Comments
@yuding1833 22 days ago
Great video!
@mohammadchavoshi5568 1 month ago
🙏🏽🙏🏽🙏🏽🙏🏽🙏🏽
@djangosmissingfingers 2 months ago
This is awesome. I would love to see an explanation of how this changes with Overlay routing and app-vpc to subint matching as well.
@abelcarvajalgil6705 3 months ago
Thank you for your job. Excellent explanation of North-South and East-West traffic.
@alinaqvi385 6 months ago
Excellent and thank you, Mr. Carter.
@ralphcarter769 3 months ago
You are very welcome
@jayf9553 8 months ago
On the data port of the Palos, do we set up zones? I feel like you lose the ability to apply zones if you're routing all traffic through that data port without applying multiple zones. How do you apply multiple zones to one interface?
@maxcavalera917 3 months ago
You can use sub-interfaces (this will overcomplicate the design) or you can just control traffic based on src/dst instead of zones (you will need to deny all intra-zone traffic that is allowed by default).
@tdelnatte 8 months ago
Great job, very grateful. Just to ask, is it possible to create a gateway load balancer endpoint in a cross-account environment, typically for inbound from the internet?
@user-sf1cv5np6o 9 months ago
Awesome video
@arunabhbiswas3210 10 months ago
Very few videos available on KZbin talk about this architecture, but yours is unique and the best of all. Quick question about the outbound traffic (north-south) that is flowing from the PROD VPC to the internet via the security VPC transit attachment, which has only routes to the security VPC, prod VPC and dev VPC, but I don't see any entry that tells it to redirect this outbound traffic to the security VPC. Then how will it reach the security VPC transit ENI? Can you please explain this?
@sunilgavaskark7423 11 months ago
Very easy and nice explanation. Thank you.
@sunilgavaskark7423 11 months ago
Thanks for the excellent video!
@AdityaM35 11 months ago
Can we have an inbound update?
@slogoheinzy8695 3 months ago
Can we, Ralph?
@yourrakesh123 1 year ago
This is an awesome tutorial that I was searching for on YouTube. Excellent explanation on setting up GWLB and firewall in a multi-account environment through TGW. :)
@BreathingBadminton 1 year ago
Thank you for the detailed diagram and explanation. Keep up the good job.
@EE-eg2bp 1 year ago
Thanks so much for this! It helped me figure out the missing piece in my deployment that I was struggling with. I simply forgot to point the default route on the Palos to the service BD's gateway.
@danieloctavianus2295 1 year ago
Question: Why do you have to configure the BD IP address in the subnet section? That is for route leak, right?
@hakinen4000 1 year ago
Hi Ralph, thank you for posting this, truly helped this newbie understand how AWS GW can be used. I do have a question, what if this is trying to be deployed in an environment that already has PAs set up across multiple sites and these sites connect to the Core (via IPSEC), where most of our on-prem apps reside? Thanks again for the great and easy to understand video.
@David-bc2oj 1 year ago
What would the architecture look like if I needed to put a WAF in front of the http/https ports? The WAF would be working together with the Palo Alto NGFW to handle non-http/https traffic.
@ADV-IT 1 year ago
Great detailed explanation, thanks!
@roysegev6172 1 year ago
What is the service bridge domain?
@chrisholman7468 1 year ago
I found this very insightful (well earned kudos to you Ralph), but when trying to implement it, I can't make it support a load balanced application. The Prod IGW routing table only routes to AZ 1a, therefore the app is not load balanced. I've been trying to figure out how to make this possible, but no luck so far. Any hints welcome.
@MrGlaska 1 year ago
What if you are using active/standby FW? Do you need to select L3 VIP then?
@daschboot 1 year ago
Thanks for the explanation Ralph, it is clear and understandable.
@bx1803 1 year ago
Is there a template for this available?
