Getting AWS Transit VPC to learn routes from Palo Virtual Editions

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Getting AWS Transit VPC to learn routes from Palo Virtual Editions

L0 Member

I'm in the process of implementing a Transit VPC setup on AWS.  However, before I automate it, I want to understand it, so I'm opting to do a manual build initially.


I've been successful with getting the tunnels stood up between my Transit VPC Palos and the subscriber VPCs, as well as getting either side to learn routes from the other.


However, I am having a hard time figuring out how to gett routes exchanged between the Transit VPC Palos and the Transit VPC itself (and, ultimately, my direct-connect gateways).


Any assistance here would be greatly appreciated.


L5 Sessionator

if you go into the GitHub repo you should see a manual deployment guide. This guide was created so that folks such as yourself that want to build one manually will have all of the steps. That should walk you through the BGP portion

Thanks, but I've leaned heavily on that guide for my buildout, and I'm still not seeing how this specific item is achieved, or I'm being completely oblivious.


the "Configuring BGP" section describes setting up BGP to exchange routes with the subscribing VPCs...which I've done successfully at this point.  Where I'm falling flat is getting the Transit VPC itself (and, from there, my on-premesis routers) to learn the routes to those subscribing VPCs from the Palo virtual firewalls that reside within the Transit VPC.

Got it. I believe I understand. I created this document to get the quad zero routes to populate throughout the BGP environment. This is specific to PAN-OS so this may be exactly what you are referring to. If you have the BGP configured already then I am pretty sure this is the last step you need.


Transit VPC Default Route Prepagation using BGP



The Transit VPC firewalls can distribute the Transit VPC subnets to the spokes by adding the ETH1/1 connected subnet to the BGP redistribution profile.


With that said, the on-premisis firewalls will not learn the spoke subnets and vice versa from the Direct Connect VGW.  Here is where we typically run an IPSEC tunnel between on-prem and the transit firewalls to allow for bgp peering and route exchange.  You utilize the Direct Connect for IP transit and gain the benefit of Encrypted traffic in flight.

L1 Bithead

Hi @dmcneill,


You are probably not seeing routes due to how BGP operates, if BGP see's route advertisments coming from its own ASN it will not populate those routes. You can do some crafty BGP ninjaing with redistribution profiles, either import or export (in your case I think you would need do do some configuration on your VR's BGP import section).


Instead of working and playing with BGP configurations. I've found it easier for me to detach the virtual gateway from the Transit-VPC. From there you you can establish your point-to-point tunnels from the transit-PANW-fw's to the detached VGW. You would also have your on prem-fw (if applicable) terminate to that detached VGW. Please see below document for a little bit more clarity:


From there you can select the option to propogate routes in the respective AWS's route tables.

  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!