02-27-2015 10:47 AM
We're at the initial stages of architecting our AWS environment and are considering using PANs to secure North/South traffic. The problem I am running into is the network design of how to get traffic to flow through the virtual PANs from the internet on their way to the front end web servers. The difficulty we're having is that ELBs (Elastic Load Balancers) use both dynamic external and internal IP addresses. DNS for your site is directed to the ELB IPs by CNAMEs AWS controls. Because AWS PANs only support Layer 3 routing, I'm not sure of the best way to insert the PAN between the dynamically changing ELBs and the front ends. The design of course has to account for multiple AZs (availability zones) and we'd plan on having a PAN in each AZ. Has anyone set up a PAN, or any network AMI, behind an ELB before and how did you architect it? ~ Jason
Good article explaining how AWS's ELB works: http://aws.amazon.com/articles/1636185810492479