topic Re: Auto Scaling the VM-Series on AWS feature in VM-Series in the Public Cloud

Auto Scaling the VM-Series on AWS feature

8kmiles — Thu, 09 Aug 2018 04:50:53 GMT

I would like to know if Auto Scaling the VM-Series on AWS feature and load balancing feature is supporting for non-http/https traffic or not?

Traffic flow:-

NLB-->Auto Scaling the VM-Series-->backend server

Re: Auto Scaling the VM-Series on AWS feature

jmeurer — Thu, 09 Aug 2018 14:10:29 GMT

Yes, you can deploy our V2.0 Autoscaling template from GitHub, you will have an ALB externally with an autoscale group (ASG) for the firewall. You can then manually create the NLB with a Target Group pointing to the firewall. You would then update the ASG with the new target group. Any autoscaling events that occur will add or remove the firewall from the NLB's target group.

https://github.com/PaloAltoNetworks/aws-elb-autoscaling

Re: Auto Scaling the VM-Series on AWS feature

hsong — Thu, 09 Aug 2018 14:31:19 GMT

So, Is it basically replacing the external ALB from V.2 autoscalling template with manually built NLB?

Re: Auto Scaling the VM-Series on AWS feature

jmeurer — Thu, 09 Aug 2018 14:59:00 GMT

I would set it up in parallel, there are some other automations that you could impact by deleting the ALB entirely. You can delete the Listener rule so it does not handle any traffic.

Re: Auto Scaling the VM-Series on AWS feature

8kmiles — Fri, 10 Aug 2018 05:31:28 GMT

I have already deployed V2.0 Autoscaling template from GitHub for http/https traffic.

ALB--->Auto-Scale Palo Alto firewall --->NLB--->Backend Server

But now my requirement is for non-http/https traffic whether Autoscaling features will support or not? If yes can you just let me know how to deploy or any template need to use.

Proposed Traffic flow:-

NLB--->Auto-Scale Palo Alto firewall--->Backend server

NLB--->Auto-Scale Palo Alto firewall--->NLB-->Backend server

Re: Auto Scaling the VM-Series on AWS feature

jmeurer — Fri, 10 Aug 2018 12:50:09 GMT

Either of the proposed flow will work, it just depends on if you need LB in front of your backend servers.

As for what to change.

1. Create the front door NLB.

2. Add the Firewall Untrust side to the Target Group of the newly created NLB.

3. Add the newly created Target Group to the "Target Groups" field on the Details tab of the Firewall Autoscale Groups created by the ALB CFT.

Re: Auto Scaling the VM-Series on AWS feature

8kmiles — Tue, 14 Aug 2018 05:35:41 GMT

Done the same thing but getting as "None of these Availability Zones contains a healthy target. Requests are being routed to all targets."

1. Created NLB in frontdoor and backend.

2. Deployed the VM-Series Auto Scaling Template for AWS (v2.0)

3. Remove the listener rules in ALB.

4. Frontdoor NLB has routed to Auto Scaling group.

5. Backend NLB routed to backend target group.

6. Tested from Internal backend NLB to backed target gorup which is working perfectly.

What i found is that from Auto scaling group to backend NLB integration which i stuck. How to do that? and why unhealthy status is showing due to Auto scaling group to backend NLB integration or some other reason?

Traffic Flow:-

NLB-->VM-Series Auto Scaling-->NLB-->Target Group backend server

Thanks

Re: Auto Scaling the VM-Series on AWS feature

jmeurer — Tue, 14 Aug 2018 12:48:30 GMT

Did you create a Security policy allowing the traffic and a corresponding NAT rule to map the traffic to the internal NLB? The NLB sends the health probes on the port that the backend servers are configured on unless you have overridden that port.

Re: Auto Scaling the VM-Series on AWS feature

8kmiles — Wed, 15 Aug 2018 12:36:35 GMT

Finally, it works for me after configured Destination NAT and Security Policy, Swapping mgmt interface in one of the Auto Scaling Palo Alto instance.

But this won’t full fill our expectation by mixing template and manual configuration, which is not compatibility with each other.

Because there are many things we need to change during scaling in and out.

Like I’m giving one example below:

Whenever scaling in will happened we have to register those scaling in instance to the front door NLB listener rules to be working. So in real time in production environment its not possible to monitor when scaling will happened and we will have to add it immediately.

Manually both NLB can be configured but not auto scaling features of palo alto firewall.

Is there any Template is availble for end to end solution i.e External NLB-->Auto Scalaing Palo Alto-->Internal NLB

or in coming future it will be release.

That will be more usefull for everyone for deploying in Prod environment.

Thanks,

Re: Auto Scaling the VM-Series on AWS feature

jmeurer — Wed, 15 Aug 2018 13:43:40 GMT

The final bits that you have encountered are possible with modification to Lambda code and either an update to the bootstrap file or integration with panorama.

Your first example of a scale in/out events registering with the NLB is my early point of adding the NLB's target group to the Firewall's autoscale group.

The piece that you will need to incorporate into your environment is the addition of the security and NAT policy for the NLB. That is where either addition to the bootstrap or integration with a Panorama Template come into play.

Our PS and Partner community can assist with formalizing a solution for you. I would suggest reaching out to your SE for an introduction.

Re: Auto Scaling the VM-Series on AWS feature

8kmiles — Fri, 17 Aug 2018 04:02:34 GMT

To Manage all those firewall instance Panorama is required. So i deployed the Panorama but here the question comes how to configure NAT rules in Panorama which will push to all the Palo Alto instances.

Earlier i tried it with one instance and manual i put destination NAT and it works, But in Panoroma how to do it and how it will applicable for all new instance which will create in scaling in time.

Thanks,

Re: Auto Scaling the VM-Series on AWS feature

8kmiles — Fri, 17 Aug 2018 05:44:45 GMT

Earlier i tried it with one instance and manual i put destination NAT and it works, But in Panoroma how to do it and how it will applicable for all new instance which will create in scaling in time.

Thanks,

Re: Auto Scaling the VM-Series on AWS feature

8kmiles — Mon, 20 Aug 2018 06:41:44 GMT

Hi,

I'm able to deploy panorama to manage all the instance's when scaling in happened.

In Panorama configured the device group and assigned the template stack name which i deployed.

Also checked connectivity is fine by doing ping test from panorama. But still insatnce's are not updating automatically to Panorama.

Could you please help on this.

Thanks,