Prisma Access
Onboard an AWS Virtual Private Cloud
Table of Contents
Onboard an AWS Virtual Private Cloud
Onboard an AWS VPC to Prisma Access and secure access
as a remote network.
Where Can I Use
This? | What Do I Need? |
|---|---|
|
|
When your organization deploys workloads as
AWS EC2 instances and you need to secure access to these workloads,
you create internet key exchange (IKE) and IPSec profiles and then
onboard the AWS virtual private cloud (VPC) as a remote network to Prisma
Access. The remote network connection secures the workloads deployed
in the VPC and ensures that your mobile users and remote networks
have secure access to these workloads.
You can use static route, default route,
or BGP routing to onboard
the AWS VPC with Prisma Access. The following diagram shows a sample
VPC with static routing and two VPN connections, one primary and
one backup. The IP addresses in this diagram are used in the static routing
configuration examples.
The
following tasks show how to secure an AWS VPC with Prisma Access, including
how to deploy a VPN gateway and establish an IPSec VPN tunnel between the
AWS VPC and Prisma Access:
Begin Configuration of the VPN in Panorama
To onboard the AWS VPC, you need to enable
secure communication between the AWS VPC and Prisma Access using
a VPN gateway (VGW). The following workflow begins the configuration
of the VPN tunnel.
AWS requires a static, routable IP address before you can configure the customer gateway in AWS.
Therefore, you must first create configuration on the Prisma Access side of the
connection to retrieve the
Service IP Address
for the
remote network connection and enter that information in AWS when you configure the
VPN connection in AWS. The initial Prisma Access configuration
requires that you set placeholder values in Panorama for the IKE gateway and
tunnel monitor values. After you configure the VPC in AWS, you then complete the
Prisma Access configuration in Panorama by changing the placeholder
values you specified.Start this process by defining a dynamic
IPSec tunnel in Prisma Access.
- In Panorama, selectRemote_Network_Templatefrom theTemplatedrop-down.
- Select andAddan IKE crypto profile for the gateway.These settings must match the settings you configure on AWS. To change the AWS settings, see the AWS documentation.The following sample configuration uses these settings:
- DH Group:group2
- Encryption:aes-128-cbc
- Authentication:sha1
- Key Lifetime:8 Hours
- Select andAddan IPSec crypto profile for the IPSec tunnel configuration.These settings must match the settings you configure on AWS. To change the AWS settings, see the AWS documentation.The following sample configuration uses these settings:
- IPSec Protocol:ESP
- DH Group:group2
- Lifetime:1 Hour
- Encryption:aes-128-cbc
- Authentication:sha1
- Select andAddan IKE gateway for each AWS primary and secondary VPN connection.Specify the following IKE gateway parameters:
- ForPeer IP Address Type, selectDynamic.This setting is temporary. When you set up the IPSec tunnel in Prisma Access, you change the peer type to static (IP) and add an IP address.
- Configure aPre-shared key.Make a note of this key. You use it when you configure the AWS VPN connection.
- Enter a placeholder value in theLocal IdentificationandPeer Identificationfields.This value is temporary; you remove it when you complete the configuration in Prisma Access after you configure the AWS VPC.
- SelectAdvanced Optionsand specify the IKE crypto profile that you created in Step 2.
- Select andAddan IPSec tunnel for the AWS primary and secondary VPN connection.Specify the following tunnel parameters:
- Specify theIKE gatewayandIPSec Crypto Profilethat you created earlier in this task.
- SelectTunnel Monitorand specify a placeholder IP address.This IP address setting is temporary. After you configure the VPN gateway in AWS, you change this value when you complete the configuration in Prisma Access.
- Select andAdda tunnel monitor profile for the AWS VPN tunnels that lets trafficFail Overto the other tunnel in case of a tunnel failure.
- Select andAddthe AWS VPC as a remote network.Specify the following values:
- Select aLocationthat is closest to your AWS VPC.
