PaloAltoNetworks / aws-transit-vpc

automated AWS transit vpc

Problem create VPN with TAG subscribingVpc = Yes #9

Open SergiMajo opened 6 years ago

SergiMajo commented 6 years ago

Hi team,

After setting tag to Yes, the VPNs do not come up (we have waited about 1 hour). Any clues?

Thanks

SergiMajo commented 6 years ago

Hi,

I have full access to everything in the permissions, but could it still be a permissions problem? It doesn't seem to write to DynamoDB for create vpn.

regards,

narayan-iyengar commented 6 years ago

Did you run the InitializesubscribeAccount template?

Thanks,

/narayan

SergiMajo commented 6 years ago

Yeah. The script creates a second machine without problems but never creates a VPN between VPCs. Regards

vincentcabosart commented 6 years ago

Any news about this? I'm experiencing the same problem. The InitializesubscribeAccount template has been run but when changing the tag, no VPN is created.

rr128 commented 6 years ago

We are having the same problem. Our existing VPC does not have an existing VGW or IGW.

narayan-iyengar commented 6 years ago

Have you run the InitializeTransitAccount template in the hub?

If you have and the tunnels still don't come up, try to log into one of the firewalls using the user/pass described in the doc. If that fails, then chances are bootstrapping has failed.

Make sure your bootstrap bucket is properly organized and that the bucket is in the same region as the hub transit (where you deployed the initialize template).

vincentcabosart commented 6 years ago

Hello,

Yes, the InitializeTransitAccount has been launched successfully. In fact, I can "attach" a subscribing VPC by the Option 1 described in the document. However, I have another VPC which already exists and I want to attach it via Option 3. So, I just added a tag (key: subscribingVpc and Value: Yes). It seems the "CloudTrailLambda" function is triggered (that's what I see in CloudWatch), but in the end, the VGW is not attached to the VPC. The VPC does not have any IGW nor VGW previously configured. It just has one subnet, and there is no instance in it. It is basically a brand new VPC with only one subnet in it. Are there specific conditions to be matched by the VPC that has to be attached with Option 3?

Thank you in advance.

narayan-iyengar commented 6 years ago

Are firewalls deployed in your hub? If so can you log into them?

-- Thanks, /narayan

vincentcabosart commented 6 years ago

Hello,

Yes indeed, I can log into them without problem! The VPN tunnels are up to the VGW of the VPC deployed via Option 1. However, deployment via Option 3 still does not work.

rr128 commented 6 years ago

Same problem here.

vincentcabosart commented 6 years ago

Hello, I just tried again and this time, it has worked!! I think I wrote the key "SubscribingVpc" instead of "subscribingVpc". Maybe the case is important for the tag?

narayan-iyengar commented 6 years ago

Good point.

I will make that note…

-- /narayan

rr128 commented 6 years ago

I always had subscribingVpc and it never worked. Did you put in "yes" or "YES" as the value?

narayan-iyengar commented 6 years ago

I believe it is all caps…

-- /narayan

rr128 commented 6 years ago

Doesn't work for me when I put an existing VPC without an IGW and VGW and tag it with subscribingVPC = YES

narayan-iyengar commented 6 years ago

Ok. Will have to check the code... Will update.

-- Thanks, /narayan

narayan-iyengar commented 6 years ago

The tag needs to be subscribingVpc=YES/Yes/yes

It is listed in the documentation:

documentation/solution_overview.md:14

-- /narayan

vincentcabosart commented 6 years ago

Hello,

Just a note from my experience: you need to wait quite a long time for the PAGroup58 to be fired up. At least 10 minutes + time to initialize the FWs + time to bring up the VPNs. So, in total 15 - 20 minutes. A small hint: check CloudWatch if you see the Lambda function be triggered.

I tried to tag another VPC as subscribing VPC which already has an IGW attached to it (no VGW but one IGW) and it works! The VPNs are coming up. Is this supported? I read in the document that it was normally not supported.

I also tried something else: I want a specific route to be injected via the VGW, not the default route as mentioned in the documentation. If you change the redistribution profile accordingly in the FW it is working. So finally, I can have a Subscribing VPC having a default route pointing to an IGW (default route to internet) and a specific route (to another Subscribing VPC for example) pointing to the VGW going to the firewall. Is this also something that is normally supported? (no negative side effect?)

rr128 commented 6 years ago

When you tagged an existing VPC, was it from another account?

narayan-iyengar commented 6 years ago

You can deploy the hub and spoke in the same aws account or have transit in one and the spoke in the other.

-- Thanks, /narayan

rr128 commented 6 years ago

When I try to tag an existing VPC from another account, it does not associate with the transit VPC. The existing VPC does not have a VGW or IGW. I am using the initializeSubscriberAccount.json to connect the spoke VPC to the transit VPC.

narayan-iyengar commented 6 years ago

And you have specified the account numbers when deploying the respective templates?

-- Thanks, /narayan

rr128 commented 6 years ago

Yes, I’m putting the transit account number within the subscriber template. Also, I have the S3 bucket within the subscriber account. Is that correct?

narayan-iyengar commented 6 years ago

For lambda functions. Yes.

-- Thanks, /narayan

originalwarby commented 6 years ago

Hi Vinch157. Using both an IGW and a VGW in a subscribing (spoke) VPC will work from a routing perspective. And this is published as community supported so your changes won't change the support.

But you are allowing traffic out to the internet without any inspection. This means the firewalls can't look for things like data exfiltration or connections to known malicious URLs etc. So technically this should work but we wouldn't consider this as secure.

Best practices would be to default route to the VGW and then route through the transit VM-Series firewalls to the IGW in the transit VPC. This gets you secured Internet access without hair-pinning back to an on-prem firewall.

rr128 commented 6 years ago

I see the following error within the step function when I try to tag a VPC:

"error": "States.Runtime", "cause": "An error occurred while executing the state 'ChoiceState' (entered at the event id #19). Unable to apply Path transformation to null input."

rr128 commented 6 years ago

Actually, this seems to be the error that is causing the problem:

Error in publishToSns(), Error: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::XXXXXXXX:assumed-role/SubscriberLambdaExecutionRole-Test-Spoke-VPC/createVpnConnection-Test-Spoke-VPC is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXX:role/TransitAssumeRole-Transit-VPC

narayan-iyengar commented 6 years ago

Good catch.

When launching the transit template make sure the subscriber account number is correct.

When launching the subscriber account template make sure the following are also correct: [image attachment]

The first two are output of the transit initializer template.

In your subscriber template deployment, you can check the stack deployment parameters and make sure there is no typo.

-- /narayan

rr128 commented 6 years ago

Thanks. I don't see the picture you attached.

narayan-iyengar commented 6 years ago

It is in the deployment guide…in the documentation folder in the repo.

Hopefully you have been following that.

-- /narayan

rr128 commented 6 years ago

Got it to work. Thanks for all the help.

narayan-iyengar commented 6 years ago

Awesome. Can you please update the thread with what you did so other folks can benefit as well. Thanks.

-- Thanks, /narayan

rr128 commented 6 years ago

Will do. But I noticed the VPN tunnels from the subscriber account are not coming up.

narayan-iyengar commented 6 years ago

I have noticed sometimes it takes a while.

Are they still not up? On the fw are they showing down?

-- /narayan

vincentcabosart commented 6 years ago

Hello @originalwarby,

Yes, you are completely right. But in my setup I'm in fact trying to merge the "aws-transit-vpc" and the "aws-elb-autoscaling". In this setup the Subscriber VPC is a spoke that is linked to two hubs:

This is why, from a Subscriber VPC point of view, I have only one specific route pointing to on-premises IP range. I need to keep a default route pointing to the IGW for the autoscale setup to work correctly.

I hope this is clear?

originalwarby commented 6 years ago

Vinch157,

The auto scaling solution requires the VM-Series firewalls to SNAT (AWS doesn't have a symmetric return option) so you won't need a default route to the IGW for the auto scaling to work.

The traffic inbound from the internet will appear to the server to be coming from the firewall on the local network. Any traffic initiated by the server out to the internet, will take the default route to the VGW. Therefore, no default route to the IGW is required.

HTH

vincentcabosart commented 6 years ago

Hello @originalwarby,

That's the explanation I was looking for! Thanks a lot! But it seems the SNAT is not deployed by default in the CloudFormation stack. Because I made a quick test: deploy the firewall-v2.0.template and then the pan_aws_nlb_vpc-2.0.template. And I went into the routing table of the web server (application template), and I just erased the default gateway pointing to the IGW. When I do that and when I type the public URL of the public loadbalancer, I don't see the web page of the web server anymore. I will check further in the Palo Alto config to enable SNAT.

Thanks again for your time to answer my question.

rr128 commented 6 years ago

I get the following error, when I try to tag an existing VPC, within the VPNFailed step function:

{ "Action": "VpnFailed", "Reason": "VPC-CIDR Conflicts" }

This CIDR was associated with an old VPC, but I deleted that VPC before re-creating it.

freimer commented 6 years ago

The whole system appears to be keyed off of CreateTags and DeleteTags API calls, specifically for VPCs. If you just delete a VPC it does not DeleteTags, so the automation never kicks off and the old CIDR is left in the SubscriberLocalDb DynamoDB table. Did you delete the subscribingVpc tag on the old VPC and let it clean up, or just delete the VPC? You may need to clean up manually.
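As an added example (not code from the aws-transit-vpc project) tying together the two causes diagnosed in this thread, the pre-flight check below validates the subscribingVpc tag exactly as the automation expects it (case-sensitive key, value YES/Yes/yes) from a CloudTrail CreateTags record, and scans a snapshot of the subscriber table for CIDR overlaps, marking rows whose VPC no longer exists as stale leftovers of a VPC deleted without a DeleteTags call. The record layout follows the CloudTrail EC2 CreateTags shape; the table attribute names VpcId and VpcCidr, the sample event, the VPC ids and the rows are constructed assumptions.

```python
"""Pre-flight checks before tagging a VPC with subscribingVpc (Option 3).

Added example, not part of the aws-transit-vpc project. Table attribute names
(VpcId, VpcCidr), the sample event, VPC ids and rows are constructed.
"""
import ipaddress

# The automation keys off the tag exactly as written: the key is case-sensitive
# and the accepted values are those the maintainer listed in the thread.
SUBSCRIBE_TAG_KEY = "subscribingVpc"
SUBSCRIBE_TAG_VALUES = {"YES", "Yes", "yes"}


def check_subscribe_tag(event):
    """Inspect a CloudTrail CreateTags record and return (vpc_id, problem).

    problem is None when the tag would be accepted, otherwise a short reason
    why the automation would silently ignore the event.
    """
    params = event.get("requestParameters", {})
    resources = params.get("resourcesSet", {}).get("items", [])
    vpc_ids = [r["resourceId"] for r in resources
               if str(r.get("resourceId", "")).startswith("vpc-")]
    if not vpc_ids:
        return None, "event does not target a VPC"
    tags = {t["key"]: t["value"]
            for t in params.get("tagSet", {}).get("items", [])}
    vpc_id = vpc_ids[0]
    if SUBSCRIBE_TAG_KEY in tags:
        if tags[SUBSCRIBE_TAG_KEY] in SUBSCRIBE_TAG_VALUES:
            return vpc_id, None
        return vpc_id, "value %r not in %s" % (
            tags[SUBSCRIBE_TAG_KEY], sorted(SUBSCRIBE_TAG_VALUES))
    # Catch the exact mistake from the thread: right word, wrong case.
    near = [k for k in tags if k.lower() == SUBSCRIBE_TAG_KEY.lower()]
    if near:
        return vpc_id, "tag key %r differs in case from %r" % (
            near[0], SUBSCRIBE_TAG_KEY)
    return vpc_id, "no %s tag" % SUBSCRIBE_TAG_KEY


def cidr_conflicts(new_vpc_id, new_cidr, subscriber_rows, existing_vpc_ids):
    """Return rows of the subscriber table whose CIDR overlaps new_cidr.

    Each result is (vpc_id, cidr, status): 'stale' when the recorded VPC no
    longer exists (the row survived a VPC deletion that never fired
    DeleteTags, so it can be cleaned up), 'active' when it is a real conflict.
    Overlap is checked with ipaddress, so partial overlaps are caught too.
    """
    new_net = ipaddress.ip_network(new_cidr)
    conflicts = []
    for row in subscriber_rows:
        if row["VpcId"] == new_vpc_id:
            continue  # re-tagging the same VPC is not a conflict
        if ipaddress.ip_network(row["VpcCidr"]).overlaps(new_net):
            status = "active" if row["VpcId"] in existing_vpc_ids else "stale"
            conflicts.append((row["VpcId"], row["VpcCidr"], status))
    return conflicts


# Constructed sample data modelled on the thread's scenario (ids are made up).
NEW_VPC = "vpc-0aaaa00000000001"
OLD_VPC = "vpc-0bbbb00000000002"   # deleted without removing its tag
LIVE_VPC = "vpc-0cccc00000000003"
SAMPLE_EVENT = {
    "eventName": "CreateTags",
    "requestParameters": {
        "resourcesSet": {"items": [{"resourceId": NEW_VPC}]},
        "tagSet": {"items": [{"key": "SubscribingVpc", "value": "Yes"}]},
    },
}
SAMPLE_ROWS = [
    {"VpcId": OLD_VPC, "VpcCidr": "10.10.0.0/16"},
    {"VpcId": LIVE_VPC, "VpcCidr": "10.20.0.0/16"},
]
SAMPLE_LIVE_VPCS = {LIVE_VPC, NEW_VPC}

if __name__ == "__main__":
    print(check_subscribe_tag(SAMPLE_EVENT))
    print(cidr_conflicts(NEW_VPC, "10.10.0.0/16", SAMPLE_ROWS, SAMPLE_LIVE_VPCS))
```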