>
    Configure the AWS Transit Gateway Integration
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. AWS Transit Gateway CloudBlade Integration
    4. Configure the AWS Transit Gateway Integration
    Download PDF
    Prisma SD-WAN

    Configure the AWS Transit Gateway Integration

    Table of Contents

    Configure the AWS Transit Gateway Integration

    Learn how to configure the AWS transit gateway cloudBlade and Prisma SD-WAN
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • Prisma SD-WAN license
    • AWS Transit Gateway CloudBlade
    To configure the AWS Transit Gateway Integration CloudBlade, retrieve the following information from your AWS account:
    1. Generate AWS Access key ID and secret access key.
    2. The AWS Transit Gateway CloudBlade adds a CIDR block in one of the fields. Ensure that the CIDR block does not overlap with the VPC CIDR.

    Configure and Install the AWS Transit Gateway Integration CloudBlade

    1. Go to Strata Cloud ManagerManagePrisma SD-WANCloudBlades.
    2. Locate the AWS Transit Gateway CloudBlade and click Configure.
      If this CloudBlade does not appear in the list, contact the Palo Alto Support team.
    3. Provide the AWS Access Key ID and the Access Key ID Secret retrieved from the previous step.
    4. Provide the Transit Gateway ID in the format Region:TGW-ID.
      Only one region must be mapped to one TGW ID. Multiple TGW entries can be populated in a comma separated format.
    5. Provide a VPC CIDR block in the format <AWS Region:VPC_CIDR> for region based CIDRs and <CIDR> for global CIDRs for all regions in the TGW field.
      The VPC CIDR block must have a subnet mask between /16 and /26. Four distinct subnets are carved out for the public and private subnets on each vION. This should be in the RFC 1918 address space. The same VPC CIDR is reused on all regions in multi-region deployments.
    6. Provide the TGW GRE CIDR Block in the format <AWS Region:GRE_CIDR> for region based CIDRs and <CIDR> for global CIDRs for all regions in the TGW field.
      The TGW GRE Tunnel CIDR block must not overlap the VPC CIDR block. The GRE CIDR block can have any one of the following subnet masks /8, /16, or /24. The same VPC CIDR is reused on all regions in multi-region deployments.
    7. Provide the BGP Peer IP Address CIDR in the format <AWS Region:BGP_CIDR> for region based CIDRs or <CIDR> for global CIDRs for all regions in the TGW field. Allocate a /29 IP subnet for the GRE tunnel interface on both the ends.
      This address block can also be used for establishing core peering from both the Data Center virtual IONs with the Transit Gateway’s connect peers. The CIDR block has to be in the “169.254.x.x/29” subnet as required by AWS. Only one /29 prefix is needed, the CloudBlade uses this as a base and increments as many /29 subnets required based on the number of regions deployed.
      Ensure at least 2 licenses are available to deploy both v7108 IONs, for each region you wish to deploy the Data Center site.
    8. Select Install once all fields in the CloudBlade configuration is populated.

    © 2025 Palo Alto Networks, Inc. All rights reserved.