P>&nbsp;</P> <P><SPAN>https://&lt;directory id&gt;.awsapps.com/ (where &lt;directory id&gt; is the customer's domain)</SPAN></P> <P>&nbsp;</P> <P>turn:*.us-west-2.rdn.amazonaws.com</P> <P>&nbsp;</P> <P>*.prod.us-west-2.highlander.aws.a2z.com</P> Tue, 31 Dec 2024 19:44:48 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-acls-for-access-to-aws-workspaces-edls-don-t-cover/m-p/999908#M122693 Commander_JB 2024-12-31T19:44:48Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-acls-for-access-to-aws-workspaces-edls-don-t-cover/m-p/1000007#M122715 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/196270">@Commander_JB</a>&nbsp;,</P> <P>&nbsp;</P> <P>For the wildcards, I would test out creating a separate policy that enforces a custom url category that includes all the wildcard domains you need for workspaces. Here is a KB on <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM79CAE&amp;lang=en_US%E2%80%A9" target="_self">examples of using wildcards</A>.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 02 Jan 2025 23:10:57 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-acls-for-access-to-aws-workspaces-edls-don-t-cover/m-p/1000007#M122715 JayGolf 2025-01-02T23:10:57Z