
AWS VM-Series Firewall Bootstrap with VPC Endpoints

by mlue on ‎09-08-2016 08:16 AM - edited on ‎10-13-2016 03:44 PM by Community Manager (862 Views)

VPC endpoints and the VM-Series firewall

VPC Endpoints is an AWS feature that lets you create a private connection between a VPC and other AWS services without going over the internet. With this feature, the VM-Series firewall can retrieve its bootstrap configuration files from the S3 bucket without attaching an EIP to the management interface or creating a NAT gateway to provide an internet connection for the management interface.

 

Configure and Enable VPC Endpoint for S3 Service

 

Log in to the AWS console.  Select the region where your VPC resides.

Screen Shot 2016-09-07 at 9.51.59 AM.png

 

Go to your VPC and make sure "DNS resolution" is enabled (set to yes).

NOTE: VPC Endpoints will not work if DNS resolution is disabled.

2016-09-08_vpc1.png

 

We need to create a new S3 bucket that is in the same region as the VPC.  You cannot create an endpoint for a service in a different region.

 

Under the AWS console, go to S3 and create a new S3 bucket. Make sure the region selected for the S3 bucket matches the region of the VPC you are creating the endpoint for. Once the S3 bucket is created successfully, configure the S3 bucket for bootstrap. You can follow the instructions here.

 

2016-09-08_vpc2.png

 

When the S3 bucket is ready, go to your VPC and select Endpoints from the VPC Dashboard.

2016-09-08_vpc3.png

 

Click on the "Create Endpoint" button.  Select the VPC you are creating the endpoint for and select the S3 service from the Service dropdown menu.  Set the policy to "Full Access" and click on the "Next Step" button to continue.

Screen Shot 2016-09-07 at 10.15.13 AM.png

Select the management route table and click on the "Create Endpoint" button to complete the process. The management route table is the route table associated with the management subnet you created for your VPC.

 

2016-09-08_vpc4.png

 

The new endpoint should be listed under your VPC -> Endpoints once it is created successfully.

Screen Shot 2016-09-07 at 10.20.53 AM.png

 

The endpoint route should be added automatically to your management route table.

2016-09-08_vpc5.png

 

Give AWS a few minutes to propagate the new endpoint. The VM-Series firewall can now connect to the S3 bucket and retrieve the bootstrap configuration files over the private network.
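The "Full Access" endpoint policy chosen above allows any instance in the management subnet to reach any S3 bucket through the endpoint. The following added example (not code from the original article or from Palo Alto Networks) shows that default policy beside a scoped replacement that only allows the read-only calls bootstrap needs on one bucket, plus a bucket policy that refuses requests not arriving through the endpoint. The bucket name and endpoint id are constructed placeholders.

```python
import json

# Added example; not code from the original article. The bucket name and
# endpoint id are constructed placeholders, not values from the page.
BOOTSTRAP_BUCKET = "vmseries-bootstrap-example"
ENDPOINT_ID = "vpce-0123456789abcdef0"

# The console's "Full Access" choice: any principal, any S3 action, any bucket.
FULL_ACCESS_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def is_full_access(policy):
    """True if an Allow statement grants all S3 actions on all resources."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        acts, res = _as_list(st.get("Action")), _as_list(st.get("Resource"))
        if ("*" in acts or "s3:*" in acts) and "*" in res:
            return True
    return False


def scoped_endpoint_policy(bucket):
    """Endpoint policy limited to the read-only calls bootstrap needs."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def endpoint_only_bucket_policy(bucket, vpce_id):
    """Bucket policy that denies any request not arriving via the endpoint."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
         "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}}}]}


if __name__ == "__main__":
    print(json.dumps(scoped_endpoint_policy(BOOTSTRAP_BUCKET), indent=2))
    print(json.dumps(endpoint_only_bucket_policy(BOOTSTRAP_BUCKET, ENDPOINT_ID), indent=2))
```

The Deny bucket policy also blocks your own uploads from outside the VPC, so apply it only after the bootstrap files are in place or add an exception for the administrator role that manages the bucket. The firewall's IAM instance role still needs its own s3:ListBucket and s3:GetObject permissions; the endpoint policy narrows access but does not grant it.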

 

See also

AWS VPC Endpoints Documentation

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html

 

Bootstrap Palo Alto VM-Series firewall in AWS

https://www.paloaltonetworks.com/documentation/71/virtualization/virtualization/bootstrap-the-vm-ser...
