PAN AWS with multiple ELBs

Hi All,

 

I'm deploying a PAN VM in AWS.  The client has multiple ELBs configured and I'm trying to figure out the best way to deploy it.  I haven't found any documentation on Palo Alto's website regarding ELB but did find an architecture from another firewall vendor that would seem to work if there was only a single ELB.

 

The other vendor deploys the firewall the same way Palo Alto does (following the PAN use case scenario).  They then recommend changing the ELB to point to the firewall ENI in the public subnet instead of the front end web servers ENI.  The firewall's NAT configuration then forwards the traffic to the front end web server.

 

My question is what is Palo Alto's recommended deployment in an elastic load balancing deployment and especially if multiple ELBs are configured?

 

Client setup:

 

ELB 1:  dev.company.com load balances to 2 web servers in different subnets in the same AZ
ELB 2:  prod.company.com load balances to 2 web servers in different subnets in the same AZ.

 

I set up the PAN VM the recommended way.  A single ENI in each subnet:  public, private-dev1, private-dev2, private-prod1, private-prod2.

 

My first thought was to do the following:

1. Reconfigure the ELBs to point to the PAN interface in the public subnet.

2. Set up ELB to port forward.  They would listen on port 80/443 and forward to 8081-4/4433-6.

3. The PAN would then use DNAT with port translation to forward that traffic to the correct server on port 80/443.

 

The problem is that, from a post I read, ELB can't do this.  I don't *think* I can have multiple ELB configurations pointing to the same interface (the PAN ENI in the public subnet).

 

Anyone have a recommendation or experience setting up ELB with a PAN VM?

 

Thanks!

Matt
