Paloalto VM Series VPC Peering support on AWS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Paloalto VM Series VPC Peering support on AWS

L2 Linker

Tested traffic within a same VPC it's working fine, use ENI of paloalto's LAN interface as a target

 

But I have no idea, when we have 2 VPC (VPC-A and VPC-B) and we installed paloalto on VPC-A

How to direct traffic from VPC-B to paloalto and then access to the internet via paloalto?

AWS

8 REPLIES 8

L3 Networker

Hi @nattapong_thi,

 

Greetings from Palo Alto Networks!

 

I saw your post and have a few recommendations for you. You may want to look at it initially, does this help?

 

You could use a Transit Gateway for inter-VPC communication, and then a NAT Gateway in VPC-A for outbound connections to the Internet. Create the below routes for Outbound:
 

  1. Forward all traffic from VPC-B to TGW
  2. Forward all traffic from TGW to FW in VPC-A
  3. Forward all traffic from FW to NATGW
  4. Forward all traffic from NATGW to IGW

To access the internet, You will need IGW and NAT GW also part of VPC B. Please confirm how the 2 VPCs are connected. are they connected with TGW?


Regards,
Prerna Ahire
Product Specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/configuration-discussions/ct-p/Configuration-Discussions
*Don’t forget to accept the solution provided!*
 

Hi @psampatahire 

 

After I used transit gateway, it's seemed client inside VPC-B still unable to access the internet (but can communicate with ec2 inside VPC-A)

 

VPC-B ec2 --> Transit GW --> Paloalto's LAN eni --> NAT GW --> IGW

 

After I test using network reachability, It's look like traffic could not hit IGW

 

Route table rtb does not have an applicable route to igw
Internet gateway igw cannot accept traffic with spoofed addresses from the VPC.

Hi @nattapong_thi,

 

can you check the transit gw route tables to see if traffic from VPC-B is able to reach the security vpc (where the firewall is deployed)? The routes to VPC-A and to the security VPC should be different.

 

Regards,
Prerna Ahire
Product Specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/configuration-discussions/ct-p/Configuration-Discussions

 

 

Hello @nattapong_thi,

 

Greeting!

 

Please let us know whether you are still facing the problem.

 

Regards,
Prerna Ahire
Product Specialist
Palo Alto Networks
https://live.paloaltonetworks.com/t5/configuration-discussions/ct-p/Configuration-Discussions

 

 

Please help to guide me

 

Forward all traffic from TGW to FW in VPC-A

 

How to configure this task, from transit gateway routing, it does not have an option to forward to Firewall ENI

L1 Bithead

Hi @nattapong_thi 

You can configure a route table which will be used by the TGW subnet(A TGW ENI is attached to this subnet) in VPC-A.

Then in that route table, create a route to forward all traffic to the Firewall ENI.

 

 

After configuring a route on subnet of transit gateway, traffic can reach the firewall, log generated with source NAT ip

but it's still unable to connect internet (ping 8.8.8.8)

 

*** If I change 0.0.0.0 on transit gateway routing table from firewall's eni to NAT gateway directly, it's working properly

L2 Linker

Do you have appliance mode enabled on the attachment thats connected to the firewalls VPC?

Also based on your previous reply, you would need to do a NAT destined to internet addresses so the replies passes trough the palo alto, either a NAT or you could create a route(Private addresses or VPC B) from the NAT gateway to reply back to the palo alto.

Gabriel Montiel
  • 3998 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!