VPC Endpoints is an AWS feature that lets users create a private connection between a VPC and other AWS services without an internet connection. With this feature, the VM-Series firewall can retrieve bootstrap configuration files from the S3 bucket without attaching an EIP to the management interface or creating a NAT gateway to provide an internet connection for the management interface.
Configure and Enable VPC Endpoint for S3 Service
Log in to the AWS console. Select the region where your VPC resides.
Go to your VPC and make sure "DNS resolution" is enabled (yes).
NOTE: VPC Endpoints will not work if DNS resolution is disabled.
We need to create a new S3 bucket that is in the same region as the VPC. You cannot create an endpoint for a service in a different region.
Under the AWS console, go to S3 and create a new S3 bucket. Make sure the region selected for the S3 bucket matches the region of the VPC you are creating the endpoint for. Once the S3 bucket is created successfully, configure the S3 bucket for bootstrap. You can follow the instructions here.
When the S3 bucket is ready, go to your VPC and select Endpoints from the VPC Dashboard.
Click on the "Create Endpoint" button. Select the VPC you are creating the endpoint for and select the S3 service from the Service dropdown menu. Set the policy to "Full Access" and click on the "Next Step" button to continue.
Select the management route table and click on the "Create Endpoint" button to complete the process. The management route table is the route table associated with the management subnet you created for your VPC.
The new endpoint should be listed under your VPC -> Endpoints once it is created successfully.
The endpoint route should be added automatically to your management route table.
Give AWS a few minutes to update their system for the new endpoint. The VM-Series firewall can now connect to the S3 bucket and retrieve the bootstrap configuration files over the private network.
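The prerequisites from the steps above (DNS resolution enabled, bucket in the VPC's region, S3 endpoint attached to the management route table) can be checked from AWS CLI output instead of the console. The following is an added example, not part of the original article or any Palo Alto Networks tooling; it assumes the JSON was collected with `aws ec2 describe-vpc-attribute`, `aws s3api get-bucket-location` and `aws ec2 describe-vpc-endpoints`, and every ID in the samples is a constructed placeholder.

```python
import json

# Constructed sample outputs, shaped like the JSON the AWS CLI returns for
# `aws ec2 describe-vpc-attribute --attribute enableDnsSupport`,
# `aws s3api get-bucket-location` and `aws ec2 describe-vpc-endpoints`.
# All IDs are placeholders, not values from the article.
SAMPLE_DNS = json.loads('{"VpcId": "vpc-EXAMPLE", "EnableDnsSupport": {"Value": true}}')
SAMPLE_BUCKET = json.loads('{"LocationConstraint": "us-west-2"}')
SAMPLE_ENDPOINTS = json.loads('''{"VpcEndpoints": [{
  "VpcEndpointId": "vpce-EXAMPLE", "VpcId": "vpc-EXAMPLE",
  "ServiceName": "com.amazonaws.us-west-2.s3", "State": "available",
  "RouteTableIds": ["rtb-MGMT-EXAMPLE"]}]}''')


def bucket_region(location):
    """get-bucket-location reports null for us-east-1 and 'EU' for eu-west-1."""
    constraint = location.get("LocationConstraint")
    return {None: "us-east-1", "EU": "eu-west-1"}.get(constraint, constraint)


def check_s3_endpoint(vpc_id, vpc_region, mgmt_rtb, dns, location, endpoints):
    """Return a list of problems; an empty list means every prerequisite holds."""
    problems = []
    # The article's NOTE: endpoints do not work with DNS resolution disabled.
    if not dns.get("EnableDnsSupport", {}).get("Value", False):
        problems.append("DNS resolution is disabled on the VPC")
    # An endpoint cannot be created for a service in a different region.
    if bucket_region(location) != vpc_region:
        problems.append("bootstrap bucket is in %s, VPC is in %s"
                        % (bucket_region(location), vpc_region))
    wanted = "com.amazonaws.%s.s3" % vpc_region
    s3_eps = [e for e in endpoints.get("VpcEndpoints", [])
              if e.get("VpcId") == vpc_id and e.get("ServiceName") == wanted]
    if not s3_eps:
        problems.append("no S3 endpoint (%s) exists in %s" % (wanted, vpc_id))
    # The endpoint must be usable and attached to the management route table.
    elif not any(e.get("State", "").lower() == "available"
                 and mgmt_rtb in e.get("RouteTableIds", []) for e in s3_eps):
        problems.append("no available S3 endpoint is associated with " + mgmt_rtb)
    return problems


if __name__ == "__main__":
    result = check_s3_endpoint("vpc-EXAMPLE", "us-west-2", "rtb-MGMT-EXAMPLE",
                               SAMPLE_DNS, SAMPLE_BUCKET, SAMPLE_ENDPOINTS)
    print("\n".join(result) if result else "all checks passed")
```

An empty result means the management interface has a private path to the bucket; any listed problem corresponds to one of the steps above that needs to be revisited.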
AWS VPC Endpoints Documentation
Bootstrap Palo Alto VM-Series firewall in AWS