This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Ideas for On Demand NAT Allocation (AWS-Elastic IPs)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Ideas for On Demand NAT Allocation (AWS-Elastic IPs)

Go to solution
Justin_Payne
L1 Bithead

‎12-16-2019 06:27 AM

Hi,

We are looking to start production in AWS and will be spinning up Hosts that need to have Ingress Traffic to Hosts on a TGW. I am looking to do the PAN AWS Sandwich (Good Idea?) for High Availability. But I need some ideas on how to quickly allocated and build NAT Rules as the operations team spins up new Hosts. I am thinking something might could be done with Dynamic Groups In PANs and Tags in AWS. So that when they spin up and tag a new server somehow the rules/NAt's get built in PANs..

 

Any ideas or feedback on the Sandwich right way for hosting inbound traffic and how to automate or quickly build NAT's would be GREATLY appreciated!

Thanks!

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
jmeurer
L4 Transporter

‎12-16-2019 06:33 AM

You can find the build-out of the LB sandwich with TGW in our reference architecture.

https://www.paloaltonetworks.com/resources/reference-architectures/aws

 

As far as automation goes, we do have tag monitoring with DAG update capabilities native to the firewall in AWS.  That will not solve your NAT Policy question though.  Other customers typically build the firewall API calls into their CI/CD pipeline when the back end is built.  An example of this flow can be found in our autoscale 2.0/2.1 templates.  You can extract the PY code to incorporate it into your DevOps process.  

 

https://github.com/PaloAltoNetworks/aws-elb-autoscaling

View solution in original post

0 Likes Likes
1 REPLY 1

Go to solution
jmeurer
L4 Transporter

‎12-16-2019 06:33 AM

You can find the build-out of the LB sandwich with TGW in our reference architecture.

https://www.paloaltonetworks.com/resources/reference-architectures/aws

 

As far as automation goes, we do have tag monitoring with DAG update capabilities native to the firewall in AWS.  That will not solve your NAT Policy question though.  Other customers typically build the firewall API calls into their CI/CD pipeline when the back end is built.  An example of this flow can be found in our autoscale 2.0/2.1 templates.  You can extract the PY code to incorporate it into your DevOps process.  

 

https://github.com/PaloAltoNetworks/aws-elb-autoscaling

0 Likes Likes
  • 1 accepted solution
  • 3433 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks