Deploying Palo Alto VM to Inspect Outbound Traffic from VPCs Associated with TGW in Different AWS Accounts

0

The customer has a specific requirement to inspect all outbound traffic from the VPCs (PROD, TEST, DEV) associated with the Transit Gateway (TGW) across different AWS accounts. To fulfill this need, they intend to deploy a Palo Alto Virtual Machine (VM) for traffic inspection purposes.

The existing setup involves a Direct Connect connection via a Transit Virtual Interface (VIF) and Transit Gateway in the Network Account.

The primary question raised by the customer is how to accomplish the deployment and configuration of the Palo Alto VM to achieve the desired traffic inspection goal. They seek guidance on the necessary steps and considerations to implement this solution effectively.

In summary, the customer's objective is to inspect outbound traffic from the VPCs associated with the Transit Gateway in different AWS accounts by deploying a Palo Alto VM, and they are seeking advice on how to proceed with this task.

Ali Md
Asked 1 year ago · Viewed 814 times
2 answers
0

Palo Alto has a good deployment guide to designing and configuring Palo Alto VM in AWS with the purpose of inspecting traffic passing from VPCs through a Transit Gateway.

Check their centralised design model.

In the centralised design model, you segment application resources across multiple VPCs that connect in a hub-and-spoke topology. The hub of the topology, or transit gateway, is the central point of connectivity between VPCs and Prisma Access or enterprise network resources attached through a VPN or AWS Direct Connect.

The second half of the guide includes step-by-step instructions to configure the AWS infrastructure and Palo Alto itself.

AWS
Max
Answered 1 year ago
  • Thank you, Max

  • Happy to help, Ali. If the response accurately and directly answers your question, please consider marking it as "accepted" to help other community members easily find information they are seeking.

-1
Accepted answer

Here is the guide on how to accomplish that https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/

If you're planning to deploy a single Palo Alto VM, then you can remove the GWLB.

The idea would be that the spoke VPCs (PROD, TEST, DEV) would have a default route to the inspection VPC, and from the inspection VPC to the Palo Alto ENI, and then the NATGW.

AWS
Matt_E
Answered 1 year ago
Expert
Reviewed 3 months ago
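A Terraform sketch of the route tables the accepted answer describes (spokes default-route to the inspection VPC, inspection VPC to the Palo Alto ENI, then the NAT gateway). This is an added example, not code from the answer, AWS or Palo Alto; every ID is a placeholder and the spoke CIDRs are constructed.

```hcl
# Placeholder IDs (assumed). Spoke attachments come from the PROD/TEST/DEV accounts via RAM; the TGW route tables live in the Network Account.
locals { spoke_attach = { prod = "tgw-attach-PROD", test = "tgw-attach-TEST", dev = "tgw-attach-DEV" } }
locals { spoke_cidrs = toset(["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]) } # constructed spoke CIDRs
resource "aws_ec2_transit_gateway_route_table" "spokes" { # table the spoke attachments use
  transit_gateway_id = "tgw-PLACEHOLDER"
}
resource "aws_ec2_transit_gateway_route" "spokes_default" { # all spoke traffic goes to the inspection VPC
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
  transit_gateway_attachment_id  = "tgw-attach-INSPECTION"
}
resource "aws_ec2_transit_gateway_route_table_association" "spokes" {
  for_each                       = local.spoke_attach
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
resource "aws_ec2_transit_gateway_route_table" "inspection" { # table the inspection attachment uses
  transit_gateway_id = "tgw-PLACEHOLDER"
}
resource "aws_ec2_transit_gateway_route_table_association" "inspection" {
  transit_gateway_attachment_id  = "tgw-attach-INSPECTION"
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "spokes" { # learn spoke CIDRs for the return path
  for_each                       = local.spoke_attach
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}
resource "aws_route" "tgw_subnets_default" { # inspection VPC: TGW attachment subnets -> firewall trust ENI
  route_table_id         = "rtb-TGW-SUBNETS"
  destination_cidr_block = "0.0.0.0/0"
  network_interface_id   = "eni-FW-TRUST"
}
resource "aws_route" "untrust_default" { # firewall untrust subnet -> NAT gateway (then IGW)
  route_table_id         = "rtb-FW-UNTRUST"
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = "nat-PLACEHOLDER"
}
resource "aws_route" "natgw_return" { # return path: NAT GW subnet -> firewall untrust ENI, per spoke CIDR
  for_each               = local.spoke_cidrs
  route_table_id         = "rtb-NATGW"
  destination_cidr_block = each.value
  network_interface_id   = "eni-FW-UNTRUST"
}
resource "aws_route" "trust_return" { # return path: firewall trust subnet -> TGW, per spoke CIDR
  for_each               = local.spoke_cidrs
  route_table_id         = "rtb-FW-TRUST"
  destination_cidr_block = each.value
  transit_gateway_id     = "tgw-PLACEHOLDER"
}
```

Each spoke VPC's own route tables (in the PROD/TEST/DEV accounts) still need 0.0.0.0/0 pointing at the TGW, and the NAT gateway subnet needs 0.0.0.0/0 to the internet gateway. Enable appliance mode (`appliance_mode_support = "enable"` on the inspection VPC attachment) so both directions of a flow reach the same firewall instance.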
