topic Re: Zero trust in AWS issue with ALB in VM-Series in the Public Cloud

Zero trust in AWS issue with ALB

nelsonc0 — Thu, 10 Mar 2022 14:41:52 GMT

We are trying to implement a zero trust environment inside our AWS cloud. We are using a transit gateway deployment, and have all traffic going through a secuirty vpc which houses a pair of PA-VM's. These firewalls are reached by the other VPC's through GWLB's. Because of this architecture when we are allowing inbound web traffic to our ALB's we actually create a rule using the private ip addresses of the ALB's. The issue is the dynamic nature of the ALB these internal IP's change periodically, which in turn invalidates our inbound rules. I have seen some workarounds using NLB, or through Global Accelerator. Neither of these however will keep the private ip of the ALB from changing. I was hoping to use the dynamic group function, but it seems to only be able to pull in EC2's, and not LB's. With zero trust being all the rage how is this not supported? What am I missing.

Re: Zero trust in AWS issue with ALB

nelsonc0 — Fri, 11 Mar 2022 16:15:36 GMT

Bumping this up, can't believe nobody else has this issue?

Re: Zero trust in AWS issue with ALB

aleksandar.astardzhiev — Thu, 16 Jun 2022 11:55:22 GMT

Hi @nelsonc0 ,

Hope you have managed to solve your problem if not, please check which version of AWS plugin for Panorama are you using.

According to the documentations version 3.0.0 have introduced the support for ALB, NLB and ENI monitoring - https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/panorama-plugin-for-aws/aws-plugin-300/whats-new-in-panorama-plugin-for-aws-300#id3986df9a-770d-4c6a-9b91-40f747b6b2e8_id2df12a35-527c-4402-a56a-f4b4b224a6bf