Multiple public IP configuration on AWS

Reply
L1 Bithead

Multiple public IP configuration on AWS

I require the same ports to be forwarded to different servers in our Amazon VPC. I've set up 2 interfaces each with their own EIPs and attached them to the VM-300. Traffic flows properly to the first server and the IPsec tunnels work through the first interface. Setting up the 2nd public interface with the same settings as the first and creating the necessary security and NAT policies to allow traffic to flow to the 2nd server shows incoming traffic going to that interface's private IP, but the traffic ages out. If I restart the instance, none of the traffic makes it to either server and the IPsec tunnels will not come back up.

Palo Alto Networks Guru

Re: Multiple public IP configuration on AWS

Hi Keith,

 

 

How are you setting up the routing?  If you have two data plane interfaces with public IPs, they cannot both ingest the default route or you will get odd behavior.  You'll need to create a more specific static route on at least one of those interfaces for bringing up the tunnel.


If you have both of the interfaces setup as DHCP, the default setting will be for them both to add the AWS gateway as the default route and you will get unpreditable results.

 

Another test to try is to allow ping to/from both ends of both VPNs and make sure they are routing symmetrically.

 

HTH,


Warby

L1 Bithead

Re: Multiple public IP configuration on AWS

Hi Warby,

 

Yes, I have set both interfaces to use DHCP and using the defaul virtual router.

 

As it is currently configured, I have both public interfaces in the same public subnet of the VPC. Both servers that have traffic forwarded to them from their respective public interfaces with their NAT and security polices are on the same private subnet. All of the IPsec VPN tunnels are on the first public interface.

 

Are you saying I will need to setup a seperate AWS internet gateway and/or a seperate virtual router for each public interface?

 

Thanks.

Palo Alto Networks Guru

Re: Multiple public IP configuration on AWS

If you have both dataplance interfaces configured as the interface for the default route, you will get assymetric routing for one of the interfaces.

 

Easiest solution is to remove the default route from one interface (say E1/2) and then setup a static route to use E1/2 for only the remote IPsec endpoint that should connect to that interface.

 

Then you will need to setup static routes on the tunnel interfaces for the specific routes that should use each of the VPN tunnels.

 

HTH,


Warby

L1 Bithead

Re: Multiple public IP configuration on AWS

All of the IPsec VPN tunnels are on the first interface. My reason for having more than one public interface is for forwarding the same ports to different servers of the public IPs, in this case HTTP and HTTPS.

 

So:

Public subnet:

EIP 0 - Palo management interface

EIP 1 - Palo public interface 1 - ports 80 and 443 of server 1 (NAT and security policies)

     All IPsec VPN tunnels

EIP 2 - Palo public interface 2 - ports 80 and 443 of server 2 (NAT and security policies)

 

Private subnet

Palo private interface as gateway for all servers in the VPC.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!