The repository consists of the templates that are required and detailed instructions on securing ingress VPC traffic using scalable security solutions (eg: Palo Alto) and AWS Transit Gateway.
- Create a S3 bucket with root folder structure as below.
-
Create a S3 bucket with root folder structure as below.
-
Modify the init-cfg.txt file with vm-auth-key and panorama-server information.
-
Upload the init-cfg.txt file to the /config folder on the S3 bucket.
-
Upload the AWS Lambda code Firewall template (panw-aws.zip) and Application template (ilb.zip) to the S3 bucket’s root folder as shown in above screenshot.
-
Firewall Template:
- Launch the stack using (firewall-template) template in the AWS CloudFormation console in the AWS account where you launch firewalls. The local copy of the template is also provided in this repository.
- Ensure that you select at least two availability zones.
- Enter the VM-Series-Firewall AMI ID. You need to subscribe to the produce (PAYG/BYOL). For this demonstration we are using ‘ami-056149984080d92af’ in us-west-2 region.
- Select the existing Key pair for the VMs from the drop down menu.
- Enter the CIDR to allow SSH into VMs. In this case it is 0.0.0.0/0
- Choose “Yes” for Enable debug log.
- Specify the name of the S3 bucket created earlier for bootstrapping firewall.
- Specify the S3 bucket containing panw-aws.zip file.
- The API-Key for firewall is configured with a default username and password. The “pandemo/demopassword” can be changed from Panorama.
- Enter the previously generated Panorama API key.
- Enter the Admin username for Panorama. (sample config username is ‘pandemo’)
- Enter the name of the Load balancer.
- Click next and launch the stack.
- Once complete, note the following parameters:
- AutoScaling group launched instances in each availability zone.
- Network load balancer SQS queue name
- Elastic load balancer DNS name
- Create a stack using (transit-gateway) in AWS Cloudformation console in firewall Account.
- Enter the transit gateway name.
- Enter the Organization ID that enables sharing of the Transit gateway with the spoke accounts.
Note: The above template creates transit gateway with two routing domains - DMZ VPC routing domain and the Spoke VPC routing domain.
a. In DMZ VPC
- Create a stack using (transit-gateway-attachment) in AWS Cloudformation console in the firewall account VPC.
- Provide the transit gateway ID created in step 2.
- Provide the trusted subnets of your DMZ VPC.
- Provide the Routing table ID associated to the trusted subnets.
- Provide the Spoke VPC CIDR to which you connect to (It is best to summarize the spoke VPCs CIDR here). This is to enable routing between DMZ VPC and Spoke VPCs.
- Click next and create.
Note: Routing tables of trusted subnets need to be updated with Spoke VPC CIDR as destination and Transit gateway as target
b. In Spoke VPC
- Create a stack again using (transit-gateway-attachment)in AWS Cloudformation console in Spoke account/VPC.
- Provide the Transit gateway ID created in step 2.
- Provide the internal subnets of your spoke VPC.
- Provide the DMZ VPC CIDR to which the spoke VPC need to connect to. This is to enable routing between a spoke VPC and DMZ VPC.
- Provide the Routing table ID associated to the spoke vpc subnets.
- Click next and create.
- Repeat the above steps in all Spoke VPCs
c. In DMZ account/VPC
- Create another stack using (transit-gateway-propagations) in AWS Cloudformation console in DMZ account/VPC.
- Provide the ID for the DMZ VPC.
- Provide the IDs for the Spoke VPCs.
- Provide the names for your Spoke VPCs in the same order as IDs for VPCs.
- Provide the TGW ID.
- Click next and create.
Note: Launching the above stack will create a custom resource and a lambda function which requires to be updated each time a new spoke is connected to the transit gateway.
- Launch the stack using (application-template) template in the AWS CloudFormation console in the spoke VPC account.
- Provide the template name. Here we are using Application-Template
- Select the existing Application Spoke VPC from the drop-down list for the VPCID.
- Select the number of availability zones and AZ from the list.
- Provide the CIDRs for trust subnets from application VPC.
- For ILBSubnets, select the Subnets from Application Spoke VPC that need to be associated with Internal Load Balancer (Enter Subnet IDs).
- Give the name for Internal Application Load Balancer.
- Under the Lambda section, enter the S3 bucket name containing Lambda zip file (‘ilb.zip’).
- Enter the SQS Queue URL copied from output of the Firewall stack.
- Select the key value pair from the list.
- Enter the CIDR to allow SSH into VMs. In this case it is 0.0.0.0/0
- Under the VPC Connectivity section, enter the total number of AZs for the DMZ VPC.
- Enter the trust subnet CIDRs from DMZ VPC.
- If Cross account:
- Select False for ‘Same Account Deployment’.
- Enter the Cross-Account Role ARN.
- Enter the AWS Account ID for DMZ VPC.
- Create a stack using (alb-rules) in AWS Cloudformation console in the DMZ account VPC.
- Enter the DMZ VPC ID.
- Enter the DNS name for the application.
- Enter the Public LoadBanlancer Listener ARN which was launched with the Firewall template.
- Enter the port number unique for the application. This should be same as VM NAT policy configuration rule added by the Application template.
- Provide the name for your new Target Group.
- Once the template launch completes, navigate to the AWS AutoScaling service console.
- Click on the AutoScaling group launched by the Firewall Template.
- In the ‘Details’ section, look for ‘Load balancing’ and then Click ‘Edit’.
- Select the newly created Target group under ‘Choose a target group for your load balancer’.
- Click ‘Update’.
- This should add the existing VM instances behind this target group.
- Modify the Health check path if required. Default is ‘/’.
-
Shiva Vaidyanathan - Senior Cloud Infrastructure Architect, AWS Professional Services
-
Mayuresh Joshi - Cloud Infrastructure Architect, AWS Professional Services
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.