aws-transit-vpc
Problem create VPN with TAG subscribingVpc = Yes
Hi team,
After setting tag to Yes, the VPNs do not come up (we have waited about 1 hour). Any clues?
Thanks
Hi,
I have full access to everything in the permissions, but could it still be a permissions problem? It doesn't seem to write to DynamoDB for create VPN.
regards,
Did you run the InitializesubscribeAccount template?
Thanks,
/narayan
[In reply to SergiMajo, Tuesday, April 3, 2018 at 4:54 AM]
Yeah. The script creates a second machine without problems but never creates a VPN between the VPCs. Regards
Any news about this? I'm experiencing the same problem. The InitializesubscribeAccount template has been run but when changing the tag, no VPN is created.
We are having the same problem. Our existing VPC does not have an existing VGW or IGW.
Have you run the InitializeTransitAccount template in the hub?
If you have and the tunnels still don't come up, try to log into one of the firewalls using the user/pass described in the doc. If that fails, then chances are bootstrapping has failed.
Make sure your bootstrap bucket is properly organized and that the bucket is in the same region as the hub transit (where you deployed the initialize template).
Hello,
Yes, the InitializeTransitAccount has been launched successfully. In fact, I can "attach" a subscribing VPC by the Option 1 described in the document. However I have another VPC which already exists and I want to attach it via Option 3. So, I just added a tag (key: subscribingVpc and Value: Yes). It seems the "CloudTrailLambda" function is triggered (that's what I see in CloudWatch), but in the end, the VGW is not attached to the VPC. The VPC does not have any IGW nor VGW previously configured. It just has one subnet, and there is no instance in it. It is basically a brand new VPC with only one subnet in it. Are there specific conditions to be matched by the VPC that has to be attached with Option 3?
Thank you in advance.
Are firewalls deployed in your hub? If so can you log into them?
-- Thanks, /narayan
[In reply to Vinch157, Monday, April 30, 2018 11:47:44 AM]
Hello,
Yes indeed, I can log into them without problem! The VPN tunnels are up to the VGW of the VPC deployed via Option 1. However, deployment via Option 3 still does not work.
Same problem here.
Hello, I just tried again and this time, it has worked!! I think I wrote the key "SubscribingVpc" instead of "subscribingVpc". Maybe the case is important for the tag?
Good point.
I will make that note…
-- /narayan
[In reply to Vinch157, Monday, April 30, 2018 at 1:38 PM]
I always had subscribingVpc and it never worked. Did you put in "yes" or "YES" as the value?
I believe it is all caps…
-- /narayan
[In reply to rr128, Monday, April 30, 2018 at 5:04 PM]
Doesn't work for me when I put an existing VPC without an IGW and VGW and tag it with subscribingVPC = YES
Ok. Will have to check the code...Will update.
-- Thanks, /narayan
[In reply to rr128, Monday, April 30, 2018 5:14:43 PM]
The tag needs to be subscribingVpc=YES/Yes/yes
It is listed in the documentation:
documentation/solution_overview.md:14
-- /narayan
[In reply to rr128, Monday, April 30, 2018 at 5:14 PM]
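A pre-flight check for the tag problem discussed above, as an added example that is not part of the thread or of the project's code. AWS tag keys are case-sensitive; that the solution matches the key `subscribingVpc` exactly and accepts only `YES`/`Yes`/`yes` is an assumption taken from the reports in this thread, and the VPC ids in the sample are constructed.

```python
import json

EXPECTED_KEY = "subscribingVpc"          # key spelling used in this thread
ACCEPTED_VALUES = {"YES", "Yes", "yes"}  # values listed in the thread

# Constructed sample shaped like `aws ec2 describe-vpcs` output.
SAMPLE = json.loads("""
{"Vpcs": [
  {"VpcId": "vpc-0aaa", "Tags": [{"Key": "subscribingVpc", "Value": "Yes"}]},
  {"VpcId": "vpc-0bbb", "Tags": [{"Key": "SubscribingVpc", "Value": "Yes"}]},
  {"VpcId": "vpc-0ccc", "Tags": [{"Key": "subscribingVPC", "Value": "YES"}]},
  {"VpcId": "vpc-0ddd", "Tags": [{"Key": "subscribingVpc", "Value": "true"}]},
  {"VpcId": "vpc-0eee", "Tags": [{"Key": "Name", "Value": "unrelated"}]},
  {"VpcId": "vpc-0fff"}
]}
""")


def audit_vpc_tags(describe_vpcs):
    """Return {vpc_id: finding} for every VPC carrying a subscribe-like tag."""
    findings = {}
    for vpc in describe_vpcs.get("Vpcs", []):
        for tag in vpc.get("Tags", []):  # "Tags" is absent on untagged VPCs
            key, value = tag["Key"], tag["Value"]
            # Only look at keys that match once case and padding are ignored.
            if key.strip().casefold() != EXPECTED_KEY.casefold():
                continue
            if key != EXPECTED_KEY:
                finding = f"key {key!r} differs from {EXPECTED_KEY!r}"
            elif value not in ACCEPTED_VALUES:
                finding = f"value {value!r} is not one of {sorted(ACCEPTED_VALUES)}"
            else:
                finding = "ok"
            # A correct tag is never overwritten by a near-miss on the same VPC.
            if findings.get(vpc["VpcId"]) != "ok":
                findings[vpc["VpcId"]] = finding
    return findings


if __name__ == "__main__":
    for vpc_id, finding in audit_vpc_tags(SAMPLE).items():
        print(vpc_id, finding)
```
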
Hello,
Just a note from my experience: you need to wait quite a long time for the PAGroup58 to be fired up. At least 10 minutes + time to initialize the FWs + time to bring up the VPNs. So, in total 15 - 20 minutes. A small hint: check CloudWatch to see whether the Lambda function is being triggered.
I tried to tag another VPC as subscribing VPC which already has an IGW attached to it (no VGW, but one IGW) and it works! The VPNs are coming up. Is this supported? I read in the document that it was normally not supported.
I also tried something else: I want a specific route to be injected via the VGW, not the default route as mentioned in the documentation. If you change the redistribution profile accordingly in the FW, it works. So finally, I can have a subscribing VPC with a default route pointing to an IGW (default route to internet) and a specific route (to another subscribing VPC, for example) pointing to the VGW going to the firewall. Is this also something that is normally supported? (No negative side effect?)
When you tagged an existing VPC, was it from another account?
You can deploy the hub and spoke in the same AWS account or have transit in one and the spoke in the other.
-- Thanks, /narayan
[In reply to rr128, Wednesday, May 2, 2018 5:42:51 AM]
When I try to tag an existing VPC from another account, it does not associate with the transit VPC. The existing VPC does not have a VGW or IGW. I am using the initializeSubscriberAccount.json to connect the spoke VPC to the transit VPC.
And you have specified the account numbers when deploying the respective templates?
-- Thanks, /narayan
[In reply to rr128, Wednesday, May 2, 2018 7:43:46 AM]
Yes, I’m putting the transit account number within the subscriber template. Also, I have the S3 bucket within the subscriber account. Is that correct?
For lambda functions. Yes.
-- Thanks, /narayan
[In reply to rr128, Wednesday, May 2, 2018 8:03:08 AM]
Hi Vinch157. Using both an IGW and a VGW in a subscribing (spoke) VPC will work from a routing perspective. And this is published as community supported so your changes won't change the support.
But you are allowing traffic out to the internet without any inspection. This means the firewalls can't look for things like data exfiltration or connections to known malicious URLs etc. So technically this should work but we wouldn't consider this as secure.
Best practices would be to default route to the VGW and then route through the transit VM-Series firewalls to the IGW in the transit VPC. This gets you secured Internet access without hair-pinning back to an on-prem firewall.
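A route-table audit for the inspection gap described in the comment above, as an added example that is not from the thread or the project. It goes beyond the IGW case by also flagging NAT gateway and egress-only internet gateway targets, which leave a spoke VPC without crossing the transit firewalls in the same way; the sample data and all resource ids are constructed.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-0a01", "VpcId": "vpc-0aaa", "Routes": [
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-0a01"}]},
  {"RouteTableId": "rtb-0b01", "VpcId": "vpc-0bbb", "Routes": [
    {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "vgw-0b01"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0b01"}]},
  {"RouteTableId": "rtb-0c01", "VpcId": "vpc-0ccc", "Routes": [
    {"DestinationCidrBlock": "10.3.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0c01"},
    {"DestinationIpv6CidrBlock": "::/0",
     "EgressOnlyInternetGatewayId": "eigw-0c01"}]}
]}
""")


def internet_target(route):
    """Return the target id if the route sends traffic straight to the internet edge."""
    gateway = route.get("GatewayId", "")
    if gateway.startswith("igw-"):
        return gateway
    return route.get("NatGatewayId") or route.get("EgressOnlyInternetGatewayId")


def classify_route_tables(describe_route_tables):
    """Map each route table id to a verdict and its direct-to-internet routes."""
    report = {}
    for table in describe_route_tables.get("RouteTables", []):
        direct, default_via_vgw = [], False
        for route in table.get("Routes", []):
            if route.get("State", "active") != "active":
                continue  # blackholed routes carry no traffic
            dest = (route.get("DestinationCidrBlock")
                    or route.get("DestinationIpv6CidrBlock"))
            target = internet_target(route)
            if target:
                direct.append((dest, target))
            elif (dest in ("0.0.0.0/0", "::/0")
                  and route.get("GatewayId", "").startswith("vgw-")):
                default_via_vgw = True
        if direct:
            verdict = "uninspected-egress"   # bypasses the transit firewalls
        elif default_via_vgw:
            verdict = "default-via-vgw"      # the layout recommended above
        else:
            verdict = "other"
        report[table["RouteTableId"]] = {
            "vpc": table["VpcId"], "verdict": verdict, "direct": direct}
    return report


if __name__ == "__main__":
    for rtb, info in classify_route_tables(SAMPLE).items():
        print(rtb, info["vpc"], info["verdict"], info["direct"])
```
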
I see the following error within the steps function when I try to tag a VPC:
"error": "States.Runtime", "cause": "An error occurred while executing the state 'ChoiceState' (entered at the event id #19). Unable to apply Path transformation to null input."
Actually, this seems to be the error that is causing the problem:
Error in publishToSns(), Error: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::XXXXXXXX:assumed-role/SubscriberLambdaExecutionRole-Test-Spoke-VPC/createVpnConnection-Test-Spoke-VPC is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXX:role/TransitAssumeRole-Transit-VPC
Good catch.
When launching the transit template make sure the subscriber account number is correct.
When launching the subscriber account template make sure the following are also correct: [inline image, not included]
The first two are output of the transit initializer template.
In your subscriber template deployment, you can check the stack deployment parameters and see if there is no typo.
-- /narayan
[In reply to rr128, Wednesday, May 2, 2018 at 1:03 PM]
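A trust-policy check for the AccessDenied error and the account-number advice above, as an added example that is not from the thread or the project's code. The role names come from the quoted error; the account ids and the trust-policy documents are constructed placeholders, and `Condition` blocks are not evaluated.

```python
import re

SESSION_ARN = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def principal_forms(session_arn):
    """Principal strings a trust policy could use to admit this assumed-role caller."""
    match = SESSION_ARN.match(session_arn)
    if not match:
        raise ValueError(f"not an assumed-role session ARN: {session_arn}")
    account, role = match.groups()
    return {
        account,                                # bare account id
        f"arn:aws:iam::{account}:root",         # the whole account
        f"arn:aws:iam::{account}:role/{role}",  # the role itself (no IAM path assumed)
        session_arn,                            # one specific session
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_allows(trust_policy, session_arn):
    """True if the role's trust policy lets the caller use sts:AssumeRole."""
    forms = principal_forms(session_arn)
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        listed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(p == "*" or p in forms for p in listed):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


# Constructed caller: placeholder account id, role and session names from the error.
CALLER = ("arn:aws:sts::111111111111:assumed-role/"
          "SubscriberLambdaExecutionRole-Test-Spoke-VPC/"
          "createVpnConnection-Test-Spoke-VPC")


def make_trust(account_id):
    """Constructed trust policy for the transit role, trusting one account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole"}]}


TRUST_OK = make_trust("111111111111")
TRUST_TYPO = make_trust("111111111112")  # one digit off: caller's account not trusted

if __name__ == "__main__":
    print("correct account id:", trust_allows(TRUST_OK, CALLER))
    print("mistyped account id:", trust_allows(TRUST_TYPO, CALLER))
```

The same AccessDenied text is returned when the caller's own IAM policy does not allow `sts:AssumeRole` on the target role, so a passing trust check still leaves the subscriber-side policy to verify.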
Thanks. I don't see the picture you attached.
It is in the deployment guide…in the documentation folder in the repo.
Hopefully you have been following that.
-- /narayan
[In reply to rr128, Wednesday, May 2, 2018 at 1:15 PM]