<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: AWS Load Balancer Sandwich Outbound Traffic in VM-Series in the Public Cloud</title>
    <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-load-balancer-sandwich-outbound-traffic/m-p/223076#M370</link>
    <description>&lt;P&gt;&lt;SPAN&gt;With the jumpbox, you have to ensure that it is in the NATGateway subnet; that is the only subnet that has an IGW for the EIPs to utilize.&amp;nbsp; Additionally, there is a security group created by the template that allows ports 22/3389 for access to the jumpbox.&amp;nbsp; If that SG was not used for the jumpbox, ensure that your jumpbox does have the proper SG applied.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;As for outbound, this template was not&amp;nbsp;designed&amp;nbsp;for protection of traffic originating within the VPC.&amp;nbsp; You can choose to create a route for your application servers pointing to the Trust side of the firewall in the corresponding AZ and validate that ETH2 has Source/Destination check disabled.&amp;nbsp; You will then need to add corresponding security and hide NAT policies to allow the traffic.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Please note that this creates a single point of failure within the VPC.&amp;nbsp; In order to perform outbound inspection of traffic originating from within the VPC, utilization of a transit VPC or other automation to monitor the firewalls and move the routes is necessary.&amp;nbsp; That is a topic better suited for a discussion with your Palo Alto Networks SE.&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 20 Jul 2018 12:26:30 GMT</pubDate>
    <dc:creator>jmeurer</dc:creator>
    <dc:date>2018-07-20T12:26:30Z</dc:date>
    <item>
      <title>AWS Load Balancer Sandwich Outbound Traffic</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-load-balancer-sandwich-outbound-traffic/m-p/222805#M369</link>
      <description>&lt;P&gt;We have been trying to get the load balancer sandwich (&lt;A href="https://github.com/PaloAltoNetworks/aws-alb-sandwich" target="_blank"&gt;https://github.com/PaloAltoNetworks/aws-alb-sandwich&lt;/A&gt;) working but have had little success. Has anyone been successful?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;First of all, we can't figure out how to send outbound traffic through the firewalls. An internal, outbound-facing load balancer should do the trick, but it seems to be a requirement to configure each TCP port needed for Internet connectivity. Is there another way to get this done?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;After we (finally, after several tries) got a CF stack to complete successfully, we could never connect to our jump box. We would rather put an elastic IP on the MGMT interfaces and get the firewalls configured, then configure access through the firewalls to the jump box. We couldn't get into either the firewalls or the jump box; connections just timed out.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you for any suggestions.&lt;/P&gt;</description>
      <pubDate>Wed, 18 Jul 2018 18:21:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-load-balancer-sandwich-outbound-traffic/m-p/222805#M369</guid>
      <dc:creator>JakeRocus</dc:creator>
      <dc:date>2018-07-18T18:21:27Z</dc:date>
    </item>
    <item>
      <title>Re: AWS Load Balancer Sandwich Outbound Traffic</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-load-balancer-sandwich-outbound-traffic/m-p/223076#M370</link>
      <description>&lt;P&gt;&lt;SPAN&gt;With the jumpbox, you have to ensure that it is in the NATGateway subnet; that is the only subnet that has an IGW for the EIPs to utilize.&amp;nbsp; Additionally, there is a security group created by the template that allows ports 22/3389 for access to the jumpbox.&amp;nbsp; If that SG was not used for the jumpbox, ensure that your jumpbox does have the proper SG applied.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;As for outbound, this template was not&amp;nbsp;designed&amp;nbsp;for protection of traffic originating within the VPC.&amp;nbsp; You can choose to create a route for your application servers pointing to the Trust side of the firewall in the corresponding AZ and validate that ETH2 has Source/Destination check disabled.&amp;nbsp; You will then need to add corresponding security and hide NAT policies to allow the traffic.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Please note that this creates a single point of failure within the VPC.&amp;nbsp; In order to perform outbound inspection of traffic originating from within the VPC, utilization of a transit VPC or other automation to monitor the firewalls and move the routes is necessary.&amp;nbsp; That is a topic better suited for a discussion with your Palo Alto Networks SE.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 20 Jul 2018 12:26:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-load-balancer-sandwich-outbound-traffic/m-p/223076#M370</guid>
      <dc:creator>jmeurer</dc:creator>
      <dc:date>2018-07-20T12:26:30Z</dc:date>
    </item>
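The reply above describes two things: steering VPC-originated traffic at the firewall's Trust interface (ETH2, with Source/Destination check disabled) and, because that makes the firewall in each AZ a single point of failure, automation that monitors the firewalls and moves the routes. The script below is an added example and is not code from the thread, the aws-alb-sandwich template or Palo Alto Networks. It assumes one VM-Series per AZ, one application route table per AZ, and placeholder ENI/route-table IDs; the firewall health map is an input that your own probe must produce. The RecordingClient stands in for boto3.client("ec2") so the script runs offline; the three method names and keyword arguments it exposes (modify_network_interface_attribute, create_route, replace_route) are the real boto3 EC2 client calls.

```python
"""Added example: point app-subnet default routes at the VM-Series Trust ENI (ETH2)
and fail the route over to a healthy peer firewall in another AZ.
All resource IDs below are constructed placeholders, not values from the thread."""
from dataclasses import dataclass

DEFAULT_ROUTE = "0.0.0.0/0"


@dataclass(frozen=True)
class Firewall:
    name: str
    az: str
    trust_eni: str  # ETH2, the Trust-side ENI of the VM-Series instance (assumed layout)


# Constructed topology: one firewall and one application route table per AZ.
FIREWALLS = [
    Firewall("fw-a", "us-east-1a", "eni-0aaaa0000000000a1"),
    Firewall("fw-b", "us-east-1b", "eni-0bbbb0000000000b2"),
]
APP_ROUTE_TABLES = {
    "us-east-1a": "rtb-0aaaa0000000000a1",
    "us-east-1b": "rtb-0bbbb0000000000b2",
}


class RecordingClient:
    """Offline stand-in for boto3.client("ec2"): records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def modify_network_interface_attribute(self, **kw):
        self.calls.append(("modify_network_interface_attribute", kw))

    def create_route(self, **kw):
        self.calls.append(("create_route", kw))

    def replace_route(self, **kw):
        self.calls.append(("replace_route", kw))


def prepare_trust_eni(ec2, fw):
    """Disable Source/Destination check on ETH2; without it the ENI drops packets
    whose addresses are not its own, which is exactly the forwarded app traffic."""
    ec2.modify_network_interface_attribute(
        NetworkInterfaceId=fw.trust_eni, SourceDestCheck={"Value": False}
    )


def plan_default_routes(firewalls, route_tables, health):
    """Return {route_table_id: trust_eni}. Prefer the healthy firewall in the same AZ;
    otherwise use any healthy firewall (cross-AZ failover). Refuse to plan when
    nothing is healthy so a bad probe cannot blackhole every route table."""
    healthy = [fw for fw in firewalls if health.get(fw.name, False)]
    if not healthy:
        raise RuntimeError("no healthy firewall; leaving routes untouched")
    plan = {}
    for az, rtb in route_tables.items():
        local = [fw for fw in healthy if fw.az == az]
        target = local[0] if local else healthy[0]
        plan[rtb] = target.trust_eni
    return plan


def apply_plan(ec2, plan, current):
    """Install the planned default route where it differs from what is currently
    installed (`current` maps route table id to installed ENI, or None if absent).
    Returns the (route_table_id, eni) pairs that were changed."""
    changed = []
    for rtb, eni in plan.items():
        if current.get(rtb) == eni:
            continue  # already pointing at the right firewall; nothing to move
        kwargs = dict(RouteTableId=rtb, DestinationCidrBlock=DEFAULT_ROUTE, NetworkInterfaceId=eni)
        if current.get(rtb) is None:
            ec2.create_route(**kwargs)
        else:
            ec2.replace_route(**kwargs)
        changed.append((rtb, eni))
    return changed


if __name__ == "__main__":
    ec2 = RecordingClient()  # swap for boto3.client("ec2") to run against a real VPC
    for fw in FIREWALLS:
        prepare_trust_eni(ec2, fw)
    steady = plan_default_routes(FIREWALLS, APP_ROUTE_TABLES, {"fw-a": True, "fw-b": True})
    apply_plan(ec2, steady, current={})
    # Simulated failure of fw-a: the us-east-1a route table moves to fw-b's Trust ENI.
    failover = plan_default_routes(FIREWALLS, APP_ROUTE_TABLES, {"fw-a": False, "fw-b": True})
    for rtb, eni in apply_plan(ec2, failover, current=steady):
        print(f"moved {DEFAULT_ROUTE} in {rtb} to {eni}")
```

Run this on a schedule (or from a health-check event) with the real client and a probe that actually reaches the firewall's Trust address. The security and hide-NAT policies the reply mentions still have to exist on each firewall that can receive the moved route, otherwise the failover delivers traffic to a device that will drop it.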
  </channel>
</rss>

