AWS Privatelink for Hub and Spoke Topology


L1 Bithead

Hi all,

Need some assistance from someone who has familiarity with deploying VM-Series FW in AWS w/ AWS Privatelink. Our organization currently has an existing environment in which we are leveraging TGWs for interconnectivity between accounts, with a side of VPC Peering; it tends to be a bit of a rodeo. This overall seems costly compared to Privatelink when you factor in the cost of attachments plus data processing per GigaByte (TGW) vs PetaByte (AWS Privatelink). Our company has entertained using Palos as the central network hub for all ingress/egress traffic in terms of inter-zone connectivity (VPC-to-VPC, Internet-to-VPC, VPC-to-Internet).

We also have to adhere to the PCI-DSS data plane standard in terms of secure-to-non-secure traffic flow, in which it would be:

Green VPC Environment (Non-Secure)

  • Non-Secure-to-Non-Secure (not inspected | intrazone | bi-directional)
  • Non-Secure to Secure (Inspected | interzone | bi-directional)
  • Non-Secure to Internet (Inspected | interzone | one-way)
  • DMZ to Internet (Inspected | interzone | bi-directional)

Red VPC Environment  (Secure)

  • Secure-to-Non-Secure (inspected | inter-zone | one-way communication to Proxy)
  • Secure to Secure (not inspected | intrazone | bi-directional)
  • Secure to Internet (Inspected | interzone | bi-directional w/Proxy sits in DMZ)

Here's the kicker: both environments would still need to communicate with our existing (rodeo) environment until we can consolidate to our new environment. I have the following questions:

  • For DMZ reachability into our environment via the public Palo interface under other public IPs, can that be handled via creating Elastic IPs in AWS and then tying the routing back towards the Palo so it can target a NAT policy?
  • Since the Red VPC Environment would need to transit via the Green VPC Environment to leverage internet, would both VPCs need to be attached to TGW in order to follow proper communication with inspection being done at both FWs, or can this be tackled with VPC Peering?
  • Spoke w/ AWS on this and they lean towards more proprietary options with IPS/IDS and preferred we use TGW for interconnectivity between Consumer VPCs (Secure and Non-Secure) and Service VPCs (Secure and Non-Secure), but I just see that as costly vs AWS PrivateLink.

Attaching ad-hoc Design
