This video helped me understand AWS network design/routing more than any other video I've found yet. We need more content like this!

This is an awesome tutorial that I was searching on youtube. Excellent explanation on setting up GWLB and firewall in multi-account environment through TGW. :)

Great detailed explanation, thanks!

Excellent job Ralph explaining the GWLB and the awesome packet walk! Learned a ton!

You just saved me so much time. Thank you for making this!

Thank you for the detailed diagram and explanation. Keep up the Good Job.

Thank you so much for this explanation, it was amazing!

Very grateful for putting this out. Cleared all my doubts. Amazingly well done !

Awesome presentation. Very clearly explained with packet walk. Thank you!

Excellent and thank you, Mr. Carter.

Many thanks Ralph, your video is very very great.... Thanks a lot !!!!

This is awesome. I would love to see an explanation of how this changes with Overlay routing and app-vpc to subint matching as well.

Ralph, great presentation!

Hi! This is a great presentation! It provides a very good starting point. To get the full architecture picture it would be great to address the following in addtion: 1. On-Premise connectivity via VPN and DX attachment; 2. TGW Attachment to keep AWS cloud traffic in the cloud. 3. Internet Inbound (Ingress) with two AZs (e.g. How the introduction of a third party Load Balancer (e.g. f5) could look like; Ad3) I know that AWS provides the ALB and NLB beside the GWLB but some companies want to rely on their load balancers (e.g. f5) across all environments (on-premise and cloud (aws, azure, google, ...). The presentation is really great and I have my personal understanding on how points 1. 2. and 3. fit into that architecture but it would be great to see others (your view Ralph on that). All the best. THX YOU AGAIN! ROUTING MAKES SENSE NOW :-D

Thank you for your job. Excellent explication traffic North-South East-West

Excellent explanation..!! well articulated with the traffic flows.

Hi Ralph, thanks for sharing amazing content! Thanks Mo

Fantastic presentation. I’m working on exactly this model.

Awesome presentation and explanation 👍🏻

Thank a ton Ralph, request you to teach us about Azure GWLB with PAN Firewalls for Inbound, Outbound and East-West Security

Bravo !! Awesome presentation and walkthrough the use case. I am going to lab it asap. Thank you

Awesome presentation

That was an awesome explanation.

Hey, Ralph been a while. Thanks for sharing the info, good stuff.

This is fantastic. Though this subnetting would require a public IP on the management interface.

Thanks, awesome explanation

Hi Raplh, great video! U mentioned about part 2 on how to ? May i know when u are doing that video?

Great Video !

Awesome video

Thank you for the great design and explanation. If you don’t mind, can you share the diagram?

Great job, very grateful. Jusk ask, is it possible to create a gateway loadbalancer endpoint cross account environnement typically for inbound from internet?

Quite Impressive !

Hi Ralph, thank you for posting this, truly helped this newbie understand how AWS GW can be used. I do have a question, what if this is trying to be deployed in an environment that already has PA's setup across multiple sites and these sites connect to the Core (via IPSEC), where most of our on-prem apps reside? Thanks again for the great and easy to understand video

great effort !

Very few videos available on KZbin that talks about this architecture, but yours one is unique and best of all. Quick question about the outbound traffic (north-south) that is flowing from PROD vpc to the internet via security vpc transit attachment, that has only routes to security vpc, prod vpc and dev vpc, but i dont see any entry that tells it to redirect this outbound traffic to security vpc. Then how come it will reach to security vpc transit eni? can you please explain this?

What would the architecture look like if I needed to put a WAF in front of the http/https ports? The WAF would be working together with the Palo Alto NGFW to handle non-http/https traffic

Great Job. awesome presentation!! .Want to deploy in my environment. Do you have the next session of the implementation video?.

I found this very insightful (well earned kudos to you Ralph), but when trying to implement it, I can't make it support a load balanced application. The Prod IGW routing table only routes to AZ 1a, therefore the app is not load balanced. I've been trying to figure out how to make this possible, but no luck so far. Any hints welcome.

Awesome video..great work Ralph...Could you please also do a video referencing the same architecture but without Gateway LB and with usual VPN/VPC attachments...that would be a great help for me since the Gateway LB is not available in my region yet...Thanks a lot!!!

Ralph, that was a great session. I want to know what charting tool you used ? I want to learn more about it to map my AWS drawing design better.

That was freaking awesome. Just one question though. The GWLBe03 subnet cidr should've been /28 instead of /26 and thus the subsequent change in the DEMO-Prod-Ingreass_RT. Or am I missing something?

Can we use VPCe instead of traversing via Transit GW?

ON the data port of the Palo's do we set up zones? I feel like you lose the ability to apply zones if you're routing all traffic though that data port without applying multiple zones. How do you apply multiple zones to one interface?

hi, where can i watch the configuration video?

Great job. QQ, what software did you use for the presentation? was it PPT?

awesome...

if you can share any document or video of deployment guide for manual integration of GWLB and PAN VM series it will be helpful.

Awesome content. I do have One Doubt where to map Elastic IP's, from those IP's server will be accessible? Can anyone knows please let us know?

Best one!!

Is there a template for this available?

plz make video on cloud wan with complete details n hands on lab

Hi Ralph, do we need public IPs to be assigned compulsorily on any of the devices in the architecture you designed to make it work, please let me know... Thanks a lot!

🙏🏽🙏🏽🙏🏽🙏🏽🙏🏽

Love it Ralph. Got this one working manually and traffic is flowing inbound/outbound as intended. Only issue is with Global Protect, my VPN users can't seem to connect to internal resources. Is that because the return path is coming back across the GWLB, but the forwarding to a server (is going across the TGW)? Any suggestions/articles that you know of addressing this concern? Thanks so much and keep up the great work.

Can Demo-Security IGW be used for inbound traffic too instead of Demo-Production IGW ?

What if you don't want inline and just want to mirror the TGW traffic off to a security vpc to be analyzed?

Very nice video; well explained. Thanks Ralph. I have a few questions though. Is there a reason why you did not allow the Palo Alto (PA) firewalls to act as the NAT gateway? I have a new AWS deployment with PA firewalls in active-passive mode but one of the infrastructure requirement is to allow the PA to act as the NAT gateway, and as the VPN Gateway because the intention is to create a site-to-site (S2S) IPSec tunnel between the PA in AWS and another PA that is on-premise. I like to know if I will still need a GWLB in a case where the PAs are in active-passive and not in active-active. Awaiting your reply. Thanks again.

Does this support ipv6?

Hi, how does one configure the palo alto to use one interface for inbound and outbound traffic and what does the security policy look like? Thanks

Hi, just amazing video, very good walk through. I wanted to ask in this architecture. Where would the on premise vpn or direct connect terminate? Would it be another spoke VPC? Second question is, where would I put a VPN firewall like an ASav for Anyconnect VPN. Thank you

Well explained, appreciate it. as you were mentioning, do you have deployment video as well?

This is a great video! In the inbound flow, where are you authenticating (e.g., via mTLS, UN/PW) the traffic? Is that needed in this case? I'm also assuming that if you didn't want East-West Prod to Dev traffic, you'd block that at the Palo (though I guess if you needed to refresh DEV from PROD for testing/development purposes) - is that right? Or is that simply looking for malicious content and session state and the GWLBe01/2 is looking at it's route table and if no there, would send a 404.