Palo Alto Networks RFC 1918

When configuring PAN-OS, keep the following in mind.

RFC 3927/RFC 5735 specify 169.254.0.0/16 as a link-local range to be used for connectivity links. This makes it ideal for HA connections.

RFC 5735 lists special use cases.

However, do not use 169.254.1.0/24, because the PAN-OS management plane uses that range internally.

e.g.

  • 169.254.11.0/30 - HA1
  • 169.254.11.4/30 - HA1 Backup
  • 169.254.11.8/30 - HA2
  • 169.254.11.12/30 - HA2 Backup

Also remember that the following range is reserved as shared address space for communication between a service provider and its subscribers when carrier-grade NAT is in use.

  • 100.64.0.0/10

More details here.

GCP

  • 169.254.169.254 Provides DNS

AWS

  • 169.254.169.254 Provides various metadata
  • 169.254.169.253 Provides DNS
  • 169.254.169.123 Provides a Stratum-3 NTP time source

You cannot assign the following CIDR blocks to an interface, because they are reserved for AWS system use:

  • 169.254.0.0/30
  • 169.254.1.0/30
  • 169.254.2.0/30
  • 169.254.3.0/30
  • 169.254.4.0/30
  • 169.254.5.0/30
  • 169.254.169.252/30

You must begin with the 169.254.x.4/30 range.
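The reserved ranges listed above can be checked mechanically before an addressing plan is committed. The following is an added example, not part of the original page or any Palo Alto Networks or AWS tooling: it tests candidate link blocks against every range this page says to avoid, regardless of platform (a conservative assumption), and also flags overlaps inside the plan itself. The function names and the `bad-tunnel` entry are constructed for illustration.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Ranges this page says to avoid, keyed by the reason given on the page.
RESERVED = {
    "PAN-OS management plane": ["169.254.1.0/24"],
    "AWS system use": [
        "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30",
        "169.254.3.0/30", "169.254.4.0/30", "169.254.5.0/30",
        "169.254.169.252/30",
    ],
    "cloud metadata/DNS 169.254.169.254": ["169.254.169.254/32"],
    "AWS DNS 169.254.169.253": ["169.254.169.253/32"],
    "AWS NTP 169.254.169.123": ["169.254.169.123/32"],
}

def conflicts(cidr):
    """Return the reasons a candidate link block should not be used."""
    # strict=True raises ValueError if host bits are set (e.g. 169.254.11.1/30)
    net = ipaddress.ip_network(cidr, strict=True)
    found = []
    if not net.subnet_of(LINK_LOCAL):
        found.append("outside 169.254.0.0/16")
    for reason, blocks in RESERVED.items():
        if any(net.overlaps(ipaddress.ip_network(b)) for b in blocks):
            found.append(reason)
    return found

def audit(plan):
    """Check a {name: cidr} plan, including overlaps between its own entries."""
    report = {name: conflicts(cidr) for name, cidr in plan.items()}
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                report[a].append(f"overlaps {b}")
                report[b].append(f"overlaps {a}")
    return report

# The page's example HA plan plus one constructed bad entry.
PLAN = {
    "HA1": "169.254.11.0/30", "HA1 Backup": "169.254.11.4/30",
    "HA2": "169.254.11.8/30", "HA2 Backup": "169.254.11.12/30",
    "bad-tunnel": "169.254.1.4/30",  # constructed: inside 169.254.1.0/24
}

if __name__ == "__main__":
    for name, problems in audit(PLAN).items():
        print(f"{name:11} {PLAN[name]:18} {'; '.join(problems) or 'ok'}")
```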

Also, for any subnet in AWS, if you take the subnet identifier and increase the number by two, the resulting IP is a DNS resolver available in that subnet.

In AWS, Network ACLs do not provide control of traffic to Amazon reserved addresses (first four addresses of a subnet) nor of link local networks (169.254.0.0/16), which are used for VPN tunnels.

networking/rfc1918.1713779108.txt.gz · Last modified: by bstafford