Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Ideas for On Demand NAT Allocation (AWS-Elastic IPs)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Ideas for On Demand NAT Allocation (AWS-Elastic IPs)

L1 Bithead

Hi,

We are looking to start production in AWS and will be spinning up Hosts that need to have Ingress Traffic to Hosts on a TGW. I am looking to do the PAN AWS Sandwich (Good Idea?) for High Availability. But I need some ideas on how to quickly allocated and build NAT Rules as the operations team spins up new Hosts. I am thinking something might could be done with Dynamic Groups In PANs and Tags in AWS. So that when they spin up and tag a new server somehow the rules/NAt's get built in PANs..

 

Any ideas or feedback on the Sandwich right way for hosting inbound traffic and how to automate or quickly build NAT's would be GREATLY appreciated!

Thanks!

1 accepted solution

Accepted Solutions

L4 Transporter

You can find the build-out of the LB sandwich with TGW in our reference architecture.

https://www.paloaltonetworks.com/resources/reference-architectures/aws

 

As far as automation goes, we do have tag monitoring with DAG update capabilities native to the firewall in AWS.  That will not solve your NAT Policy question though.  Other customers typically build the firewall API calls into their CI/CD pipeline when the back end is built.  An example of this flow can be found in our autoscale 2.0/2.1 templates.  You can extract the PY code to incorporate it into your DevOps process.  

 

https://github.com/PaloAltoNetworks/aws-elb-autoscaling

View solution in original post

1 REPLY 1

L4 Transporter

You can find the build-out of the LB sandwich with TGW in our reference architecture.

https://www.paloaltonetworks.com/resources/reference-architectures/aws

 

As far as automation goes, we do have tag monitoring with DAG update capabilities native to the firewall in AWS.  That will not solve your NAT Policy question though.  Other customers typically build the firewall API calls into their CI/CD pipeline when the back end is built.  An example of this flow can be found in our autoscale 2.0/2.1 templates.  You can extract the PY code to incorporate it into your DevOps process.  

 

https://github.com/PaloAltoNetworks/aws-elb-autoscaling

  • 1 accepted solution
  • 3418 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!