====== RFC 1918 ======

When configuring PAN-OS, keep the following in mind.

RFC 3927 and RFC 5735 specify ''169.254.0.0/16'' as a link-local range to be used for connectivity links. This makes it ideal for HA connections. RFC 5735 lists other special-use ranges, e.g. 198.18.0.0. RFC 6598 specifies ''100.64.0.0/10''.

However, do not use ''169.254.1.0/24'', as the PAN-OS management plane uses that range internally.

For example:

  * ''169.254.11.0/30'' - HA1
  * ''169.254.11.4/30'' - HA1 Backup
  * ''169.254.11.8/30'' - HA2
  * ''169.254.11.12/30'' - HA2 Backup

Also remember that the following range is reserved as shared address space for communications between a service provider and its subscribers when using carrier-grade NAT:

  * ''100.64.0.0/10''

Also:

  * ''172.17.0.0/16'' - Default subnet for Docker; developers often do not change it.
  * ''10.88.0.0/16'' - Default network for Podman.

More details [[https://en.wikipedia.org/wiki/Reserved_IP_addresses|here]].

===== GCP =====

  * ''169.254.169.254'' Provides DNS

===== AWS =====

  * ''169.254.169.254'' Provides various metadata
  * ''169.254.169.253'' Provides DNS
  * ''169.254.169.123'' Provides a Stratum-3 NTP time source

You cannot assign the following CIDR blocks to an interface, because they are reserved for AWS system use:

  * ''169.254.0.0/30''
  * ''169.254.1.0/30''
  * ''169.254.2.0/30''
  * ''169.254.3.0/30''
  * ''169.254.4.0/30''
  * ''169.254.5.0/30''
  * ''169.254.169.252/30''

You must begin with the ''169.254.x.4/30'' range.

Also, for any subnet in AWS, if you take the subnet identifier (the network address) and add two, the resulting IP is a DNS resolver available in that subnet.

In AWS, Network ACLs do not control traffic to Amazon reserved addresses (the first four addresses of a subnet) or to link-local networks (''169.254.0.0/16''), which are used for VPN tunnels.
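As an added example (not from the original page or any vendor), a small Python check that flags a proposed CIDR against the reserved ranges listed above (PAN-OS management plane, AWS system /30s, CGNAT, Docker, Podman) and computes the AWS per-subnet reserved addresses; the category labels are my own and the address list is built only from this page.

```python
import ipaddress

# Reserved ranges collected from the page above. The labels are my own;
# the addresses are exactly the ones the page lists.
RESERVED = {
    "PAN-OS management plane (internal)": ["169.254.1.0/24"],
    "AWS system use (link-local /30s)": [
        "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
        "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
    ],
    "Cloud metadata/DNS/NTP endpoints": [
        "169.254.169.254/32", "169.254.169.253/32", "169.254.169.123/32",
    ],
    "RFC 6598 shared address space (CGNAT)": ["100.64.0.0/10"],
    "Docker default bridge": ["172.17.0.0/16"],
    "Podman default network": ["10.88.0.0/16"],
}


def conflicts(cidr):
    """Return the labels of every reserved range that overlaps ``cidr``.

    An empty list means the block is clear of everything on this page and
    can be used for, e.g., a PAN-OS HA link.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return [
        label
        for label, ranges in RESERVED.items()
        if any(net.overlaps(ipaddress.ip_network(r)) for r in ranges)
    ]


def aws_reserved_hosts(subnet_cidr):
    """First four addresses of an AWS subnet, which Amazon reserves and
    which Network ACLs cannot filter."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return [str(net.network_address + i) for i in range(4)]


def aws_dns_resolver(subnet_cidr):
    """Subnet network address + 2 is the Amazon-provided DNS resolver."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return str(net.network_address + 2)


if __name__ == "__main__":
    # Walk a constructed HA link plan and flag anything that collides.
    for link, block in [("HA1", "169.254.11.0/30"), ("HA1 Backup", "169.254.11.4/30"),
                        ("bad HA2", "169.254.1.8/30")]:
        print(f"{link:11} {block:18} {conflicts(block) or 'ok'}")
    print("DNS for 10.0.1.0/24:", aws_dns_resolver("10.0.1.0/24"))
```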