AWS VM-Series Firewall Bootstrap with VPC Endpoints

by mlue on 09-08-2016 08:16 AM - edited on 07-21-2017 01:57 PM

VPC Endpoints and the Palo Alto Networks VM-Series firewall

VPC Endpoints is an AWS feature that lets you create a private connection between a VPC and supported AWS services without traversing the internet.  With a VPC endpoint for S3, the VM-Series firewall can retrieve its bootstrap configuration files from an S3 bucket without attaching an Elastic IP (EIP) to the management interface or creating a NAT gateway to provide an internet connection for the management interface.  The management subnet therefore never needs a route to or from the internet just to bootstrap, which keeps the firewall's management plane off the public network from the moment it boots.


Configure and Enable VPC Endpoint for S3 Service


Log in to the AWS console.  Select the region where your VPC resides.



Go to your VPC and make sure "DNS resolution" is enabled (yes).

NOTE: The S3 endpoint will not work if DNS resolution is disabled.  The firewall must first resolve the S3 service hostname to an address in the S3 prefix list before the endpoint route can carry the request.



Create a new S3 bucket in the same region as the VPC.  A gateway endpoint only reaches the service in its own region, so you cannot create an endpoint for a service in a different region and a bucket elsewhere will not be reachable through it.


Under the AWS console, go to S3 and create a new S3 bucket.  Make sure the region selected for the S3 bucket matches the region of the VPC you are creating the endpoint for.  Once the S3 bucket is created successfully, configure the S3 bucket for bootstrap.  You can follow the instructions here.  Remember that the endpoint only provides the network path: the firewall instance still needs permission to read the bucket (through the IAM role attached to the instance), so grant that role read access to this bucket rather than to all of S3.




When the S3 bucket is ready, go to your VPC and select Endpoints from the VPC Dashboard.



Click on the "Create Endpoint" button.  Select the VPC you are creating the endpoint for and select the S3 service from the Service dropdown menu.  Set the policy to "Full Access" and click on the "Next Step" button to continue.  Note that "Full Access" lets any instance in the associated subnets reach any S3 bucket through the endpoint; if nothing else in the management subnet needs S3, a custom endpoint policy scoped to the bootstrap bucket is the least-privilege choice.

Screen Shot 2016-09-07 at 10.15.13 AM.png

Select the management route table and click on the "Create Endpoint" button to complete the process.  The management route table is the route table associated with the management subnet you created for your VPC.


*Note* When deploying firewall.template into an existing VPC, you must use the Untrust route table so the firewalls can bootstrap prior to the interface swap.


The new endpoint should be listed under your VPC -> Endpoints once it is created successfully.



A route for the S3 prefix list (pl-xxxxxxxx) with the new endpoint (vpce-xxxxxxxx) as its target is added automatically to your management route table.  If that route is missing, check that you selected the correct route table when creating the endpoint.



Allow AWS a few minutes to propagate the new endpoint.  The VM-Series firewall can then connect to the S3 bucket and retrieve the bootstrap configuration files over the private AWS network, with no EIP, NAT gateway, or internet gateway route on the management subnet.
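The steps above leave the endpoint policy at "Full Access" and say nothing about who may read the bucket.  The following Python is an added example, not code from this article or from Palo Alto Networks, showing the two least-privilege policies a practitioner would pair with this setup: an endpoint policy scoped to the bootstrap bucket, and a bucket policy that lets only the firewall's IAM role read the bucket and denies any request that does not arrive through the endpoint.  A small evaluator checks both documents against sample requests so the behaviour can be verified offline before anything is applied.  The bucket name, endpoint ID, account ID and role name are placeholder assumptions; the bootstrap folder names are the layout documented for VM-Series bootstrapping.

```python
"""Least-privilege policies for bootstrapping a VM-Series firewall from S3
through a VPC gateway endpoint.  Example code, not from the original article."""
import fnmatch
import json

# Assumed placeholder identifiers (not real resources).
BUCKET = "vmseries-bootstrap-example"
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"
FIREWALL_ROLE_ARN = "arn:aws:iam::123456789012:role/vmseries-bootstrap"
BOOTSTRAP_FOLDERS = ("config", "content", "license", "software")  # VM-Series bootstrap layout


def endpoint_policy(bucket):
    """Endpoint policy alternative to 'Full Access': read-only, one bucket."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "BootstrapBucketReadOnly", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [arn, arn + "/*"]}]}


def bucket_policy(bucket, vpce_id, role_arn):
    """Bucket policy: the firewall role may read; anything not via the endpoint is denied."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "FirewallReadsBootstrap", "Effect": "Allow", "Principal": {"AWS": role_arn},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [arn, arn + "/*"]},
        {"Sid": "DenyOutsideEndpoint", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, arn + "/*"],
         "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}}}]}


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') over a string or list of patterns."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", "*")
    return principal == "*" or _matches(principal.get("AWS", []), principal_arn)


def _condition_matches(stmt, context):
    """Supports StringEquals / StringNotEquals; a missing key satisfies the negated operator,
    which is how IAM treats aws:sourceVpce on a request that did not use any endpoint."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else expected
            actual = context.get(key)
            if operator == "StringEquals" and (actual is None or actual not in expected):
                return False
            if operator == "StringNotEquals" and actual is not None and actual in expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported operator {operator}")
    return True


def request_allowed(policy, principal_arn, action, resource, source_vpce=None):
    """Minimal evaluator: an explicit Deny always wins, otherwise an Allow must match."""
    context = {"aws:sourceVpce": source_vpce} if source_vpce else {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt, principal_arn) and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource) and _condition_matches(stmt, context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def bootstrap_object_arns(bucket):
    """Object ARNs for the top of each bootstrap folder, handy for spot-checking a policy."""
    return [f"arn:aws:s3:::{bucket}/{folder}/" for folder in BOOTSTRAP_FOLDERS]


if __name__ == "__main__":
    print(json.dumps(endpoint_policy(BUCKET), indent=2))
    print(json.dumps(bucket_policy(BUCKET, VPC_ENDPOINT_ID, FIREWALL_ROLE_ARN), indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/config/bootstrap.xml"
    pol = bucket_policy(BUCKET, VPC_ENDPOINT_ID, FIREWALL_ROLE_ARN)
    print("firewall via endpoint:", request_allowed(pol, FIREWALL_ROLE_ARN, "s3:GetObject", obj, VPC_ENDPOINT_ID))
    print("firewall via internet:", request_allowed(pol, FIREWALL_ROLE_ARN, "s3:GetObject", obj))
```

The endpoint policy can be passed to `aws ec2 create-vpc-endpoint --policy-document file://endpoint.json` in place of the console's "Full Access" choice, and the bucket policy to `aws s3api put-bucket-policy --bucket <bucket> --policy file://bucket.json`.  Two caveats: scoping the endpoint policy to one bucket breaks any other S3 use by instances in the same route table (for example package repositories hosted on S3), and the explicit Deny also locks out administrators who upload the bootstrap files from outside the VPC, so either stage the files before applying it or exempt an administrative principal in the Deny statement.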


See also

AWS VPC Endpoints Documentation


Bootstrap Palo Alto VM-Series firewall in AWS
