Deploying Palo Alto VM to Inspect Outbound Traffic from VPCs Associated with TGW in Different AWS Accounts

0

The customer has a specific requirement to inspect all outbound traffic from the VPCs (PROD, TEST, DEV) associated with the Transit Gateway (TGW) across different AWS accounts. To fulfill this need, they intend to deploy a Palo Alto Virtual Machine (VM) for traffic inspection purposes.

The existing setup involves a Direct Connect connection via a Transit Virtual Interface (VIF) and Transit Gateway in the Network Account.

The primary question raised by the customer is how to accomplish the deployment and configuration of the Palo Alto VM to achieve the desired traffic inspection goal. They seek guidance on the necessary steps and considerations to implement this solution effectively.

In summary, the customer's objective is to inspect outbound traffic from the VPCs associated with the Transit Gateway in different AWS accounts by deploying a Palo Alto VM, and they are seeking advice on how to proceed with this task.

2 answers
0

Palo Alto has a good deployment guide to designing and configuring Palo Alto VM in AWS with the purpose of inspecting traffic passing from VPCs through a Transit Gateway.

Check their centralised design model.

In the centralised design model, you segment application resources across multiple VPCs that connect in a hub-and-spoke topology. The hub of the topology, or transit gateway, is the central point of connectivity between VPCs and Prisma Access or enterprise network resources attached through a VPN or AWS Direct Connect.

The second half of the guide includes step-by-step instructions to configure the AWS infrastructure and Palo Alto itself.

AWS
Max
answered 9 months ago
  • Thank You Max

  • Happy to help, Ali. If the response accurately and directly answers your question, please consider marking it as "accepted" to help other community members easily find information they are seeking.

-2
Accepted answer

Here is the guide on how to accomplish that: https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/

If you're planning to deploy a single Palo Alto VM, then you can remove the GWLB.

The idea would be that the spoke VPCs (PROD, TEST, DEV) would have a default route to the inspection VPC, and from the inspection VPC to the Palo Alto ENI, and then to the NATGW.

AWS
Matt_E
answered 9 months ago
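A defender-side check for the routing chain Matt_E describes, added here as an example that is not code from the thread or from the linked AWS post: it audits VPC route tables for default routes that leave the path spoke VPC -> TGW -> Palo Alto ENI -> NAT gateway, which is how a spoke (or the inspection VPC itself) ends up bypassing the firewall. All resource IDs are placeholders, and the route tables are constructed in the shape of the EC2 DescribeRouteTables response so the check runs offline.

```python
# Added audit of the egress chain from the accepted answer (spoke VPC -> TGW -> Palo Alto ENI
# -> NAT gateway). Sample tables below are constructed; every resource ID is a placeholder.
TGW_ID = "tgw-0placeholder"         # placeholder: Network Account transit gateway
INSPECTION_VPC = "vpc-0inspection"  # placeholder: VPC hosting the Palo Alto VM
FW_ENI = "eni-0paloalto"            # placeholder: Palo Alto data-plane ENI
NATGW_ID = "nat-0placeholder"       # placeholder: NAT gateway behind the firewall
TARGET_KEYS = ("TransitGatewayId", "NetworkInterfaceId", "NatGatewayId", "GatewayId")


def default_route_target(route_table):
    """Return the target ID of the active 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue  # a blackholed default route forwards nothing
        for key in TARGET_KEYS:
            if key in route:
                return route[key]
    return None


def audit_egress_chain(route_tables, spoke_vpcs):
    """Return findings for default routes that leave the chain; an empty list means all good."""
    findings = []
    for rt in route_tables:
        vpc, rt_id, target = rt["VpcId"], rt["RouteTableId"], default_route_target(rt)
        if vpc in spoke_vpcs and target != TGW_ID:
            # A spoke defaulting anywhere but the TGW (e.g. its own IGW) bypasses the firewall.
            findings.append(f"{rt_id} in spoke {vpc}: default -> {target}, expected {TGW_ID}")
        elif vpc == INSPECTION_VPC and target not in (FW_ENI, NATGW_ID):
            # In the inspection VPC only two default targets are legitimate: TGW attachment
            # subnets send to the firewall ENI, the firewall's egress subnet to the NAT gateway.
            findings.append(f"{rt_id} in inspection VPC: default -> {target}, "
                            f"expected {FW_ENI} or {NATGW_ID}")
    return findings


# Constructed sample: PROD is correct, DEV still defaults to its own IGW, and one
# inspection-VPC table sends traffic straight to an IGW, skipping the Palo Alto VM.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-prod", "VpcId": "vpc-prod",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": TGW_ID, "State": "active"}]},
    {"RouteTableId": "rtb-dev", "VpcId": "vpc-dev",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0dev", "State": "active"}]},
    {"RouteTableId": "rtb-insp-tgw", "VpcId": INSPECTION_VPC,
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": FW_ENI, "State": "active"}]},
    {"RouteTableId": "rtb-insp-egress", "VpcId": INSPECTION_VPC,
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0insp", "State": "active"}]},
]
```

Calling `audit_egress_chain(SAMPLE_ROUTE_TABLES, {"vpc-prod", "vpc-test", "vpc-dev"})` reports rtb-dev and rtb-insp-egress. In the real environment the tables come from `ec2.describe_route_tables()`, and because the spokes live in other accounts the check has to assume a role in each of them.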
