Ideas for On Demand NAT Allocation (AWS-Elastic IPs)

L1 Bithead

Hi,

We are looking to start production in AWS and will be spinning up Hosts that need to have Ingress Traffic to Hosts on a TGW. I am looking to do the PAN AWS Sandwich (Good Idea?) for High Availability. But I need some ideas on how to quickly allocate and build NAT Rules as the operations team spins up new Hosts. I am thinking something might be done with Dynamic Groups in PANs and Tags in AWS, so that when they spin up and tag a new server, somehow the rules/NATs get built in PANs.

Any ideas or feedback on the right way to do the Sandwich for hosting inbound traffic, and on how to automate or quickly build NATs, would be GREATLY appreciated!

Thanks!

Accepted Solutions
L3 Networker

Re: Ideas for On Demand NAT Allocation (AWS-Elastic IPs)

You can find the build-out of the LB sandwich with TGW in our reference architecture.

https://www.paloaltonetworks.com/resources/reference-architectures/aws

As far as automation goes, we do have tag monitoring with DAG update capabilities native to the firewall in AWS. That will not solve your NAT Policy question though. Other customers typically build the firewall API calls into their CI/CD pipeline when the back end is built. An example of this flow can be found in our autoscale 2.0/2.1 templates. You can extract the Python code to incorporate it into your DevOps process.

https://github.com/PaloAltoNetworks/aws-elb-autoscaling


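One shape the "firewall API call in the pipeline" step can take, as an added example that is not code from this thread or from the autoscale templates: when a host is launched with an opt-in tag, build a PAN-OS destination-NAT rule entry for it and the XML API `set` query that would push it. It assumes the standard vsys1 NAT rulebase XPath and the PAN-OS XML API config `set` call; the tag key, zone name, VPC CIDR and instance record are constructed sample values.

```python
"""Build a PAN-OS DNAT rule for a newly tagged EC2 instance (added example).

Assumes the PAN-OS XML API config 'set' call on the vsys1 NAT rulebase XPath;
the tag key, zone name, VPC CIDR and the instance record are constructed samples.
"""
import ipaddress
import re
from urllib.parse import urlencode
from xml.etree import ElementTree as ET

NAT_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
             "/vsys/entry[@name='vsys1']/rulebase/nat/rules")
TAG_KEY = "pan-nat"                                  # assumed opt-in tag
VPC_CIDR = ipaddress.ip_network("10.20.0.0/16")      # constructed VPC range
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,31}$")      # conservative rule-name limit


def rule_for_instance(inst, elastic_ip, untrust_zone="untrust"):
    """Return (rule_name, <entry> element) for a DNAT rule, or None when the
    instance is not opted in or its addresses fail validation."""
    tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    if tags.get(TAG_KEY) != "true":
        return None
    private = ipaddress.ip_address(inst["PrivateIpAddress"])  # raises on junk
    public = ipaddress.ip_address(elastic_ip)
    # Only translate to hosts inside our VPC, and never use a VPC-internal or
    # special-purpose address as the public side of the rule.
    if (private not in VPC_CIDR or public in VPC_CIDR or public.is_loopback
            or public.is_multicast or public.is_unspecified):
        return None
    name = f"dnat-{inst['InstanceId']}"   # deterministic, so re-runs are idempotent
    if not NAME_RE.match(name):
        return None
    entry = ET.Element("entry", name=name)
    for tag, member in (("from", untrust_zone), ("to", untrust_zone),
                        ("source", "any"), ("destination", str(public))):
        ET.SubElement(ET.SubElement(entry, tag), "member").text = member
    ET.SubElement(entry, "service").text = "any"
    dnat = ET.SubElement(entry, "destination-translation")
    ET.SubElement(dnat, "translated-address").text = str(private)
    return name, entry


def api_query(entry, api_key):
    """Query string for the XML API 'set' call; caller GETs https://<fw>/api/?<query>."""
    return urlencode({"type": "config", "action": "set", "xpath": NAT_XPATH,
                      "element": ET.tostring(entry, encoding="unicode"), "key": api_key})


SAMPLE_INSTANCE = {  # constructed, shaped like one EC2 describe-instances record
    "InstanceId": "i-0123456789abcdef0",
    "PrivateIpAddress": "10.20.1.15",
    "Tags": [{"Key": "Name", "Value": "web-1"}, {"Key": TAG_KEY, "Value": "true"}],
}
```

A commit call and a security-policy rule for the same host would follow the same pattern; the instance data would come from the EC2 API or a launch event in a real pipeline.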