>
    Strata Copilot
    Associate a VPC Endpoint with a VM-Series Interface
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on AWS
    4. VM-Series Integration with an AWS Gateway Load Balancer
    5. Associate a VPC Endpoint with a VM-Series Interface
    Download PDF
    VM-Series

    Associate a VPC Endpoint with a VM-Series Interface

    Table of Contents

    Associate a VPC Endpoint with a VM-Series Interface

    Associate one or more VPC endpoints with an interface or subinterface of the VM-Series firewall
    Where Can I Use This?What Do I Need?
    • AWS
    • AWS account
    • Amazon Machine Image (AMI) ID
    • VM-Series License (PAYG or BYOL)
    • VM-Series plugin
    • Panorama
    • Panorama plugin for AWS
    You can associate one or more VPC endpoints with an interface or subinterface of the VM-Series firewall. You can provide consistent policy enforcement by associating all the endpoints in a single VPC to the same subinterface on the firewall. Or, if your deployment has VPCs with overlapping IP address, you can associate endpoints in different VPCs with different subinterfaces for differentiated policy enforcement.
    Associating a VPC to an interface or subinterface is not mandatory to integrate the VM-Series firewall with a GWLB.
    You can configure interfaces and associate a VPC with firewall interfaces using the following methods:
    • Include the interface configuration in your bootstrap.xml file and the association commands as part of the init-cfg.txt file or AWS user-data.
    • After deploying the firewall, manually configure your interfaces and use the firewall CLI to associate your VPCs with interfaces.
    You can associate multiple VPC endpoints to a single interface on the VM-Series firewall. However, you must associate each VPC endpoint individually. For example, to associate VPC endpoint 1 and VPC endpoint 2 with subinterface ethernet1/1.2, you must execute the association command separately for each VPC endpoint.
    The table below describes the commands used to associate a VPC with an interface. You can include the operation command in your init-cfg.txt file or in the AWS user-data.
    Bootstrap ParameterCLI CommandDescription
    plugin-op-commands=
    aws-gwlb-associate-vpce:<vpce-id>@ethernet<subinterface>
    request plugins vm_series aws gwlb associate vpc-endpoint <vpce-id> interface <subinterface>
    Associates a VPC endpoint with an interface or subinterface on the firewall. The specified interface is assigned to a security zone.
    request plugins vm_series aws gwlb disassociate vpc-endpoint <vpce-id> interface <subinterface>
    Disassociates a VPC endpoint with an interface or subinterface on the firewall. The specified interface is assigned to a security zone.
    show plugins vm_series aws gwlb
    Displays the operating state of the firewall as it relates to your GWLB deployment. It does not display the firewall configuration.
    For example, if you configure an association to an interface that does not exist, that association is configured but not part of the operating state. Therefore, it is not displayed.
    When associating a VPC endpoint using the bootstrapping init-cfg.txt file or AWS user-date, you can list multiple interfaces or subinterfaces together. All the commands must be on a single line in a comma-separated list with no spaces as shown in the following example.
    plugin-op-commands=aws-gwlb-inspect:enable,aws-gwlb-associate-vpce:vpce-0913731043b5c0ebc@ethernet1/1.1,aws-gwlb-associate-vpce:vpce-08207ccb4cb23a1de@ethernet1/1.1,aws-gwlb-associate-vpce:vpce-07b66cca88821d6e1@ethernet1/1.2,aws-gwlb-associate-vpce:vpce-0a9a583fdb928492b@ethernet1/1.3
    If you are using subinterfaces to separate traffic, create a subinterface for each VPC and associate it to a VPC.
    1. Configure the subinterface.
      1. Log in to the firewall web interface.
      2. Select NetworkInterface.
      3. Highlight ethernet1/1 and click Add Subinterface.
      4. Enter a numerical suffix (1-9,999) to identify the subinterface.
      5. Enter a VLAN Tag (1 to 4,094) for the subinterface. This field is required but the VLAN is not used.
      6. Select Virtual Router as default.
      7. Select a Security Zone.
      8. On the IPv4 tab, set the Type to DHCP Client.
      9. Click OK.
      10. Repeat this command for each VPC endpoint.
    2. Associate the interface with a VPC endpoint.
      1. Log in to the firewall CLI.
      2. Execute the following command:
        request plugins vm_series aws gwlb associate vpc-endpoint <vpce-id> interface <subinterface>
        For example:
        request plugins vm_series aws gwlb associate vpc-endpoint vpce-02c4e6g8ha97h7e39 interface ethernet1/1.4
        You can locate the VPC endpoint ID in the AWS console.
      3. Repeat this command for each interface and VPC endpoint association.
    3. Verify your interface to VPC endpoint associations.
      show plugins vm_series aws gwlb
      GWLB enabled:      True
Overlay Routing:  False
-------------------------------------------------------------
VPC endpoint                    Interface
--------------------------------------------------------------
vpce-0aeb1a919bd4ae609           ethernet1/1.1
vpce-0294375bfe413f04a           ethernet1/1.2
    4. If necessary, you can use the following command to disassociate a VPC endpoint from an interface.
      request plugins vm_series aws gwlb disassociate vpc-endpoint <vpce-id> interface <subinterface>

    © 2026 Palo Alto Networks, Inc. All rights reserved.