Associate a VPC Endpoint with a VM-Series Interface
You can associate one or more VPC endpoints with an interface or subinterface of the VM-Series firewall. You can provide consistent policy enforcement by associating all the endpoints in a single VPC with the same subinterface on the firewall. Or, if your deployment has VPCs with overlapping IP addresses, you can associate endpoints in different VPCs with different subinterfaces for differentiated policy enforcement.
Associating a VPC to an interface or subinterface is not mandatory to integrate the VM-Series firewall with a GWLB.
You can configure interfaces and associate a VPC with firewall interfaces using the following methods:
- Include the interface configuration in your bootstrap.xml file and the association commands as part of the init-cfg.txt file or AWS user-data.
- After deploying the firewall, manually configure your interfaces and use the firewall CLI to associate your VPCs with interfaces.
You can associate multiple VPC endpoints to a single interface on the VM-Series firewall. However, you must associate each VPC endpoint individually. For example, to associate VPC endpoint 1 and VPC endpoint 2 with subinterface ethernet1/1.2, you must execute the association command separately for each VPC endpoint.
The table below describes the commands used to associate a VPC with an interface. You can include the operation command in your init-cfg.txt file or in the AWS user-data.
- request plugins vm_series aws gwlb associate vpc-endpoint <vpce-id> interface <subinterface>
  Associates a VPC endpoint with an interface or subinterface on the firewall. The specified interface is assigned to a security zone.
- request plugins vm_series aws gwlb disassociate vpc-endpoint <vpce-id> interface <subinterface>
  Disassociates a VPC endpoint from an interface or subinterface on the firewall. The specified interface is assigned to a security zone.
- show plugins vm_series aws gwlb
  Displays the operating state of the firewall as it relates to your GWLB deployment. It does not display the firewall configuration. For example, if you configure an association to an interface that does not exist, that association is configured but is not part of the operating state. Therefore, it is not displayed.
When associating a VPC endpoint using the bootstrapping init-cfg.txt file or AWS user-data, you can list multiple interfaces or subinterfaces together. All the commands must be on a single line in a comma-separated list with no spaces, as shown in the following example.
If you are using subinterfaces to separate traffic, create a subinterface for each VPC and associate it to a VPC.
- Configure the subinterface.
  - Log in to the firewall web interface.
  - Highlight ethernet1/1 and click Add Subinterface.
  - Enter a numerical suffix (1 to 9,999) to identify the subinterface.
  - Enter a VLAN Tag (1 to 4,094) for the subinterface. This field is required, but the VLAN is not used.
  - Select a Virtual Router.
  - Select a Security Zone.
  - On the IPv4 tab, set the Type to DHCP Client.
  - Repeat these steps for each VPC endpoint.
- Associate the interface with a VPC endpoint.
  - Log in to the firewall CLI.
  - Execute the following command:
    request plugins vm_series aws gwlb associate vpc-endpoint <vpce-id> interface <subinterface>
    For example:
    request plugins vm_series aws gwlb associate vpc-endpoint vpce-02c4e6g8ha97h7e39 interface ethernet1/1.4
    You can locate the VPC endpoint ID in the AWS console.
  - Repeat this command for each interface and VPC endpoint association.
- Verify your interface to VPC endpoint associations.
    show plugins vm_series aws gwlb
    GWLB enabled: True
    Overlay Routing: False
    -------------------------------------------------------------
    VPC endpoint               Interface
    --------------------------------------------------------------
    vpce-0aeb1a919bd4ae609     ethernet1/1.1
    vpce-0294375bfe413f04a     ethernet1/1.2
- If necessary, you can use the following command to disassociate a VPC endpoint from an interface.
    request plugins vm_series aws gwlb disassociate vpc-endpoint <vpce-id> interface <subinterface>
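Because each VPC endpoint has to be associated with its own command, and because show plugins vm_series aws gwlb reports only the operating state (an association to a non-existent interface is silently absent), it is useful to check the show output against the mapping you intended to configure. The following POSIX shell script is an added example and is not Palo Alto Networks' code; it assumes the show output has been saved to a text file (for example copied from an SSH session) and that the expected mapping is a text file with one "vpce-id interface" pair per line. The sample output and endpoint IDs embedded in it are constructed from the values on this page.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks' own code). Verifies that every
# expected VPC-endpoint-to-interface association appears in the operating
# state reported by "show plugins vm_series aws gwlb", and emits the
# per-endpoint "associate" commands that the firewall CLI requires.
#
# Assumptions: the show output was saved to a text file, and the expected
# mapping is a text file with one "vpce-id interface" pair per line
# ("#" starts a comment line).

# Extract "vpce-id interface" pairs from show output read on stdin. Only the
# body rows (those starting with "vpce-") are kept; banner and rule lines drop.
extract_associations() {
    awk '$1 ~ /^vpce-/ && NF >= 2 { print $1, $2 }'
}

# check_associations EXPECTED_FILE SHOW_FILE
# Prints one line for each expected association that is absent from the
# operating state or bound to a different interface. Returns 0 when every
# expected association is present, 1 otherwise.
check_associations() {
    expected="$1"
    show="$2"
    actual=$(extract_associations < "$show")
    status=0
    while read -r vpce iface _rest; do
        case "$vpce" in ""|"#"*) continue ;; esac
        found=$(printf '%s\n' "$actual" | awk -v v="$vpce" '$1 == v { print $2 }')
        if [ -z "$found" ]; then
            echo "MISSING: $vpce is not associated (expected $iface)"
            status=1
        elif [ "$found" != "$iface" ]; then
            echo "MISMATCH: $vpce is on $found, expected $iface"
            status=1
        fi
    done < "$expected"
    return "$status"
}

# generate_associate_commands EXPECTED_FILE
# Each endpoint must be associated individually, so print one
# "request ... associate" command per expected pair.
generate_associate_commands() {
    awk '$1 ~ /^vpce-/ && NF >= 2 {
        printf "request plugins vm_series aws gwlb associate vpc-endpoint %s interface %s\n", $1, $2
    }' "$1"
}

# Constructed sample data using the endpoint IDs and interfaces from this page.
SAMPLE_SHOW='GWLB enabled: True
Overlay Routing: False
-------------------------------------------------------------
VPC endpoint               Interface
--------------------------------------------------------------
vpce-0aeb1a919bd4ae609     ethernet1/1.1
vpce-0294375bfe413f04a     ethernet1/1.2'

SAMPLE_EXPECTED='# vpce-id  interface
vpce-0aeb1a919bd4ae609 ethernet1/1.1
vpce-0294375bfe413f04a ethernet1/1.2
vpce-02c4e6g8ha97h7e39 ethernet1/1.4'

# Stand-alone demonstration: the third endpoint is expected but not yet
# associated, so the check reports it as MISSING.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_SHOW" > "$demo_dir/show.txt"
printf '%s\n' "$SAMPLE_EXPECTED" > "$demo_dir/expected.txt"
check_associations "$demo_dir/expected.txt" "$demo_dir/show.txt" \
    || echo "Some associations are missing; run these on the firewall CLI:"
generate_associate_commands "$demo_dir/expected.txt"
rm -rf "$demo_dir"
```

The check deliberately compares against the operating state rather than the configuration, which is what the show command reports; an association that was configured against a subinterface that does not exist will surface here as MISSING, and a MISMATCH tells you an endpoint landed on a different subinterface than the policy design assumed.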