AWS / Multiple subnets across multiple AZs - Multiple NICs?

L0 Member

Very new to VM-300 and PA, deploying it in AWS with 2 availability zones.

We'd like to have 3 private subnets in each AZ - DMZ, application, and data, as well as a public subnet for the EIP interface.  Ideally all traffic between subnets would flow through the VM-300, but this doesn't seem possible to us without multiple NICs, one per subnet.  Is that accurate?

I'm trying to understand what best practices are with this architecture.  Should we simply call public untrust and everything else trusted, and then just have one NIC in each, or is there a way that we can have all traffic between the subnets, or at least between the DMZ and others transit the VM-300?

The limitation of course on NICs is cost - the instances with 8 network interfaces are prohibitively expensive for a firewall.

Any suggestions would be appreciated.

3 REPLIES

L2 Linker

Hello,

In AWS the firewall needs to have an interface in the subnet for it to be able to see the traffic.

One other solution is to use a Transit VPC. This will be a centralized VPC with firewalls, and then other VPCs with various apps connect to this VPC to send data out (outbound protection), and you can also achieve inter-VPC security.

We are working on a fully automated solution and it should be released in the next few weeks.

You can contact your SE and have them set up a meeting with folks here @ Palo Alto Networks and we'll be happy to give you an overview.
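The point in the reply above is easier to check than to reason about by hand: for any flow, the VPC router picks the longest-prefix route in the source subnet's route table, and the firewall only sees the packet if that winning route targets one of its interfaces. The script below is an added example (not part of this thread, and not Palo Alto Networks' code): it walks route tables in the shape of `aws ec2 describe-route-tables` output and reports, for every subnet pair, which next hop wins and whether it is a firewall interface. It goes slightly beyond the thread by also modelling a Transit VPC spoke, where the route to another spoke points at a VPN gateway that terminates on the transit firewalls. Every subnet, ENI, gateway ID and CIDR is a constructed sample value, and treating the `vgw-transit` hop as inspected is an assumption of this example.

```python
"""Audit whether inter-subnet flows actually transit a firewall interface.

Added example. The route tables mirror the shape of
`aws ec2 describe-route-tables` output but are constructed inline, so this
runs offline with no AWS calls. All IDs below are made-up sample values.
"""
import ipaddress

# Constructed: one VPC with a public subnet (firewall untrust ENI) and three
# private subnets in AZ "a", matching the DMZ / application / data layout.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "subnet-public-a": "10.0.0.0/24",
    "subnet-dmz-a": "10.0.1.0/24",
    "subnet-app-a": "10.0.2.0/24",
    "subnet-data-a": "10.0.3.0/24",
}

# Constructed: ENIs attached to the VM-Series instance. A flow is inspected
# only if its winning route targets one of these.
FIREWALL_ENIS = {"eni-fw-untrust", "eni-fw-trust-dmz"}

# Assumption of this example: a VPN gateway in a spoke VPC terminates on the
# Transit VPC firewalls, so a route through it is also inspected.
INSPECTION_HOPS = FIREWALL_ENIS | {"vgw-transit"}

# Constructed: private subnet route tables. AWS always installs the "local"
# route for the VPC CIDR; the default route is pointed at the firewall ENI.
_PRIVATE_ROUTES = [
    {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fw-trust-dmz"},
]
ROUTE_TABLES = {
    "subnet-dmz-a": _PRIVATE_ROUTES,
    "subnet-app-a": _PRIVATE_ROUTES,
    "subnet-data-a": _PRIVATE_ROUTES,
}

# Constructed: a spoke VPC (10.1.0.0/16) in a Transit VPC design. Traffic to
# another spoke (10.2.0.0/16) and to the internet goes through the VPN gateway.
SPOKE_ROUTE_TABLES = {
    "subnet-app-spoke": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "vgw-transit"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-transit"},
    ],
}


def winning_route(routes, dst_ip):
    """Longest-prefix match over one route table, as the VPC router does."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None


def next_hop(route):
    """Return the route target ID (ENI, gateway, or the literal 'local')."""
    return route.get("NetworkInterfaceId") or route.get("GatewayId")


def is_inspected(src_subnet, dst_ip, route_tables=None, inspection_hops=None):
    """Return (next_hop, inspected) for a flow from src_subnet to dst_ip."""
    route_tables = ROUTE_TABLES if route_tables is None else route_tables
    hops = INSPECTION_HOPS if inspection_hops is None else inspection_hops
    route = winning_route(route_tables[src_subnet], dst_ip)
    hop = next_hop(route) if route else None
    return hop, hop in hops


def audit_inter_subnet(route_tables=None, subnets=None):
    """Map every (source subnet, destination subnet) pair to its verdict."""
    route_tables = ROUTE_TABLES if route_tables is None else route_tables
    subnets = SUBNETS if subnets is None else subnets
    findings = {}
    for src in route_tables:
        for dst, cidr in subnets.items():
            if dst == src:
                continue
            # Probe the first host AWS hands out (it reserves the first four).
            probe = str(ipaddress.ip_network(cidr)[4])
            findings[(src, dst)] = is_inspected(src, probe, route_tables)
    return findings


def uninspected_pairs(findings=None):
    """Sorted list of subnet pairs whose traffic bypasses the firewall."""
    findings = audit_inter_subnet() if findings is None else findings
    return sorted(pair for pair, (_, ok) in findings.items() if not ok)


if __name__ == "__main__":
    for (src, dst), (hop, ok) in sorted(audit_inter_subnet().items()):
        print(f"{src} -> {dst}: via {hop} {'INSPECTED' if ok else 'BYPASS'}")
    print("spoke -> other spoke:", is_inspected("subnet-app-spoke", "10.2.5.5", SPOKE_ROUTE_TABLES))
```

Run as-is, it shows every intra-VPC pair winning on the `local` route (bypass) while egress to `0.0.0.0/0` and the spoke-to-spoke flow hit an inspection hop, which is the difference between "one NIC per subnet" within a single VPC and the Transit VPC design described above. To use it on a real account, replace the constructed dictionaries with the route tables and ENI list you export from the CLI.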


@niyengar wrote:

Hello,

In AWS the firewall needs to have an interface in the subnet for it to be able to see the traffic.

One other solution is to use a Transit VPC. This will be a centralized VPC with firewalls, and then other VPCs with various apps connect to this VPC to send data out (outbound protection), and you can also achieve inter-VPC security.

We are working on a fully automated solution and it should be released in the next few weeks.

You can contact your SE and have them set up a meeting with folks here @ Palo Alto Networks and we'll be happy to give you an overview.


Great... sounds intriguing.  I submitted a request online but haven't heard.

Is there an easier way to identify the SE that would handle our account?

What company do you represent?

If you don't want to advertise here, you can unicast me at niyengar[at]paloaltonetworks[dot]com

  • 3215 Views
  • 3 replies
  • 0 Likes