https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-availability-zones/m-p/298618#M711 <P>Hello,</P><P>&nbsp;</P><P>I was investigating this issue. my problem is that I need cross AZ .&nbsp; VPN+NAT</P><P>&nbsp;</P><P>AWS speaking, I could move the EIP of the Trust interface to an ENI on another AZ. And then, update the route tables pointing to the second ENI. This will be with some downtime, which is acceptable as this is based on AZ failure, the other system behind my nat need to recover as well.</P><P>&nbsp;</P><P>On paper, looks good. I'm wondering if there's a way to know with an external tool about the failure and initiate the failover process? and when the route is considered being down? no more ping? how about the WAN down and not the router?</P><P>&nbsp;</P><P>Thanks</P> Thu, 14 Nov 2019 18:24:33 GMT nronica 2019-11-14T18:24:33Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-availability-zones/m-p/153672#M40 <P>For background, here is the scenario:</P><P>&nbsp;</P><P>Initially we were looking at a high availability setup with 2 VM appliances, however, there is a restriction to a single AZ in that approach because of how the “floating IP / ENI” works.</P><P>&nbsp;</P><P>However, this environment will span multiple AZ’s for redundancy and there is a published Palo Alto video on how they do this: <A href="https://www.youtube.com/watch?time_continue=130&amp;v=xiPZHzdNRmI" target="_blank">https://www.youtube.com/watch?time_continue=130&amp;v=xiPZHzdNRmI</A></P><P>&nbsp;</P><P>I’m re-watching it again, but based on my setup of the initial PA devices here is what I think I’m seeing:</P><P>&nbsp;</P><UL><LI>It looks like the configuration is being sync’d not through native PA HA config sync features, but through the cloud formation (CF) template and scripting</LI><LI>It looks like they may be using CF to set the necessary AWS routing to support egress filtering</LI></UL><P>&nbsp;</P><P>I just want to confirm this is the case so we roughly have an understanding of how we’ll how to build this out.</P><P>&nbsp;</P><P>Thanks,</P> Fri, 21 Apr 2017 18:18:27 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-availability-zones/m-p/153672#M40 nrobison 2017-04-21T18:18:27Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-availability-zones/m-p/153675#M41 <P>Hello,</P><P>&nbsp;</P><P>You are correct, our PAN-OS stateful failover solution requires an interface move which cannot happen between subnets and subnets do not span AZs.</P><P><BR />For AZ redundancy, we recommend the load balancer sandwhich covered in the video you referenced. &nbsp;It doesn't track state between AZs but AZ failure is very rare and session restablishment for web based applications is usually transparent for the user.</P><P>&nbsp;</P><P>Make sure you are using the latest template for the auto scaling solution:&nbsp;<A href="https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-1.2" target="_blank">https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-1.2</A></P><P>&nbsp;</P><P>HTH,</P><P><BR />Warby</P> Fri, 21 Apr 2017 18:29:39 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-availability-zones/m-p/153675#M41 Warby 2017-04-21T18:29:39Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-availability-zones/m-p/298618#M711 <P>Hello,</P><P>&nbsp;</P><P>I was investigating this issue. my problem is that I need cross AZ .&nbsp; VPN+NAT</P><P>&nbsp;</P><P>AWS speaking, I could move the EIP of the Trust interface to an ENI on another AZ. And then, update the route tables pointing to the second ENI. This will be with some downtime, which is acceptable as this is based on AZ failure, the other system behind my nat need to recover as well.</P><P>&nbsp;</P><P>On paper, looks good. I'm wondering if there's a way to know with an external tool about the failure and initiate the failover process? and when the route is considered being down? no more ping? how about the WAN down and not the router?</P><P>&nbsp;</P><P>Thanks</P> Thu, 14 Nov 2019 18:24:33 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-availability-zones/m-p/298618#M711 nronica 2019-11-14T18:24:33Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-availability-zones/m-p/298641#M712 <P>Please have a look at our reference architecture for AWS.</P><P><A href="https://www.paloaltonetworks.com/resources/guides/intelligent-architectures-aws-reference-architecture" target="_blank">https://www.paloaltonetworks.com/resources/guides/intelligent-architectures-aws-reference-architecture</A></P><P>&nbsp;</P><P>We have several approaches to Fault Tolerance, most recently including the Transit Gateway.</P> Thu, 14 Nov 2019 18:46:24 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-availability-zones/m-p/298641#M712 jmeurer 2019-11-14T18:46:24Z