PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
MIT License

Feature Request: BGP configuration in a virtual router #73

Closed erikpaasonen closed 5 years ago

erikpaasonen commented 6 years ago

Our use case is injecting default routes across VPN tunnels into AWS VPCs. We require the dynamic routing type of AWS VPN because we have designed the architecture around the instantaneous failover experience of BGP (static would require passing around a detached ENI like a hot potato and takes 30-90 seconds because of how AWS works).

Specifically, we need the ability to configure the following features at minimum:

erikpaasonen commented 6 years ago

Hoping for Panorama flavored resource(s) in addition to the regular fw resource. Thanks!

salsop commented 6 years ago

Would be great to be able to modify Export filters too.

kthix commented 5 years ago

I would also like to see BGP routing as a possibility. As this is often used between fw and provider to announce subnets and receive default routes. Also when having redundancy on IPsec BGP is a nice way to steer the traffic. So import and export filter configuration would be great.

shinmog commented 5 years ago

@erikpaasonen @salsop @kthix

Hey all, what form would BGP support ideally take for the virtual router config? Would you want to have one massive panos_bgp_config where you define dampening rules, peer groups, import, etc? Or do you need individualized resources like the panos provider has up until now?

shinmog commented 5 years ago

Oh, the other option is that instead of a panos_bgp_config or some such, that there's a new bgp block in the existing panos_virtual_router / panos_panorama_virtual_router resources. But this has the side effect of requiring that the entire virtual router be managed by Terraform, which seems less likely to fit all use cases..?

salsop commented 5 years ago

Personally, putting it as part of the Router Config would work for me as I need to be able to deploy a full AWS config with VPNs without needing to touch the NGFW, so I'd like to define everything as part of the terraform anyway.

kthix commented 5 years ago

I would not configure everything from Terraform, so a separate panos_vr_bgp resource would be my preferred solution. So I can add BGP config to an existing configuration.

erikpaasonen commented 5 years ago

Our overall approach is a Terraform module that creates a set of VPN tunnels with all the underlying PANOS resources. Right now we cannot create the tunnel interfaces themselves inside the module because the list of tunnel interfaces has to be defined once elsewhere in the virtual router config (I'm blanking on the specifics). Thankfully that's the only caveat to our VPN connectivity module so far.

Based on this, I fear that if everything is defined all in one huge Virtual Router resource that we'll run into the same difficulty in integrating the new BGP stuff. I'd rather have separate resources with _attachment or _entry resources to attach the new item to an existing list.

I'm talking in generalities though, not sure if we'd even run into this with the BGP config for VPN tunnels. That's the only thing I'd watch out for. Hope that helps.

shinmog commented 5 years ago

@salsop @kthix @erikpaasonen

Ok, thanks everyone for your prompt replies! :)

Based on this, and asking around internally, I think I'm going to make all the resources atomic instead of tucking full BGP config into the panos_virtual_router or making a large panos_bgp_config. This will mean lots of resources, but it will give the most flexibility and hopefully not jam up anyone's use case.

shinmog commented 5 years ago

This issue is going to be used for the base BGP configuration of a virtual router, not all of the sub-components. I'll need to open individual issues for those for tracking purposes.