Transit FireNet Workflow for AWS, Azure, GCP, and OCI

If you are looking deploying firewall networks in AWS TGW environment, your starting point is here..

To learn about Transit FireNet, check out Transit FireNet FAQ.

For a complete step by step guide on AWS for Transit FireNet, refer to Transit FireNet on AWS Configuration Example Guide.

For a complete step by step guide on AWS for Transit FireNet with AWS Gateway Load Balancer (GWLB), refer to Transit FireNet Workflow with AWS Gateway Load Balancer (GWLB).

For a complete step by step guide on Azure for Transit FireNet, refer to Transit FireNet on Azure Configuration Example Guide.

For a complete step by step guide on GCP for Transit FireNet, refer to Transit FireNet on GCP Configuration Example Guide.

For a complete step by step guide on OCI for Transit FireNet, refer to Transit FireNet on OCI Configuration Example Guide.

Prerequisite for AWS

Transit FireNet builds on the Aviatrix Transit Network where Aviatrix gateways are deployed in both the transit VPC and the spoke VPCs in AWS. Make sure the deployment meets the following specifications.

  1. ActiveMesh must be enabled when launching the Aviatrix Transit Gateway.
  2. The minimum size of the Aviatrix Transit Gateway is c5.xlarge.
  3. Aviatrix Transit Network must be in Connected mode. Go to Transit Network -> Advanced Config -> Connected Transit. Click Enable.

Follow the Aviatrix Transit Network workflow to deploy Aviatrix Transit Gateways and at least one Spoke gateway. When complete, proceed to Step 1.

Prerequisite for Azure

Transit FireNet builds on the Aviatrix Transit Network solution where Aviatrix gateways are deployed in Transit VNet and/or in Spoke VNet in Azure. Make sure the deployment meets the following specifications.

  1. ActiveMesh must be enabled when launching the Aviatrix Transit Gateway.
  2. The minimum size of the Aviatrix Transit Gateway instance size is Standard_B2ms.
  3. Select the option “Enable Transit FireNet” when launching the Aviatrix Transit Gateway.
  4. Aviatrix Transit Network must be in Connected mode. Go to Transit Network -> Advanced Config -> Connected Transit. Click Enable.

Follow the Aviatrix Transit Network workflow to deploy Aviatrix Transit Gateways and attach at least one Spoke gateway or one Spoke VNet. When you are done, proceed to Step 1.

Prerequisite for GCP

Transit FireNet builds on the Aviatrix Transit Network solution where Aviatrix gateways are deployed in Transit VPC and/or in Spoke VPC in GCP. Make sure the deployment meets the following specifications.

  1. ActiveMesh must be enabled when launching the Aviatrix Transit Gateway.
  2. Minimum four VPCs will be required for GCP FireNet solution with Palo Alto VM-series and all VPCs should be in same region.
  3. The minimum size of the Aviatrix Transit Gateway instance size is n1-standard_1.
  4. Select the option “Enable Transit FireNet” when launching the Aviatrix Transit Gateway.
  5. Aviatrix Transit Network must be in Connected mode. Go to Transit Network -> Advanced Config -> Connected Transit. Click Enable.

Follow the Aviatrix Transit Network workflow to deploy Aviatrix Transit Gateways and attach at least one Spoke gateway or one Spoke VNet. When you are done, proceed to Step 1.

Prerequisite for OCI

Transit FireNet builds on the Aviatrix Transit Network solution where Aviatrix gateways are deployed in Transit VCN and/or in Spoke VCN in OCI.

Make sure the deployment meets the following specifications:

  1. ActiveMesh must be enabled when launching the Aviatrix Transit Gateway.
  2. Select the option “Enable Transit FireNet” when launching the Aviatrix Transit Gateway.
  3. Aviatrix Transit Gateway minimum instance size should be VM.Standard2.4 or more

Follow the Aviatrix Transit Network workflow to deploy Aviatrix Transit Gateways and attach at least one Spoke gateway. When you are done, proceed to Step 1.

