When configuring PAN-OS, keep the following in mind.
RFC3927/RFC5735 specifies 169.254.0.0/16 as a link local range to be used for connectivity links. This makes it ideal for HA connections.
RFC5735 lists special use cases. 198.18.0.0
RFC6598 specifies 100.64.0.0/10
However, do not use 169.254.1.0/24 as PAN-OS management plane uses that internally.
e.g.
169.254.11.0/30 - HA1
* 169.254.11.4/30 - HA1 Backup169.254.11.8/30 - HA2
* 169.254.11.12/30 - HA2 BackupAlso remember, the following range is reserved for shared address space for communications between a service provider and its subscribers when using a carrier-grade NAT.
Also,
More details here.
169.254.169.254 Provides DNS169.254.169.254 Provides vairous meta data169.254.169.253 Provides DNS169.254.169.123 provides a Stratum-3 NTP time sourceYou cannot assign the following CIDR blocks to an interface, because they are reserved for AWS system use:
169.254.0.0/30169.254.1.0/30169.254.2.0/30169.254.3.0/30169.254.4.0/30169.254.5.0/30169.254.169.252/30
You must begin with the 169.254.x.4/30 range.
Also, you will find that for any subnet in AWS, if you take the subnet identifier and increase the number by two, the resulting IP will be a DNS resolver available in that subnet.
In AWS, Network ACLs do not provide control of traffic to Amazon reserved addresses (first four addresses of a subnet) nor of link local networks (169.254.0.0/16), which are used for VPN tunnels.