We're at the initial stages of architecting our AWS environment and are considering using PANs to secure North/South traffic. The problem I am running into is the network design of how to get traffic to flow through the virtual PANs from the internet on their way to the front end web servers. The difficulty we're having is ELBs (Elastic Load Balancers) use both dynamic external and internal IP addresses. DNS for your site is directed to the ELB IPs by CNAMEs AWS controls. Because AWS PANs only support Layer 3 routing I'm not sure the best way to insert the PAN between the dynamically changing ELBs and the front ends. The design of course has to account for multiple AZs (availability zones) and we'd plan on having a PAN in each AZ. Has anyone setup a PAN, or any network AMI, behind an ELB before and how did you architect it? ~ Jason
Good article expalining how AWS's ELB works: http://aws.amazon.com/articles/1636185810492479
I know this is old but I felt that some type of reply should be made.
I'm dealing with the same issue for a client with the only difference being they have multiple ELBs to deal with. I started a new post hoping that would help get a response. Here's the link: https://live.paloaltonetworks.com/t5/General-Topics/PAN-AWS-with-multiple-ELBs/m-p/69415#M40288
Anyway, I brainstormed with other PAN engineers and it just isn't viable at this time. Hopefully as Amazon adds features to ELB and Palo Alto continues their development of the product it will become viable. Here's the issues we discussed:
1. The Palo Alto VM is limited to 1Gb throughput. I don't see this being any different for any other vendor because its limited to IO, vCPU & vRAM provided to any AMI. The point behind ELB and especially auto scaling is performance (& fault tolerance). The AMI becomes a bottleneck.
2. You've created a single point of failure. Traffic has to go through a single ENI on the firewall.
3. Auto-scaling. The firewall would need to dynamically create new NATs every time a new instance is spun up and everything that goes along with that.
From an architecture standpoint, if you put the firewall in front the of ELB (use an internal ELB instead of Internet ELB) that would solve some issues but you still have the bandwidth/performance issues to deal with.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!