AWS / Multiple subnets across multiple AZs - Multiple NICS?

L0 Member


Very new to VM-300 and PA, deploying it in AWS with 2 availability zones.

 

We'd like to have 3 private subnets in each AZ - DMZ, application, and data, as well as a public subnet for the EIP interface.  Ideally all traffic between subnets would flow through the VM-300, but this doesn't seem possible to us without multiple NICs, one per subnet.  Is that accurate?

 

I'm trying to understand what best practices are with this architecture.  Should we simply call public untrust and everything else trusted, and then just have one NIC in each, or is there a way that we can have all traffic between the subnets, or at least between the DMZ and others transit the VM-300?

 

The limitation of course on NICs is cost - the instances with 8 network interfaces are prohibitively expensive for a firewall.

 

Any suggestions would be appreciated.

L2 Linker

Re: AWS / Multiple subnets across multiple AZs - Multiple NICS?

Hello,

In AWS the firewall needs to have an interface in the subnet for it to be able to see the traffic.

One other solution is to use a Transit VPC. This will be a centralized VPC with firewalls, and then other VPCs with various apps connect to this VPC to send data out (outbound protection), and you can also achieve inter-VPC security.

We are working on a fully automated solution and it should be released in the next few weeks.

You can contact your SE and have them set up a meeting with folks here at Palo Alto Networks and we'll be happy to give you an overview.
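As an added example (not code from this thread, from Palo Alto Networks or from AWS), here is a small Python model of AWS subnet route tables that shows why the original poster's "one untrust NIC plus one trust NIC" layout cannot see DMZ-to-app traffic inside a single VPC, and how the transit VPC design in the reply above changes that. It encodes two AWS routing rules stated here as assumptions: the implicit local route for the VPC CIDR wins by longest-prefix match and cannot be replaced, and routes more specific than the local route only became possible with a later AWS feature (2021, well after this thread), modelled by a flag. All CIDRs, ENI names and VGW names are hypothetical.

```python
"""Toy model of AWS subnet route tables, written to illustrate the
VM-Series placement question in this thread. Not AWS or Palo Alto code.

Assumptions (simplified on purpose):
  1. Every route table has an implicit 'local' route for the VPC CIDR;
     lookups are longest-prefix-match, so 'local' beats any default route.
  2. A route more specific than 'local' is rejected unless the table was
     created with allow_more_specific_than_local=True (a later AWS feature).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RouteTable:
    vpc_cidr: str
    allow_more_specific_than_local: bool = False
    routes: dict = field(default_factory=dict)  # normalized prefix -> target

    def __post_init__(self):
        self.routes[str(ipaddress.ip_network(self.vpc_cidr))] = "local"

    def add(self, prefix, target):
        local = ipaddress.ip_network(self.vpc_cidr)
        net = ipaddress.ip_network(prefix)
        if net == local:
            raise ValueError("the local route cannot be replaced")
        if net.subnet_of(local) and not self.allow_more_specific_than_local:
            raise ValueError("route more specific than local not permitted")
        self.routes[str(net)] = target

    def lookup(self, dst_ip):
        """Return the target of the longest matching prefix, or None."""
        ip = ipaddress.ip_address(dst_ip)
        matches = (ipaddress.ip_network(p) for p in self.routes
                   if ip in ipaddress.ip_network(p))
        best = max(matches, key=lambda n: n.prefixlen, default=None)
        return None if best is None else self.routes[str(best)]


def single_vpc_two_nics():
    """Poster's candidate design: one VPC (hypothetical 10.0.0.0/16), untrust
    NIC in the public subnet, one trust NIC (eni-fw-trust) in a private subnet.
    DMZ subnet route table sends everything at the firewall's trust ENI."""
    dmz_rt = RouteTable("10.0.0.0/16")
    dmz_rt.add("0.0.0.0/0", "eni-fw-trust")
    return {
        "dmz_to_internet": dmz_rt.lookup("198.51.100.7"),  # TEST-NET-2 host
        "dmz_to_app": dmz_rt.lookup("10.0.2.10"),          # app subnet host
    }


def can_add_intra_vpc_route(allow_more_specific):
    """Whether a /24 inside the VPC CIDR can be pointed at the firewall ENI."""
    rt = RouteTable("10.0.0.0/16",
                    allow_more_specific_than_local=allow_more_specific)
    try:
        rt.add("10.0.2.0/24", "eni-fw-trust")
        return True
    except ValueError:
        return False


def single_vpc_more_specific_route():
    """Same VPC once more-specific-than-local routes are allowed: DMZ->app
    is steered to the firewall, DMZ->data still falls through to 'local'
    until the data subnet gets a route of its own."""
    dmz_rt = RouteTable("10.0.0.0/16", allow_more_specific_than_local=True)
    dmz_rt.add("10.0.2.0/24", "eni-fw-trust")
    return {"dmz_to_app": dmz_rt.lookup("10.0.2.10"),
            "dmz_to_data": dmz_rt.lookup("10.0.3.10")}


def transit_vpc():
    """Transit VPC design from the reply: each tier is its own spoke VPC and
    every spoke's route table sends the other spokes and the internet to a
    hypothetical VGW (vgw-transit) that tunnels to the transit firewalls.
    Explicit spoke routes stand in for what BGP propagation would install."""
    spokes = {"dmz": "10.1.0.0/16", "app": "10.2.0.0/16", "data": "10.3.0.0/16"}
    tables = {}
    for name, cidr in spokes.items():
        rt = RouteTable(cidr)
        rt.add("0.0.0.0/0", "vgw-transit")
        for other in spokes.values():
            if other != cidr:
                rt.add(other, "vgw-transit")
        tables[name] = rt
    return {"dmz_to_app": tables["dmz"].lookup("10.2.0.10"),
            "dmz_to_dmz": tables["dmz"].lookup("10.1.5.10"),
            "app_to_internet": tables["app"].lookup("198.51.100.7")}


if __name__ == "__main__":
    print("single VPC, two NICs:", single_vpc_two_nics())
    print("intra-VPC route allowed (classic / later):",
          can_add_intra_vpc_route(False), can_add_intra_vpc_route(True))
    print("single VPC, specific route:", single_vpc_more_specific_route())
    print("transit VPC:", transit_vpc())
```

The first result is the one that answers the question as asked: with only a trust and an untrust interface, DMZ-to-app traffic resolves to `local` and never reaches the firewall, whatever the default route says, so inter-subnet inspection inside one VPC needs the firewall on the path of each subnet pair (an interface per subnet at the time of this thread). Splitting the tiers into spoke VPCs behind a transit VPC makes every cross-tier flow a cross-VPC flow that the spoke's routes can send to the firewalls, while traffic within a spoke stays local.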

 

 

L0 Member

Re: AWS / Multiple subnets across multiple AZs - Multiple NICS?

 


@niyengar wrote:

Hello,

In AWS the firewall needs to have an interface in the subnet for it to be able to see the traffic.

One other solution is to use a Transit VPC. This will be a centralized VPC with firewalls, and then other VPCs with various apps connect to this VPC to send data out (outbound protection), and you can also achieve inter-VPC security.

We are working on a fully automated solution and it should be released in the next few weeks.

You can contact your SE and have them set up a meeting with folks here at Palo Alto Networks and we'll be happy to give you an overview.

 

 


Great... sounds intriguing.  I submitted a request online but haven't heard.

 

Is there an easier way to identify the SE that would handle our account?

L2 Linker

Re: AWS / Multiple subnets across multiple AZs - Multiple NICS?

What company do you represent? 

If you don't want to advertise here, you can unicast me at niyengar[at]paloaltonetworks[dot]com