- Select aBandwidthbased on the amount of traffic that Prisma Access can receive from the AWS VPC.
- Specify the IPSec primary tunnel that you created in Step 5 in theIPSec Tunnelfield.
- Specify either static or BGP routing.
- To configure static routing, click theStatic Routestab, then enter theBranch IP Subnetsthat correspond to the specific or summary subnets of your AWS VPC.If you created a backup tunnel (secondary WAN), selectEnable Secondary WANand specify the secondary IPSec tunnel that you created in Step 5.
- To configure BGP routing, click theBGPtab,EnableBGP, then enter aPeer ASand placeholder values for thePeer AddressandLocal Addressin thePrimary WANarea.If you created a backup tunnel (Secondary WAN), selectEnable Secondary WANand specify the secondary IPSec tunnel that you created in Step 5; then, deselectSame as Primary WANand enter placeholder values for thePeer AddressandLocal Addressin theSecondary WANarea.ThePeer AddressandLocal Addressyou specify are temporary values. After you configure additional settings on AWS, you change these addresses when you complete the configuration in Prisma Access.Make a note of thePeer AS, this number must match the one you enter when you Configure Routing in AWS; alternatively, use the default autonomous system (AS) number used by AWS, which is64512.
- Commit your changes to Panorama and push the configuration changes to Prisma Access.
- Click .
- Click and clickEdit Selections.
- On the Prisma Access tab, make sure you selectPrisma Access for service setupand then clickOK.
- Wait until Prisma Access adds the AWS VPC as a remote network.This process takes a few minutes. Select to view the remote network status.
- Make a note of theService IP Addressthat displays in the Network Details area. This service IP address is a public, routable IP address and you use it as the customer gateway IP address when you configure the VPC on AWS.
- Continue to the next task to configure the VPN connection on AWS.
Configure the AWS VPN Connection
After you configure the VPN tunnel in Prisma
Access, you begin the tunnel configuration on AWS by creating a
customer gateway, a virtual private gateway, and a VPN connection.
From
the AWS perspective, you configure the Prisma Access side of the
VPC as a customer gateway, and configure the AWS side as a VGW.
For more information about AWS configuration, see the AWS documentation
- Log in to the AWS console and make sure that the AWS VPC is configured in the AWS region that you specified for the tunnels in Prisma Access.The following examples use the default VPC.
- Create a customer gateway.
- Open the Amazon VPC console.
- Select .
- ClickCreate Customer Gateway.
- Enter the following information in the screen that displays.
- Enter aNamefor the customer gateway.Use a meaningful name such asprisma-access-gateway.
- Configure either static or BGP routing.
- To configure static routing, clickStaticin theRoutingarea, then copy the IP address from theService IP Addressfield in Prisma Access in Step 10 and paste that address into theIP Addressfield on AWS.
- To configure dynamic routing, clickDynamic (requires BGP).
- ClickCreate Customer Gateway.
AWS displays a notification that the customer gateway was created.Make a note of theCustomer Gateway ID; you use this value when you create the VPN connection in a later step.
- Create a virtual private gateway and attach it to the VPC.A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection. See the AWS documentation for more information.
- In the VPC console, select .
- ClickCreate Virtual Private Gateway.
- Enter aName tagfor the virtual private gateway.
- ClickCreate Virtual Private Gateway.
- Right-click the gateway name to open the context menu and selectAttach to VPC.
- —Select eitherBGP routing deployments onlyAmazon Default ASN, or selectCustom ASNand enter an ASN.The default ASN for Amazon is 64512. This default value must match thePeer ASyou specify for the remote network connection when you configure the VPN gateway in Prisma Access.
AWS displays a notification that the virtual private gateway was created.
- Enter the VPC ID.Use the existing VPC or a VPC that you created. This example uses the default VPC.
The AWS console shows the VPC with aStateofattached.
- Create a VPN connection.
