DESIGN - AWS Gateway Load-Balancer with PAN Firewalls for Inbound, Outbound and East-West Security

51,138 views

Ralph Carter

1 day ago

In this video Ralph Carter designs an AWS Security VPC architecture in order to support Inbound, Outbound and East-West Traffic Inspection use cases within AWS. The AWS construct design is discussed along with Packet Walks for all of the use-cases.

Comments: 74
@damianfernandez1 3 years ago
Very grateful for putting this out. Cleared all my doubts. Amazingly well done!
@vardanvardanyan884 3 years ago
Awesome presentation. Very clearly explained with packet walk. Thank you!
@VirtualizeStuff 2 years ago
Excellent job Ralph explaining the GWLB and the awesome packet walk! Learned a ton!
@n8goodman 3 years ago
You just saved me so much time. Thank you for making this!
@muhammadyaqoob9777 3 years ago
Hi Ralph, thanks for sharing amazing content! Thanks, Mo
@ADV-IT 1 year ago
Great detailed explanation, thanks!
@yourrakesh123 11 months ago
This is an awesome tutorial that I was searching for on YouTube. Excellent explanation on setting up GWLB and firewall in a multi-account environment through TGW. :)
@dmohan16 2 years ago
Excellent explanation! Well articulated with the traffic flows.
@johnjiang2470 2 years ago
Ralph, great presentation!
@subramanyasastry517 11 months ago
Thank you for the detailed diagram and explanation. Keep up the good job.
@trandat7274 2 years ago
Many thanks Ralph, your video is very, very great. Thanks a lot!
@zubairqureshi9063 2 years ago
Awesome presentation and explanation 👍🏻
@abelcarvajalgil6705 2 months ago
Thank you for your job. Excellent explanation of North-South and East-West traffic.
@seph2x538 3 years ago
Bravo!! Awesome presentation and walkthrough of the use case. I am going to lab it asap. Thank you
@shankarmaheswaran5435 3 years ago
Hi Joe, have you done the setup with the lab? I need some help.
@psaneem 3 years ago
Awesome presentation
@arindamsaha9052 2 years ago
That was an awesome explanation.
@alinaqvi385 5 months ago
Excellent and thank you, Mr. Carter.
@ralphcarter769 2 months ago
You are very welcome
@edgarssimanis9381 2 years ago
Thanks, awesome explanation
@user-sf1cv5np6o 8 months ago
Awesome video
@abdallahezat8604 2 years ago
Great effort!
@user-xs6hr1ol7d 2 years ago
Quite impressive!
@ryanmilton2643 3 years ago
Fantastic presentation. I'm working on exactly this model.
@muhammadyaqoob9777 3 years ago
Hi Ryan, how is deployment going? I am working on the same design; maybe it would be good to share some notes? Let me know, thanks
@ryanmilton2643 3 years ago
@@muhammadyaqoob9777 It is going well. Mine is a bigger environment. Not 100% out of POC.
@muhammadyaqoob9777 3 years ago
@@ryanmilton2643 Thanks, I am close to completion for my deployment of this with PA clusters in multiple regions.
@djangosmissingfingers 1 month ago
This is awesome. I would love to see an explanation of how this changes with Overlay routing and app-vpc to subint matching as well.
@gkorten 3 years ago
Hey Ralph, been a while. Thanks for sharing the info, good stuff.
@ralphcarter769 3 years ago
Anytime pal!
@gkorten 3 years ago
@@ralphcarter769 Ralph, can you give me a call at work? This is about a few projects I am working on.
@mehulpruthi 1 year ago
Thanks a ton Ralph, request you to teach us about Azure GWLB with PAN Firewalls for Inbound, Outbound and East-West Security
@vennempify 3 years ago
This is fantastic. Though this subnetting would require a public IP on the management interface.
@benjaminlugger2908 3 years ago
Hi! This is a great presentation! It provides a very good starting point. To get the full architecture picture it would be great to address the following in addition: 1. On-premise connectivity via VPN and DX attachment; 2. TGW attachment to keep AWS cloud traffic in the cloud; 3. Internet inbound (ingress) with two AZs (e.g. how the introduction of a third-party load balancer (e.g. F5) could look). Ad 3) I know that AWS provides the ALB and NLB beside the GWLB, but some companies want to rely on their load balancers (e.g. F5) across all environments (on-premise and cloud (AWS, Azure, Google, ...)). The presentation is really great and I have my personal understanding of how points 1, 2 and 3 fit into that architecture, but it would be great to see others' views (your view, Ralph, on that). All the best. THANK YOU AGAIN! ROUTING MAKES SENSE NOW :-D
