Deploying Palo Alto VM to Inspect Outbound Traffic from VPCs Associated with TGW in Different AWS Accounts

0

The customer has a specific requirement to inspect all outbound traffic from the VPCs (PROD, TEST, DEV) associated with the Transit Gateway (TGW) across different AWS accounts. To fulfill this need, they intend to deploy a Palo Alto Virtual Machine (VM) for traffic inspection purposes.

The existing setup involves a Direct Connect connection via a Transit Virtual Interface (VIF) and Transit Gateway in the Network Account.

The primary question raised by the customer is how to accomplish the deployment and configuration of the Palo Alto VM to achieve the desired traffic inspection goal. They seek guidance on the necessary steps and considerations to implement this solution effectively.

In summary, the customer's objective is to inspect outbound traffic from the VPCs associated with the Transit Gateway in different AWS accounts by deploying a Palo Alto VM, and they are seeking advice on how to proceed with this task.

Ali Md
已提问 1 年前807 查看次数
2 回答
0

Palo Alto has a good deployment guide to designing and configuring Palo Alto VM in AWS with the purpose of inspecting traffic passing from VPCs through a Transit Gateway.

Check their centralised design model.

In the centralised design model, you segment application resources across multiple VPCs that connect in a hub-and-spoke topology. The hub of the topology, or transit gateway, is the central point of connectivity between VPCs and Prisma Access or enterprise network resources attached through a VPN or AWS Direct Connect.

The second half of the guide includes step-by-step instructions to configure the AWS infrastructure and Palo Alto itself.

AWS
Max
已回答 1 年前
  • Thank You Max

  • Happy to help, Ali. If the response accurately and directly answers your question, please consider marking it as "accepted" to help other community members easily find information they are seeking.

-1
已接受的回答

Here is the guide on how to accomplish that https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/

If you're planning to deploy a single Palo Alto VM, then you can remove the GWLB.

The idea would be the spoke VPCs (PROD, TEST, DEV) would have a default route to the inspection VPC, and from the inspection VPC to the Palo Alto ENI, and then the NATGW.

profile pictureAWS
Matt_E
已回答 1 年前
profile picture
专家
已审核 3 个月前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则