Insight On Combining AWS Global Accelerator, Palo Alto NGFW, and SD-WAN on AWS

We are currently designing a test architecture on AWS using Palo Alto VM-Series for both SD-WAN (IPSec from on-prem) and NGFW for centralized traffic inspection via Transit Gateway.

Current design:

  • On-prem Palo Alto → IPSec (SD-WAN) → VM-Series (SD-WAN VPC, public subnet)
  • Traffic forwarded to NGFW (Inspection VPC) via Transit Gateway (Appliance Mode)
  • Then routed to workload VPC (EC2/RDS)

We are exploring whether AWS Global Accelerator can be integrated into this architecture to improve performance and global access.

Questions:

  1. Is it possible to place AWS Global Accelerator in front of Palo Alto VM-Series (SD-WAN or NGFW) to optimize traffic for north-south inspection?
  2. Can AWS Global Accelerator be used in conjunction with IPSec/SD-WAN tunnels, or is it limited to TCP/UDP-based public endpoints only?
  3. If GA cannot be used in the SD-WAN/IPSec path, what is the recommended architecture to achieve:
     • Global performance optimization
     • Secure access (potentially with SAML/IdP integration)
     • Centralized inspection via NGFW
  4. Would using AWS Site-to-Site VPN with acceleration (via Transit Gateway) be a more suitable alternative compared to Palo Alto SD-WAN for this use case?
  5. Are there best practices for combining the following in a hybrid connectivity scenario:
     • Palo Alto NGFW (VM-Series)
     • Transit Gateway (Appliance Mode)
     • AWS Global Accelerator (if applicable)

Additional Context:

  • No ALB/NLB currently used in the test env
  • NGFW is deployed in private subnet (Inspection VPC)

We are trying to understand the feasibility, limitations, and recommended design patterns for integrating GA in this architecture.

1 Answer
1) Can AWS Global Accelerator be placed in front of Palo Alto VM-Series?

Yes, for standard north-south traffic control through firewall rules, provided the traffic lands on a supported public endpoint type such as an NLB, ALB, EC2 instance, or Elastic IP; otherwise it is not a good fit.

2) Can GA be used with IPSec / SD-WAN tunnels?

GA is mainly for public endpoint traffic. The AWS supported VPN acceleration case is AWS S2S VPN attached to Transit Gateway, where AWS uses GA.

3) If not, what is the recommended architecture?

Use GA for public application traffic, Transit Gateway + appliance mode for central routing and inspection, and a dedicated inspection VPC for the firewall.

4) Is AWS Site-to-Site VPN with acceleration more suitable than Palo Alto SD-WAN here?

If you specifically need Palo Alto SD-WAN features and policy control, keep Palo Alto for WAN, but do not expect GA to optimize that tunnel path directly.

5) Best practices for Palo Alto NGFW + TGW + GA?

Use TGW appliance mode for symmetric stateful inspection, keep firewalls in a dedicated inspection and security VPC, and for scale use Gateway Load Balancer + VM-Series. Use GA only for valid public traffic use cases.

answered a month ago, reviewed a month ago
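The shape the answer above recommends (accelerated Site-to-Site VPN terminating on the Transit Gateway, the inspection VPC attached with appliance mode, and Global Accelerator only in front of a public NLB), as an added Terraform sketch that is not part of the original question or answer. The `var.*` references, the BGP ASN, the peer IP and the NLB ARN are placeholders for resources that already exist in your account.

```hcl
# Added example. On-prem peer represented as a Customer Gateway (placeholder ASN / IP).
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000
  ip_address = "203.0.113.10" # documentation-range placeholder for the on-prem firewall
  type       = "ipsec.1"
}

# Accelerated Site-to-Site VPN. Acceleration is only available when the VPN
# terminates on a Transit Gateway (not on a Virtual Private Gateway); this is
# the one VPN path where AWS uses Global Accelerator on your behalf.
resource "aws_vpn_connection" "accelerated" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  transit_gateway_id  = var.tgw_id # existing TGW (placeholder variable)
  type                = "ipsec.1"
  enable_acceleration = true
}

# Inspection VPC attachment with appliance mode, so both directions of a flow
# are sent to the same VM-Series instance and stateful inspection stays symmetric.
resource "aws_ec2_transit_gateway_vpc_attachment" "inspection" {
  transit_gateway_id     = var.tgw_id
  vpc_id                 = var.inspection_vpc_id
  subnet_ids             = var.inspection_tgw_subnet_ids
  appliance_mode_support = "enable"
}

# Global Accelerator only for public application traffic: it fronts a public
# NLB (placeholder ARN), never the IPsec/SD-WAN tunnel path.
resource "aws_globalaccelerator_accelerator" "public" {
  name            = "public-apps"
  ip_address_type = "IPV4"
  enabled         = true
}

resource "aws_globalaccelerator_listener" "https" {
  accelerator_arn = aws_globalaccelerator_accelerator.public.id
  protocol        = "TCP"
  port_range {
    from_port = 443
    to_port   = 443
  }
}

resource "aws_globalaccelerator_endpoint_group" "primary" {
  listener_arn = aws_globalaccelerator_listener.https.id
  endpoint_configuration {
    endpoint_id = var.public_nlb_arn # NLB in a public subnet; placeholder ARN
    weight      = 100
  }
}
```

The NLB behind the endpoint group is the only piece that does not exist in the test environment described in the question, so it has to be created before the endpoint group can reference it.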
