By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Deploying Palo Alto VM to Inspect Outbound Traffic from VPCs Associated with TGW in Different AWS Accounts

0

The customer has a specific requirement to inspect all outbound traffic from the VPCs (PROD, TEST, DEV) associated with the Transit Gateway (TGW) across different AWS accounts. To fulfill this need, they intend to deploy a Palo Alto Virtual Machine (VM) for traffic inspection purposes.

The existing setup involves a Direct Connect connection via a Transit Virtual Interface (VIF) and Transit Gateway in the Network Account.

The primary question raised by the customer is how to accomplish the deployment and configuration of the Palo Alto VM to achieve the desired traffic inspection goal. They seek guidance on the necessary steps and considerations to implement this solution effectively.

In summary, the customer's objective is to inspect outbound traffic from the VPCs associated with the Transit Gateway in different AWS accounts by deploying a Palo Alto VM, and they are seeking advice on how to proceed with this task.

Topics
Networking & Content Delivery
Tags
AWS Direct ConnectNetworking & Content DeliveryAWS Transit Gateway
Language
English
Ali Md
asked 9 months ago402 views
2 Answers
0

Palo Alto has a good deployment guide to designing and configuring Palo Alto VM in AWS with the purpose of inspecting traffic passing from VPCs through a Transit Gateway.

Check their centralised design model.

In the centralised design model, you segment application resources across multiple VPCs that connect in a hub-and-spoke topology. The hub of the topology, or transit gateway, is the central point of connectivity between VPCs and Prisma Access or enterprise network resources attached through a VPN or AWS Direct Connect.

The second half of the guide includes step-by-step instructions to configure the AWS infrastructure and Palo Alto itself.

AWS
Max
answered 9 months ago
  • Ali Md
    9 months ago

    Thank You Max

  • Max
    9 months ago

    Happy to help, Ali. If the response accurately and directly answers your question, please consider marking it as "accepted" to help other community members easily find information they are seeking.

-2
Accepted Answer

Here is the guide on how to accomplish that https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/

If you're planning to deploy a single Palo Alto VM, then you can remove the GWLB.

The idea would be the spoke VPCs (PROD, TEST, DEV) would have a default route to the inspection VPC, and from the inspection VPC to the Palo Alto ENI, and then the NATGW.

profile pictureAWS
Matt_E
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content