Loopback is configured on router in at a HUB site and we want to ping the IP of an instance in VPC-1.
We are advertising the loopback IP (/32) from HUB site as shown in the above diagram. Loopback will be advertised from Hub site to TG (Transit gateway in AWS) via BGP , then this will be advertised from TG to Palo Alto firewall. Again from Palo Alto firewall this loopback should be advertised back to TG and from TG to destination VPC 1.
Can we advertise the loopback IP from firewall back to TG vis BGP route advertisement. If yes , then how.
The TGW which the DX links are attached to will have been configured with an ASN. This ASN will be part of the AS_PATH attached to the /32 prefix which it is received by the Palo Altos. As such the TGW will not accept /32 being advertised from the Palo Alto as a loop avoidance measure. To mitigate this issue you need to have the TGW ASN only appear once in the routing path.
A possible solution would be to create a VPN tunnel from the on-premise hub site direct to the virtual Palo Alto, then allow the virtual Palo Alto to peer with the TGW via the VPN attachments. The TGW ASN would then only appear once in the AS_PATH.
Couldn't you create another TGW 'behind' the Palo Altos and attach VPC1 and VPC2 to it. This way traffic would have to flow through the Palos which is what you are trying to achieve.
Currently your topology looks as if you have placed all of your EC2 compute in the DMZ in front of the firewall perimeter, except maybe worse as traffic to those hosts is not secured by the firewall, so they are more like bastion hosts.
Granted this is all a private network so the above statement is probably not that alarming(!) but it makes more sense to place the compute logically behind the firewalls.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!