Sub Interfaces or VLAN interfaces supported on VM-300 in AWS?


L0 Member

Hi,

We were wondering if sub-interfaces or VLAN interfaces are supported on the VM series in AWS.

We would like to separate customer traffic using these VLANs/sub-interfaces as we do in our own DC, but it doesn't seem possible in AWS on the VM-300 as there are no options when I highlight the individual interface.

If sub-interfaces and VLANs are not supported, are there any work-arounds?

Thank you, Pat

1 accepted solution

Accepted Solutions

Cyber Elite

@pmchenry,

You are correct, this is a known limitation within AWS. The only interface type that you are allowed is layer3, and VLANs and subinterfaces aren't supported at all. There's really no way to work around that issue that I'm aware of; at that point you would be having more of a design discussion about how the environment is being built out and isolated.

6 REPLIES

Hi @pmchenry

Yes, @BPry is correct, we don't support sub-interfaces in Public Cloud for now. There is no workaround for this.

As already mentioned, you should plan your design to avoid this.

Regards,

Torsten

"With unity we can do great things"

Hi @Welborn

I don't understand the question. Could you please explain what you are trying to do?

Regards,

Torsten

"With unity we can do great things"

I am confused by the idea that Sub-Interfaces are not supported. I am following the Palo Alto AWS Design and Deployment documentation, and very specifically they call for a Sub-Interface. Here is the link for the Palo Alto published document; jump to page 79, section 3.8, titled "Add Private Sub-Interface". This blows my mind!
LINK: Securing Application in AWS - Centralized Model Deployment Guide (paloaltonetworks.com)

@RDarcy you're replying to an old post from when sub-interfaces were not supported. The design you're referring to leverages GWLB endpoint mapping, which allows you to associate traffic received by a GWLBe with a sub-interface and therefore a security zone. However, in the Central Design Model you can only separate Outbound from East/West, as the chosen GWLBe is determined by the destination IP in the TGW attachment subnet's route table (good explanation at LIVEcommunity - Re: GWLB Sub-Interface - LIVEcommunity - 502945 (paloaltonetworks.com)).

Note the sub-interfaces have no relation to VLANs, just the GWLB endpoint ID in the GENEVE header supplied by the GWLB to the firewall.

I would also recommend reading the relevant Design Guide (Securing Applications in AWS - Design Guide - Palo Alto Networks) as it explains the use of subinterfaces with AWS GWLB.
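For the GWLB endpoint mapping described in the reply above, here is an added example (not code from this thread, from Palo Alto Networks, or from AWS) that decodes the GENEVE header, pulls out the endpoint ID option, and selects a zone from it the way the sub-interface mapping does. The option class 0x0108 and type 1 carrying an 8-byte endpoint ID are assumed from AWS GWLB documentation, and the endpoint-ID-to-zone table and sample packets are constructed.

```python
import struct

# Assumed from AWS GWLB documentation (not from the original post): the
# endpoint ID travels in GENEVE option class 0x0108, type 1, as 8 bytes.
AWS_GWLB_OPT_CLASS = 0x0108
AWS_GWLB_OPT_TYPE_ENDPOINT_ID = 1

def parse_geneve(packet: bytes):
    """Decode a GENEVE header (RFC 8926): returns (protocol, vni, [(class, type, data)])."""
    if len(packet) < 8:
        raise ValueError("truncated GENEVE base header")
    ver_optlen, _flags, protocol, vni_rsvd = struct.unpack("!BBHI", packet[:8])
    if ver_optlen >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    end = 8 + (ver_optlen & 0x3F) * 4          # option length is in 4-byte words
    if end > len(packet):
        raise ValueError("option length exceeds packet")
    options, off = [], 8
    while off < end:
        opt_class, opt_type, len_byte = struct.unpack("!HBB", packet[off:off + 4])
        data_len = (len_byte & 0x1F) * 4       # low 5 bits, in 4-byte words
        data = packet[off + 4:off + 4 + data_len]
        if len(data) != data_len or off + 4 + data_len > end:
            raise ValueError("truncated GENEVE option")
        options.append((opt_class, opt_type & 0x7F, data))   # mask the critical bit
        off += 4 + data_len
    return protocol, vni_rsvd >> 8, options

def gwlb_endpoint_id(packet: bytes):
    """Return the 64-bit GWLB endpoint ID carried in the header, or None."""
    for opt_class, opt_type, data in parse_geneve(packet)[2]:
        if (opt_class, opt_type, len(data)) == (AWS_GWLB_OPT_CLASS, AWS_GWLB_OPT_TYPE_ENDPOINT_ID, 8):
            return struct.unpack("!Q", data)[0]
    return None

def zone_for_packet(packet: bytes, endpoint_to_zone: dict) -> str:
    """Pick the sub-interface/zone by endpoint ID; unknown endpoints land in 'unmapped'."""
    return endpoint_to_zone.get(gwlb_endpoint_id(packet), "unmapped")

def build_geneve(endpoint_id: int, protocol: int = 0x0800) -> bytes:
    """Construct a minimal GENEVE header carrying only the endpoint-ID option (test data)."""
    option = struct.pack("!HBB", AWS_GWLB_OPT_CLASS, AWS_GWLB_OPT_TYPE_ENDPOINT_ID, 2)
    option += struct.pack("!Q", endpoint_id)
    return struct.pack("!BBHI", len(option) // 4, 0, protocol, 0) + option

# Constructed sample: two hypothetical GWLB endpoints mapped to two zones.
ENDPOINT_TO_ZONE = {0x0A01: "outbound", 0x0A02: "east-west"}
SAMPLE_OUTBOUND = build_geneve(0x0A01)
SAMPLE_UNKNOWN = build_geneve(0x0B00)
```

A packet whose endpoint ID is not in the table falls into "unmapped", which is the condition worth alerting on when a new GWLBe appears without a matching sub-interface.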