Note

Transit FireNet Insane mode is not supported in Release 6.4.

1. Enable Transit FireNet Function

A Transit FireNet Gateway is an Aviatrix Transit Gateway with FireNet service enabled.

Starting from Release 6.0, an Aviatrix Spoke can be optionally attached to two Transit FireNet Gateways, one for east-west and north-south traffic inspection, and another for ingress/egress inspections.

1a. Enable Transit FireNet on Aviatrix Transit Gateway

This step defines a set of Aviatrix Transit FireNet Gateways.

In the drop down menu, select one Aviatrix Transit Gateway and click Enable.

Note

For Azure and GCP deployment, Transit FireNet function is enabled when launching the gateway, skip this step.

By default, east-west and north-south traffic inspections are enabled on Transit FireNet Gateways, you can also enable Ingress/Egress inspection on the Transit FireNet Gateways. To do so, go to Firewall Network -> Advanced -> click the 3 dots skewer of one FireNet gateway, enable Egress through firewall option.

A deployment diagram in this option is shown as below:

single_transit_new

Starting 6.3, Aviatrix Transit FireNet solution is also supporting AWS Gateway Load Balancer (AWS GWLB).

In order to use the Aviatrix Transit FireNet solution with AWS GWLB, select one Aviatrix Transit Gateway deployed in AWS from the drop down menu, check the box “Use AWS GWLB” and click “Enable”.

Note

IAM policies needs to be updated for ingress/egress traffic. Go to Aviatrix Controller console -> Accounts -> Access Accounts - > Select AWS Account and click “Update Policy”.

Important

Transit FireNet solution with GWLB also requires HTTPS port enable on firewall appliance to check the firewall health status at regular interval. Click here for more information.

By default, east-west and north-south traffic inspections are enabled on Transit FireNet Gateways, you can also enable Ingress/Egress inspection on the Transit FireNet Gateways. To do so, go to Firewall Network -> Advanced -> click the 3 dots skewer of one FireNet gateway, enable Egress through firewall option.

A deployment diagram in this option is shown as below:

gwlb_tr_firenet

1b. Enable Transit FireNet on Aviatrix Egress Transit Gateway

If you plan to use one set of Transit FireNet Gateways for all traffic types’ inspection, skip this step.

If a separate group of firewalls for Ingress/Egress traffic inspection is required, you need to deploy a second set of Aviatrix Transit Gateways called Aviatrix Egress Transit Gateway, shown as the diagram below.

dual_transit

This step defines a set of Aviatrix Egress Transit FireNet Gateways. The HA Aviatrix Egress Transit FireNet Gateway is automatically enabled in this step.

2. Manage Transit FireNet Policy

Select an Aviatrix Transit Gateway that you enabled for FireNet function in the previous step.

On the left side of the panel, highlight one Spoke VPC/VNet for inspection and click Add. The selected Spoke VPC/VNet should appear on the right side panel.

For example, if traffic going in and out of VPC PROD1 where gcp-spk-prod1-gw is deployed should be inspected, move the gcp-spk-prod1-gw to the right, as shown below.

transit_firenet_policy_new

For specify more VPC/VNets for inspection, repeat this step.

3. Deploy Firewall Instances

Go to Firewall Network -> Setup -> Deploy Firewall Network, follow the deployment instructions to launch one or more firewall instances.

4. Enable Firewall Management Access

When this option is configured, Aviatrix Transit Gateway advertises the transit VPC CIDR to on-prem.

The use case is if a firewall management console, such as Palo Alto Networks Panorama is deployed on-prem, the Panorama can access the firewalls of their private IP addresses with this option configured.

5. Delete Function

In the drop menu, select one Aviatrix Transit Gateway with FireNet function to disable it.

5a. Disable Transit FireNet on Aviatrix Transit Gateway

Select a Transit FireNet gateway to disable the function.

5b. Disable Transit FireNet on Aviatrix Egress Transit Gateway

If Aviatrix Egress Transit Gateway has been configured, select one to disable the function.