Security VPCs for Palo firewalls

Creates a VPC for the PA firewalls, consisting of two AZs, each with a public and a management VPC. In the interest of keeping security VPCs clean, this has a fewer VPC endpoints. The Palo Altos should not need them.

These VPCs are NOT connected to the transit gateways. Instead, the Palo Alto creates a VPN connection to the TGW.