07-19-2022 09:10 AM - edited 07-19-2022 09:12 AM
Hello,
I have 3 locations that I need to create VPNs to AWS for. Each location is dual ISP using PBF. Since AWS uses 2 tunnels per VPN connection, it seems there will be 4 total tunnels per location (2 per ISP). My initial thought was to use static routing, but I'd like to avoid any asymmetric routing from AWS. In these locations, we are using static routing from the Palo Alto firewalls to each site's core switch. I have some BGP knowledge but have never needed to configure it on PAN before.
Here's a little about two of my locations' setups:
Site A Core SW has the following subnets: 10.10.10.0/24, 10.10.11.0/24, 10.10.13.0/24 - 10.10.20.0/24, and a default route with next-hop of the FW's trust interface. In the FW's default virtual router, there is a static route for 10.10.0.0/16 with a next-hop of the Core SW IP and a default route 0.0.0.0/0 with next-hop of ISP2's DG.
Site B Core SW has the following subnets: 10.10.50.0/24, 10.10.55.0/24, 10.10.60.0/24 - 10.10.70.0/24, and a default route with next-hop of the FW's trust interface. In the FW's default virtual router, there is a static route for 10.10.0.0/16 with a next-hop of the Core SW IP and a default route 0.0.0.0/0 with next-hop of ISP2's DG.
If I were to build the tunnels to AWS with BGP, my first questions are
07-20-2022 06:22 PM
anyone have advice on this?
07-21-2022 09:29 PM
Funny, I just completed making this connection to our AWS instance using BGP. As of now I created a zone and assigned it to the AWS tunnel interface in the default routing instance. Two things I have done with the BGP configuration:
I also enabled asymmetric routing on this zone, since AWS recommends having two tunnels, using a zone protection profile created specifically for this zone, and disabled "Reject non-SYN TCP" and applied it to the zone. It has been working so far. If you have additional questions, please let me know.
07-22-2022 07:51 AM
Thanks for getting back to me. Did you use your existing virtual router for this or create a new VR?
For the redistribution profile, wouldn't the specific routes need to be in the routing table to redistribute them? Meaning, under source type, would I have to select "static" and then, in destination, add the specific subnets to advertise? If so, the problem is that I don't have specific static routes for those /24 subnets, since my static route is less specific (10.10.0.0/16).
07-22-2022 02:46 PM - edited 07-22-2022 02:53 PM
I didn't create a new VR. I didn't use the "redistribution profile"; I used "Import" and "Redist Rules" under BGP. I have static routes on the VR, so I felt the "redistribution profile" was not suitable for me, and I used "Redist Rules", which allows you to specify your own subnets you want to advertise to AWS.
Also, these subnets are aggregates of the static routes I have on the firewall. You can advertise any subnet here, but the firewall needs to know how to route them properly when traffic comes from AWS to that subnet.
I hope this clarifies things.
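Editor's note: the following PAN-OS CLI fragment is an added example of the approach described in the reply above (BGP on the existing default VR, Redist Rules for the site's own prefixes, and a zone protection profile for the AWS zone). It is not the poster's configuration. Every name and address in it is an assumption: tunnel.1/tunnel.2, the zone "AWS", local AS 65000, AWS AS 64512, the 169.254.x.x inside-tunnel addresses (AWS assigns the real ones per tunnel), the 10/30 second BGP timers, and the Site A /24s taken from the original post.

```text
# Assumed example, not the poster's config. Tunnel interfaces, one per AWS tunnel,
# placed in the existing default VR and in a dedicated zone.
set network interface tunnel units tunnel.1 ip 169.254.10.2/30
set network interface tunnel units tunnel.2 ip 169.254.11.2/30
set network virtual-router default interface [ tunnel.1 tunnel.2 ]
set zone AWS network layer3 [ tunnel.1 tunnel.2 ]

# BGP on the default VR (no new VR needed)
set network virtual-router default protocol bgp enable yes
set network virtual-router default protocol bgp router-id 169.254.10.2
set network virtual-router default protocol bgp local-as 65000
set network virtual-router default protocol bgp install-route yes

# One eBGP peer group; AWS runs a separate BGP session on each tunnel
set network virtual-router default protocol bgp peer-group AWS type ebgp
set network virtual-router default protocol bgp peer-group AWS peer AWS-T1 enable yes
set network virtual-router default protocol bgp peer-group AWS peer AWS-T1 peer-as 64512
set network virtual-router default protocol bgp peer-group AWS peer AWS-T1 local-address interface tunnel.1
set network virtual-router default protocol bgp peer-group AWS peer AWS-T1 local-address ip 169.254.10.2/30
set network virtual-router default protocol bgp peer-group AWS peer AWS-T1 peer-address ip 169.254.10.1
set network virtual-router default protocol bgp peer-group AWS peer AWS-T1 connection-options keep-alive-interval 10
set network virtual-router default protocol bgp peer-group AWS peer AWS-T1 connection-options hold-time 30
# Same eight lines again for peer AWS-T2 on tunnel.2 with the tunnel.2 addresses.

# Redist Rules: advertise the site's own /24s rather than the 10.10.0.0/16 static.
# Both Site A and Site B carry 10.10.0.0/16 statically; if both advertised it, AWS
# would learn one prefix from two sites and send all of 10.10/16 to whichever it prefers.
set network virtual-router default protocol bgp redist-rules 10.10.10.0/24 enable yes
set network virtual-router default protocol bgp redist-rules 10.10.10.0/24 address-family-identifier ipv4
set network virtual-router default protocol bgp redist-rules 10.10.10.0/24 route-table unicast
set network virtual-router default protocol bgp redist-rules 10.10.10.0/24 set-origin incomplete
set network virtual-router default protocol bgp redist-rules 10.10.11.0/24 enable yes
set network virtual-router default protocol bgp redist-rules 10.10.11.0/24 address-family-identifier ipv4
set network virtual-router default protocol bgp redist-rules 10.10.11.0/24 route-table unicast
set network virtual-router default protocol bgp redist-rules 10.10.11.0/24 set-origin incomplete
# ... one rule per remaining /24 (10.10.13.0/24 through 10.10.20.0/24 at Site A).

# Zone protection for the AWS zone: return traffic from AWS may arrive on either
# tunnel, so accept non-SYN TCP and bypass the asymmetric-path check for this zone only.
set network profiles zone-protection-profile AWS-ZPP tcp-reject-non-syn no
set network profiles zone-protection-profile AWS-ZPP asymmetric-path bypass
set zone AWS network zone-protection-profile AWS-ZPP
```

After a commit, `show routing protocol bgp summary` should show both peers Established, `show routing protocol bgp rib-out` should list only the /24s from the Redist Rules, and `show routing route type bgp` should show the VPC CIDR learned over both tunnels. Two caveats a practitioner would check: every prefix in a Redist Rule must actually be reachable behind the 10.10.0.0/16 static (a /24 the core switch does not have would bounce between the core's default route and the firewall's /16), and the two zone-protection relaxations are scoped to the AWS zone only, so the rest of the firewall keeps the default TCP checks.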
07-26-2022 06:29 PM
Tested this in lab and worked as expected. I didn't realize the Export tab in Palo Alto only works if the route is learned through BGP.