AWS and Prisma SD-WAN CloudBlade Prerequisites

Let's learn more about the prerequisites for AWS and Prisma SD-WAN CloudBlade.
Prisma SD-WAN:
  • An active Prisma SD-WAN subscription with sufficient licenses to install at least 2 x v7108 IONs, per region.
AWS:
  • An AWS account with permissions to create, update, and delete CloudFormation templates (CFT) and associated VPC resources.
    The following JSON file can be used to create an IAM policy that gives the appropriate permissions used by the CloudBlade. The policy can then be assigned to the user/role that has programmatic access.
    To import this file in the AWS console, navigate to IAM > Policies > Create Policy > JSON and paste the complete JSON below.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "cloudformation:SetStackPolicy",
            "cloudformation:CreateStack",
            "cloudformation:DescribeStackResources",
            "cloudformation:DescribeStacks",
            "cloudformation:DeleteStack",
            "ec2:DeleteTransitGatewayConnectPeer",
            "ec2:CreateTransitGatewayConnect",
            "ec2:CreateNatGateway",
            "ec2:CreateTags",
            "ec2:CreateVpc",
            "ec2:ModifyTransitGateway",
            "ec2:CreateTransitGatewayConnectPeer",
            "ec2:CreateTransitGatewayVpcAttachment",
            "ec2:DeleteTransitGatewayVpcAttachment",
            "ec2:CreateRoute",
            "ec2:DeleteTransitGatewayConnect",
            "ec2:DeleteNatGateway",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:DeleteSubnet",
            "ec2:TerminateInstances",
            "ec2:AttachVpnGateway",
            "ec2:DeleteRoute",
            "ec2:DeleteNetworkInterface",
            "ec2:CreateRouteTable",
            "ec2:RunInstances",
            "ec2:AttachInternetGateway",
            "ec2:DeleteRouteTable",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:CreateNetworkInterface",
            "ec2:CreateSecurityGroup",
            "ec2:CreateInternetGateway",
            "ec2:DeleteSecurityGroup",
            "ec2:DeleteInternetGateway",
            "ec2:CreateSubnet",
            "ec2:DescribeAddresses",
            "ec2:DescribeInstances",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVpcs",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeTransitGateways",
            "ec2:DescribeNatGateways",
            "ec2:DescribeTransitGatewayConnects",
            "ec2:DescribeTransitGatewayVpcAttachments",
            "ec2:DescribeTransitGatewayConnectPeers",
            "ec2:DescribeSubnets",
            "ec2:DescribeRouteTables",
            "ec2:ReleaseAddress",
            "ec2:DisassociateAddress",
            "ec2:ModifyNetworkInterfaceAttribute",
            "ec2:DetachInternetGateway",
            "ec2:DisassociateRouteTable",
            "ec2:DescribeSecurityGroups",
            "ec2:AllocateAddress",
            "ec2:AssociateRouteTable",
            "ec2:DescribeInternetGateways",
            "s3:GetObject",
            "ec2:DescribeNetworkInterfaces",
            "sts:DecodeAuthorizationMessage",
            "ec2:ModifyVpcAttribute",
            "ec2:DeleteVpc",
            "ec2:AssociateAddress"
          ],
          "Resource": "*"
        }
      ]
    }
  • The AWS account must have sufficient permissions to generate AWS access keys.
  • An active AWS marketplace subscription to the Prisma SD-WAN ION Virtual Appliance.
    In an upgrade scenario from version 2.0.0 to version 2.1.0 of the CloudBlade, existing deployments will not be impacted; however, any new deployments will require this marketplace subscription.
  • The AWS account must have at least 2 Elastic IP addresses available per region for allocation.
  • An existing Transit Gateway in the regions where you wish to deploy a Prisma SD-WAN Data center.
    The AWS Transit Gateway CloudBlade creates the transit gateway attachment between the Prisma SD-WAN VPC and the Transit Gateway. It also configures the BGP peering between the Prisma SD-WAN Data center IONs and the Transit Gateway.
  • Routing from the application VPCs to reach Prisma SD-WAN remote networks and the VPC attachment between Application VPCs and the Transit Gateway must be configured by the customer.
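
Before the IAM policy above is attached to a user or role with programmatic access, it helps to see exactly what it allows. The following Python script is an added example, not part of the original page or of the CloudBlade: it reports duplicate entries and the actions allowed on Resource "*" whose names do not look read-only. SAMPLE_POLICY is a constructed excerpt of the policy, and review_policy, as_list and the read-only prefix heuristic are assumptions of this example.

```python
import json
from collections import Counter

# Constructed excerpt of the policy above: same shape, fewer actions.
SAMPLE_POLICY = """
{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
 "Action": ["cloudformation:CreateStack", "cloudformation:DescribeStacks",
            "cloudformation:CreateStack", "ec2:RunInstances", "ec2:TerminateInstances",
            "ec2:DescribeVpcs", "ec2:DeleteVpc", "ec2:CreateTags", "ec2:CreateTags",
            "s3:GetObject"],
 "Resource": "*"}]}
"""

# Assumption: a name-based heuristic, not AWS's own access-level classification.
READ_PREFIXES = ("Describe", "Get", "List")


def as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def review_policy(policy_text):
    """Report duplicate actions and non-read actions allowed on Resource '*'."""
    statements = json.loads(policy_text)["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    report = {"duplicates": [], "unique_actions": [], "non_read_on_wildcard": []}
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = as_list(stmt["Action"])
        report["duplicates"] += sorted(a for a, n in Counter(actions).items() if n > 1)
        unique = list(dict.fromkeys(actions))  # de-duplicate, keep first-seen order
        report["unique_actions"] += unique
        if "*" in as_list(stmt.get("Resource", [])):
            report["non_read_on_wildcard"] += [
                a for a in unique
                if not a.split(":", 1)[-1].startswith(READ_PREFIXES)
            ]
    return report


if __name__ == "__main__":
    result = review_policy(SAMPLE_POLICY)
    print("duplicate entries:", result["duplicates"])
    print("non-read actions allowed on Resource '*':")
    for action in result["non_read_on_wildcard"]:
        print("  ", action)
```

To review the full policy, save the JSON from the page to a file and pass its contents to review_policy in place of SAMPLE_POLICY.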