@DARK_YT242 3 years ago
Great job, awesome presentation!! Want to deploy in my environment. Do you have the next session of the implementation video?
@vyaspranav 3 years ago
awesome...
@tc-cm5ml 3 years ago
Awesome video, great work Ralph... Could you please also do a video referencing the same architecture but without Gateway LB and with usual VPN/VPC attachments? That would be a great help for me since the Gateway LB is not available in my region yet... Thanks a lot!!!
@Shanayathukral 2 years ago
Hi Ralph, great video! You mentioned a part 2 on how to? May I know when you are doing that video?
@PhaseHabit 3 years ago
This is a great video! In the inbound flow, where are you authenticating (e.g., via mTLS, UN/PW) the traffic? Is that needed in this case? I'm also assuming that if you didn't want East-West Prod to Dev traffic, you'd block that at the Palo (though I guess if you needed to refresh DEV from PROD for testing/development purposes) - is that right? Or is that simply looking for malicious content and session state, and the GWLBe01/2 is looking at its route table and if not there, would send a 404.
@thecatbellayuki 3 years ago
That was freaking awesome. Just one question though. The GWLBe03 subnet CIDR should've been /28 instead of /26 and thus the subsequent change in the DEMO-Prod-Ingreass_RT. Or am I missing something?
@RicardoGutierrezOchoa 3 years ago
Great job. QQ, what software did you use for the presentation? Was it PPT?
@sskavuri 3 years ago
Thank you for the great design and explanation. If you don't mind, can you share the diagram?
@chatchaikomrangded960 3 years ago
Best one!!
@ralphcarter769 3 years ago
Glad you liked it.
@vainilk78 1 year ago
Ralph, that was a great session. I want to know what charting tool you used? I want to learn more about it to map my AWS drawing design better.
@CreateWithDre 2 years ago
Love it Ralph. Got this one working manually and traffic is flowing inbound/outbound as intended. Only issue is with GlobalProtect: my VPN users can't seem to connect to internal resources. Is that because the return path is coming back across the GWLB, but the forwarding to a server is going across the TGW? Any suggestions/articles that you know of addressing this concern? Thanks so much and keep up the great work.
@hakinen4000 1 year ago
Hi Ralph, thank you for posting this, it truly helped this newbie understand how AWS GW can be used. I do have a question: what if this is trying to be deployed in an environment that already has PAs set up across multiple sites and these sites connect to the Core (via IPSEC), where most of our on-prem apps reside? Thanks again for the great and easy to understand video
@tc-cm5ml 3 years ago
Hi Ralph, do we need public IPs to be assigned compulsorily on any of the devices in the architecture you designed to make it work? Please let me know... Thanks a lot!
@networkers5037 3 years ago
If you can share any document or video of a deployment guide for manual integration of GWLB and PAN VM-Series, it will be helpful.
@tdelnatte 7 months ago
Great job, very grateful. Just asking, is it possible to create a gateway load balancer endpoint in a cross-account environment, typically for inbound from the internet?
@chrisholman7468 1 year ago
I found this very insightful (well-earned kudos to you Ralph), but when trying to implement it, I can't make it support a load-balanced application. The Prod IGW routing table only routes to AZ 1a, therefore the app is not load balanced. I've been trying to figure out how to make this possible, but no luck so far. Any hints welcome.
@arunabhbiswas3210 9 months ago
Very few videos available on KZbin talk about this architecture, but yours is unique and the best of all. Quick question about the outbound traffic (north-south) that is flowing from the PROD VPC to the internet via the security VPC transit attachment, which has only routes to the security VPC, prod VPC and dev VPC, but I don't see any entry that tells it to redirect this outbound traffic to the security VPC. Then how come it will reach the security VPC transit ENI? Can you please explain this?
