Associate a VPC Endpoint with a VM-Series Interface

You can associate one or more VPC endpoints with an interface or subinterface of the VM-Series firewall. You can provide consistent policy enforcement by associating all the endpoints in a single VPC to the same subinterface on the firewall. Or, if your deployment has VPCs with overlapping IP address, you can associate endpoints in different VPCs with different subinterfaces for differentiated policy enforcement.
Associating a VPC to an interface or subinterface is not mandatory to integrate the VM-Series firewall with a GWLB.
You can configure interfaces and associate a VPC with firewall interfaces using the following methods:
  • Include the interface configuration in your bootstrap.xml file and the association commands as part of the init-cfg.txt file or AWS user-data.
  • After deploying the firewall, manually configure your interfaces and use the firewall CLI to associate your VPCs with interfaces.
You can associate multiple VPC endpoints to a single interface on the VM-Series firewall. However, you must associate each VPC endpoint individually. For example, to associate VPC endpoint 1 and VPC endpoint 2 with subinterface ethernet1/1.2, you must execute the association command separately for each VPC endpoint.
The table below describes the commands used to associate a VPC with an interface. You can include the operation command in your init-cfg.txt file or in the AWS user-data.
Bootstrap parameter: plugin-op-commands=aws-gwlb-associate-vpce:<vpce-id>@ethernet<subinterface>
CLI command: request plugins vm_series aws gwlb associate vpc-endpoint <vpce-id> interface <subinterface>
Description: Associates a VPC endpoint with an interface or subinterface on the firewall. The specified interface is assigned to a security zone.

CLI command: request plugins vm_series aws gwlb disassociate vpc-endpoint <vpce-id> interface <subinterface>
Description: Disassociates a VPC endpoint from an interface or subinterface on the firewall. The specified interface is assigned to a security zone.

CLI command: show plugins vm_series aws gwlb
Description: Displays the operating state of the firewall as it relates to your GWLB deployment. It does not display the firewall configuration. For example, if you configure an association to an interface that does not exist, that association is configured but is not part of the operating state, so it is not displayed.
When associating VPC endpoints using the bootstrapping init-cfg.txt file or AWS user-data, you can list multiple interfaces or subinterfaces together. All the commands must be on a single line in a comma-separated list with no spaces, as shown in the following example (each endpoint still gets its own aws-gwlb-associate-vpce entry):
plugin-op-commands=aws-gwlb-inspect:enable,aws-gwlb-associate-vpce:vpce-075dafeb3541c26df@ethernet1/1.1,aws-gwlb-associate-vpce:vpce-03bc58a63edb7d4ca@ethernet1/1.1,aws-gwlb-associate-vpce:vpce-04fd63ec56d2ae4b3@ethernet1/1.3,aws-gwlb-associate-vpce:vpce-036fde94ea24bfbc2@ethernet1/1.3
If you are using subinterfaces to separate traffic, create a subinterface for each VPC and associate that subinterface with the VPC endpoint.
  1. Configure the subinterface.
    1. Log in to the firewall web interface.
    2. Select Network > Interface.
    3. Highlight ethernet1/1 and click Add Subinterface.
    4. Enter a numerical suffix (1 to 9,999) to identify the subinterface.
    5. Enter a VLAN Tag (1 to 4,094) for the subinterface. This field is required but the VLAN is not used.
    6. Select a Virtual Router.
    7. Select a Security Zone.
    8. On the IPv4 tab, set the Type to DHCP Client.
    9. Click OK.
    10. Repeat these steps for each VPC endpoint.
  2. Associate the interface with a VPC endpoint.
    1. Log in to the firewall CLI.
    2. Execute the following command:
      request plugins vm_series aws gwlb associate vpc-endpoint <vpce-id> interface <subinterface>
      For example:
      request plugins vm_series aws gwlb associate vpc-endpoint vpce-02c4e6g8ha97h7e39 interface ethernet1/1.4
      You can locate the VPC endpoint ID in the AWS console.
    3. Repeat this command for each interface and VPC endpoint association.
  3. Verify your interface to VPC endpoint associations.
    show plugins vm_series aws gwlb
    GWLB enabled: True
    Overlay Routing: False
    -------------------------------------------------------------
    VPC endpoint            Interface
    -------------------------------------------------------------
    vpce-0aeb1a919bd4ae609  ethernet1/1.1
    vpce-0294375bfe413f04a  ethernet1/1.2
  4. If necessary, you can use the following command to disassociate a VPC endpoint from an interface.
    request plugins vm_series aws gwlb disassociate vpc-endpoint <vpce-id> interface <subinterface>
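As an added example (not Palo Alto's code), a small Python helper that builds the single-line plugin-op-commands bootstrap entry from a VPC endpoint to subinterface mapping, then parses the output of show plugins vm_series aws gwlb and flags intended associations that are absent from the operating state, such as an association made to a subinterface that has not been created yet. The endpoint ID and interface patterns are loose sanity checks assumed here, not PAN-OS validation rules, and the show output is constructed in the format shown above.

```python
import re

# Loose sanity patterns (assumptions, not PAN-OS rules): AWS endpoint ids look like
# vpce-<hex>; interfaces are ethernetN/M with an optional .<suffix> of 1 to 9,999.
VPCE_RE = re.compile(r"^vpce-[0-9a-z]{8,17}$")
IFACE_RE = re.compile(r"^ethernet\d+/\d+(?:\.(\d+))?$")

def build_plugin_op_commands(associations, enable_inspect=True):
    """Build the single init-cfg.txt / user-data line from (vpce_id, interface) pairs.
    Each endpoint gets its own aws-gwlb-associate-vpce entry; no spaces anywhere."""
    parts = ["aws-gwlb-inspect:enable"] if enable_inspect else []
    for vpce_id, iface in associations:
        m = IFACE_RE.match(iface)
        if not VPCE_RE.match(vpce_id) or not m:
            raise ValueError(f"bad association: {vpce_id}@{iface}")
        if m.group(1) is not None and not 1 <= int(m.group(1)) <= 9999:
            raise ValueError(f"subinterface suffix out of range: {iface}")
        parts.append(f"aws-gwlb-associate-vpce:{vpce_id}@{iface}")
    line = "plugin-op-commands=" + ",".join(parts)
    assert " " not in line  # the bootstrap parser expects one comma-separated line
    return line

def parse_gwlb_state(show_output):
    """Parse 'show plugins vm_series aws gwlb' output into {vpce_id: interface}."""
    state = {}
    for line in show_output.splitlines():
        m = re.match(r"^\s*(vpce-\S+)\s+(ethernet\S+)\s*$", line)
        if m:
            state[m.group(1)] = m.group(2)
    return state

def find_drift(intended, operating):
    """Compare intended associations with the operating state. An association to an
    interface that does not exist is configured but never shown, so it is 'missing'."""
    intended = dict(intended)
    missing = sorted(v for v in intended if v not in operating)
    unexpected = sorted(v for v in operating if v not in intended)
    mismatched = sorted(v for v in intended if v in operating and operating[v] != intended[v])
    return {"missing": missing, "unexpected": unexpected, "mismatched": mismatched}

# Constructed sample output in the format shown on this page.
SAMPLE_SHOW = """\
GWLB enabled: True
Overlay Routing: False
VPC endpoint            Interface
vpce-0aeb1a919bd4ae609  ethernet1/1.1
vpce-0294375bfe413f04a  ethernet1/1.2
"""
INTENDED = [("vpce-0aeb1a919bd4ae609", "ethernet1/1.1"), ("vpce-0294375bfe413f04a", "ethernet1/1.2"),
            ("vpce-036fde94ea24bfbc2", "ethernet1/1.3")]  # ethernet1/1.3 not created yet
```

Running find_drift(INTENDED, parse_gwlb_state(SAMPLE_SHOW)) reports the third endpoint as missing, which is the symptom you would see after bootstrapping an association to a subinterface that was never added.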
