https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/how-to-add-a-firewall-for-alb-which-is-connected-to-global/m-p/546523#M1915 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/295932">@KimSiah</a> ,</P> <P>I don't have experience with Global Accelerator, but when reading AWS docs it is basically an Anycast public address. Which if I could just simplify - traffic to the Global Accelerator IP will be "forwarded" to the ALB, but again over the Internet Gateway.</P> <P>I am assuming the anycast IP will use ALB public IP and for that will also need IGW to be deployed, which means same GWLBendpoint should be sufficient.</P> <P>&nbsp;</P> <P>I am curious if have tested it and what is the result.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 20 Jun 2023 15:08:39 GMT aleksandar.astardzhiev 2023-06-20T15:08:39Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/how-to-add-a-firewall-for-alb-which-is-connected-to-global/m-p/545937#M1910 <P>&nbsp;</P> <P>I have implemented a security service VPC using VM series and Gateway Load balancer. in the case where traffic is coming thru the IGW, I am able to route incoming traffic from IGW to security VPC for inspection and then back the application ALB.&nbsp;</P> <P>However, I am not sure how to do this if my ALB is connected to a Global Accelerator (when traffic does not pass thru IGW). where and how could I insert the GWLB endpoint ?</P> <P>The diagram to illustrate the connectivity</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KimSiah_1-1686721882301.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50910i08FCEF2C52182B58/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="KimSiah_1-1686721882301.png" alt="KimSiah_1-1686721882301.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Please enlighten. Thanks.</P> <P>&nbsp;</P> <P>KS</P> Wed, 14 Jun 2023 05:53:33 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/how-to-add-a-firewall-for-alb-which-is-connected-to-global/m-p/545937#M1910 KimSiah 2023-06-14T05:53:33Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/how-to-add-a-firewall-for-alb-which-is-connected-to-global/m-p/546523#M1915 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/295932">@KimSiah</a> ,</P> <P>I don't have experience with Global Accelerator, but when reading AWS docs it is basically an Anycast public address. Which if I could just simplify - traffic to the Global Accelerator IP will be "forwarded" to the ALB, but again over the Internet Gateway.</P> <P>I am assuming the anycast IP will use ALB public IP and for that will also need IGW to be deployed, which means same GWLBendpoint should be sufficient.</P> <P>&nbsp;</P> <P>I am curious if have tested it and what is the result.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 20 Jun 2023 15:08:39 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/how-to-add-a-firewall-for-alb-which-is-connected-to-global/m-p/546523#M1915 aleksandar.astardzhiev 2023-06-20T15:08:39Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/how-to-add-a-firewall-for-alb-which-is-connected-to-global/m-p/559305#M1988 <P>GA does not send traffic via IGW, GA traffic is not even controlled by the VPC NACL. I have removed the GA, instead, I used a NLB in front of the ALB and made IGW send traffic for the NLB to the GWLB endpoint&nbsp;</P> Mon, 25 Sep 2023 08:13:38 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/how-to-add-a-firewall-for-alb-which-is-connected-to-global/m-p/559305#M1988 KimSiah 2023-09-25T08:13:38Z