Building/Updating IPsec Tunnels Dynamically

L2 Linker

Hi,

We have roughly 30-40 VPN tunnels built to AWS from on-prem, each being used by a different business unit for development. What happens, though, is that during their process they are forced to blow away their EC2 instance and create a new one. AWS then assigns new public IPs to them. Is there any way for us to pull that information in and have our PANs update dynamically for the IPsec peer address? Right now we manually update them, which is very time consuming.

The only thing I've thought of, but haven't explored too much, is assigning each VPN tunnel a DNS record and having an external vendor or AWS provide the updated IP, using FQDN on our PANs.

Palo Alto Networks Guru

Re: Building/Updating IPsec Tunnels Dynamically

Your DNS idea should work. Another option is to create an address object that gets updated via our API when there is a change, but I think the DNS option is cleaner.

Or, better yet, can you change the EC2 instance to use an EIP? When the EC2 instance gets blown away, the EIP gets disassociated but not released. Then you can re-associate the same EIP to the new EC2 instance, and the firewall config won't need to change at all.
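The API option from the reply above, as an added example that is not from the thread or from Palo Alto Networks: a small Python script that writes the new EC2 public IP into a PAN-OS address object through the XML API and then commits. It assumes the IKE gateway's peer address references that address object; the firewall hostname, object name, vsys and API key are placeholders you supply.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import urlopen

# Placeholders (assumptions, not from the thread): firewall hostname and vsys.
FIREWALL = "firewall.example.internal"
VSYS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']")
# A peer address must never land inside our own or a non-routable range;
# the value comes from AWS, so it is validated before it reaches the config.
NON_PEER_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def set_params(obj_name: str, new_ip: str) -> dict:
    """Query parameters for a config 'set' that rewrites the address object."""
    ip = ipaddress.ip_address(new_ip)
    if ip.version != 4 or any(ip in net for net in NON_PEER_NETS):
        raise ValueError(f"refusing unusable peer address {new_ip}")
    return {
        "type": "config",
        "action": "set",
        "xpath": f"{VSYS_XPATH}/address/entry[@name='{obj_name}']",
        "element": f"<ip-netmask>{ip}/32</ip-netmask>",
    }

def parse_status(xml_text: str) -> str:
    """Status of a PAN-OS API <response>; raise with its message unless success."""
    root = ET.fromstring(xml_text)
    status = root.get("status", "")
    if status != "success":
        raise RuntimeError(f"API call failed ({status}): {' '.join(root.itertext()).strip()}")
    return status

def api_call(params: dict, api_key: str) -> str:
    """One XML API request over HTTPS; the firewall's certificate must chain
    to a CA this host trusts (verification is deliberately left on)."""
    query = urlencode({**params, "key": api_key})
    with urlopen(f"https://{FIREWALL}/api/?{query}", timeout=30) as resp:
        return resp.read().decode()

def update_peer(obj_name: str, new_ip: str, api_key: str) -> None:
    """Write the new IP into the address object, then commit so the IKE
    gateway that references the object picks up the new peer address."""
    parse_status(api_call(set_params(obj_name, new_ip), api_key))
    parse_status(api_call({"type": "commit", "cmd": "<commit></commit>"}, api_key))
```

Call update_peer(object_name, new_public_ip, api_key) from whatever hook runs when the instance is rebuilt, and keep the API key scoped to a role that can only edit address objects and commit.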
