Building/Updating IPsec Tunnels Dynamically



L2 Linker



We have roughly 30-40 VPN tunnels built to AWS from on-prem, each being used by a different business unit for development. What happens, though, is that during their process they are forced to blow away their EC2 instance and create a new one. AWS then assigns new public IPs to them. Is there any way for us to pull that information in and have our PANs update the IPsec peer address dynamically? Right now we manually update them, which is very time consuming.


The only thing I've thought of but haven't explored too much is assigning each VPN tunnel a DNS record and having an external vendor or AWS provide the updated IP, using an FQDN on our PANs.


Palo Alto Networks Guru

Your DNS idea should work. Another option is to create an address object that gets updated via our API when there is a change, but I think the DNS option is cleaner.


Or, better yet, can you change the EC2 instance to use an EIP? When the EC2 instance gets blown away the EIP gets disassociated but not released. Then you can re-associate the same EIP to the new EC2 instance. Then the firewall config won't need to change at all.

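The API option from the reply above, worked through as an added example (this is not Palo Alto Networks or AWS code, and not something the posters wrote). It reconciles a list of IKE gateways against the current EC2 public IPs and builds the PAN-OS XML API `type=config&action=edit` calls plus a commit. Assumptions, all hypothetical: each IKE gateway is named after its tunnel and sits at the default `localhost.localdomain` xpath below, the firewall hostname `fw.example.internal` and the API key are placeholders, the EC2 data has the shape of a boto3 `describe_instances()` response, and the snapshot of what the firewall currently has would in practice come from a `type=config&action=get` call. The sample reservations and current peer table are constructed; the labs instance deliberately has no public IP yet, which is the case a naive script gets wrong.

```python
"""Reconcile PAN-OS IKE gateway peer IPs with current EC2 public IPs (added example)."""
import ipaddress
import urllib.parse
import urllib.request
from xml.sax.saxutils import escape

# Constructed mapping: IKE gateway name on the firewall -> EC2 instance that
# terminates that tunnel. In practice this comes from instance tags or a CMDB.
TUNNEL_TO_INSTANCE = {
    "ike-gw-bu-finance": "i-0aaa111",
    "ike-gw-bu-retail": "i-0bbb222",
    "ike-gw-bu-labs": "i-0ccc333",
}

# Constructed excerpt of a boto3 describe_instances() response. The labs
# instance was just rebuilt and has no public IP assigned yet.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111", "State": {"Name": "running"}, "PublicIpAddress": "54.10.10.10"},
        {"InstanceId": "i-0bbb222", "State": {"Name": "running"}, "PublicIpAddress": "54.20.20.21"},
    ]},
    {"Instances": [
        {"InstanceId": "i-0ccc333", "State": {"Name": "pending"}},
    ]},
]

# Constructed snapshot of the peer IPs currently configured on the firewall.
CURRENT_PEERS = {
    "ike-gw-bu-finance": "54.10.10.10",   # unchanged
    "ike-gw-bu-retail": "54.20.20.20",    # stale: instance was recreated
    "ike-gw-bu-labs": "54.30.30.30",      # instance has no IP yet: leave alone
}

# Assumed xpath of an IKE gateway's static peer address on a single-vsys firewall.
GATEWAY_XPATH = (
    "/config/devices/entry[@name='localhost.localdomain']"
    "/network/ike/gateway/entry[@name='{gw}']/peer-address/ip"
)


def extract_public_ips(reservations):
    """Return {instance_id: public_ip} for instances that currently have one."""
    ips = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            ip = inst.get("PublicIpAddress")
            if ip:
                ips[inst["InstanceId"]] = ip
    return ips


def plan_updates(tunnel_map, instance_ips, current_peers):
    """List (gateway, old_ip, new_ip) for gateways whose peer actually changed.

    A gateway whose instance has no public IP yet is skipped instead of being
    written with an empty peer, which would leave the tunnel unrecoverable.
    """
    changes = []
    for gateway, instance_id in sorted(tunnel_map.items()):
        new_ip = instance_ips.get(instance_id)
        if new_ip is None:
            continue
        ipaddress.ip_address(new_ip)  # anything that is not a plain IP is rejected
        old_ip = current_peers.get(gateway)
        if new_ip != old_ip:
            changes.append((gateway, old_ip, new_ip))
    return changes


def build_edit_params(gateway, new_ip):
    """Query parameters for the XML API 'edit' that sets one gateway's peer IP."""
    ipaddress.ip_address(new_ip)  # validate before it goes into xpath/element
    if "'" in gateway or "]" in gateway:
        raise ValueError("gateway name is not safe to place in an xpath: %r" % gateway)
    return {
        "type": "config",
        "action": "edit",
        "xpath": GATEWAY_XPATH.format(gw=gateway),
        "element": "<ip>%s</ip>" % escape(new_ip),
    }


def build_commit_params():
    return {"type": "commit", "cmd": "<commit></commit>"}


def apply_changes(fw_host, api_key, changes, dry_run=True):
    """Issue one edit per change followed by a single commit.

    The API key is sent in the X-PAN-KEY header rather than the query string so
    it does not end up in proxy or web-server logs. dry_run only returns the
    parameter sets that would be sent.
    """
    requests = [build_edit_params(gw, ip) for gw, _, ip in changes]
    if requests:
        requests.append(build_commit_params())
    if not dry_run:
        for params in requests:
            url = "https://%s/api/?%s" % (fw_host, urllib.parse.urlencode(params))
            req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
            with urllib.request.urlopen(req, timeout=30) as resp:
                resp.read()
    return requests


if __name__ == "__main__":
    ips = extract_public_ips(SAMPLE_RESERVATIONS)
    changes = plan_updates(TUNNEL_TO_INSTANCE, ips, CURRENT_PEERS)
    for gw, old, new in changes:
        print("%s: %s -> %s" % (gw, old, new))
    for params in apply_changes("fw.example.internal", "REDACTED", changes):
        print(params)
```

Run from a scheduled job or an EventBridge rule on instance state changes, with `dry_run=False` once the xpath and gateway names have been confirmed against `type=config&action=get` output on the firewall. The skip-when-no-IP rule and the single commit at the end are what keep a rebuild storm across 30-40 tunnels from producing a half-applied configuration; the EIP approach from the reply avoids the whole problem for instances that can use one.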