Amazon AWS VPN (VPC)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Amazon AWS VPN (VPC)

Not applicable

Hi all,


We are working on moving some of our servers to AWS and they require 2 VPN redundant tunnels to be configured with our network. Amazon suggested to terminate the VPN on Internet edge router because the VPN redundancy requires BGP. Between the Internet edge router and the Palo Alto firewall, it is unprotected (but it will be on our physical premises).


I have suggested to project team to terminate the VPN on Palo Alto instead. However, in this case, the PA3020 has to run BGP which is supported. My questions are:

- whether running BGP will have a significant impact on performance?

- As the existing firewall traffic does not run BGP, my plan is to run this AWS VPN on a different virtual router with 2 separate external and internal interfaces totally segregated from existing firewall traffic but still performs traffic inspection. Does this work?  

Do you have any best practice and recommendations for this VPN connectivity?

Thanks! 

FYI:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

vs.

NIST 800-77 (http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf) a standard for all US federal agencies to follow:

3 - Traffic Not Protected by IPsec. Organizations should consider carefully the threats against network traffic after it has been processed by the receiving IPsec gateway and sent without IPsec protection across additional network segments. For example, an organization that wants to place its VPN gateway outside its Internet firewalls should ensure that the traffic passing between the IPsec gateway and the Internet firewalls has sufficient protection against breaches of confidentiality and integrity.

4 REPLIES 4

L7 Applicator

Hello Peterpan,

- whether running BGP will have a significant impact on performance?

Ans: It depends upon how many routes you are having into your  PAN routing table.  Generally speaking, if you configure BGP on a PAN firewall and having route-filter to import and export limited routes from PAN firewall, in that situation it would not take large CPU cycles from the PAN management plane.


--As the existing firewall traffic does not run BGP, my plan is to run this AWS VPN on a different virtual router with 2 separate external and internal interfaces totally segregated from existing firewall traffic but still performs traffic inspection. Does this work? 

Ans: Yes, it will work perfectly. As, creating an another virtual-router means, the PAN firewall will create an another routing table ( segregation of routing table)


--Do you have any best practice and recommendations for this VPN connectivity?


Ans: VPN traffic will be encrypted by ESP/AH header. Hence an extra layer will be added on the top of the packet. Hence adjust the TCP MSS or reduce it to 1420 will be a good practice. Secondly, using a higher length encryption key ( AES-256, 3 DES ) might bring latency during traffic flow, because it will take more CPU cycles to encrypt/decrypt traffic on PAN firewall. I would recommend you to use AES-128 on both VPN gateways.


Hope this helps.

Thanks

Thanks for the great answer. By BGP filtering, do you mean implementing BGP filtering on the Edge router or on the PAN itself (an available feature?)?

Another question is whether I should insist VPN termination on the firewall and not the Internet edge router as the latter is Amazon's authoritative recommendation but NIST has some caution against it. I look like an idiot to our team because Amazon is God to them.  

Hello Peterpan,

1) I am talking about route filter implementation on PAN firewall itself. PAN is having capability to filter routes ( advartize by BGP peers) and accordingly install into it's rib/routing-table ( routing information base).

These docs might help you to implement BGP:

How to Configure BGP Route Filtering

BGP Traffic Engineering

How to Perform Route Filtering with BGP

2) How many VPN tunnels you are planning to terminate into the PAN firewall..? Smiley Happy

Thanks

Amazon requires 2 VPN tunnels per firewall (and we have 2 firewalls). We have around a dozen of tunnels but they are quite low traffic.

Thanks a lot for your great reply!!

  • 5036 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!