Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:vmseries:aws_transit_gateway [2021/01/05 12:14] – [Spoke VPC to TGW] bstafford
+++ paloaltonetworks:vmseries:aws_transit_gateway [2022/11/23 12:49] (current) – external edit 127.0.0.1
@@ Line 240: / Line 240: @@
 Peer Group – Create one peer group on each firewall virtual router
   * Name: pg-aws-tgw.
+  * Enabled : True
+  * Aggregated Confed AS Path : True
+  * Soft Reset With Stored Info : False
   * Type: eBGPG.
   * Import Next Hop: Use Peer
   * Export Next Hop : Use Self
+  * Remove Private AS : No
-When configuring the BGP Peering, we will create a peer group for each peer. This is so that we can explicitly control what routes are imported from each peer. The peer group names should match the name of the peer, as set out in the tables below.
+On each firewall, configure two peers within the peer group. When configuring a peer, the "Connections Options" should be as follows:
-  * For each peer below, create a peer group with the same name. For each group, set
-  * Enabled - Yes
-  * Aggregated Confed AS Path - Yes
-  * Soft Reset With Store Info - No
-  * Type - EBGP
-  * Import Next Hop - Original
-  * Export Next Hop - Resolve
-  * Remove Private AS – No
-When configuring a peer, the "Connections Options" should be as follows:
   * Auth Profile: None (not supported on AWS)
   * Keep Alive Interval (Sec) : 10
@@ Line 265: / Line 259: @@
 Redistribution: Create a redistribution profile to redistribute Static routes. Mark the "Set Origin" as incomplete. The only static route should be the default route.
-We need two export rules to the same peer group. The default is done without any path pre-pending. The internal routes are prepended on the secondary firewall. The secondary firewall uses BGP prepending to make sure the neighbouring VPCs prefer the primary firewall for routing. In the PAN-OS GUI, this is set this under <code>Virtual Router->BGP->Export->(For each entry)->Action->AS Path->Type = Prepend. Value = 1</code>
+We have one import rule that is used by the peer group. Set action to allow and list the specific prefixes. 10.0.0.0/16, 10.1.0.0/16, 10.10.0.0/16, 10.20.0.0/16 and 10.0.0.0/12. No need to say that it has to be an exact match.
+We need two export rules where both are to the same peer group. The default is done without any path pre-pending. That rule exports the default route and the public subnet route. Note that both firewalls will need to be unique. Firewall 1's first rule will export 0.0.0.0/0 and 10.0.11.0/24 while firewall 2's first rule will export 0.0.0.0/0 and 10.0.21.0/24. This ensures that the spokes can connect to the correct public subnets where needed.
+The second export rule exports 10.0.0.0/8. The internal routes are prepended on the secondary firewall. The secondary firewall uses BGP prepending to make sure the neighbouring VPCs prefer the primary firewall for routing. In the PAN-OS GUI, this is set this under <code>Virtual Router->BGP->Export->(For each entry)->Action->AS Path->Type = Prepend. Value = 1</code>
 ===== Create Spoke VPCs =====
@@ Line 301: / Line 299: @@
 The Spoke VPCs are attached to a separate route table so you can select which routes are propagated to them to control east/west traffic flow. If you are not doing east-west security, you could use one transit gateway route table.
-This means that spoke1 and spoke2 VPCs are "attached" to the lab-rt-tgw-spoke route table and teh security VPC is "attached" to the lab-rt-tgw-security" route table. The Firewall VPNS are also attached to the lab-rt-tgw-security route table.
+This means that spoke1 and spoke2 VPCs are "attached" to the lab-rt-tgw-spoke route table and the security VPC is "attached" to the lab-rt-tgw-security" route table. The Firewall VPN tunnels are also attached to the lab-rt-tgw-security route table.