Looking to egress AWS VPC traffic to GlobalProtect Cloud Services, if that's even possible. Anyone have experience or tried doing this?
NOTE: GlobalProtect Cloud Service has changed to Prisma Access.
You should be able to form a VPN between AWS VPC and Global Protect Cloud.
Are you trying a VPN connection with AWS VPN Gateway, or do you have a VPN-capable device (Palo Alto EC2 instance, for example) in your VPC?
Thanks for the response. I'm trying to VPN between the AWS VPN gateway and the Global Protect cloud. Just not sure of the configuration for this and if it's even possible?
Yes, you should be able to configure a VPN between GPCS Cloud and AWS VPN.
1. Create a Customer Gateway (Amazon) pointing to the GPCS Cloud public IP.
2. In the VPN Connection (Amazon), specify static routes for the Mobile VPN/Remote VPN subnet as well as the Infrastructure subnet in GP cloud.
3. In GPCS all configuration should be the same as for any other VPN: specify the Amazon VPC as the remote subnet, and in tunnel monitor specify the 169.X.X.X IP address given by Amazon (this can be viewed once you click Download configuration).
Also, one thing to take note of: the encryption and authentication settings are visible in the downloaded configuration from Amazon, and you will have to replicate them in GPCS.
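Step 3 and the note above both point at the configuration file AWS lets you download for the VPN connection: the tunnel-monitor address, the pre-shared key and the IKE/IPsec proposals all come from it. The script below is an added example, not code from the thread or from Palo Alto Networks; it parses a constructed sample modeled on the layout of the text ("generic vendor") export and pulls out, per tunnel, exactly the values that have to be entered on the GPCS side. The sample addresses, keys and algorithms are placeholders (the two tunnels are deliberately given different proposals to exercise the legacy-algorithm check), and a real export may differ in wording, so adapt the regular expressions to what you actually download.

```python
import re

# Constructed sample modeled on the AWS Site-to-Site VPN text export. Placeholder
# values only; the second tunnel is given stronger proposals on purpose.
SAMPLE_AWS_CONFIG = """\
! IPSec Tunnel #1
! #1: Internet Key Exchange (IKE) Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : EXAMPLE-psk-tunnel-1
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
! #2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
! #3: Tunnel Interface Configuration
  Outside IP Addresses:
    - Customer Gateway        : 203.0.113.10
    - Virtual Private Gateway : 198.51.100.20
  Inside IP Addresses
    - Customer Gateway        : 169.254.10.2/30
    - Virtual Private Gateway : 169.254.10.1/30
! IPSec Tunnel #2
! #1: Internet Key Exchange (IKE) Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : EXAMPLE-psk-tunnel-2
  - Authentication Algorithm : sha2-256
  - Encryption Algorithm     : aes-256-cbc
  - Lifetime                 : 28800 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 14
! #2: IPSec Configuration
  - Authentication Algorithm : hmac-sha2-256
  - Encryption Algorithm     : aes-256-cbc
  - Lifetime                 : 3600 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 14
! #3: Tunnel Interface Configuration
  Outside IP Addresses:
    - Customer Gateway        : 203.0.113.10
    - Virtual Private Gateway : 198.51.100.21
  Inside IP Addresses
    - Customer Gateway        : 169.254.11.2/30
    - Virtual Private Gateway : 169.254.11.1/30
"""

TUNNEL_HDR = re.compile(r"^!\s*IPSec Tunnel #(\d+)")
SECTION_HDR = re.compile(r"^!\s*#([12])\b")          # #1 = IKE, #2 = IPsec
ADDR_HDR = re.compile(r"^\s*(Outside|Inside) IP Addresses")
KEY_VALUE = re.compile(r"^\s*-\s*(.+?)\s*:\s*(.+?)\s*$")

# Legacy algorithms that still turn up in such exports; replicate them only if you
# cannot negotiate stronger proposals on both sides.
LEGACY = {"sha1", "hmac-sha1-96", "md5", "hmac-md5-96", "3des", "diffie-hellman group 2"}


def parse_aws_vpn_config(text):
    """Return {tunnel_no: {"ike": {...}, "ipsec": {...}, "outside": {...}, "inside": {...}}}.
    The section tracker matters: 'Authentication Algorithm' and 'Customer Gateway'
    each occur twice per tunnel with different meanings."""
    tunnels, current, section = {}, None, None
    for line in text.splitlines():
        if m := TUNNEL_HDR.match(line):
            current = tunnels.setdefault(int(m.group(1)),
                                         {k: {} for k in ("ike", "ipsec", "outside", "inside")})
            section = None
        elif current is None:
            continue
        elif m := SECTION_HDR.match(line):
            section = "ike" if m.group(1) == "1" else "ipsec"
        elif m := ADDR_HDR.match(line):
            section = m.group(1).lower()
        elif (m := KEY_VALUE.match(line)) and section:
            current[section][m.group(1)] = m.group(2)
    return tunnels


def gpcs_side(tunnel):
    """Values to enter on the GPCS remote-network side for one AWS tunnel.
    tunnel_monitor_dst is the VGW inside address referred to in step 3."""
    ike, ipsec, out, inside = tunnel["ike"], tunnel["ipsec"], tunnel["outside"], tunnel["inside"]
    return {
        "peer_ip": out["Virtual Private Gateway"],
        "psk": ike["Pre-Shared Key"],
        "ike": (ike["Encryption Algorithm"], ike["Authentication Algorithm"],
                ike["Perfect Forward Secrecy"], ike["Lifetime"]),
        "ipsec": (ipsec["Encryption Algorithm"], ipsec["Authentication Algorithm"],
                  ipsec["Perfect Forward Secrecy"], ipsec["Lifetime"]),
        "tunnel_interface_ip": inside["Customer Gateway"],
        "tunnel_monitor_dst": inside["Virtual Private Gateway"].split("/")[0],
    }


def legacy_settings(tunnel):
    """List IKE/IPsec values that match a known-legacy algorithm."""
    return [f"{phase}: {k} = {v}" for phase in ("ike", "ipsec")
            for k, v in tunnel[phase].items() if v.lower() in LEGACY]


if __name__ == "__main__":
    for n, t in sorted(parse_aws_vpn_config(SAMPLE_AWS_CONFIG).items()):
        print(f"Tunnel {n}:", gpcs_side(t), "legacy:", legacy_settings(t))
```

Each AWS VPN connection comes with two tunnels, so configure both on the GPCS side (each with its own pre-shared key and inside /30). Treat the PSK in the export as a secret: it is the only thing authenticating the peer. If the export shows SHA-1 or DH group 2, change the tunnel proposals on both ends to SHA-2 and a larger group before replicating rather than copying the legacy defaults into GPCS.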
Thanks so much for the info, hpunjabi! So now I'm able to successfully build the tunnel in AWS and also GPCS.
AWS Tunnels both show up
GPCS shows status of ok for remote network
The only issue I have is when I create a test machine in the AWS VPC I can't seem to send out the internet traffic through the tunnel. I'm pretty sure it's a routing issue on the AWS side.
So far here are the routes I have for the VPC:
local AWS subnet route and target is local
0.0.0.0/0 which is going to the internet gateway. I figured this one had to be pointed to the virtual gw, but when I change it to that it just breaks my connection to the test device in the AWS VPC.
GPCS infrastructure subnet and the target is the vgw
both tunnel 169.x.x.x addresses and the target is the vgw
Have you set up Corporate VPN? After the VPN is up, aren't you now able to get access from Corporate LAN?
One thing I can suggest is to add a route for your public IP address (system or laptop) from which you are managing the test machine towards the Internet Gateway, and then a default route towards the VPN Gateway in Amazon.
This way you will have connectivity to the test machine and you can test the Internet connection through GP cloud.
Thanks again for all the help. I did add a public route for the test IP, and after troubleshooting a bit I realized it was a route that needed to be placed in the VPN tunnel settings in AWS. I'm now able to filter traffic egressing the AWS VPC. Thanks again for all the time spent helping me out!
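The routing confusion in the exchange above comes down to longest-prefix matching in the VPC route table: once 0.0.0.0/0 points at the virtual private gateway, the return packets of the administrator's own SSH/RDP session are sent into the GPCS tunnel too, which is why the session died. The suggested fix works because a /32 for the administrator's source address is more specific than the default route. The script below is an added example, not code from the thread or from AWS; it models both route tables and resolves a few destinations the way a VPC route table would. The VPC CIDR, the GPCS infrastructure subnet, the administrator's public IP and the tunnel inside /30s are assumed placeholders.

```python
import ipaddress

# Assumed placeholders for the prefixes that appear in the thread.
VPC_CIDR = "10.0.0.0/16"
GPCS_INFRA = "172.16.55.0/24"      # assumption: the GPCS/Prisma Access infrastructure subnet
ADMIN_PUBLIC_IP = "203.0.113.77"   # assumption: where you reach the test instance from
TUNNEL_INSIDE = ["169.254.10.0/30", "169.254.11.0/30"]  # assumption: the two AWS tunnel /30s

# What the thread started with: default route to the Internet Gateway, so internet
# traffic never enters the tunnel.
ROUTES_BEFORE = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "igw"),
    (GPCS_INFRA, "vgw"),
] + [(cidr, "vgw") for cidr in TUNNEL_INSIDE]

# The suggested fix: the admin's /32 stays on the IGW, everything else leaves
# through the Virtual Private Gateway, i.e. the GPCS tunnel.
ROUTES_AFTER = [
    (VPC_CIDR, "local"),
    (f"{ADMIN_PUBLIC_IP}/32", "igw"),
    ("0.0.0.0/0", "vgw"),
    (GPCS_INFRA, "vgw"),
] + [(cidr, "vgw") for cidr in TUNNEL_INSIDE]


def route_lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins, as in a VPC route table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def egress_report(table):
    """Where traffic from the test instance goes for the destinations that matter here."""
    probes = {
        "admin_session": ADMIN_PUBLIC_IP,                # replies to your SSH/RDP session
        "internet": "192.0.2.50",                        # an arbitrary public host
        "gpcs_infra": str(ipaddress.ip_network(GPCS_INFRA)[1]),
        "tunnel_peer": "169.254.10.1",                   # AWS-side tunnel inside address
        "vpc_neighbor": "10.0.5.9",
    }
    return {name: route_lookup(table, ip) for name, ip in probes.items()}


if __name__ == "__main__":
    print("before:", egress_report(ROUTES_BEFORE))
    print("after: ", egress_report(ROUTES_AFTER))
```

Two things the route table alone does not cover: the test instance still needs a public (or Elastic) IP for the IGW path to carry the management session, and with static routing the VPN connection's own static routes decide which prefixes AWS forwards into the tunnel, so the VPC route table change is only half of the fix. The tunnel is also not a security boundary for the management path: whatever reaches the instance via the /32 route bypasses GPCS inspection, so keep that exception to a single known address and remove it once testing is done.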