This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Can we advertise an IP of /32 from Palo Alto firewall to TG (Transit gateway) of AWS via BGP route advertisement

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Can we advertise an IP of /32 from Palo Alto firewall to TG (Transit gateway) of AWS via BGP route advertisement

KhurshidAnjum
L0 Member

‎05-06-2021 09:22 AM

 

Loopback is configured on router in at a HUB  site and we want to ping the IP of  an instance in  VPC-1.

KhurshidAnjum_0-1620318033696.png

We are advertising the loopback IP (/32) from HUB site as shown in the above diagram. Loopback will be advertised from  Hub site to TG (Transit gateway in AWS) via BGP , then this will be advertised from TG  to Palo Alto firewall. Again from Palo Alto firewall this loopback should be advertised back to TG and from TG to destination  VPC 1.

Can we advertise the loopback IP from firewall back to TG vis BGP route advertisement. If yes , then how.

0 Likes Likes
3 REPLIES 3

SebRupik
L3 Networker

‎05-07-2021 03:47 AM

Hi there,

The TGW which the DX links are attached to will have been configured with an ASN. This ASN will be part of the AS_PATH attached to the /32 prefix which it is received by the Palo Altos. As such the TGW will not accept /32 being advertised from the Palo Alto as a loop avoidance measure. To mitigate this issue you need to have the TGW ASN only appear once in the routing path.

 

A possible solution would be to create a VPN tunnel from the on-premise hub site direct to the virtual Palo Alto, then allow the virtual Palo Alto to peer with the TGW via the VPN attachments. The TGW ASN would then only appear once in the AS_PATH.

 

cheers,

Seb.

0 Likes Likes

KhurshidAnjum
L0 Member
In response to SebRupik

‎05-07-2021 04:20 AM

Hi Seb,



Thanks for your suggestion.

Actually we need to land the /32 IPs in TG first as we have to associate this subnet with a routing table in TG.

Hence a direct Tunnel from the Hub site to Palo Alto is not a favourable solution for me.


0 Likes Likes

SebRupik
L3 Networker
In response to KhurshidAnjum

‎05-07-2021 04:33 AM

Couldn't you create another TGW 'behind' the Palo Altos and attach VPC1 and VPC2 to it. This way traffic would have to flow through the Palos which is what you are trying to achieve.

Currently your topology looks as if you have placed all of your EC2 compute in the DMZ in front of the firewall perimeter, except maybe worse as traffic to those hosts is not secured by the firewall, so they are more like bastion hosts. 

Granted this is all a private network so the above statement is probably not that alarming(!) but it makes more sense to place the compute logically behind the firewalls.

 

cheers,

Seb.

0 Likes Likes
  • 3169 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks