With the jumpbox, you have to ensure that it is in the NATGateway subnet, which is the only subnet that has an IGW for the EIPs to utilize. Additionally, there is a security group created by the template that allows ports 22/3389 for access to the jumpbox. If that SG was not used for the jumpbox, ensure that your jumpbox does have the proper SG applied. As for outbound, this template was not designed for protection of traffic originating within the VPC. You can choose to create a route for your application servers pointing to the Trust side of the firewall in the corresponding AZ and validate that ETH2 has Source/Destination check disabled. You will then need to add corresponding security and hide NAT policies to allow the traffic. Please note that this creates a single point of failure within the VPC. In order to perform outbound inspection of traffic originating from within the VPC, utilization of a transit VPC or other automation to monitor the firewalls and move the routes is necessary. That is a topic better suited for a discussion with your Palo Alto Networks SE.
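As an added illustration (not code from the reply above, the CloudFormation template it refers to, or Palo Alto Networks), the following offline checker walks route tables, security groups and network interfaces in the shape boto3's `describe_route_tables`, `describe_security_groups` and `describe_network_interfaces` calls return them and flags the misconfigurations the reply warns about: a jumpbox subnet with no IGW default route, a jumpbox SG that does not admit TCP 22/3389, an application subnet whose default route does not point at a firewall Trust ENI, a Trust ENI in a different AZ than the subnet it serves, and a Trust ENI with Source/Destination check still enabled. All resource IDs, CIDRs and AZ names are constructed placeholders; in practice you would feed it the real API responses.

```python
"""Offline audit of the jumpbox / outbound-inspection wiring (added example).
Input dicts mimic boto3 describe_* responses; all IDs below are constructed."""
from typing import Dict, List, Optional

# --- constructed sample data (placeholder IDs, not from any real account) ---
SUBNET_AZ = {"subnet-natgw": "us-east-1a",
             "subnet-app-az1": "us-east-1a", "subnet-app-az2": "us-east-1b"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-natgw"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-app-az1", "Associations": [{"SubnetId": "subnet-app-az1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fw-trust-az1"}]},
    {"RouteTableId": "rtb-app-az2", "Associations": [{"SubnetId": "subnet-app-az2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fw-trust-az2"}]},
]
SECURITY_GROUPS = {
    "sg-jumpbox": {"GroupId": "sg-jumpbox", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
}
ENIS = {  # firewall ETH2 (Trust) interfaces, one per AZ
    "eni-fw-trust-az1": {"NetworkInterfaceId": "eni-fw-trust-az1", "SourceDestCheck": False,
                         "AvailabilityZone": "us-east-1a"},
    "eni-fw-trust-az2": {"NetworkInterfaceId": "eni-fw-trust-az2", "SourceDestCheck": False,
                         "AvailabilityZone": "us-east-1b"},
}
JUMPBOX = {"SubnetId": "subnet-natgw", "SecurityGroupIds": ["sg-jumpbox"]}
APP_SUBNETS = ["subnet-app-az1", "subnet-app-az2"]


def route_table_for_subnet(route_tables: List[Dict], subnet_id: str) -> Optional[Dict]:
    """Route table explicitly associated with the subnet (None if only the main table applies)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def default_route(route_table: Dict) -> Optional[Dict]:
    """The 0.0.0.0/0 entry of a route table, if present."""
    return next((r for r in route_table.get("Routes", [])
                 if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)


def subnet_has_igw_default_route(route_tables: List[Dict], subnet_id: str) -> bool:
    """True when the subnet's default route targets an Internet Gateway (required for an EIP to work)."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    r = default_route(rt) if rt else None
    return bool(r and str(r.get("GatewayId", "")).startswith("igw-"))


def sg_allows_tcp_port(sg: Dict, port: int) -> bool:
    """True when an inbound rule admits the TCP port (either an explicit range or all traffic)."""
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") == "-1":
            return True
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1):
            return True
    return False


def audit(route_tables: List[Dict], security_groups: Dict[str, Dict], enis: Dict[str, Dict],
          subnet_az: Dict[str, str], jumpbox: Dict, app_subnets: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the wiring matches the reply's guidance."""
    findings: List[str] = []
    if not subnet_has_igw_default_route(route_tables, jumpbox["SubnetId"]):
        findings.append(f"jumpbox subnet {jumpbox['SubnetId']}: no 0.0.0.0/0 route to an IGW, EIP unreachable")
    for port in (22, 3389):
        if not any(sg_allows_tcp_port(security_groups.get(g, {}), port) for g in jumpbox["SecurityGroupIds"]):
            findings.append(f"jumpbox: no attached security group allows TCP/{port}")
    for subnet_id in app_subnets:
        rt = route_table_for_subnet(route_tables, subnet_id)
        r = default_route(rt) if rt else None
        eni_id = r.get("NetworkInterfaceId") if r else None
        if not eni_id:
            findings.append(f"app subnet {subnet_id}: default route does not point at a firewall Trust ENI")
            continue
        eni = enis.get(eni_id)
        if eni is None:
            findings.append(f"app subnet {subnet_id}: route target {eni_id} not found")
            continue
        if eni.get("AvailabilityZone") != subnet_az.get(subnet_id):  # use the firewall in the same AZ
            findings.append(f"app subnet {subnet_id}: {eni_id} is in a different AZ than the subnet")
        if eni.get("SourceDestCheck", True):  # must be disabled or forwarded packets are dropped
            findings.append(f"{eni_id}: Source/Destination check still enabled")
    return findings


def run_sample_audit() -> List[str]:
    """Audit the constructed sample deployment above."""
    return audit(ROUTE_TABLES, SECURITY_GROUPS, ENIS, SUBNET_AZ, JUMPBOX, APP_SUBNETS)


if __name__ == "__main__":
    for line in run_sample_audit() or ["no findings"]:
        print(line)
```

The checks are read-only and deliberately do not touch the firewall policy side: once the route points at ETH2, the matching security and hide NAT rules on the firewall still have to exist, and the single route per AZ remains the single point of failure the reply describes.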