I would like to know whether the Auto Scaling the VM-Series on AWS feature and the load balancing feature support non-HTTP/HTTPS traffic or not.
NLB-->Auto Scaling the VM-Series-->backend server
Yes, you can deploy our V2.0 Autoscaling template from GitHub, you will have an ALB externally with an autoscale group (ASG) for the firewall. You can then manually create the NLB with a Target Group pointing to the firewall. You would then update the ASG with the new target group. Any autoscaling events that occur will add or remove the firewall from the NLB's target group.
I would set it up in parallel, there are some other automations that you could impact by deleting the ALB entirely. You can delete the Listener rule so it does not handle any traffic.
I have already deployed V2.0 Autoscaling template from GitHub for http/https traffic.
ALB--->Auto-Scale Palo Alto firewall --->NLB--->Backend Server
But now my requirement is for non-HTTP/HTTPS traffic: will the Autoscaling feature support it or not? If yes, could you let me know how to deploy it, or which template needs to be used?
Proposed traffic flow:
NLB--->Auto-Scale Palo Alto firewall--->Backend server
NLB--->Auto-Scale Palo Alto firewall--->NLB-->Backend server
Either of the proposed flow will work, it just depends on if you need LB in front of your backend servers.
As for what to change.
1. Create the front door NLB.
2. Add the Firewall Untrust side to the Target Group of the newly created NLB.
3. Add the newly created Target Group to the "Target Groups" field on the Details tab of the Firewall Autoscale Groups created by the ALB CFT.
I did the same thing but am getting "None of these Availability Zones contains a healthy target. Requests are being routed to all targets."
1. Created an NLB in the front door and backend.
2. Deployed the VM-Series Auto Scaling Template for AWS (v2.0)
3. Removed the listener rules in the ALB.
4. Front door NLB routed to the Auto Scaling group.
5. Backend NLB routed to the backend target group.
6. Tested from the internal backend NLB to the backend target group, which is working perfectly.
What I found is that I am stuck on the integration from the Auto Scaling group to the backend NLB. How do I do that? And is the unhealthy status due to the Auto Scaling group to backend NLB integration, or some other reason?
NLB-->VM-Series Auto Scaling-->NLB-->Target Group backend server
Did you create a Security policy allowing the traffic and a corresponding NAT rule to map the traffic to the internal NLB? The NLB sends the health probes on the port that the backend servers are configured on unless you have overridden that port.
Finally, it works for me after configuring destination NAT and a security policy, and swapping the mgmt interface on one of the Auto Scaling Palo Alto instances.
But this won't fulfill our expectation, as it mixes template and manual configuration, which are not compatible with each other.
This is because there are many things we need to change during scaling in and out.
I'm giving one example below:
Whenever scaling in happens, we have to register the scaled-in instances with the front door NLB listener rules for it to work. So in a real-time production environment it is not possible to monitor when scaling happens and add them immediately.
Both NLBs can be configured manually, but not the auto scaling feature of the Palo Alto firewall.
Is there any template available for an end-to-end solution, i.e. External NLB-->Auto Scaling Palo Alto-->Internal NLB,
or will it be released in the future?
That would be very useful for everyone deploying in a production environment.
The final bits that you have encountered are possible with modification to the Lambda code and either an update to the bootstrap file or integration with Panorama.
Your first example of scale in/out events registering with the NLB is my earlier point of adding the NLB's target group to the Firewall's autoscale group.
The piece that you will need to incorporate into your environment is the addition of the security and NAT policy for the NLB. That is where either addition to the bootstrap or integration with a Panorama Template come into play.
Our PS and Partner community can assist with formalizing a solution for you. I would suggest reaching out to your SE for an introduction.
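The firewall-side piece referred to in the earlier reply (security policy plus a NAT rule mapping the front door traffic to the internal NLB) and here (shipping it via bootstrap or a Panorama template), as an added example in PAN-OS `set` command form. It is not from the thread or the Palo Alto template. The interface and zone names (ethernet1/1 as untrust, ethernet1/2 as trust), the internal NLB DNS name, the rule names and the service port 5432 are assumptions; substitute your own.

```text
# Added example (not the template's configuration). Assumptions: ethernet1/1 = untrust zone,
# ethernet1/2 = trust zone, internal NLB DNS name below, service port 5432.

# FQDN address object for the internal NLB, because its IPs change over time and the
# firewall resolves and refreshes the name itself.
set address int-nlb fqdn internal-backend-nlb-0123456789.elb.us-east-1.amazonaws.com

# Service object for the non-HTTP port the front door NLB forwards to the firewall.
set service svc-tcp-5432 protocol tcp port 5432

# Destination NAT: traffic (including the NLB's TCP health probes) arrives on the untrust
# interface on port 5432; translate the destination to the internal NLB and source-NAT it to
# the trust interface address so the backend's replies return through the same firewall.
# "to untrust" is the pre-NAT destination zone, as PAN-OS NAT rules are matched pre-NAT.
set rulebase nat rules dnat-to-int-nlb from untrust
set rulebase nat rules dnat-to-int-nlb to untrust
set rulebase nat rules dnat-to-int-nlb source any
set rulebase nat rules dnat-to-int-nlb destination any
set rulebase nat rules dnat-to-int-nlb service svc-tcp-5432
set rulebase nat rules dnat-to-int-nlb destination-translation translated-address int-nlb
set rulebase nat rules dnat-to-int-nlb source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# Security policy: security rules see the post-NAT destination zone (trust) but the
# pre-NAT destination address, hence untrust -> trust with the service object only.
set rulebase security rules allow-nlb-to-backend from untrust
set rulebase security rules allow-nlb-to-backend to trust
set rulebase security rules allow-nlb-to-backend source any
set rulebase security rules allow-nlb-to-backend destination any
set rulebase security rules allow-nlb-to-backend application any
set rulebase security rules allow-nlb-to-backend service svc-tcp-5432
set rulebase security rules allow-nlb-to-backend action allow

commit
```

Because firewalls in the autoscale group are created and destroyed by scaling events, this configuration has to be present on every new instance without manual steps: either bake it into the bootstrap configuration the template hands to new firewalls, or push it from a Panorama template and device group that the autoscaled firewalls join on boot. The health check port on the NLB target group must match the service object here; if it is overridden to another port, the NAT and security rules need a matching service entry or the probes are dropped and every target stays unhealthy.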