By using AWS re:Post, you agree to the Terms of Use
/Transit Gateway connection from customer gateway using Palo Alto without BGP/

Transit Gateway connection from customer gateway using Palo Alto without BGP


A customer needs to connect his site to a Transit Gateway (which will be connected to several VPCs) using a Palo Alto firewall on premise, following this standard architecture ( Key aspect is they want to connect without using BGP.

As described in this AWS doc (, it should be possible to do so in environments with other manufacturers. However, Palo Alto is not listed as one of the devices with a template for not using BGP.

The Palo Alto documentation ( describes how to connect to such transit gateway using either static routes, default routes or BGP routing, so I assume it would be possible to do so.

Anybody has faced a similar requirement from a customer and could confirm or deny my proposal?

1 Answers
Accepted Answer

The Palo Alto's own documentation seems to have a good guide how to make the static route VPN connection. It even includes guide how to setup "tunnel monitor" that will failover the connection if the primary VPN connection goes down. The BGP is used to dynamically advertise networks between AWS and customer. Plus it provides this automatic failover without need to configure it separately.

I have not implemented this static route Palo Alto setup but previously I have administrated BGP based Palo Alto connections to AWS. So for me the guide made sense and I don't see any reasons why it wouldn't work.

But as said without the BGP they will need to maintain the static routes both on AWS VPC and Palo Alto side.

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions