Can we advertise an IP of /32 from Palo Alto firewall to TG (Transit gateway) of AWS via BGP route advertisement
cancel
Showing results for 
Search instead for 
Did you mean: 

Can we advertise an IP of /32 from Palo Alto firewall to TG (Transit gateway) of AWS via BGP route advertisement

L0 Member

 

Loopback is configured on router in at a HUB  site and we want to ping the IP of  an instance in  VPC-1.

KhurshidAnjum_0-1620318033696.png

We are advertising the loopback IP (/32) from HUB site as shown in the above diagram. Loopback will be advertised from  Hub site to TG (Transit gateway in AWS) via BGP , then this will be advertised from TG  to Palo Alto firewall. Again from Palo Alto firewall this loopback should be advertised back to TG and from TG to destination  VPC 1.

Can we advertise the loopback IP from firewall back to TG vis BGP route advertisement. If yes , then how.

3 REPLIES 3

L2 Linker

Hi there,

The TGW which the DX links are attached to will have been configured with an ASN. This ASN will be part of the AS_PATH attached to the /32 prefix which it is received by the Palo Altos. As such the TGW will not accept /32 being advertised from the Palo Alto as a loop avoidance measure. To mitigate this issue you need to have the TGW ASN only appear once in the routing path.

 

A possible solution would be to create a VPN tunnel from the on-premise hub site direct to the virtual Palo Alto, then allow the virtual Palo Alto to peer with the TGW via the VPN attachments. The TGW ASN would then only appear once in the AS_PATH.

 

cheers,

Seb.

Hi Seb,



Thanks for your suggestion.

Actually we need to land the /32 IPs in TG first as we have to associate this subnet with a routing table in TG.

Hence a direct Tunnel from the Hub site to Palo Alto is not a favourable solution for me.


Couldn't you create another TGW 'behind' the Palo Altos and attach VPC1 and VPC2 to it. This way traffic would have to flow through the Palos which is what you are trying to achieve.

Currently your topology looks as if you have placed all of your EC2 compute in the DMZ in front of the firewall perimeter, except maybe worse as traffic to those hosts is not secured by the firewall, so they are more like bastion hosts. 

Granted this is all a private network so the above statement is probably not that alarming(!) but it makes more sense to place the compute logically behind the firewalls.

 

cheers,

Seb.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!