- In the VPC console, select .
- ClickCreate VPN Connection.
- Enter the following information in the screen that displays:
- Enter aName tagfor the VPN connection.
- SelectExistingin theCustomer Gatewayarea and choose the name of the customer gateway you created in Step 2.
- Enter theCustomer Gateway IDof the customer gateway you created.
- Configure either a static connection or, if you use BGP, configure a dynamic connection.
- To configure a static connection, chooseStaticin theRouting Optionsarea and enter the static IP prefixes for all networks that require access from the AWS VPC through Prisma Access in theIP Prefixesarea.Optionally, enter a default route (0.0.0.0/0) to allow access to all routes from the AWS VPC to Prisma Access.These entries include any IP subnets that Prisma Access uses for remote network connections or service connections or that require access to the VPC.
- To configure a connection that uses BGP, chooseDynamic (requires BGP).
- In theTunnel Optionsarea, specify the following tunnel options:
- Enter a /30 CIDR block from the 169.254.0.0/16 subnet for the inside tunnel IP address.If you do not provide a subnet, AWS automatically provides a /30 CIDR block from the 169.254.0.0/16 subnet.
- Enter the IKE pre-shared key (PSK).Use the same IKE PSKs that you used when you configured the IKE gateway in Prisma Access.
- ClickYes, then clickCreate.
- Verify that the VPN is available to complete the Prisma Access connection.
- Click the name of the VPN you just created and click theDetailstab.TheStatusshould show asavailable.
- Click theTunnel Detailstab.Two outside public IP addresses (one for the primary and one for the secondary IPSec tunnel) and two inside IP CIDR subnets display in the fields.AStatusofDownis normal, because you have not yet configured Prisma Access with the outside IP addresses.
- Make a note of the addresses that display in theOutside IP Addressfield and the subnet that displays in theInside IP CIDRfield.You use these addresses when you set up the IPSec tunnel in Prisma Access.
- Continue to configure the routing on AWS to configure either default, static, or dynamic routing for the VPN connection.
Configure Routing in AWS
You can use one of two methods to configure
routing on AWS:
- If you configured static routing, use one of the following methods to configure routing on AWS:
- Create static routes to reach the service connection and remote network subnets for Prisma Access over the VPN connection. We recommend using static routes if you want to keep using existing routes to the internet or other corporate resources.VPC traffic to destinations that are not defined by new static routes are not protected by Prisma Access. To secure all traffic, create a default route.
- Create a default route that routes all traffic over the VPN tunnel to Prisma Access. Creating a default route ensures that Prisma Access secures all traffic including internet traffic.Using a VPN gateway as the default route might result in loss of connectivity to other VPC instances over the internet. Make sure that you have another method (for example, a bastion host) in place to connect to other VPC instances.
- Configure BGP routing by configuring dynamic routing in AWS.
Create Static Routes for the VPN Connection
To create static routes for the VPN connection,
complete the following steps:
- In Panorama, find theStatic Subnetsused in Prisma Access for your remote network connection.To find the subnets, select .
- In AWS, select the VPN connection you created in Step 4 and click theStatic routestab.
- ClickEditand add the static routes asIP prefixesfor your remote network connection.
- ClickAdd Another Routeand add the static routes for the subnets in the AWS VPN connection and VPC route tables, then clickSave.
- Verify that theStateof the route isavailable.
- Select .
- ClickEditand add a new route to the route table.
- Choose the VPN Gateway you created as aTargetto reach the IP address subnet allocated for your headquarters or branch office.
Create a Default Route for the VPN Connection
To create a default route for the VPN connection,
complete the following steps.
Using
a VPN gateway as the default route might result in loss of connectivity
to other VPC instances over the internet. Make sure that you have another
method (for example, a bastion host) in place to connect to other
VPC instances.
- Select .
- Provide a name for the table and clickYes, Create.
