Transit Gateway connection from customer gateway using Palo Alto without BGP
A customer needs to connect his site to a Transit Gateway (which will be connected to several VPCs) using a Palo Alto firewall on premise, following this standard architecture (https://docs.aws.amazon.com/en_pv/vpc/latest/tgw/transit-gateway-isolated-shared.html). Key aspect is they want to connect without using BGP.
As described in this AWS doc (https://docs.aws.amazon.com/vpc/latest/adminguide/GenericConfigNoBGP.html), it should be possible to do so in environments with other manufacturers. However, Palo Alto is not listed as one of the devices with a template for not using BGP.
The Palo Alto documentation (https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-integration/secure-your-public-cloud-deployment-with-prisma-access/onboard-aws-vpcs) describes how to connect to such transit gateway using either static routes, default routes or BGP routing, so I assume it would be possible to do so.
Anybody has faced a similar requirement from a customer and could confirm or deny my proposal?
The Palo Alto's own documentation seems to have a good guide how to make the static route VPN connection. It even includes guide how to setup "tunnel monitor" that will failover the connection if the primary VPN connection goes down. The BGP is used to dynamically advertise networks between AWS and customer. Plus it provides this automatic failover without need to configure it separately.
I have not implemented this static route Palo Alto setup but previously I have administrated BGP based Palo Alto connections to AWS. So for me the guide made sense and I don't see any reasons why it wouldn't work.
But as said without the BGP they will need to maintain the static routes both on AWS VPC and Palo Alto side.
Transit Gateway to Direct Connect Gateway to Transit GatewayAccepted Answerasked 2 years ago
Transit Gateway - number of prefixes from TGW->CGWAccepted Answerasked 3 years ago
AWS Transit Gateway Routing FeaturesAccepted Answerasked 3 years ago
Transit Gateway connection from customer gateway using Palo Alto without BGPAccepted Answerasked 3 years ago
DNS Query from ec2 instance not hitting Palo alto firewallasked 4 months ago
Can we form AWS Transit Gateway attachments using <1Gbps hosted DX?Accepted Answerasked 3 years ago
With a Site-to-Site VPN, how can I set the neighbor remote-as BGP to something other than 65000?asked 4 months ago
Security VPC is not working with Transit GatewayAccepted Answerasked 10 months ago
Terminate each Site-to-Site VPN Tunnels to Multiple Customer GatewaysAccepted Answerasked 2 years ago
Transit Gateway and SD-WANAccepted Answerasked 3 years ago