@cciecollabv2666 1 year ago
Guys, why didn't he use L3OUT with INET routers? Do you think he was going with a poor design, at least not a CVD!!!! Pls advise. Thanks
@srinivasanandababu2701 1 year ago
Can we use VPCe instead of traversing via Transit GW?
@mehulpruthi 1 year ago
Thanks a ton Ralph, request you to teach us about Azure GWLB with PAN Firewalls for Inbound, Outbound and East-West Security.
@shamstabrez2986 2 years ago
Please make a video on Cloud WAN with complete details and a hands-on lab.
@yahiaccnp1310 2 years ago
Can we connect the firewall as a per metal server and put the gateway on it, so that all communication from the Fabric goes through it?
@vainilk78 2 years ago
Ralph, that was a great session. I want to know what charting tool you used. I want to learn more about it to map my AWS drawing design better.
@abdimohamed1554 2 years ago
Great info. Where is part 2?
@edgarssimanis9381 2 years ago
Thanks, awesome explanation
@arindamsaha9052 2 years ago
That was an awesome explanation.
@johnjiang2470 2 years ago
Ralph, great presentation!
@randicalib 2 years ago
Hi, where can I watch the configuration video?
@nash.p9781 2 years ago
Great video Ralph, super presentation.
@VirtualizeStuff 2 years ago
Excellent job Ralph explaining the GWLB and the awesome packet walk! Learned a ton!
@intellectMind2024 2 years ago
Great, Ralph. Any new videos, if you could post... That would be really helpful, my friend 🥰
@trandat7274 2 years ago
Many thanks Ralph, your video is very, very great... Thanks a lot!!!!
@zubairqureshi9063 2 years ago
Awesome presentation and explanation 👍🏻
@CreateWithDre 2 years ago
Love it Ralph. Got this one working manually and traffic is flowing inbound/outbound as intended. Only issue is with Global Protect, my VPN users can't seem to connect to internal resources. Is that because the return path is coming back across the GWLB, but the forwarding to a server (is going across the TGW)? Any suggestions/articles that you know of addressing this concern? Thanks so much and keep up the great work.
@SudhaGanapareddy 2 years ago
Great, this helps me to understand the outline of ACI.
@dougclendening5896 2 years ago
What if you don't want inline and just want to mirror the TGW traffic off to a security vpc to be analyzed?
@teibidh 2 years ago
You want VPC Traffic Mirroring for this, I believe.
@user-xs6hr1ol7d 2 years ago
Quite impressive!
@nonatercesa2865 2 years ago
Very nice video; well explained. Thanks Ralph. I have a few questions though. Is there a reason why you did not allow the Palo Alto (PA) firewalls to act as the NAT gateway? I have a new AWS deployment with PA firewalls in active-passive mode but one of the infrastructure requirements is to allow the PA to act as the NAT gateway, and as the VPN Gateway because the intention is to create a site-to-site (S2S) IPSec tunnel between the PA in AWS and another PA that is on-premise. I would like to know if I will still need a GWLB in a case where the PAs are in active-passive and not in active-active. Awaiting your reply. Thanks again.
@matheusbertimansano9693 2 years ago
I'm curious as well to know if it is required.
@vennempify 2 years ago
@matheusbertimansano9693 Apparently this is supported with a slightly different architecture - I'm playing with this now and have the above architecture working as expected. I believe if you wanted to NAT out thru PAT it would require another feature called Overlay Routing which was released in 10.0.3 or 10.0.4.
@abdallahezat8604 2 years ago
Great effort!
@Shanayathukral 2 years ago
Hi Ralph, great video! You mentioned part 2 on how to? May I know when you are doing that video?
@looqmern 2 years ago
Hi, how does one configure the Palo Alto to use one interface for inbound and outbound traffic and what does the security policy look like? Thanks
@Shanayathukral 2 years ago
I think it will be same zone to same zone policy, but your source destination subnet will be used as a differentiator.
@dmohan16 2 years ago
Excellent explanation!! Well articulated with the traffic flows.
@s_dee_13 2 years ago
Does this support IPv6?