AWS VPN
Deploying a VPN in AWS Peered with a Palo Alto On-Prem Firewall
Overview
This guide details how to deploy an AWS Site-to-Site VPN and peer it with a Palo Alto on-premises firewall. It includes VPN configuration using **AWS Console, CLI, and Terraform**, along with troubleshooting steps using AWS CLI.
Prerequisites
- **AWS Account** with permissions to create VPNs, VPCs, and Route Tables.
- **Palo Alto Networks Firewall** with public IP connectivity.
- **IPSec VPN configuration details** (e.g., Phase 1 & Phase 2 settings).
AWS Site-to-Site VPN Deployment
[ Manual Deployment: Using AWS Console ]
Step 1: Create a Virtual Private Gateway (VGW)
- Navigate to VPC > Virtual Private Gateways.
- Click Create Virtual Private Gateway.
- Provide a name and select Amazon Default ASN or specify your own.
- Click Create Virtual Private Gateway.
- Attach the VGW to your target VPC.
Step 2: Create a Customer Gateway (CGW)
- Navigate to VPC > Customer Gateways.
- Click Create Customer Gateway.
- Provide a name and enter the public IP of your Palo Alto firewall.
- Set the type to Static and enter the on-prem ASN if needed.
- Click Create Customer Gateway.
Step 3: Create a Site-to-Site VPN Connection
- Navigate to VPC > Site-to-Site VPN Connections.
- Click Create VPN Connection.
- Select the Virtual Private Gateway (VGW).
- Select the previously created Customer Gateway (CGW).
- Choose Static Routing or BGP.
- Click Create VPN Connection.
Step 4: Add VPN Routes
- Navigate to Route Tables.
- Select the appropriate route table.
- Click Edit Routes and add a route for the **on-prem network CIDR** pointing to the VGW.
Step 5: Download VPN Configuration for Palo Alto
- Go to Site-to-Site VPN Connections.
- Select the VPN Connection.
- Click Download Configuration.
- Choose Palo Alto Networks as the vendor.
- Apply the settings to your Palo Alto firewall.
[ Manual Deployment: Using AWS CLI ]
Step 1: Create Virtual Private Gateway
aws ec2 create-vpn-gateway --type "ipsec.1" aws ec2 attach-vpn-gateway --vpn-gateway-id vgw-xxxxxxxx --vpc-id vpc-xxxxxxxx
Step 2: Create Customer Gateway
aws ec2 create-customer-gateway --type "ipsec.1" --public-ip "203.0.113.1" --bgp-asn 65000
Step 3: Create VPN Connection
aws ec2 create-vpn-connection --customer-gateway-id cgw-xxxxxxxx --vpn-gateway-id vgw-xxxxxxxx --type "ipsec.1"
Step 4: Add VPN Route to Route Table
aws ec2 create-route --route-table-id rtb-xxxxxxxx --destination-cidr-block 192.168.1.0/24 --gateway-id vgw-xxxxxxxx
[ Deployment Using Terraform ]
resource "aws_vpc" "vpn_vpc" {
cidr_block = "10.10.0.0/16"
tags = { Name = "VPN-VPC" }
}
resource "aws_vpn_gateway" "vgw" {
amazon_side_asn = 64512
tags = { Name = "VPN-VGW" }
}
resource "aws_vpn_gateway_attachment" "vgw_attach" {
vpc_id = aws_vpc.vpn_vpc.id
vpn_gateway_id = aws_vpn_gateway.vgw.id
}
resource "aws_customer_gateway" "cgw" {
bgp_asn = 65000
ip_address = "203.0.113.1"
type = "ipsec.1"
tags = { Name = "OnPrem-CGW" }
}
resource "aws_vpn_connection" "vpn" {
vpn_gateway_id = aws_vpn_gateway.vgw.id
customer_gateway_id = aws_customer_gateway.cgw.id
type = "ipsec.1"
static_routes_only = true
tags = { Name = "AWS-Palo-VPN" }
}
resource "aws_route_table" "vpn_route_table" {
vpc_id = aws_vpc.vpn_vpc.id
route {
cidr_block = "192.168.1.0/24"
gateway_id = aws_vpn_gateway.vgw.id
}
tags = { Name = "VPN-Route-Table" }
}
Palo Alto Firewall Configuration
Phase 1 (IKE) Configuration
- IKE Version: IKEv1 or IKEv2
- Authentication: Pre-Shared Key (from AWS VPN config)
- Encryption: AES-256
- Hash: SHA-256
- DH Group: 14
- Lifetime: 28800 seconds
Phase 2 (IPSec) Configuration
- Protocol: ESP
- Encryption: AES-256
- Authentication: SHA-256
- PFS Group: 14
- Lifetime: 3600 seconds
Routes and NAT Considerations
- Ensure AWS VPC CIDR is included in the tunnel’s routing table.
- If NAT is enabled on Palo Alto, add proper NAT rules for VPN traffic.
- AWS static routes or BGP should reflect the on-prem network.
Troubleshooting AWS VPN Using AWS CLI
Check VPN Connection Status
aws ec2 describe-vpn-connections --vpn-connection-ids vpn-xxxxxxxx
- Look for `"State": "available"` in the output.
Check Tunnel Status
aws ec2 describe-vpn-connections --query "VpnConnections[].VgwTelemetry"
- Look for `"Status": "UP"` for each tunnel.
Check BGP Routes (If BGP is used)
aws ec2 describe-route-tables --filters "Name=association.vpc-id,Values=vpc-xxxxxxxx"
- Ensure VPN routes are present.
Check AWS Logs for VPN Issues
Enable VPN logging:
aws ec2 modify-vpn-connection-options --vpn-connection-id vpn-xxxxxxxx --enable-logging
Check CloudWatch Logs for VPN
If VPN logging is enabled:
aws logs describe-log-groups --query "logGroups[?contains(logGroupName, 'VPN')].logGroupName" aws logs get-log-events --log-group-name "/aws/vpn" --limit 10
Palo Alto Troubleshooting
Check IPSec Tunnel Status
On Palo Alto CLI:
show vpn ike-sa show vpn ipsec-sa
Debug VPN Traffic
Enable debug logs:
debug ike gateway gateway-name on debug tail follow yes mp-log ikemgr.log
Check NAT Rules (If Used)
Ensure proper NAT rules exist:
show running nat-policy
Check Firewall Logs
- Go to Palo Alto Web UI → Monitor → System Logs.
- Look for IKE phase failures or misconfigurations.
Common Issues and Fixes
| Issue | Cause | Resolution |
|---|---|---|
| AWS VPN tunnel is down | Incorrect IKE/IPSec settings on Palo Alto | Verify AWS VPN configuration download and ensure correct settings. |
| No traffic over VPN | Missing static routes or BGP misconfiguration | Ensure proper routes are added to AWS and Palo Alto. |
| Tunnel flaps | Mismatched IKE lifetime settings | Set identical IKE Phase 1 & 2 lifetimes on both sides. |
| Palo Alto shows IKE Phase 1 down | Incorrect pre-shared key | Re-enter the pre-shared key in Palo Alto. |