09-17-2020 11:24 AM
Hi,
We were wondering if sub-interfaces or VLAN interfaces are supported on the VM-Series in AWS.
We would like to separate customer traffic using these VLANs/sub-interfaces as we do in our own DC, but it doesn't seem possible in AWS on the VM-300, as there are no options when I highlight the individual interface.
If sub-interfaces and VLANs are not supported, are there any work-arounds?
Thank you, Pat
09-17-2020 09:41 PM
You are correct, this is a known limitation within AWS. The only interface type that you are allowed is layer 3, and VLANs and subinterfaces aren't supported at all. There's really no way to work around that issue that I'm aware of; at that point you would be having more of a design discussion about how the environment is being built out and isolated.
09-29-2020 03:39 AM
Hi @Welborn
I don't understand the question. Could you please explain what you are trying to do?
Regards,
Torsten
01-22-2024 09:48 PM
I am confused by the idea that sub-interfaces are not supported. I am following the Palo Alto AWS Design and Deployment documentation, and very specifically they call for a sub-interface. Here is the link for the Palo Alto published document; jump to page 79, section 3.8, titled "Add Private Sub-Interface". This blows my mind!
LINK: Securing Application in AWS - Centralized Model Deployment Guide (paloaltonetworks.com)
01-24-2024 10:41 PM
@RDarcy, you're replying to an old post from when sub-interfaces were not supported. The design you're referring to leverages GWLB endpoint mapping, which allows you to associate traffic received by a GWLBe with a sub-interface and therefore a security zone. However, in the Central Design Model you can only separate Outbound from East/West, as the chosen GWLBe is determined by the destination IP in the TGW attachment subnet's route table (good explanation at LIVEcommunity - Re: GWLB Sub-Interface - LIVEcommunity - 502945 (paloaltonetworks.com)).
Note the sub-interfaces have no relation to VLANs, just the GWLB endpoint ID in the GENEVE header supplied by the GWLB to the firewall.
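To make the point above concrete, here is an added example (not code from the thread, the firewall, or AWS) that models how a GWLB endpoint ID carried in a GENEVE option can be used to select a sub-interface and zone. It implements a small GENEVE (RFC 8926) builder and parser, then looks the endpoint ID up in a constructed endpoint-to-sub-interface table. The option class 0x0108 and option type 1 (GWLB endpoint ID) are taken from AWS's published GWLB GENEVE option layout and should be checked against current AWS documentation; the sub-interface names, zone names and endpoint IDs in the table are constructed for illustration and stand in for the firewall's own endpoint-mapping configuration.

```python
import struct

# Assumed per AWS GWLB documentation: the option class AWS registered for its
# GENEVE TLVs and the type that carries the 8-byte GWLB endpoint ID.
AWS_OPTION_CLASS = 0x0108
AWS_OPT_GWLBE_ID = 1
GENEVE_BASE_LEN = 8
PROTO_IPV4 = 0x0800  # GWLB encapsulates bare IP packets, not Ethernet frames

# Constructed table standing in for the firewall's GWLB endpoint mapping:
# endpoint ID -> (sub-interface, security zone). Hypothetical values.
ENDPOINT_MAP = {
    0x0A01: ("ethernet1/1.1", "outbound"),
    0x0A02: ("ethernet1/1.2", "east-west"),
}


def build_geneve(vni, inner, options):
    """Build a GENEVE packet: 8-byte base header, TLV options, inner IP packet.

    options is a list of (option_class, option_type, data) with data padded to
    a multiple of 4 bytes, as the GENEVE length field counts 4-byte words.
    """
    opt_bytes = b""
    for opt_class, opt_type, data in options:
        if len(data) % 4:
            raise ValueError("option data must be a multiple of 4 bytes")
        opt_bytes += struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data
    first = (0 << 6) | (len(opt_bytes) // 4)  # version 0, option length in words
    second = 0                                # O (OAM) and C (critical) flags clear
    base = struct.pack("!BBH", first, second, PROTO_IPV4) + vni.to_bytes(3, "big") + b"\x00"
    return base + opt_bytes + inner


def parse_geneve(pkt):
    """Parse a GENEVE packet, validating every length before slicing."""
    if len(pkt) < GENEVE_BASE_LEN:
        raise ValueError("truncated GENEVE base header")
    first, _second, proto = struct.unpack("!BBH", pkt[:4])
    if first >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_len = (first & 0x3F) * 4
    vni = int.from_bytes(pkt[4:7], "big")
    end = GENEVE_BASE_LEN + opt_len
    if len(pkt) < end:
        raise ValueError("declared option length exceeds packet")
    options = []
    pos = GENEVE_BASE_LEN
    while pos < end:
        if end - pos < 4:
            raise ValueError("option header does not fit in option area")
        opt_class, opt_type, len_field = struct.unpack("!HBB", pkt[pos:pos + 4])
        data_len = (len_field & 0x1F) * 4  # top 3 bits of the length byte are reserved
        pos += 4
        if pos + data_len > end:
            raise ValueError("option data overruns option area")
        options.append((opt_class, opt_type & 0x7F, pkt[pos:pos + data_len]))
        pos += data_len
    return {"vni": vni, "proto": proto, "options": options, "inner": pkt[end:]}


def is_well_formed(pkt):
    """True if the packet parses cleanly; used to show the truncation checks."""
    try:
        parse_geneve(pkt)
        return True
    except ValueError:
        return False


def select_subinterface(pkt):
    """Return (sub-interface, zone) for the GWLB endpoint ID in the packet.

    Returns None when no AWS endpoint option is present or the ID is not
    mapped; what a real firewall does in that case is a configuration matter
    and is not modelled here.
    """
    parsed = parse_geneve(pkt)
    for opt_class, opt_type, data in parsed["options"]:
        if opt_class == AWS_OPTION_CLASS and opt_type == AWS_OPT_GWLBE_ID and len(data) == 8:
            return ENDPOINT_MAP.get(int.from_bytes(data, "big"))
    return None


def endpoint_packet(endpoint_id):
    """Constructed sample: a minimal IPv4 header wrapped in GENEVE with the endpoint option."""
    inner = b"\x45" + b"\x00" * 19  # constructed 20-byte IPv4 header, contents irrelevant here
    return build_geneve(0, inner, [(AWS_OPTION_CLASS, AWS_OPT_GWLBE_ID, endpoint_id.to_bytes(8, "big"))])


if __name__ == "__main__":
    for ep in (0x0A01, 0x0A02, 0x0A99):
        print(hex(ep), "->", select_subinterface(endpoint_packet(ep)))
```

Note that nothing in the selection depends on a VLAN tag: the same parent interface receives every packet, and only the endpoint ID in the GENEVE option decides which sub-interface (and zone) the traffic is attributed to, which is why the Centralized design can separate outbound from east/west only as far as the route table steers traffic to distinct endpoints.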
01-25-2024 12:49 AM
I would also recommend reading the relevant Design Guide (Securing Applications in AWS - Design Guide - Palo Alto Networks) as it explains the use of subinterfaces with AWS GWLB.