Auto Scaling the VM-Series on AWS feature


L1 Bithead

 

I would like to know if the Auto Scaling the VM-Series on AWS feature and the load balancing feature support non-http/https traffic or not?

 

Traffic flow:-

NLB-->Auto Scaling the VM-Series-->backend server

12 REPLIES

L4 Transporter

Yes, you can deploy our V2.0 Autoscaling template from GitHub, you will have an ALB externally with an autoscale group (ASG) for the firewall.  You can then manually create the NLB with a Target Group pointing to the firewall.  You would then update the ASG with the new target group.  Any autoscaling events that occur will add or remove the firewall from the NLB's target group.

 

https://github.com/PaloAltoNetworks/aws-elb-autoscaling

 

 

So, is it basically replacing the external ALB from the V2.0 autoscaling template with a manually built NLB?

I would set it up in parallel; there are some other automations that you could impact by deleting the ALB entirely.  You can delete the Listener rule so it does not handle any traffic.

I have already deployed the V2.0 Autoscaling template from GitHub for http/https traffic.

 

Like:

ALB--->Auto-Scale Palo Alto firewall --->NLB--->Backend Server

 

But now my requirement is for non-http/https traffic; will the Autoscaling feature support it or not? If yes, can you let me know how to deploy it, or which template needs to be used?

 

Proposed Traffic flow:-

NLB--->Auto-Scale Palo Alto firewall--->Backend server 

OR

NLB--->Auto-Scale Palo Alto firewall--->NLB-->Backend server

Either of the proposed flows will work; it just depends on whether you need an LB in front of your backend servers.

 

As for what to change:

 

1. Create the front door NLB.

2. Add the Firewall Untrust side to the Target Group of the newly created NLB.

3. Add the newly created Target Group to the "Target Groups" field on the Details tab of the Firewall Autoscale Groups created by the ALB CFT.

Done the same thing but getting "None of these Availability Zones contains a healthy target. Requests are being routed to all targets."

 

1. Created NLBs for the front door and the backend.

2. Deployed the VM-Series Auto Scaling Template for AWS (v2.0)

3. Removed the listener rules in the ALB.

4. Front-door NLB routed to the Auto Scaling group.

5. Backend NLB routed to backend target group.

6. Tested from the internal backend NLB to the backend target group, which is working perfectly.

 

What I found is that the integration from the Auto Scaling group to the backend NLB is where I am stuck. How to do that? And is the unhealthy status showing due to the Auto Scaling group to backend NLB integration, or some other reason?

 

Traffic Flow:-

NLB-->VM-Series Auto Scaling-->NLB-->Target Group backend server

 

Thanks

KS

 

Did you create a Security policy allowing the traffic and a corresponding NAT rule to map the traffic to the internal NLB?  The NLB sends the health probes on the port that the backend servers are configured on unless you have overridden that port.   

 

Finally, it works for me after configuring Destination NAT and a Security Policy, and swapping the mgmt interface on one of the Auto Scaling Palo Alto instances.

 

But this won't fulfil our expectation, by mixing template and manual configuration, which are not compatible with each other.

Because there are many things we need to change during scaling in and out.

I'm giving one example below:

Whenever scaling in happens we have to register those scaled-in instances to the front door NLB listener rules for it to work. So in a real-time production environment it's not possible to monitor when scaling will happen, and we would have to add it immediately.

 

Both NLBs can be configured manually, but not the auto scaling features of the Palo Alto firewall.

Is there any template available for an end-to-end solution, i.e. External NLB-->Auto Scaling Palo Alto-->Internal NLB,

or will it be released in the future?

That will be more useful for everyone deploying in a Prod environment.

 

Thanks,

KS

The final bits that you have encountered are possible with modification to the Lambda code and either an update to the bootstrap file or integration with Panorama.

 

Your first example of scale in/out events registering with the NLB is my earlier point of adding the NLB's target group to the Firewall's autoscale group.

 

The piece that you will need to incorporate into your environment is the addition of the security and NAT policy for the NLB.  That is where either an addition to the bootstrap or integration with a Panorama Template comes into play.

 

Our PS and Partner community can assist with formalizing a solution for you.  I would suggest reaching out to your SE for an introduction.

 

 

To manage all those firewall instances Panorama is required. So I deployed Panorama, but here the question comes: how to configure NAT rules in Panorama which will be pushed to all the Palo Alto instances.

 

Earlier I tried it with one instance and manually put a destination NAT and it works, but in Panorama how to do it, and how will it apply to all new instances which are created at scaling time?

 

 

Thanks,

KS
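The two open items in this thread (the NAT and security policy the reply above says must come from bootstrap or Panorama, and the question of how a Panorama NAT rule reaches every instance the Auto Scaling group launches) come down to placing the rules in a Panorama device group, since every firewall that joins the group inherits its rulebase. The following is an added example, not Palo Alto Networks' template code and not from the thread: it builds the PAN-OS XML for a destination-NAT rule and the matching security rule and posts them to the device group's pre-rulebase via the Panorama XML API. The device-group name, zone names, address/service object names, port and hostname are all assumptions for illustration; the object names are expected to exist already in the device group.

```python
"""Build a destination-NAT rule plus its security rule for NLB -> VM-Series ->
internal NLB traffic and push both into a Panorama device group (XML API).
Added example: names below are assumptions, not values from the thread."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

DEVICE_GROUP = "vmseries-autoscale-dg"       # hypothetical Panorama device group
UNTRUST_ZONE, TRUST_ZONE = "untrust", "trust"  # assumed zone names from bootstrap
FW_UNTRUST_IP_OBJ = "fw-untrust-ip"           # address object: firewall untrust IP (the NLB target)
INTERNAL_NLB_OBJ = "internal-nlb-fqdn"        # FQDN address object for the internal NLB DNS name
SERVICE_OBJ = "svc-tcp-8080"                  # service object for the backend / health-check port
BACKEND_PORT = 8080                           # assumed backend listener port


def device_group_xpath(device_group, rulebase, rule_type):
    """XPath of a rule list in a Panorama device group (pre-rulebase or post-rulebase)."""
    return ("/config/devices/entry[@name='localhost.localdomain']"
            f"/device-group/entry[@name='{device_group}']"
            f"/{rulebase}/{rule_type}/rules")


def _members(parent, tag, values):
    node = ET.SubElement(parent, tag)
    for value in values:
        ET.SubElement(node, "member").text = value
    return node


def build_dnat_rule(name, untrust_zone, original_dst_obj, translated_obj, port):
    """NAT rules match the pre-NAT packet: the NLB forwards to the firewall's
    untrust IP, so from/to zone are both untrust and the destination is that IP."""
    entry = ET.Element("entry", name=name)
    _members(entry, "from", [untrust_zone])
    _members(entry, "to", [untrust_zone])
    _members(entry, "source", ["any"])
    _members(entry, "destination", [original_dst_obj])
    ET.SubElement(entry, "service").text = "any"
    dnat = ET.SubElement(entry, "destination-translation")
    ET.SubElement(dnat, "translated-address").text = translated_obj
    ET.SubElement(dnat, "translated-port").text = str(port)
    return entry


def build_security_rule(name, untrust_zone, trust_zone, original_dst_obj, service_obj):
    """Security policy uses post-NAT zones but pre-NAT addresses: destination zone
    is trust (where the internal NLB lives), destination address is still the
    firewall's untrust IP.  Limiting service to the backend port also admits the
    NLB health probes, which arrive on that same port."""
    entry = ET.Element("entry", name=name)
    _members(entry, "from", [untrust_zone])
    _members(entry, "to", [trust_zone])
    _members(entry, "source", ["any"])
    _members(entry, "destination", [original_dst_obj])
    _members(entry, "source-user", ["any"])
    _members(entry, "category", ["any"])
    _members(entry, "application", ["any"])
    _members(entry, "service", [service_obj])
    ET.SubElement(entry, "action").text = "allow"
    return entry


def build_rules():
    nat = build_dnat_rule("dnat-to-internal-nlb", UNTRUST_ZONE,
                          FW_UNTRUST_IP_OBJ, INTERNAL_NLB_OBJ, BACKEND_PORT)
    sec = build_security_rule("allow-nlb-to-backend", UNTRUST_ZONE, TRUST_ZONE,
                              FW_UNTRUST_IP_OBJ, SERVICE_OBJ)
    return nat, sec


def build_config_set(device_group=DEVICE_GROUP):
    """Return {xpath: element-xml} for everything that must be pushed."""
    nat, sec = build_rules()
    return {
        device_group_xpath(device_group, "pre-rulebase", "nat"): ET.tostring(nat, encoding="unicode"),
        device_group_xpath(device_group, "pre-rulebase", "security"): ET.tostring(sec, encoding="unicode"),
    }


def describe_rule(entry):
    """Flatten a rule element into a dict for review before pushing."""
    def text(path):
        node = entry.find(path)
        return node.text if node is not None else None
    return {
        "name": entry.get("name"),
        "from": [m.text for m in entry.findall("from/member")],
        "to": [m.text for m in entry.findall("to/member")],
        "destination": [m.text for m in entry.findall("destination/member")],
        "translated_address": text("destination-translation/translated-address"),
        "translated_port": text("destination-translation/translated-port"),
        "action": text("action"),
    }


def push_to_panorama(host, api_key, config_set):
    """POST each element with type=config&action=set.  urllib verifies the TLS
    certificate by default; keep it that way.  A commit on Panorama and a push
    to the device group are still needed for the firewalls to receive the rules."""
    for xpath, element in config_set.items():
        body = urllib.parse.urlencode({"type": "config", "action": "set", "key": api_key,
                                       "xpath": xpath, "element": element}).encode()
        with urllib.request.urlopen(urllib.request.Request(f"https://{host}/api/", data=body)) as resp:
            root = ET.fromstring(resp.read())
            if root.get("status") != "success":
                raise RuntimeError(f"Panorama rejected {xpath}: {ET.tostring(root, encoding='unicode')}")


if __name__ == "__main__":
    for rule in build_rules():
        print(describe_rule(rule))
    # push_to_panorama("panorama.example.internal", "<API-KEY>", build_config_set())  # hypothetical host
```

Because the rules live in the device group rather than on one firewall, a newly launched instance only needs to join that device group (the bootstrap init-cfg.txt `panorama-server`, `dgname`, `tplname` and `vm-auth-key` values do that) to receive them on the next push, which is what makes the configuration survive scale-out events without manual intervention.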

 

Hi,

 

I'm able to deploy Panorama to manage all the instances when scaling in happens.

In Panorama I configured the device group and assigned the template stack name which I deployed.

Also checked that connectivity is fine by doing a ping test from Panorama. But still the instances are not updating automatically to Panorama.

Could you please help on this.

 

Thanks,

KS
