https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-alb-alb-sandwich-issue-with-target-group-showing-firewalls/m-p/300946#M723 <P>Are you using FQDN DNAT objects for NLB and ALB?&nbsp; ALB IP addresses change more frequently which is why I mention the static configuration of the DNS servers.&nbsp; Feel free to post your Route Table from the firewall for review.&nbsp;&nbsp;</P><P>&nbsp;</P> Wed, 27 Nov 2019 04:15:15 GMT jmeurer 2019-11-27T04:15:15Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-alb-alb-sandwich-issue-with-target-group-showing-firewalls/m-p/300911#M719 <P>Configuration in AWS<BR />External ALB -&gt; VM-series 300 (in 2 AZ) -&gt; Internal ALB -&gt;webserver<BR />The target group of the external ALB shows unhealthy for port http/80&nbsp;</P><P>&nbsp;</P><P>External NLB -&gt;VM-series 300&nbsp; (in 2 AZ)-&gt; Internal NLB -&gt; webserver<BR />The target group of the external NLB shows healthy for port tcp/80 consistently&nbsp;</P><P>&nbsp;</P><P>Why is the external ALB target group showing unhealthy ? randomly it goes healthy and then toggles&nbsp;</P><P>Security Groups are open to all on the untrusted interface.</P><P>&nbsp;</P> Wed, 27 Nov 2019 00:38:08 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-alb-alb-sandwich-issue-with-target-group-showing-firewalls/m-p/300911#M719 SatishNair 2019-11-27T00:38:08Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-alb-alb-sandwich-issue-with-target-group-showing-firewalls/m-p/300935#M721 <P>Watch your routes on the firewall.&nbsp; The ALB fires its health probes cross zone.&nbsp; If you are using DHCP on your interfaces, ensure that <U>only</U> your Untrust interface is configured to import the Default route.&nbsp; You will then want to put a static route for any internal subnets that are not directly connected to your Trust interface subnet pointing to the first IP of your trust subnet.</P><P>&nbsp;</P><P>Additionally, change your management interface a static DNS server set to the second IP address of the VPC CIDR.&nbsp; We had an issue in older versions of 8.1 where we were not importing the DHCP assigned DNS server.</P> Wed, 27 Nov 2019 01:09:55 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-alb-alb-sandwich-issue-with-target-group-showing-firewalls/m-p/300935#M721 jmeurer 2019-11-27T01:09:55Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-alb-alb-sandwich-issue-with-target-group-showing-firewalls/m-p/300942#M722 <P>The addresses are static and the default routes are correct. We use the transit gateway to connect to other accounts. In addition using an NLB in a sandwich mode works without issues.</P> Wed, 27 Nov 2019 04:00:10 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-alb-alb-sandwich-issue-with-target-group-showing-firewalls/m-p/300942#M722 SatishNair 2019-11-27T04:00:10Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-alb-alb-sandwich-issue-with-target-group-showing-firewalls/m-p/300946#M723 <P>Are you using FQDN DNAT objects for NLB and ALB?&nbsp; ALB IP addresses change more frequently which is why I mention the static configuration of the DNS servers.&nbsp; Feel free to post your Route Table from the firewall for review.&nbsp;&nbsp;</P><P>&nbsp;</P> Wed, 27 Nov 2019 04:15:15 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-alb-alb-sandwich-issue-with-target-group-showing-firewalls/m-p/300946#M723 jmeurer 2019-11-27T04:15:15Z