AWS ELB one to one relationship with backend


AWS ELB one to one relationship with backend

L2 Linker

According to the documentation, if you don't have an ELB sandwich then there is a one-to-one relationship between the firewall and the back-end server. I spoke to support and the answer was the fact that you can only have one ENI attached per subnet. My customer has an existing IaaS stack and wanted only 1 FW per AZ. But the proxy servers in the private subnet autoscale.


This does not appear possible. Can someone explain in more detail how this constraint works? Options would be to put an internal ELB

from the documentation


1 accepted solution

Accepted Solutions

L5 Sessionator

We definitely need more context. You can have one ENI per subnet, but in that subnet you can have multiple backend resources. So, as @BatD referenced, you can secure multiple servers with a firewall. If you have multiple resources in multiple subnets and you would like to secure them via the firewall, then you need to add more ENIs and configure multiple zones. The VM-Series can have up to 7 dataplane interfaces + 1 management interface, depending on the machine type used in AWS.


https://www.paloaltonetworks.com/documentation/71/virtualization/virtualization/set-up-the-vm-series...
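The point of the accepted answer is that the firewall needs one dataplane ENI (and one zone) per subnet it protects, not per backend instance, so proxies autoscaling inside a single private subnet add no interfaces. The small planner below, which is an added example and not code from the original thread or from Palo Alto Networks, makes that rule concrete: it groups constructed sample backends by AZ and subnet, counts the trust-side ENIs needed, adds an assumed one untrust ENI per AZ, and checks the total against the 7-dataplane-interface ceiling quoted above (the real ceiling depends on the AWS instance type, so it is a parameter). The `Backend` type, the subnet IDs and the `untrust_enis_per_az` parameter are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption taken from the accepted answer: up to 7 dataplane interfaces
# plus management. The true limit depends on the instance type, so it is
# left configurable rather than hard-coded into the logic.
MAX_DATAPLANE_ENIS = 7


@dataclass(frozen=True)
class Backend:
    """One backend resource, e.g. an autoscaled proxy. Constructed sample type."""
    name: str
    az: str
    subnet_id: str


def plan_firewall_interfaces(backends, untrust_enis_per_az=1,
                             max_dataplane=MAX_DATAPLANE_ENIS):
    """Per AZ: one trust ENI/zone per subnet that holds backends, plus the
    assumed untrust ENI(s), and whether that fits a single VM-Series."""
    by_az = defaultdict(lambda: defaultdict(list))
    for b in backends:
        by_az[b.az][b.subnet_id].append(b.name)

    plan = {}
    for az, subnets in sorted(by_az.items()):
        trust_enis = len(subnets)          # one ENI per protected subnet
        total = trust_enis + untrust_enis_per_az
        plan[az] = {
            # zone name -> backends it protects; scaling a subnet changes
            # only this list, never the ENI count
            "trust_zones": {sn: sorted(names) for sn, names in sorted(subnets.items())},
            "dataplane_enis_required": total,
            "fits_one_firewall": total <= max_dataplane,
        }
    return plan


# Constructed sample: three autoscaled proxies share one private subnet in
# us-east-1a, a second tier sits in another subnet there, and one proxy
# lives in us-east-1b.
SAMPLE_BACKENDS = [
    Backend("proxy-1", "us-east-1a", "subnet-priv-1a"),
    Backend("proxy-2", "us-east-1a", "subnet-priv-1a"),
    Backend("proxy-3", "us-east-1a", "subnet-priv-1a"),
    Backend("app-1", "us-east-1a", "subnet-app-1a"),
    Backend("proxy-4", "us-east-1b", "subnet-priv-1b"),
]

if __name__ == "__main__":
    for az, p in plan_firewall_interfaces(SAMPLE_BACKENDS).items():
        print(az, p["dataplane_enis_required"], "ENIs,",
              "fits" if p["fits_one_firewall"] else "does NOT fit", p["trust_zones"])
```

With the sample data, us-east-1a needs 3 dataplane ENIs (two trust subnets plus untrust) and us-east-1b needs 2, so one firewall per AZ works; only spreading backends across more than six subnets in a single AZ would push past the quoted limit.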


2 REPLIES

L4 Transporter

I see that no one answered your question and I can try to help, but it is not quite clear what you are trying to do.

I am not sure where you had that from, but taken out of context both statements are not necessarily correct. You can surely protect multiple web servers with a single firewall without using a load balancer. Also, strictly speaking, you can have more than one ENI per subnet.

