AWS and

Prisma SD-WAN

CloudBlade Prerequisites

An active
Prisma SD-WAN
subscription with sufficient licenses to install at least 2 x v7108 IONs, per region.

An AWS account with permissions to create, update, and delete CloudFormation templates (CFT) and associated VPC resources.
The following JSON file can used to create an IAM policy to give the appropriate permissions used by the CloudBlade. This can then be assigned to the user/role that has programmatic access.
To import this file in the AWS console navigate to
IAM
Policies
Create Policy
JSON
and paste the complete JSON below.
{  
					"Version": "2012-10-17",  
					"Statement": [    
						{      
							"Sid": "VisualEditor0",      
							"Effect": "Allow",      
							"Action": [        
								"cloudformation:SetStackPolicy",        
								"cloudformation:CreateStack",        
								"cloudformation:DescribeStackResources",        
								"cloudformation:DescribeStacks",        
								"cloudformation:DeleteStack",        
								"cloudformation:SetStackPolicy",        
								"cloudformation:CreateStack",        
								"cloudformation:DeleteStack",        
								"cloudformation:DescribeStackResources",        
								"cloudformation:DescribeStacks",        
								"cloudformation:SetStackPolicy",        
								"cloudformation:CreateStack",        
								"cloudformation:DeleteStack",        
								"cloudformation:DescribeStackResources",        
								"cloudformation:DescribeStacks",        
								"cloudformation:SetStackPolicy",        
								"cloudformation:CreateStack",        
								"cloudformation:DeleteStack",        
								"cloudformation:DescribeStackResources",        
								"cloudformation:DescribeStacks",        
								"ec2:DeleteTransitGatewayConnectPeer",        
								"ec2:CreateTransitGatewayConnect",        
								"ec2:CreateNatGateway",        
								"ec2:CreateTags",        
								"ec2:CreateVpc",        
								"ec2:ModifyTransitGateway",        
								"ec2:CreateTransitGatewayConnectPeer",        
								"ec2:CreateTransitGatewayVpcAttachment",        
								"ec2:DeleteTransitGatewayVpcAttachment",        
								"ec2:CreateRoute",        
								"ec2:DeleteTransitGatewayConnect",        
								"ec2:DeleteNatGateway",        
								"ec2:AuthorizeSecurityGroupIngress",        
								"ec2:DeleteSubnet",        
								"ec2:TerminateInstances",        
								"ec2:AttachVpnGateway",        
								"ec2:DeleteRoute",        
								"ec2:DeleteNetworkInterface",        
								"ec2:CreateRouteTable",        
								"ec2:RunInstances",        
								"ec2:AttachInternetGateway",        
								"ec2:DeleteRouteTable",        
								"ec2:RevokeSecurityGroupIngress",        
								"ec2:CreateNetworkInterface",        
								"ec2:CreateRoute",        
								"ec2:CreateSecurityGroup",        
								"ec2:CreateInternetGateway",        
								"ec2:DeleteSecurityGroup",        	
								"ec2:DeleteInternetGateway",        
								"ec2:CreateSubnet",        
								"ec2:DescribeAddresses",        
								"ec2:DescribeInstances",        
								"ec2:DescribeAvailabilityZones",        
								"ec2:DescribeVpcs",        
								"ec2:DescribeAccountAttributes",        
								"ec2:DescribeTransitGateways",        
								"ec2:DescribeNatGateways",        
								"ec2:DescribeTransitGatewayConnects",        
								"ec2:DescribeTransitGatewayVpcAttachments",        
								"ec2:DescribeTransitGatewayConnectPeers",        
								"ec2:DescribeSubnets",        
								"ec2:DescribeRouteTables",        
								"ec2:ReleaseAddress",        
								"ec2:DisassociateAddress",        
								"ec2:CreateTags",        
								"ec2:ModifyNetworkInterfaceAttribute",        
								"ec2:DetachInternetGateway",        
								"ec2:DisassociateRouteTable",        
								"ec2:DescribeSecurityGroups",        
								"ec2:AllocateAddress",        
								"ec2:AssociateRouteTable",        
								"ec2:DescribeInternetGateways",        
								"s3:GetObject",        
								"ec2:DescribeNetworkInterfaces",        
								"ec2:CreateInternetGateway",        
								"sts:DecodeAuthorizationMessage",        
								"ec2:ModifyVpcAttribute",        
								"ec2:DeleteVpc",        
								"ec2:AssociateAddress"      
							],      
							"Resource": "*"    
						}  
					]
				}
The AWS account must have sufficient permissions to generate AWS access keys.
An active AWS marketplace subscription to the
Prisma SD-WAN
ION Virtual Appliance.
In an upgrade scenario from version 2.0.0 to version 2.1.0 of the CloudBlade, existing deployments will not be impacted, however, any new deployments will require to subscribe to this marketplace.
The AWS account must have at least 2 Elastic IP addresses available per region for allocation.
An existing Transit Gateway in the regions where you wish to deploy a
Prisma SD-WAN
Data center.
The AWS Transit Gateway CloudBlade creates the transit gateway attachment between the
Prisma SD-WAN
VPC and the Transit Gateway. It also configures the BGP peering between the
Prisma SD-WAN
Data center IONs and the Transit Gateway.
Routing from the application VPCs to reach
Prisma SD-WAN
remote networks and the VPC attachment between Application VPCs and the Transit Gateway must be configured by the customer.