VPN to AWS with BGP


L1 Bithead

Hello,

 

I have 3 locations that I need to create VPNs to AWS for. Each location is dual ISP using PBF. Since AWS uses 2 tunnels per VPN connection, it seems there will be 4 total tunnels per location (2 per ISP). My initial thought was to use static routing, but I'd like to avoid any asymmetric routing from AWS. In these locations, we are using static routing from the Palo Alto firewalls to each site's core switch. I have some BGP knowledge but have never needed to configure it on PAN before.

 

Here's a little about the setup of 2 of my locations:

Site A Core SW has the following subnets: 10.10.10.0/24, 10.10.11.0/24, 10.10.13.0/24 - 10.10.20.0/24, and a default route with next-hop of the FW's trust interface. In the FW's default virtual router, there is a static route for 10.10.0.0/16 with a next-hop of the Core SW IP and a default route 0.0.0.0/0 with next-hop of ISP2's DG.

 

Site B Core SW has the following subnets: 10.10.50.0/24, 10.10.55.0/24, 10.10.60.0/24 - 10.10.70.0/24, and a default route with next-hop of the FW's trust interface. In the FW's default virtual router, there is a static route for 10.10.0.0/16 with a next-hop of the Core SW IP and a default route 0.0.0.0/0 with next-hop of ISP2's DG.

 

If I were to build the tunnels to AWS with BGP, my first questions are:

 

  • Can I use the default virtual router, or do/should I create a new virtual router and add the tunnel interfaces to that VR?
  • How do I advertise each individual site's network to AWS using BGP? Since 2 sites have a static route on the FW pointing to the same subnet range 10.10.0.0/16, I can redistribute that static route to AWS, since AWS will not know which tunnel to use for specific subnets. I also don't want to advertise the default route to AWS. On the individual firewalls, do I need to remove the 10.10.0.0/16 and add static routes for each of the subnets, or is there a better way to do this?

 

 

 


5 REPLIES

L1 Bithead

Anyone have advice on this?

L1 Bithead

Funny, I just completed making this connection to our AWS instance using BGP. As of now, I created a zone and assigned it to the AWS tunnel interface in the default routing instance. Two things I have done with the BGP configuration:

  1. Create an import rule so that I only import the AWS subnets that I want into the table. This can be done by going into Virtual Router > VR where the tunnel interface is assigned > BGP > Import. Here, create a new rule and under Match > Address Prefix add the subnet you would like to import from AWS, and under Peer select the peer these routes would come from. The rest of the settings would be default.
  2. Create redist rules under BGP > Redist Rules and specify the subnet or subnets you would like to advertise into AWS. You don't have to modify any metric or preference if you don't need them.

I also enabled asymmetric routing on this zone, since AWS recommends having two tunnels, using a Zone Protection profile created specifically for this zone with "Reject Non-SYN TCP" disabled, and applied it to the zone. It has been working so far. If you have additional questions, please let me know.

Hi @LCMember4417,

 

Thanks for getting back to me. Did you use your existing virtual router for this, or did you create a new VR?

 

For the redistribution profile, wouldn't the specific routes need to be in the routing table to redistribute them? Meaning, under source type, would I have to select "static" and then, in destination, add the specific subnets to advertise? If so, the problem is that I don't have specific static routes for those /24 subnets, since my static route is less specific (10.10.0.0/16).

 

I didn't create a new VR. I didn't use the "redistribution profile"; I used "Import" and "Redist Rules" under BGP. I have static routes on the VR, so I felt "redistribution profile" was not suitable for me, so I used "Redist Rules", which allow you to specify your own subnets you want to advertise to AWS.

 

Also, these subnets are aggregates of the static routes I have on the firewall. You can advertise any subnet here, but the firewall needs to know how to route them properly when traffic comes from AWS to that subnet.

I hope this clarifies things.
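The planning behind this thread can be checked before anything is committed: each site announces only its own /24s through Redist Rules, every announced prefix must sit inside a non-default static route on that firewall (otherwise return traffic from AWS would fall to the default route), the 0.0.0.0/0 route is never announced, and the two sites' announcements must not overlap (if both redistributed 10.10.0.0/16, AWS could not pick the right tunnel). The script below is an added example, not code from the thread or from Palo Alto Networks; the site prefixes follow the original question, while the 172.31.0.0/16 VPC range used to illustrate the BGP import filter is a constructed placeholder.

```python
"""Sanity-check per-site BGP advertisements toward AWS and the AWS import filter."""
from ipaddress import ip_network
from itertools import combinations

DEFAULT_ROUTE = ip_network("0.0.0.0/0")

# Constructed from the thread: each firewall VR has 10.10.0.0/16 -> core switch plus a default route.
SITE_STATIC_ROUTES = {
    "SiteA": ["10.10.0.0/16", "0.0.0.0/0"],
    "SiteB": ["10.10.0.0/16", "0.0.0.0/0"],
}

# Constructed from the thread: the /24s each site would put in its BGP Redist Rules.
SITE_ADVERTISED = {
    "SiteA": ["10.10.10.0/24", "10.10.11.0/24"] + [f"10.10.{n}.0/24" for n in range(13, 21)],
    "SiteB": ["10.10.50.0/24", "10.10.55.0/24"] + [f"10.10.{n}.0/24" for n in range(60, 71)],
}


def check_site(site, static_routes, advertised):
    """Return a list of problems with one site's advertisement plan (empty list = plan is OK)."""
    problems = []
    specific_statics = [r for r in map(ip_network, static_routes) if r != DEFAULT_ROUTE]
    for prefix in map(ip_network, advertised):
        if prefix == DEFAULT_ROUTE:
            problems.append(f"{site}: default route must not be advertised to AWS")
            continue
        # Return traffic from AWS must match a real static route, not fall through to 0.0.0.0/0.
        if not any(prefix.subnet_of(static) for static in specific_statics):
            problems.append(f"{site}: {prefix} is not covered by a non-default static route")
    return problems


def check_overlap(site_advertised):
    """Return (siteX, siteY, prefixX, prefixY) for every pair of sites announcing overlapping space."""
    conflicts = []
    for (a, a_prefixes), (b, b_prefixes) in combinations(site_advertised.items(), 2):
        for pa in map(ip_network, a_prefixes):
            for pb in map(ip_network, b_prefixes):
                if pa.overlaps(pb):
                    conflicts.append((a, b, str(pa), str(pb)))
    return conflicts


def import_filter(received, allowed_prefixes):
    """Model the BGP import rule: keep only received AWS prefixes inside the allowed VPC ranges."""
    allowed = [ip_network(a) for a in allowed_prefixes]
    return [r for r in received if any(ip_network(r).subnet_of(a) for a in allowed)]


if __name__ == "__main__":
    for site, prefixes in SITE_ADVERTISED.items():
        for problem in check_site(site, SITE_STATIC_ROUTES[site], prefixes):
            print("PROBLEM:", problem)
    for conflict in check_overlap(SITE_ADVERTISED):
        print("OVERLAP:", conflict)
    # Constructed VPC range; a default route received from the peer is dropped by the filter.
    print(import_filter(["172.31.0.0/16", "172.31.5.0/24", "0.0.0.0/0"], ["172.31.0.0/16"]))
```

Running it against the thread's addressing produces no problems and no overlaps; swap either site's list for `["10.10.0.0/16"]` and `check_overlap` reports the conflict the original question worried about.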

@LCMember4417 

 

Tested this in lab and worked as expected.  I didn't realize the Export tab in Palo Alto only works if the route is learned through BGP. 
