Deploying Palo Alto VM to Inspect Outbound Traffic from VPCs Associated with TGW in Different AWS Accounts

0

The customer has a specific requirement to inspect all outbound traffic from the VPCs (PROD, TEST, DEV) associated with the Transit Gateway (TGW) across different AWS accounts. To fulfill this need, they intend to deploy a Palo Alto Virtual Machine (VM) for traffic inspection purposes.

The existing setup involves a Direct Connect connection via a Transit Virtual Interface (VIF) and Transit Gateway in the Network Account.

The primary question raised by the customer is how to accomplish the deployment and configuration of the Palo Alto VM to achieve the desired traffic inspection goal. They seek guidance on the necessary steps and considerations to implement this solution effectively.

In summary, the customer's objective is to inspect outbound traffic from the VPCs associated with the Transit Gateway in different AWS accounts by deploying a Palo Alto VM, and they are seeking advice on how to proceed with this task.

Ali Md
feita há um ano807 visualizações
2 Respostas
0

Palo Alto has a good deployment guide to designing and configuring Palo Alto VM in AWS with the purpose of inspecting traffic passing from VPCs through a Transit Gateway.

Check their centralised design model.

In the centralised design model, you segment application resources across multiple VPCs that connect in a hub-and-spoke topology. The hub of the topology, or transit gateway, is the central point of connectivity between VPCs and Prisma Access or enterprise network resources attached through a VPN or AWS Direct Connect.

The second half of the guide includes step-by-step instructions to configure the AWS infrastructure and Palo Alto itself.

AWS
Max
respondido há um ano
  • Thank You Max

  • Happy to help, Ali. If the response accurately and directly answers your question, please consider marking it as "accepted" to help other community members easily find information they are seeking.

-1
Resposta aceita

Here is the guide on how to accomplish that https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/

If you're planning to deploy a single Palo Alto VM, then you can remove the GWLB.

The idea would be the spoke VPCs (PROD, TEST, DEV) would have a default route to the inspection VPC, and from the inspection VPC to the Palo Alto ENI, and then the NATGW.

profile pictureAWS
Matt_E
respondido há um ano
profile picture
ESPECIALISTA
avaliado há 3 meses

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas