This repo will build you three (3) Aviatrix Transit FireNets with High Performance Encryption enabled, fully meshed, with all of the dependencies for the firewalls built in. The bootstrap configuration files and the IAM objects needed to deploy the firewalls are built into the code. This is my first pass at writing out these details, so I am doing so from the perspective of the advanced practitioner -- I will include a deeper set of instructions for the audience that is not familiar with Aviatrix at a later point.
Getting your FireNet firewalls to deploy automatically requires some configuration files to be uploaded to S3 and some IAM objects to be created. This code base does that for you. Before you run it, you will need the following in place:
- An Aviatrix Controller -- this is simple enough to get: with admin access to an AWS account, subscribe to the Marketplace offering (this gets you your metered license key) and launch the CloudFormation template of the BYOL Platform (this launches the actual AMI for your license key to go into). Yes, you are clicking the subscribe button twice. One click executes a metered contract on the Marketplace and the other gets you access to the AMI itself. Using the AMI to build things is how the meter actually starts running.
- Your Aviatrix Customer ID inserted into your Controller -- this will be emailed to you once you complete your email verification after subscribing to the 2208 Metered Offering in the AWS Marketplace. When the key arrives you can insert it into the Controller at Step 1 of the Onboarding page.
- An AWS account configured in your Controller. This will require designating a name for your AWS account -- something really creative, like "AWS", perhaps. That is the default name given to the AWS account in the code. You will also need to input your 12-digit AWS account number and then you are ready to go. Leave the 'IAM role-based' checkbox checked. (This assumes that you have built the Controller with the CloudFormation template in the BYOL AMI workflow, or that you have built the IAM roles and policies manually, along with the Controller itself.)
- A subscription to Palo Alto Networks VM-Series. Each FireNet module has its image property set to 'Bundle 1', which is the metered version. You can change it to BYOL by using the last string below:
  - Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1
  - Palo Alto Networks VM-Series Next-Generation Firewall Bundle 2
  - Palo Alto Networks VM-Series Next-Generation Firewall (BYOL)
Once you have everything in the list above in place, you will need to configure the Aviatrix provider statement in lines 5-10 of main.tf. The Controller IP and Controller password will need to be set here. The data statements that perform the Vendor Integration sequence in lines 225-288 need to be commented out for the first TF apply. Once the infrastructure build is complete, wait 10 minutes, remove the comments and TF apply again. TF will tell you that nothing has changed, but the green success message will indicate that the Vendor Integration sequence is complete. Once this is done, you are ready to start attaching spokes and exposing workloads. Enjoy!
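As an added example (not the repository's own main.tf), this is the shape of the provider statement described above, with the Controller password taken from a sensitive variable rather than written into the file. The provider argument names are those of the Aviatrix Terraform provider; the variable names and the `admin` username are assumptions.

```hcl
# Added example, not the repo's main.tf. Assumes Terraform >= 0.14
# (for `sensitive`) and the AviatrixSystems/aviatrix provider.
terraform {
  required_providers {
    aviatrix = {
      source = "AviatrixSystems/aviatrix"
    }
  }
}

variable "controller_ip" {
  type        = string
  description = "Public IP or FQDN of the Aviatrix Controller"
}

variable "controller_password" {
  type        = string
  sensitive   = true # redacted from plan/apply output and state diffs
  description = "Controller admin password; pass via TF_VAR_controller_password, do not commit"
}

# Weak form this replaces (do not do this in a committed main.tf):
#   password = "MyControllerPassword!"
provider "aviatrix" {
  controller_ip = var.controller_ip
  username      = "admin" # assumption: the default Controller admin user
  password      = var.controller_password
}
```

Set the secret in the shell before applying (`export TF_VAR_controller_password='...'`) so it never lands in the repo or in a plaintext tfvars file.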
| Element | Default Designation |
|---|---|
| Cloud | AWS |
| Regions | us-west-2, us-east-1, us-east-2 |
| Number of Firewalls per Transit | 2 |
| HPE Enabled | Yes |
| Gateway Size | c5n.2xlarge |
| Firewall Size | c5.xlarge |
| Transit Peering | Full Mesh |