https://live.paloaltonetworks.com/t5/general-topics/how-to-architect-virtual-pans-with-aws-elbs/m-p/69532#M40320 <P>I know this is old but I felt that some type of reply should be made.</P> <P>&nbsp;</P> <P>I'm dealing with the same issue for a client with the only difference being they have multiple ELBs to deal with.&nbsp; I started a new post hoping that would help get a response.&nbsp; Here's the link:&nbsp; <A href="https://live.paloaltonetworks.com/t5/General-Topics/PAN-AWS-with-multiple-ELBs/m-p/69415#M40288" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/PAN-AWS-with-multiple-ELBs/m-p/69415#M40288</A></P> <P>&nbsp;</P> <P>Anyway, I brainstormed with other PAN engineers and it just isn't viable at this time.&nbsp; Hopefully as Amazon adds features to ELB and Palo Alto continues their development of the product it will become viable.&nbsp; Here's the issues we discussed:</P> <P>&nbsp;</P> <P>1. The Palo Alto VM is limited to 1Gb throughput.&nbsp; I don't see this being any different for any other vendor because its limited to IO, vCPU &amp; vRAM provided to any AMI.&nbsp; The point behind ELB and especially auto scaling is performance (&amp; fault tolerance).&nbsp; The AMI becomes a bottleneck.</P> <P>&nbsp;</P> <P>2. You've created a single point of failure.&nbsp; Traffic has to go through a single ENI on the firewall.</P> <P>&nbsp;</P> <P>3. Auto-scaling.&nbsp; The firewall would need to dynamically create new NATs every time a new instance is spun up and everything that goes along with that.</P> <P>&nbsp;</P> <P>From an architecture standpoint, if you put the firewall in front the of ELB (use an internal ELB instead of Internet ELB) that would solve some issues but you still have the bandwidth/performance issues to deal with.</P> <P>&nbsp;</P> <P>Matt</P> Wed, 16 Dec 2015 05:06:31 GMT CafNetMatt 2015-12-16T05:06:31Z https://live.paloaltonetworks.com/t5/general-topics/how-to-architect-virtual-pans-with-aws-elbs/m-p/37992#M27812 <HTML><HEAD></HEAD><BODY><P>We're at the initial stages of architecting our AWS environment and are considering using PANs to secure North/South traffic. The problem I am running into is the network design of how to get traffic to flow through the virtual PANs from the internet on their way to the front end web servers. The difficulty we're having is ELBs (Elastic Load Balancers) use both dynamic external and internal IP addresses. DNS for your site is directed to the ELB IPs by CNAMEs AWS controls. Because AWS PANs only support Layer 3 routing I'm not sure the best way to insert the PAN between the dynamically changing ELBs and the front ends. The design of course has to account for multiple AZs (availability zones) and we'd plan on having a PAN in each AZ. Has anyone setup a PAN, or any network AMI, behind an ELB before and how did you architect it? ~ Jason</P><P></P><P><SPAN>Good article expalining how AWS's ELB works: </SPAN><A class="jive-link-external-small" href="http://aws.amazon.com/articles/1636185810492479" rel="nofollow">http://aws.amazon.com/articles/1636185810492479</A></P></BODY></HTML> Fri, 27 Feb 2015 18:47:24 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-architect-virtual-pans-with-aws-elbs/m-p/37992#M27812 jjavier 2015-02-27T18:47:24Z https://live.paloaltonetworks.com/t5/general-topics/how-to-architect-virtual-pans-with-aws-elbs/m-p/37993#M27813 <HTML><HEAD></HEAD><BODY><P>Did you figure this out? I am trying to figure out how to put my Aws palo box in front of an elb right now..</P></BODY></HTML> Wed, 15 Apr 2015 01:04:45 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-architect-virtual-pans-with-aws-elbs/m-p/37993#M27813 UmslMark 2015-04-15T01:04:45Z https://live.paloaltonetworks.com/t5/general-topics/how-to-architect-virtual-pans-with-aws-elbs/m-p/69532#M40320 <P>I know this is old but I felt that some type of reply should be made.</P> <P>&nbsp;</P> <P>I'm dealing with the same issue for a client with the only difference being they have multiple ELBs to deal with.&nbsp; I started a new post hoping that would help get a response.&nbsp; Here's the link:&nbsp; <A href="https://live.paloaltonetworks.com/t5/General-Topics/PAN-AWS-with-multiple-ELBs/m-p/69415#M40288" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/PAN-AWS-with-multiple-ELBs/m-p/69415#M40288</A></P> <P>&nbsp;</P> <P>Anyway, I brainstormed with other PAN engineers and it just isn't viable at this time.&nbsp; Hopefully as Amazon adds features to ELB and Palo Alto continues their development of the product it will become viable.&nbsp; Here's the issues we discussed:</P> <P>&nbsp;</P> <P>1. The Palo Alto VM is limited to 1Gb throughput.&nbsp; I don't see this being any different for any other vendor because its limited to IO, vCPU &amp; vRAM provided to any AMI.&nbsp; The point behind ELB and especially auto scaling is performance (&amp; fault tolerance).&nbsp; The AMI becomes a bottleneck.</P> <P>&nbsp;</P> <P>2. You've created a single point of failure.&nbsp; Traffic has to go through a single ENI on the firewall.</P> <P>&nbsp;</P> <P>3. Auto-scaling.&nbsp; The firewall would need to dynamically create new NATs every time a new instance is spun up and everything that goes along with that.</P> <P>&nbsp;</P> <P>From an architecture standpoint, if you put the firewall in front the of ELB (use an internal ELB instead of Internet ELB) that would solve some issues but you still have the bandwidth/performance issues to deal with.</P> <P>&nbsp;</P> <P>Matt</P> Wed, 16 Dec 2015 05:06:31 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-architect-virtual-pans-with-aws-elbs/m-p/69532#M40320 CafNetMatt 2015-12-16T05:06:31Z