@David-bc2oj 1 year ago
What would the architecture look like if I needed to put a WAF in front of the http/https ports? The WAF would be working together with the Palo Alto NGFW to handle non-http/https traffic.
@dnyaneshwarnarale88 3 years ago
Awesome content. I do have one doubt: where to map Elastic IPs, from which the server will be accessible? Can anyone who knows please let us know?
@mmantilla2010 3 years ago
Hi, just an amazing video, very good walk-through. I wanted to ask about this architecture: where would the on-premise VPN or Direct Connect terminate? Would it be another spoke VPC? Second question is, where would I put a VPN firewall like an ASAv for AnyConnect VPN? Thank you
@muhammadyaqoob9777 3 years ago
Hi Maikel, in my opinion what you can do is create a separate RT for Direct Connect and VPN in TGW and enable routing to and from on-prem through that.
@gattupalliaditya7244 3 years ago
Can the Demo-Security IGW be used for inbound traffic too, instead of the Demo-Production IGW?
@syedlogin 2 years ago
Well explained, appreciate it. As you were mentioning, do you have a deployment video as well?
@nonatercesa2865 2 years ago
Very nice video; well explained. Thanks Ralph. I have a few questions though. Is there a reason why you did not allow the Palo Alto (PA) firewalls to act as the NAT gateway? I have a new AWS deployment with PA firewalls in active-passive mode, but one of the infrastructure requirements is to allow the PA to act as the NAT gateway, and as the VPN gateway, because the intention is to create a site-to-site (S2S) IPSec tunnel between the PA in AWS and another PA that is on-premise. I'd like to know if I will still need a GWLB in a case where the PAs are in active-passive and not in active-active. Awaiting your reply. Thanks again.
@matheusbertimansano9693 2 years ago
I'm curious as well to know if it is required.
@vennempify 2 years ago
@@matheusbertimansano9693 Apparently this is supported with a slightly different architecture - I'm playing with this now and have the above architecture working as expected. I believe if you wanted to NAT out through PAT it would require another feature called Overlay Routing which was released in 10.0.3 or 10.0.4.
@marekwugmailcom 3 years ago
Very clear and helpful presentation. Thanks! But with EC2 with EIP it is simple. The only question is how to protect ALBs (either internal or internet-facing). In the case of internet-facing, will ingress routing help to route traffic to the GLB endpoint?
@ralphcarter769 3 years ago
Yes, Ingress traffic > GWLBe > ALB, follow the routing.
@looqmern 2 years ago
Hi, how does one configure the Palo Alto to use one interface for inbound and outbound traffic, and what does the security policy look like? Thanks
@Shanayathukral 2 years ago
I think it will be a same-zone to same-zone policy, but your source/destination subnet will be used as a differentiator.
@shamstabrez2986 1 year ago
Please make a video on Cloud WAN with complete details and a hands-on lab.
@srinivasanandababu2701 1 year ago
Can we use VPCe instead of traversing via Transit GW?
@dougclendening5896 2 years ago
What if you don't want inline and just want to mirror the TGW traffic off to a security VPC to be analyzed?
@teibidh 2 years ago
You want VPC Traffic Mirroring for this, I believe.
@jayf9553 7 months ago
On the data port of the Palos, do we set up zones? I feel like you lose the ability to apply zones if you're routing all traffic through that data port without applying multiple zones. How do you apply multiple zones to one interface?
@maxcavalera917 2 months ago
You can use sub-interfaces (this will overcomplicate the design) or you can just control traffic based on src/dst instead of zones (you will need to deny all intra-zone traffic that is allowed by default).
@randicalib 2 years ago
Hi, where can I watch the configuration video?
@s_dee_13 2 years ago
Does this support IPv6?
@bx1803 1 year ago
Is there a template for this available?