This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to architect Virtual PANs with AWS ELBs

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to architect Virtual PANs with AWS ELBs

jjavier
L0 Member

‎02-27-2015 10:47 AM

We're at the initial stages of architecting our AWS environment and are considering using PANs to secure North/South traffic. The problem I am running into is the network design of how to get traffic to flow through the virtual PANs from the internet on their way to the front end web servers. The difficulty we're having is ELBs (Elastic Load Balancers) use both dynamic external and internal IP addresses. DNS for your site is directed to the ELB IPs by CNAMEs AWS controls. Because AWS PANs only support Layer 3 routing I'm not sure the best way to insert the PAN between the dynamically changing ELBs and the front ends. The design of course has to account for multiple AZs (availability zones) and we'd plan on having a PAN in each AZ. Has anyone setup a PAN, or any network AMI, behind an ELB before and how did you architect it? ~ Jason

Good article expalining how AWS's ELB works: http://aws.amazon.com/articles/1636185810492479

1 person had this problem.
Labels:
0 Likes Likes
2 REPLIES 2

UmslMark
L0 Member

‎04-14-2015 06:04 PM

Did you figure this out? I am trying to figure out how to put my Aws palo box in front of an elb right now..

0 Likes Likes

CafNetMatt
L3 Networker

‎12-15-2015 09:06 PM

I know this is old but I felt that some type of reply should be made.

 

I'm dealing with the same issue for a client with the only difference being they have multiple ELBs to deal with.  I started a new post hoping that would help get a response.  Here's the link:  https://live.paloaltonetworks.com/t5/General-Topics/PAN-AWS-with-multiple-ELBs/m-p/69415#M40288

 

Anyway, I brainstormed with other PAN engineers and it just isn't viable at this time.  Hopefully as Amazon adds features to ELB and Palo Alto continues their development of the product it will become viable.  Here's the issues we discussed:

 

1. The Palo Alto VM is limited to 1Gb throughput.  I don't see this being any different for any other vendor because its limited to IO, vCPU & vRAM provided to any AMI.  The point behind ELB and especially auto scaling is performance (& fault tolerance).  The AMI becomes a bottleneck.

 

2. You've created a single point of failure.  Traffic has to go through a single ENI on the firewall.

 

3. Auto-scaling.  The firewall would need to dynamically create new NATs every time a new instance is spun up and everything that goes along with that.

 

From an architecture standpoint, if you put the firewall in front the of ELB (use an internal ELB instead of Internet ELB) that would solve some issues but you still have the bandwidth/performance issues to deal with.

 

Matt

0 Likes Likes
  • 3583 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks