How to architect Virtual PANs with AWS ELBs

L0 Member

How to architect Virtual PANs with AWS ELBs

We're at the initial stages of architecting our AWS environment and are considering using PANs to secure North/South traffic. The problem I am running into is the network design of how to get traffic to flow through the virtual PANs from the internet on their way to the front-end web servers. The difficulty we're having is that ELBs (Elastic Load Balancers) use both dynamic external and internal IP addresses. DNS for your site is directed to the ELB IPs by CNAMEs that AWS controls. Because AWS PANs only support Layer 3 routing, I'm not sure of the best way to insert the PAN between the dynamically changing ELBs and the front ends. The design of course has to account for multiple AZs (availability zones), and we'd plan on having a PAN in each AZ. Has anyone set up a PAN, or any network AMI, behind an ELB before, and how did you architect it? ~ Jason

Good article explaining how AWS's ELB works: http://aws.amazon.com/articles/1636185810492479

L0 Member

Re: How to architect Virtual PANs with AWS ELBs

Did you figure this out? I am trying to figure out how to put my AWS Palo box in front of an ELB right now.

L3 Networker

Re: How to architect Virtual PANs with AWS ELBs

I know this is old, but I felt that some type of reply should be made.

I'm dealing with the same issue for a client, with the only difference being they have multiple ELBs to deal with. I started a new post hoping that would help get a response. Here's the link: https://live.paloaltonetworks.com/t5/General-Topics/PAN-AWS-with-multiple-ELBs/m-p/69415#M40288

Anyway, I brainstormed with other PAN engineers and it just isn't viable at this time. Hopefully, as Amazon adds features to ELB and Palo Alto continues their development of the product, it will become viable. Here are the issues we discussed:

1. The Palo Alto VM is limited to 1Gb throughput. I don't see this being any different for any other vendor because it's limited to the IO, vCPU & vRAM provided to any AMI. The point behind ELB and especially auto scaling is performance (& fault tolerance). The AMI becomes a bottleneck.

2. You've created a single point of failure. Traffic has to go through a single ENI on the firewall.

3. Auto-scaling. The firewall would need to dynamically create new NATs every time a new instance is spun up, and everything that goes along with that.

From an architecture standpoint, if you put the firewall in front of the ELB (use an internal ELB instead of an Internet ELB) that would solve some issues, but you still have the bandwidth/performance issues to deal with.

Matt
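The two moving parts named in this thread, the ELB node IPs that AWS changes without notice (Jason's question) and the backend NAT entries that churn with every auto-scaling event (Matt's issue 3), are the same reconciliation problem: the firewall's per-AZ NAT/route state has to be recomputed from the current ELB and backend addresses on every change. The script below is an added example, not code from the thread, from Palo Alto Networks or from AWS; it models that reconciliation in plain Python with no PAN-OS or AWS API calls. The AZ names, subnet CIDRs, ELB node IPs and backend IPs are all constructed, and the assumption that an ELB node only forwards to backends in its own AZ (cross-zone load balancing off) is a modelling choice, not something the thread states.

```python
"""Reconcile per-AZ firewall NAT state against dynamic ELB node IPs and
auto-scaled backends.  Added example; every address below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Set, Tuple

# Constructed subnet plan: one firewall (PAN) per AZ, as the thread proposes.
AZ_SUBNETS = {
    "us-east-1a": ip_network("10.0.1.0/24"),
    "us-east-1b": ip_network("10.0.2.0/24"),
}


@dataclass(frozen=True)
class NatRule:
    """One NAT entry the firewall in `az` must hold.

    src is an ELB node IP (replaced whenever AWS scales or re-homes the ELB);
    dst is a backend web server IP (added/removed by auto-scaling)."""
    az: str
    src: str
    dst: str
    port: int = 80


def az_for(ip: str) -> str:
    """Map an address to the AZ whose subnet contains it (hypothetical plan)."""
    addr = ip_address(ip)
    for az, net in AZ_SUBNETS.items():
        if addr in net:
            return az
    raise ValueError(f"{ip} is not in any known AZ subnet")


def desired_rules(elb_ips: Set[str], backends: Set[str]) -> Set[NatRule]:
    """Rules required right now: each ELB node -> each backend in the same AZ,
    handled by that AZ's firewall (assumes cross-zone balancing is off)."""
    rules: Set[NatRule] = set()
    for src in elb_ips:
        az = az_for(src)
        for dst in backends:
            if az_for(dst) == az:
                rules.add(NatRule(az, src, dst))
    return rules


def reconcile(current: Set[NatRule],
              desired: Set[NatRule]) -> Tuple[Set[NatRule], Set[NatRule]]:
    """Return (rules to add, rules to remove) to move `current` to `desired`."""
    return desired - current, current - desired


def group_by_az(rules: Set[NatRule]) -> Dict[str, Set[NatRule]]:
    """Split a rule set by AZ, i.e. by which firewall must receive the change."""
    out: Dict[str, Set[NatRule]] = {}
    for r in rules:
        out.setdefault(r.az, set()).add(r)
    return out


def simulate_drift() -> Tuple[Set[NatRule], Set[NatRule]]:
    """Two constructed snapshots: AWS replaces the 1a ELB node and auto-scaling
    adds a backend in 1b.  Returns the (add, remove) churn between them."""
    snap1 = desired_rules({"10.0.1.10", "10.0.2.10"},
                          {"10.0.1.50", "10.0.2.50"})
    snap2 = desired_rules({"10.0.1.11", "10.0.2.10"},        # 1a node replaced
                          {"10.0.1.50", "10.0.2.50", "10.0.2.51"})  # scale-out in 1b
    return reconcile(snap1, snap2)


if __name__ == "__main__":
    added, removed = simulate_drift()
    for az, rules in sorted(group_by_az(added).items()):
        print(f"[{az}] add   ", sorted((r.src, r.dst) for r in rules))
    for az, rules in sorted(group_by_az(removed).items()):
        print(f"[{az}] remove", sorted((r.src, r.dst) for r in rules))
```

Running it shows the operational cost Matt describes: a single ELB node replacement plus one scale-out event already requires three rule changes spread across two firewalls, and the ELB-side change invalidates a rule that was correct a moment earlier. A real deployment would have to run this loop on every resolver answer for the ELB's CNAME and on every auto-scaling notification, which is why the thread concludes the design is not viable without dynamic address objects on the firewall.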
