AWS Availability Zones

L1 Bithead

For background, here is the scenario:

Initially we were looking at a high-availability setup with 2 VM appliances; however, that approach is restricted to a single AZ because of how the “floating IP / ENI” works.

However, this environment will span multiple AZs for redundancy, and there is a published Palo Alto video on how they do this: https://www.youtube.com/watch?time_continue=130&v=xiPZHzdNRmI

I’m re-watching it again, but based on my setup of the initial PA devices, here is what I think I’m seeing:

  • It looks like the configuration is being synced not through native PA HA config sync features, but through the CloudFormation (CF) template and scripting
  • It looks like they may be using CF to set the necessary AWS routing to support egress filtering

I just want to confirm this is the case so we roughly have an understanding of how we’ll need to build this out.

 

Thanks,

Palo Alto Networks Guru

Re: AWS Availability Zones

Hello,

You are correct: our PAN-OS stateful failover solution requires an interface move, which cannot happen between subnets, and subnets do not span AZs.

For AZ redundancy, we recommend the load balancer sandwich covered in the video you referenced. It doesn't track state between AZs, but AZ failure is very rare and session re-establishment for web-based applications is usually transparent for the user.

Make sure you are using the latest template for the auto scaling solution: https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-1.2

 

HTH,

Warby
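The answer above rests on two AWS facts: an ENI can only be moved within its subnet, and a subnet lives in one AZ. The following is an added example (not code from this thread or from Palo Alto's templates) that checks both constraints against ENI and route-table descriptions shaped like boto3 `describe_network_interfaces` / `describe_route_tables` output; every identifier and record in it is constructed, and the hypothetical `SUBNET_AZ` map stands in for a `describe_subnets` lookup.

```python
# Constructed ENI descriptions for the dataplane interface of two firewalls.
ENIS = [
    {"NetworkInterfaceId": "eni-aaaa1111", "SubnetId": "subnet-1a",
     "AvailabilityZone": "us-east-1a", "Description": "fw-1 eth1/1"},
    {"NetworkInterfaceId": "eni-bbbb2222", "SubnetId": "subnet-1b",
     "AvailabilityZone": "us-east-1b", "Description": "fw-2 eth1/1"},
]

# Constructed route tables: each private subnet's default route should hand
# egress to a firewall ENI in its own AZ. The second table is deliberately
# wrong (it sends us-east-1b traffic to the us-east-1a firewall).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-1a",
     "Associations": [{"SubnetId": "subnet-priv-1a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0",
                 "NetworkInterfaceId": "eni-aaaa1111"}]},
    {"RouteTableId": "rtb-1b",
     "Associations": [{"SubnetId": "subnet-priv-1b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0",
                 "NetworkInterfaceId": "eni-aaaa1111"}]},
]
# Hypothetical subnet -> AZ map (would come from describe_subnets).
SUBNET_AZ = {"subnet-priv-1a": "us-east-1a", "subnet-priv-1b": "us-east-1b"}


def ha_design(enis):
    """'eni-move' if a PAN-OS interface-move failover pair is possible
    (all ENIs share one subnet, hence one AZ), else 'lb-sandwich'."""
    subnets = {e["SubnetId"] for e in enis}
    return "eni-move" if len(subnets) == 1 else "lb-sandwich"


def cross_az_egress_routes(route_tables, enis, subnet_az):
    """Return (route table id, ENI id) pairs whose 0.0.0.0/0 target is a
    firewall ENI in a different AZ than the subnet using that table."""
    eni_az = {e["NetworkInterfaceId"]: e["AvailabilityZone"] for e in enis}
    bad = []
    for rt in route_tables:
        for assoc in rt["Associations"]:
            az = subnet_az[assoc["SubnetId"]]
            for r in rt["Routes"]:
                target = r.get("NetworkInterfaceId")
                if (r.get("DestinationCidrBlock") == "0.0.0.0/0"
                        and target and eni_az.get(target) != az):
                    bad.append((rt["RouteTableId"], target))
    return bad
```

With the constructed data, `ha_design(ENIS)` returns `lb-sandwich` because the two firewalls sit in different subnets, and `cross_az_egress_routes` flags `rtb-1b` for routing egress across AZs.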