- Create a default route to the VPC subnet by clickingRoutesand adding the default route. Specify theTargetusing theIDof the virtual private gateway you created Step 3.
- Associate the VPC subnet to the route table you created.
- Add the default route you created to the new route table.
Create Dynamic Routing for the VPN Connection
To create dynamic routing for the VPN connection, complete
the following steps:
- Select the VPN connection you created in Step 4 and click theStatic routestab.
- Find the subnets used in Prisma Access for your remote network connection.To find the subnets, select .
- ClickEditand add the static routes asIP prefixesfor your remote network connection.
- ClickAdd Another Routeand add the static routes for the subnets in the AWS VPN connection and VPC route tables, then clickSave.
- Verify that theStateof the route isavailable.
- Select .
- ClickEditand add a new route to the route table.
- Choose the VPN Gateway you created as aTargetto reach the IP address subnet allocated for your headquarters or branch office.
- Enable route propagation by selecting theRoute Propagationtab, clickingEdit Route Propagation, and changingPropagatetoYes.
Complete Configuration of the IPSec Tunnel in Prisma Access
To finish the configuration of the IPSec tunnel
in Prisma Access, perform following steps in Panorama.
- Make sure that you have configured security policies between the AWS VPC and the service connection to allow communication between AWS VPC and the HQ/data center location.
- In Panorama, select .
- Select the IKE gateway that is used for the primary IPSec tunnel.
- Change thePeer IP Address TypefromDynamictoIP.
- Enter thePeer Address, specifying the firstOutside IP Addressthat displayed in theTunnel Detailstab of AWS in Step 5.c.
- Change theLocal IdentificationandPeer Identificationvalues toNoneand clickOK.
- Select and open the primary IPSec tunnel.
- Select theTunnel Monitorcheck box and enter theDestination IPaddress, specifying the first host of the firstInside IP CIDRsubnet that displayed in theTunnel Detailstab of AWS in Step 5.c; then, clickOK.For example, if the first Inside IP CIDR address subnet is 169.254.20.8/30, specify a destination IP address of 169.254.20.9.
- —Select , select theBGP routing deployments onlyBGPtab, then change the following values:
- Change thePeer Addressto the first host of the firstInside IP CIDRsubnet that displayed in theTunnel Detailstab of AWS in Step 5.c.
- Change theLocal Addressto the last host of the second Inside IP CIDR subnet that displayed in the Tunnel Details tab of AWS.For example, if the second Inside IP CIDR address subnet is 169.254.20.12/30, specify a destination IP address of 169.254.20.14.
- If you specified a backup tunnel (secondary WAN), change thePeer Addressto the last host of the firstInside IP CIDRsubnet that displayed in theTunnel Detailstab of AWS in Step 5.c, and change theLocal Addressto the last host of the second Inside IP CIDR subnet that displayed in the Tunnel Details tab of AWS.
- CommitandPushthe configuration.
Verify Connectivity Between the AWS VPC and Prisma Access
Verify that the IPSec tunnel is up and that
your workloads in the AWS VPC are accessible to the remote networks
and mobile users who use Prisma Access by completing the following
task.
- 1. Check the IPSec tunnel status on Panorama and on the AWS management console.
- In Panorama, select .
- ClickRemote Networks.The status should show asOKandIn sync.
- On the AWS management console, selectVPN connection.The status should show asUP.
Troubleshoot VPN Connection Issues
Use the procedures in this section to troubleshoot
any issues you have with tunnel creation.
- To troubleshoot the site-to-site connection in Prisma Access, log in to Panorama and select , then enter(subtype eq vpn)in theFilterfield to view messages related to VPN tunnel creation.
- To troubleshoot the site-to-site connection in AWS, log in to AWS. If the AWS does not have a status ofUPafter you configure it, double-check the IKE and IPSec parameters you configured in Prisma Access and make sure that they match the VPN configuration on AWS. To download the configuration on AWS, select the VPN connection you created and clickDownload Configuration.
