06-16-2022 07:56 AM
Hi @securehops
As you can see from the document earlier, one design is to use TGW for sending traffic between VPCs. In this case outbound and east-west traffic will require GWLBe (east-west and outbound) only in the Security VPC. GWLBe in each workload VPC is required only for inbound traffic (which I think we don't discuss at the moment).
The GWLBe in the workload VPCs are used only for inbound traffic, and if you want you can associate each one with a different zone. Those zones you will use for intra-zone rules for inbound traffic (or you can associate all inbound GWLBe with a single zone).
About the rule examples you are absolutely right:
- Any traffic between VPCs should be an intra-zone rule with the "east-west" zone, specifying source and destination addresses
- Any outbound traffic to the internet should be an intra-zone rule with the "outbound" zone, specifying source and destination addresses. In this case you also don't configure NAT on the firewall; it is done by AWS with the NAT GW.
Not sure if you have already checked this, but I would suggest you go over these documents - https://www.paloaltonetworks.com/resources/reference-architectures/aws
Check first the AWS Reference Architecture Guide - Palo Alto Networks, which describes the possible architectures based on your requirements.
After that you can check the specific deployment guide, which again gives some explanation about the design and then gives detailed deployment steps.
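The two rule patterns described in the reply above, written out as PAN-OS "set" commands. This is an added example, not configuration from the post or from the Palo Alto Networks reference guides; the zone-to-subinterface bindings, rule names, CIDRs and applications are constructed placeholders for a Security VPC where the east-west and outbound GWLB endpoints each land on their own subinterface.

```text
# Zones: one per GWLBe in the Security VPC (subinterface names are assumed)
set zone east-west network layer3 ethernet1/1.1
set zone outbound network layer3 ethernet1/1.2

# VPC-to-VPC: traffic enters and leaves on the same zone, so the rule is intrazone
# and the source/destination addresses carry the actual policy (constructed CIDRs)
set rulebase security rules vpcA-to-vpcB rule-type intrazone
set rulebase security rules vpcA-to-vpcB from east-west to east-west
set rulebase security rules vpcA-to-vpcB source 10.1.0.0/16 destination 10.2.0.0/16
set rulebase security rules vpcA-to-vpcB application [ ssl web-browsing ] service application-default action allow
set rulebase security rules vpcA-to-vpcB log-end yes

# Outbound: source restricted to the workload CIDRs, destination any; no NAT rule on
# the firewall, because the AWS NAT Gateway performs source NAT after inspection
set rulebase security rules workloads-to-internet rule-type intrazone
set rulebase security rules workloads-to-internet from outbound to outbound
set rulebase security rules workloads-to-internet source [ 10.1.0.0/16 10.2.0.0/16 ] destination any
set rulebase security rules workloads-to-internet application [ ssl web-browsing ] service application-default action allow
set rulebase security rules workloads-to-internet log-end yes
```

Because both rules are intrazone, leaving the default intrazone-default rule at "allow" would bypass them; set it to deny (or add an explicit intrazone deny at the bottom of each zone's rules) so that only the listed address pairs pass.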