Need to rebuild PA-VMs in AWS to support HA...

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

Reply
mylimo456
L0 Member

Need to rebuild PA-VMs in AWS to support HA...

I need to rebuild some Palo VMs that were deployed poorly in an AWS transit VPC. I'm looking for suggestions to minimize headaches and work.

 

The existing VMs are deployed as a firewall on a stick with a single management interface and public facing interface. The public facing interface terminates VPNs from several spoke VPCs as well as VPNs to two offices. Those two offices are the transit paths for close to 30 other locations. The management interface is neutered, only being used for Palo updates via a NAT gateway. All other management traffic / services use a loopback interface. Routing is all BGP. Panorama is pushing some basic device templates. I've attached a sketch showing the current state and finished state.

 

Here are the reasons for the rebuilds:

 

  • Now need Palo HA for some public facing services. HA requires eth1/1 as HA2. Currently eth1/1 is the public facing interface and handles all data plane traffic

  • Moving on-prem access from Palo VPNs to Cisco DMVPN to reduce latency and improve the user experience. All ~30 offices are already using Cisco DMVPN for WAN access. Making these AWS tenants DMVPN spokes will improve access for everyone.

  • Current Palo management access rides in the firewall data plane

I'm planning to stand up new m5.xlarge instances with four interfaces, mapping eth0-eth4 as mgmt, eth1/1 (ha2), eth1/2 (public), and eth1/3 (private). My main sticking point is finding the most efficient way to move the eth1/1 config and everything that depends on it to eth1/2. How would you approach this task knowing you have to repeat it 8x?

 

 

Hakes_Pop
L0 Member

Thanks for the information keep sharing

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!