Hi!
Testing out this setup but got stuck.
- The transit VPC has been created OK using initializeTransitAccount.json. (I have tried to change the PaloAltoGroupCapacity from the default to 6 just to see if that changes the behaviour.)
- I'm running the initializeSubscriberAccount.json template to create a subscriber VPC:
  2.1. VPC is created
  2.2. The PaGroup CFT starts
  2.3. The virtual Palo instances are started and I can access them via GUI/SSH
  2.4. Next I would expect the VPNs to be configured, but nothing happens, and after some time a new PaGroup CFT starts, kicking up yet another pair of virtual Palo instances. This goes on until my pool of EIPs is emptied and the PaGroup CFT starts failing. By this time I have a whole bunch of Palos running....
Not sure exactly what goes wrong, but after some digging I found the following in the CloudWatch log group /aws/lambda/fetchVpnServerDetails-palo-transit-vpc-cf:
START RequestId: c2fe9d28-7cf5-47f0-8e8d-b2445a25a33c Version: $LATEST
[INFO] 2018-09-12T09:37:24.805Z c2fe9d28-7cf5-47f0-8e8d-b2445a25a33c Got Event: {'Action': 'FetchVpnServerDetails', 'VpcId': 'vpc-0cedc636159bd1ff2', 'VpcCidr': '10.166.128.0/22', 'Region': 'eu-west-1', 'Rebalance': 'False', 'SubscriberSnsArn': 'arn:aws:sns:eu-west-1:xxxxxxxxx:subscriberSnsTopic-palo-subsciber-vpc3-cf', 'SubscriberAssumeRoleArn': 'arn:aws:iam::xxxxxxxxx:role/SubscriberAssumeRole-palo-subsciber-vpc3-cf', 'ReceivedFrom': 'fetchVpnServerDetails'}
[INFO] 2018-09-12T09:37:24.831Z c2fe9d28-7cf5-47f0-8e8d-b2445a25a33c Starting new HTTPS connection (1): dynamodb.eu-west-1.amazonaws.com
[INFO] 2018-09-12T09:37:25.89Z c2fe9d28-7cf5-47f0-8e8d-b2445a25a33c Starting new HTTPS connection (1): dynamodb.eu-west-1.amazonaws.com
[INFO] 2018-09-12T09:37:25.243Z c2fe9d28-7cf5-47f0-8e8d-b2445a25a33c Scan results of VpcTable: []
[INFO] 2018-09-12T09:37:25.290Z c2fe9d28-7cf5-47f0-8e8d-b2445a25a33c PaGroup Info scan result with Fileter InUse=YES and VpcCount < 6 is: [{'N2Asn': '64828', 'VpcCount': Decimal('0'), 'PaGroupName': 'PaGroup58', 'InUse': 'YES', 'N1Asn': '64827'}, {'N2Asn': '64880', 'VpcCount': Decimal('0'), 'PaGroupName': 'PaGroup84', 'InUse': 'YES', 'N1Asn': '64879'}, {'N2Asn': '64770', 'VpcCount': Decimal('0'), 'PaGroupName': 'PaGroup29', 'N2Eip': '52.49.5.xxx', 'N1Mgmt': '10.166.0.83', 'StackRegion': 'eu-west-1', 'N2Mgmt': '10.166.0.110', 'N1Pip': '10.166.0.5', 'N2Pip': '10.166.0.55', 'InUse': 'YES', 'N1Asn': '64769', 'N1Eip': '34.250.189.xxx'}, {'N2Asn': '64834', 'VpcCount': Decimal('0'), 'PaGroupName': 'PaGroup61', 'InUse': 'YES', 'N1Asn': '64833'}, {'N2Asn': '64748', 'VpcCount': Decimal('0'), 'PaGroupName': 'PaGroup18', 'N2Eip': '34.254.31.xxx', 'N1Mgmt': '10.166.0.80', 'StackRegion': 'eu-west-1', 'N2Mgmt': '10.166.0.104', 'N1Pip': '10.166.0.15', 'N2Pip': '10.166.0.46', 'InUse': 'YES', 'N1Asn': '64747', 'N1Eip': '52.48.39.xxx'}, {'N2Asn': '64730', 'VpcCount': Decimal('0'), 'PaGroupName': 'PaGroup9', 'N2Eip': '34.246.247.xxx', 'N1Mgmt': '10.166.0.76', 'StackRegion': 'eu-west-1', 'N2Mgmt': '10.166.0.107', 'N1Pip': '10.166.0.25', 'N2Pip': '10.166.0.43', 'InUse': 'YES', 'N1Asn': '64729', 'N1Eip': '54.194.178.xxx'}, {'N2Asn': '64812', 'VpcCount': Decimal('0'), 'PaGroupName': 'PaGroup50', 'N2Eip': '52.215.174.xxx', 'N1Mgmt': '10.166.0.85', 'StackRegion': 'eu-west-1', 'N2Mgmt': '10.166.0.105', 'N1Pip': '10.166.0.29', 'N2Pip': '10.166.0.37', 'InUse': 'YES', 'N1Asn': '64811', 'N1Eip': '34.248.49.xxx'}, {'N2Asn': '64772', 'VpcCount': Decimal('0'), 'PaGroupName': 'PaGroup30', 'InUse': 'YES', 'N1Asn': '64771'}]
[INFO] 2018-09-12T09:37:25.308Z c2fe9d28-7cf5-47f0-8e8d-b2445a25a33c PA-Groups are exausted, hence pushing the message back to Queue and passing control to CreateNewPaGroup function
[INFO] 2018-09-12T09:37:25.428Z c2fe9d28-7cf5-47f0-8e8d-b2445a25a33c Starting new HTTPS connection (1): eu-west-1.queue.amazonaws.com
END RequestId: c2fe9d28-7cf5-47f0-8e8d-b2445a25a33c
Why do I get "PA-Groups are exausted" when I have no VPNs configured yet? I would expect this to happen when I reach the limit I have configured (6).
Thankful for any help!
Br,
/J
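In the scan result quoted in the post, all eight groups have VpcCount 0, but only four of them carry the VPN endpoint fields (N1Eip, N2Eip, N1Mgmt, N2Mgmt, N1Pip, N2Pip, StackRegion); the other four are ASN-only entries. The following is an added diagnostic example, not the project's Lambda code, that splits such a scan into usable, incomplete and full groups so a genuine capacity exhaustion can be told apart from half-built groups. The field list, the capacity of 6 and the sample items are assumptions taken from the log.

```python
from decimal import Decimal

# Constructed sample modelled on the PaGroup scan quoted in the post
# (EIPs masked as in the post; PaGroup18's count raised to 6 to show the 'full' case).
# Half of the items carry only ASNs: no EIPs and no management or peer addresses.
SCAN_RESULT = [
    {'N2Asn': '64828', 'VpcCount': Decimal('0'), 'PaGroupName': 'PaGroup58',
     'InUse': 'YES', 'N1Asn': '64827'},
    {'N2Asn': '64770', 'VpcCount': Decimal('0'), 'PaGroupName': 'PaGroup29',
     'N2Eip': '52.49.5.xxx', 'N1Mgmt': '10.166.0.83', 'StackRegion': 'eu-west-1',
     'N2Mgmt': '10.166.0.110', 'N1Pip': '10.166.0.5', 'N2Pip': '10.166.0.55',
     'InUse': 'YES', 'N1Asn': '64769', 'N1Eip': '34.250.189.xxx'},
    {'N2Asn': '64748', 'VpcCount': Decimal('6'), 'PaGroupName': 'PaGroup18',
     'N2Eip': '34.254.31.xxx', 'N1Mgmt': '10.166.0.80', 'StackRegion': 'eu-west-1',
     'N2Mgmt': '10.166.0.104', 'N1Pip': '10.166.0.15', 'N2Pip': '10.166.0.46',
     'InUse': 'YES', 'N1Asn': '64747', 'N1Eip': '52.48.39.xxx'},
    {'N2Asn': '64772', 'VpcCount': Decimal('0'), 'PaGroupName': 'PaGroup30',
     'InUse': 'YES', 'N1Asn': '64771'},
]

# Attributes a PaGroup item must carry before a subscriber VPN can be built against it.
# Assumed field list: taken from the populated items in the log, not from the project.
VPN_FIELDS = ('N1Eip', 'N2Eip', 'N1Mgmt', 'N2Mgmt', 'N1Pip', 'N2Pip', 'StackRegion')


def classify_groups(items, capacity):
    """Bucket InUse=YES scan items into (usable, incomplete, full)."""
    usable, incomplete, full = [], [], []
    for item in items:
        if item.get('InUse') != 'YES':
            continue
        # A group with missing endpoint fields is a half-built stack, not a free slot
        missing = [f for f in VPN_FIELDS if not item.get(f)]
        if missing:
            incomplete.append((item['PaGroupName'], missing))
        elif int(item['VpcCount']) >= capacity:   # VpcCount comes back as Decimal
            full.append(item['PaGroupName'])
        else:
            usable.append(item)
    return usable, incomplete, full


def pick_pa_group(items, capacity=6):
    """Return the least-loaded usable group, or None when groups are genuinely exhausted."""
    usable, _incomplete, _full = classify_groups(items, capacity)
    if not usable:
        return None
    # Tie-break on name so repeated invocations make the same choice
    return min(usable, key=lambda i: (int(i['VpcCount']), i['PaGroupName']))
```

Logging the incomplete bucket next to the "exhausted" decision shows whether a new PaGroup is being launched while earlier ones never finished registering their endpoints.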