AWS VM-Series Firewall Bootstrap with VPC Endpoints

by mlue on 09-08-2016 08:16 AM - edited on 07-21-2017 01:57 PM by (2,446 Views)

VPC Endpoints and the Palo Alto Networks VM-Series firewall

VPC Endpoints is a feature provided by AWS that enables users to create a private connection between a VPC and other AWS services without an internet connection.  With this feature, the VM-Series firewall can retrieve its bootstrap configuration files from the S3 bucket without attaching an EIP to the management interface or creating a NAT gateway to provide an internet connection for the management interface.

Configure and Enable VPC Endpoint for S3 Service

Log in to the AWS console.  Select the region where your VPC resides.

Go to your VPC and make sure "DNS resolution" is enabled (set to yes).

NOTE: VPC Endpoints will not work if DNS resolution is disabled.

We need to create a new S3 bucket that is in the same region as the VPC.  You cannot create an endpoint for a service in a different region.

Under the AWS console, go to S3 and create a new S3 bucket.  Make sure the region selected for the S3 bucket matches the region of the VPC you are creating the endpoint for.  Once the S3 bucket is created successfully, configure the S3 bucket for bootstrap.  You can follow the instructions here.

 

When the S3 bucket is ready, go to your VPC and select Endpoints from the VPC Dashboard.

Click on the "Create Endpoint" button.  Select the VPC you are creating the endpoint for and select the S3 service from the Service dropdown menu.  Set the policy to "Full Access" and click on the "Next Step" button to continue.

Select the management route table and click on the "Create Endpoint" button to complete the process.  The management route table is the route table associated with the management subnet you created for your VPC.

Note: When deploying the firewall.template into an existing VPC, you must use the Untrust route table for the firewalls to bootstrap prior to the interface swap.

The new endpoint should be listed under your VPC -> Endpoints once it is created successfully.

The endpoint route should be added automatically to your management route table.

Give AWS a few minutes to update their system for the new endpoint.  The VM-Series firewall can now connect to the S3 bucket and retrieve the bootstrap configuration files over the private network.
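Before launching the firewall, it is worth confirming from the API that every prerequisite above is actually in place: DNS resolution on, an available S3 endpoint in the bucket's region, the management route table associated with it, and the prefix-list route present.  The following Python preflight check is an added example, not part of the original article or of any Palo Alto Networks tooling; it works on the JSON shapes returned by `aws ec2 describe-vpc-attribute`, `describe-vpc-endpoints` and `describe-route-tables`, with constructed sample responses and made-up IDs embedded inline so it runs offline.

```python
# Constructed sample responses, shaped like the JSON the AWS CLI returns for
# `describe-vpc-attribute --attribute enableDnsSupport`, `describe-vpc-endpoints`
# and `describe-route-tables`.  Every ID below is made up for this example.
SAMPLE_VPC_ATTR = {"VpcId": "vpc-0a1b2c3d", "EnableDnsSupport": {"Value": True}}
SAMPLE_ENDPOINTS = {"VpcEndpoints": [{
    "VpcEndpointId": "vpce-11112222", "VpcId": "vpc-0a1b2c3d",
    "ServiceName": "com.amazonaws.us-west-2.s3", "State": "available",
    "RouteTableIds": ["rtb-mgmt0001"],
}]}
SAMPLE_ROUTE_TABLES = {"RouteTables": [{
    "RouteTableId": "rtb-mgmt0001",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": "pl-00000000", "GatewayId": "vpce-11112222", "State": "active"},
    ],
}]}


def check_bootstrap_path(vpc_attr, endpoints, route_tables, bucket_region, mgmt_rtb_id):
    """Return the list of problems that would stop the firewall from reaching the
    bootstrap bucket privately; an empty list means the endpoint path is in place."""
    problems = []
    # First prerequisite from the article: VPC DNS resolution must be enabled.
    if not vpc_attr.get("EnableDnsSupport", {}).get("Value"):
        problems.append("VPC DNS resolution is disabled")
    # Look for an S3 endpoint that belongs to this VPC.
    s3_eps = [e for e in endpoints["VpcEndpoints"]
              if e["VpcId"] == vpc_attr["VpcId"] and e["ServiceName"].endswith(".s3")]
    if not s3_eps:
        problems.append("no S3 endpoint exists in the VPC")
        return problems
    ep = s3_eps[0]
    # The service name carries the region; it must match the bucket's region.
    ep_region = ep["ServiceName"].split(".")[2]
    if ep_region != bucket_region:
        problems.append(f"endpoint region {ep_region} != bucket region {bucket_region}")
    if ep["State"] != "available":
        problems.append(f"endpoint state is {ep['State']}")
    if mgmt_rtb_id not in ep["RouteTableIds"]:
        problems.append(f"endpoint is not associated with {mgmt_rtb_id}")
    # The association should have added an active prefix-list route via the endpoint.
    rtb = next((r for r in route_tables["RouteTables"] if r["RouteTableId"] == mgmt_rtb_id), None)
    routes = rtb["Routes"] if rtb else []
    if not any(r.get("DestinationPrefixListId") and r.get("GatewayId") == ep["VpcEndpointId"]
               and r.get("State") == "active" for r in routes):
        problems.append(f"{mgmt_rtb_id} has no active prefix-list route to {ep['VpcEndpointId']}")
    return problems


if __name__ == "__main__":
    print(check_bootstrap_path(SAMPLE_VPC_ATTR, SAMPLE_ENDPOINTS, SAMPLE_ROUTE_TABLES,
                               "us-west-2", "rtb-mgmt0001"))
```

Feed it the real CLI output for your VPC (and the Untrust route table ID when bootstrapping through firewall.template, per the note above) and any non-empty result names the step to go back to.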

See also

AWS VPC Endpoints Documentation

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html

Bootstrap Palo Alto VM-Series firewall in AWS

https://www.paloaltonetworks.com/documentation/71/virtualization/virtualization/bootstrap-the-vm-ser...
