<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Routing public websites via Palo in Azure? in VM-Series in the Public Cloud</title>
    <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-public-websites-via-palo-in-azure/m-p/333993#M848</link>
    <description>&lt;P&gt;I have a pair of VM-300 in a load balancer sandwich configuration in Azure. An internal load balancer is on the inside and handles outbound traffic. An external load balancer is on the outside and is intended for inbound traffic from the internet.&amp;nbsp; I can assign a public IP as the front end of the external load balancer. My first question - can a single external load balancer have multiple public IP front ends defined?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My second question concerns how traffic flows from an internet client to one of my backend servers. This is my understanding - please correct me if I am wrong:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The external interface of each of the two firewalls resides on a privately addressed subnet. Example: 10.1.1.0/24 with fw1 being 10.1.1.4 and fw2 being 10.1.1.5. Each firewall has a default route to the internet via Azure gateway IP 10.1.1.1.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The frontend of the ELB has a public IP 13.75.1.1 described as 'webserver1'. It has a backend pool called webserver1-pool. The real backend webserver is 10.2.2.10. But that is not directly reachable from the LB. And we want the traffic to route via the firewalls.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If I want the LB to forward traffic via the VM-300 pair, then the backend pool members would have to be addresses on subnet 10.1.1.0/24, yes? fw1 could have a secondary IP of 10.1.1.11 associated with its external interface. It would then have a NAT rule such that traffic destined for 10.1.1.11 is destination NATted to go to 10.2.2.10.&lt;/P&gt;&lt;P&gt;Similarly, fw2 could have a secondary IP of 10.1.1.12 associated with its external interface. It would then have a NAT rule such that traffic destined for 10.1.1.12 is destination NATted to go to 10.2.2.10.&lt;/P&gt;&lt;P&gt;Therefore the backend pool defined on the ELB would have members webserver1a 10.1.1.11 and webserver1b 10.1.1.12.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Would each firewall also have to source NAT the traffic so the real server's replies path correctly? Or will that just work?&lt;/P&gt;&lt;P&gt;Is there a cleaner way of doing this? Having multiple NATs is a pain.&amp;nbsp; Having to use the firewall's external interface subnet for all NATs is also awkward.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 18 Jun 2020 08:24:05 GMT</pubDate>
    <dc:creator>JimMcGrady</dc:creator>
    <dc:date>2020-06-18T08:24:05Z</dc:date>
    <item>
      <title>Routing public websites via Palo in Azure?</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-public-websites-via-palo-in-azure/m-p/333993#M848</link>
      <description>&lt;P&gt;I have a pair of VM-300 in a load balancer sandwich configuration in Azure. An internal load balancer is on the inside and handles outbound traffic. An external load balancer is on the outside and is intended for inbound traffic from the internet.&amp;nbsp; I can assign a public IP as the front end of the external load balancer. My first question - can a single external load balancer have multiple public IP front ends defined?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My second question concerns how traffic flows from an internet client to one of my backend servers. This is my understanding - please correct me if I am wrong:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The external interface of each of the two firewalls resides on a privately addressed subnet. Example: 10.1.1.0/24 with fw1 being 10.1.1.4 and fw2 being 10.1.1.5. Each firewall has a default route to the internet via Azure gateway IP 10.1.1.1.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The frontend of the ELB has a public IP 13.75.1.1 described as 'webserver1'. It has a backend pool called webserver1-pool. The real backend webserver is 10.2.2.10. But that is not directly reachable from the LB. And we want the traffic to route via the firewalls.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If I want the LB to forward traffic via the VM-300 pair, then the backend pool members would have to be addresses on subnet 10.1.1.0/24, yes? fw1 could have a secondary IP of 10.1.1.11 associated with its external interface. It would then have a NAT rule such that traffic destined for 10.1.1.11 is destination NATted to go to 10.2.2.10.&lt;/P&gt;&lt;P&gt;Similarly, fw2 could have a secondary IP of 10.1.1.12 associated with its external interface. It would then have a NAT rule such that traffic destined for 10.1.1.12 is destination NATted to go to 10.2.2.10.&lt;/P&gt;&lt;P&gt;Therefore the backend pool defined on the ELB would have members webserver1a 10.1.1.11 and webserver1b 10.1.1.12.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Would each firewall also have to source NAT the traffic so the real server's replies path correctly? Or will that just work?&lt;/P&gt;&lt;P&gt;Is there a cleaner way of doing this? Having multiple NATs is a pain.&amp;nbsp; Having to use the firewall's external interface subnet for all NATs is also awkward.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jun 2020 08:24:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-public-websites-via-palo-in-azure/m-p/333993#M848</guid>
      <dc:creator>JimMcGrady</dc:creator>
      <dc:date>2020-06-18T08:24:05Z</dc:date>
    </item>
    <item>
      <title>Re: Routing public websites via Palo in Azure?</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-public-websites-via-palo-in-azure/m-p/334079#M850</link>
      <description>&lt;P&gt;You are on the right track; you don't actually need secondary IPs on the Untrust interface.&amp;nbsp; We typically use Port Address Translation.&amp;nbsp; The Load Balancer backend would be the firewall's Untrust interface IP on a custom port such as 4431.&amp;nbsp; The load balancer rule would then map the front end IP on the standard port to the backend pool on the non-standard port.&amp;nbsp; The firewall performs both source and destination NAT.&amp;nbsp; The original packet is the non-standard port traffic arriving on Eth1/1; the translated packet sources from interface Eth1/2 and the destination is the actual application on the proper port.&amp;nbsp; We document this path in the reference architecture.&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.paloaltonetworks.com/resources/reference-architectures/azure" target="_blank"&gt;https://www.paloaltonetworks.com/resources/reference-architectures/azure&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jun 2020 14:51:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-public-websites-via-palo-in-azure/m-p/334079#M850</guid>
      <dc:creator>jmeurer</dc:creator>
      <dc:date>2020-06-18T14:51:26Z</dc:date>
    </item>
    <item>
      <title>Re: Routing public websites via Palo in Azure?</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-public-websites-via-palo-in-azure/m-p/334248#M851</link>
      <description>&lt;P&gt;It's my understanding that the Azure external load balancer cannot do port address translation. So I'd need to use an Azure application gateway to do that?&lt;/P&gt;&lt;P&gt;EDIT: I am incorrect. The standard load balancer can use a different port for the backend traffic:&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal" target="_blank"&gt;https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 19 Jun 2020 02:47:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-public-websites-via-palo-in-azure/m-p/334248#M851</guid>
      <dc:creator>JimMcGrady</dc:creator>
      <dc:date>2020-06-19T02:47:54Z</dc:date>
    </item>
    <item>
      <title>Re: Routing public websites via Palo in Azure?</title>
      <link>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-public-websites-via-palo-in-azure/m-p/542293#M1891</link>
      <description>&lt;P&gt;Hi, sorry to ignite an old thread. I am on the same path as the original post right now. My question is - is there a better way compared to doing port address translation to let a client access multiple backend webservers via the Azure load balancer and the PA firewalls? Asking the client to remember port numbers for multiple different backend webservers seems clumsy. Could I get multiple public IPs assigned to the Azure load balancer, each NATted to unique IPs for the backend webservers but routed via the firewalls? How would I need to configure the firewall for that?&amp;nbsp;Thanks&lt;/P&gt;</description>
      <pubDate>Tue, 16 May 2023 10:22:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-public-websites-via-palo-in-azure/m-p/542293#M1891</guid>
      <dc:creator>RintuBoro</dc:creator>
      <dc:date>2023-05-16T10:22:25Z</dc:date>
    </item>
  </channel>
</rss>