topic Re: Looking for a recommendation for Azure "internal Load balancer" when using PA redundan in VM-Series in the Public Cloud

Looking for a recommendation for Azure "internal Load balancer" when using PA redundant Firewalls

alosty — Wed, 23 Aug 2017 15:01:57 GMT

Hi, I have deployed redundant PA Firewalls with the internal Azure load balancer to provide resiliance - thos is working however the "internal load balancer has significant limitations.

I am looking to see if anyone has any recommendations for 3rd party load balancer (taking into account cost and operation in this environment)

The limitations of the free Azure load balancer are as far as I can see

a. a limitation of a maximum 250 ports

b. no support for port ranges - therefore each port to be foirwarded bust be statically defined

Any pointers/recommendations would be greatly appreciated

Thanks

Andrew

Re: Looking for a recommendation for Azure "internal Load balancer" when using PA redundan

robmaas — Thu, 31 Aug 2017 12:48:45 GMT

Due to the nature of Azure networking, another loadbalancer won't probably fix this problem.
When using another LB solution and making this HA, you probably going to need a Azure Internal LB.

See this reference documentation: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/nva-ha

I created a feature request at MS, you can upvote.
https://feedback.azure.com/forums/217313-networking/suggestions/31116808-loadbalancer-multiple-ports-in-one-frontend-rule

A (dirty) work-around can be using multiple internal loadbalancer, as far as the client doesn't use over 150 ports (the limit is actually 150).

Unfortunately no (real) solution, but hopefully it will clear things up.

Re: Looking for a recommendation for Azure "internal Load balancer" when using PA redundan

michelvankessel — Thu, 31 Aug 2017 13:22:43 GMT

Thanks Rob! Just upvoted it several times 😉 Let's hope M$ is going to listen this time. This has been a feature request since 2013 and isput on the feature backlog since november 2016

https://feedback.azure.com/forums/217313-networking/suggestions/4338247-endpoints-can-accept-a-port-range-instead-of-ente

Regards

Michel van Kessel

Re: Looking for a recommendation for Azure "internal Load balancer" when using PA redundan

JohnUrbanek — Thu, 28 Sep 2017 14:36:41 GMT

As of September 2017 Azure Load Balancer HA Ports capability is in preview. Allows the use of 0 for port number and All for protocol type which is shorthand for all ports, all protocols -- very useful for forwarding all traffic hitting the load balancer VIP to the back-end VM-series pool members (for both inbound and outbound use cases) -- in a single load balancer rule.

Before HA Ports capability hits GA, request access to it (link above) and mind the regions where it is available.

-John

Re: Looking for a recommendation for Azure "internal Load balancer" when using PA redundan

junior_r — Sun, 10 Dec 2017 21:50:25 GMT

Hi,

When using multiple PA firewalls on Azure how are you syncing the polices? Also for IPSEC are you terminated on PA or on Azure

VPN gateway?

Thanks

Re: Looking for a recommendation for Azure "internal Load balancer" when using PA redundan

Warby — Sun, 10 Dec 2017 22:45:29 GMT

Hello,

The easiest way to synchronize polices on multiple Palo Alto Networks firewalls is to use Panorama (our management station) to push policy. This works for all of our physical and virtual firewalls. Config elements can be shared or completely independant by device groups.

Another option is to use a thrid party tool like Ansible to push configs to multiple firewalls. We have some sample Ansible plabooks available: https://live.paloaltonetworks.com/t5/Ansible/ct-p/Ansible

The VM-Series firewalls can terminate IPsec tunnels very well. The decision to use the VM-Series versus the Azure VPN gateways should be based on the architecture, routing, performance, etc.

HTH,

Warby

Re: Looking for a recommendation for Azure "internal Load balancer" when using PA redundan

junior_r — Mon, 11 Dec 2017 03:30:41 GMT

@Warby wrote:
Hello,

The easiest way to synchronize polices on multiple Palo Alto Networks firewalls is to use Panorama (our management station) to push policy. This works for all of our physical and virtual firewalls. Config elements can be shared or completely independant by device groups.

Another option is to use a thrid party tool like Ansible to push configs to multiple firewalls. We have some sample Ansible plabooks available: https://live.paloaltonetworks.com/t5/Ansible/ct-p/Ansible

The VM-Series firewalls can terminate IPsec tunnels very well. The decision to use the VM-Series versus the Azure VPN gateways should be based on the architecture, routing, performance, etc.

HTH,

Warby

Hi Warby,

Thanks for the reply the client don’t have Panorama. I guess I will explore the Ansible playbook route. If I have multiple FWs on Azure how would I create the IPSEC tunnel from high level? Wouldn't External LB Break the IPSEC tunnel? I could use multiple public IPs and tunnel monitor but that would mean only one tunnel will be up at a time. Also what is the performance impact of PAN IPSEC tunnel VS Azure VPN Gateway? What about Global Protect? Would it work with External LB? Would you assign two GP pools? One for FW1 and one for FW2 so the destinations know which firewall to return traffic to?

Thanks

Re: Looking for a recommendation for Azure "internal Load balancer" when using PA redundan

junior_r — Tue, 12 Dec 2017 13:32:41 GMT

Hi,

Anyone?

Thanks

Re: Looking for a recommendation for Azure "internal Load balancer" when using PA redundan

robmaas — Tue, 12 Dec 2017 17:10:25 GMT

@junior_r wrote:
@Warby wrote:
Hello,

The easiest way to synchronize polices on multiple Palo Alto Networks firewalls is to use Panorama (our management station) to push policy. This works for all of our physical and virtual firewalls. Config elements can be shared or completely independant by device groups.

Another option is to use a thrid party tool like Ansible to push configs to multiple firewalls. We have some sample Ansible plabooks available: https://live.paloaltonetworks.com/t5/Ansible/ct-p/Ansible

The VM-Series firewalls can terminate IPsec tunnels very well. The decision to use the VM-Series versus the Azure VPN gateways should be based on the architecture, routing, performance, etc.

HTH,

Warby

Hi Warby,

Thanks for the reply the client don’t have Panorama. I guess I will explore the Ansible playbook route. If I have multiple FWs on Azure how would I create the IPSEC tunnel from high level? Wouldn't External LB Break the IPSEC tunnel? I could use multiple public IPs and tunnel monitor but that would mean only one tunnel will be up at a time. Also what is the performance impact of PAN IPSEC tunnel VS Azure VPN Gateway? What about Global Protect? Would it work with External LB? Would you assign two GP pools? One for FW1 and one for FW2 so the destinations know which firewall to return traffic to?

Thanks

I would connect the IPSEC tunnel(s) directly on the firewalls. If you have multiple firewalls within Azure, with the same back-end, you can use OSPF and ECMP to utilize both tunnels.

For GP I would use the same approach and terminate the GP GW directly on the firewall and only put the GP Portal behind the LB.

Re: Looking for a recommendation for Azure "internal Load balancer" when using PA redundan

junior_r — Tue, 12 Dec 2017 18:12:11 GMT

ECMP should return traffic on same tunnel correct? How wouldn't the GP gateway need to be behind LB to?

Thanks

Re: Looking for a recommendation for Azure "internal Load balancer" when using PA redundan

robmaas — Fri, 22 Dec 2017 17:50:16 GMT

The Portal will inform the client of the available gateways.

The client will then connect with one of the available gateways, therefore Azure LB is not necessary for this to work.