topic Re: AWS ELB one to one relationship with backend in VM-Series in the Public Cloud

AWS ELB one to one relationship with backend

PerryK — Thu, 12 Apr 2018 19:09:33 GMT

According to the documentation, if you don't have an ELB sandwich then there is a one to one relationship between the firewall and the back end server. I spoke to support and the answer was the fact that you can only have one ENI attached per subnet. My customer has an existing IAAS stack and wanted only 1 FW per AZ. But the proxy servers in the private subnet autoscale.

This does not appear possible. Can someone explain in more detail how this constraint works? Options would be to put an internal ELB

from the documentation

Re: AWS ELB one to one relationship with backend

BatD — Sat, 26 May 2018 12:28:54 GMT

I see that no one answered you question and I can try to help, but it is not quite clear what are you trying to do.

I am not sure where you had that from, but taken out of context both statements are not necessary correct. You can surely protect multiple webservers with a single firewall without using load balancer. Also strictly speaking you can have more than one ENI per subnet.

Re: AWS ELB one to one relationship with backend

jperry1 — Mon, 28 May 2018 17:12:36 GMT

We definitely need more context. You can have one ENI per subnet but in that subnet you can have multiple backend resources. So as @BatD referrenced you can secure multiple servers with a firewall. If you have multiple resources in multiple subnets and you would like to secure them via the firewall then you need to add more ENI's and configure multiple zones. the VM-Series can have up to 7 Dataplane interfaces + 1 the management interface depending on the machine type used in AWS

https://www.paloaltonetworks.com/documentation/71/virtualization/virtualization/set-up-the-vm-series-firewall-in-aws/review-system-requirements-and-limitations-for-vm-series-in-aws