Transit Gateway connection from customer gateway using Palo Alto without BGP
A customer needs to connect his site to a Transit Gateway (which will be connected to several VPCs) using a Palo Alto firewall on premises, following this standard architecture (https://docs.aws.amazon.com/en_pv/vpc/latest/tgw/transit-gateway-isolated-shared.html). The key aspect is that they want to connect without using BGP.
As described in this AWS doc (https://docs.aws.amazon.com/vpc/latest/adminguide/GenericConfigNoBGP.html), it should be possible to do so in environments with other manufacturers. However, Palo Alto is not listed as one of the devices with a template for not using BGP.
The Palo Alto documentation (https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-integration/secure-your-public-cloud-deployment-with-prisma-access/onboard-aws-vpcs) describes how to connect to such a transit gateway using either static routes, default routes or BGP routing, so I assume it would be possible to do so.
Has anybody faced a similar requirement from a customer and could confirm or deny my proposal?
Palo Alto's own documentation seems to have a good guide on how to make the static route VPN connection. It even includes a guide on how to set up a "tunnel monitor" that will fail over the connection if the primary VPN connection goes down. BGP is used to dynamically advertise networks between AWS and the customer. Plus it provides this automatic failover without the need to configure it separately.
I have not implemented this static route Palo Alto setup, but previously I have administered BGP-based Palo Alto connections to AWS. So for me the guide made sense and I don't see any reason why it wouldn't work.
But as said, without BGP they will need to maintain the static routes on both the AWS VPC and Palo Alto sides.
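To make the "static routes on the AWS side" concrete, here is an added Terraform example (not from the thread, the AWS docs or Palo Alto's guide) of a static-routes-only Site-to-Site VPN attached to a Transit Gateway, with the routes that BGP would otherwise have advertised entered by hand. The public IP, CIDRs, VPC attachment ID and resource names are placeholders.

```hcl
# Placeholders: replace with the customer's real values.
variable "onprem_public_ip"  { default = "203.0.113.10" }   # Palo Alto outside IP (TEST-NET-3)
variable "onprem_cidr"       { default = "192.168.0.0/16" } # on-premises prefix behind the firewall
variable "vpc_attachment_id" { default = "tgw-attach-PLACEHOLDER" } # an existing VPC attachment
variable "vpc_cidr"          { default = "10.0.0.0/16" }    # that VPC's CIDR

resource "aws_ec2_transit_gateway" "tgw" {
  # Disable auto association/propagation so every route in the table is explicit,
  # which is the whole point of a no-BGP design: nothing is learned dynamically.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

resource "aws_customer_gateway" "palo_alto" {
  ip_address = var.onprem_public_ip
  type       = "ipsec.1"
  bgp_asn    = 65000 # the API requires an ASN even though no BGP session is run
}

resource "aws_vpn_connection" "to_palo_alto" {
  customer_gateway_id = aws_customer_gateway.palo_alto.id
  transit_gateway_id  = aws_ec2_transit_gateway.tgw.id
  type                = "ipsec.1"
  static_routes_only  = true # no BGP inside the tunnels; routes below replace it
}

resource "aws_ec2_transit_gateway_route_table" "shared" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
}

# Both attachments use the same explicit route table.
resource "aws_ec2_transit_gateway_route_table_association" "vpn" {
  transit_gateway_attachment_id  = aws_vpn_connection.to_palo_alto.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}

resource "aws_ec2_transit_gateway_route_table_association" "vpc" {
  transit_gateway_attachment_id  = var.vpc_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}

# Static route toward the site: what BGP would otherwise learn from the firewall.
resource "aws_ec2_transit_gateway_route" "to_onprem" {
  destination_cidr_block         = var.onprem_cidr
  transit_gateway_attachment_id  = aws_vpn_connection.to_palo_alto.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}

# Static route toward the VPC: what propagation would otherwise add.
resource "aws_ec2_transit_gateway_route" "to_vpc" {
  destination_cidr_block         = var.vpc_cidr
  transit_gateway_attachment_id  = var.vpc_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}
```

Every additional VPC needs its own `to_vpc` route here and a route to the Transit Gateway in its VPC route tables, and the firewall needs the matching static routes plus the tunnel monitor for failover; with BGP all of that would be learned automatically.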