This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

AWS Autoscale deploy firewalls only and add to existing NLB target groups

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

AWS Autoscale deploy firewalls only and add to existing NLB target groups

craig.beamish
L1 Bithead

‎07-16-2020 07:37 PM - edited ‎07-16-2020 07:58 PM

I've read the doccos on the current versions of AWS autoscale and they all seem very convoluted and create new applications and load balancers.

What I am trying to achieve is to just scale the firewalls only and add to existing target groups and have Panorama push the configuration down. I know that version 2.1 does this but it looks as though its pre compiled lambda scripts do everything, so what bits do I need to remove in order to take it down to just scale the firewall without the backend applications (they are managed separately behind internal loadbalancers)

This seems like it *shouldn't* be that hard but its proving nightmarish. the AWS autoscale groups won't allow the launch template to have multiple network interfaces so that screws the first bit. no worries, that can be handled with a lambda function right? just need to trigger it with the scale out and scale in events of the autoscale group.  
Has anyone done this method? successfully?

surely i'm not the first person to want to do this implementation strategy

 

any insight would be great. 

Craig

0 Likes Likes
1 REPLY 1

craig.beamish
L1 Bithead

‎07-22-2020 08:08 PM

Got there in the end.

Had to butcher the Palo github python scripts (also clean a LOT of the errors and inconsistencies in there. that code realllly needs reviewing and error checking)
removed anything referencing nlb/alb and it worked fine from there.

Also had to add some steps in for firewall initilisation, as the 9.1.3 images im using are failing the panorama auto commit (saying loopback.1 has no VR configured, must be a problem in panorama pushed template?) so had to create a loop to look for that and revert configuration, update the masterkey (because the templates have no consideration for following best practices?) and then force template values in a template-stack commit from panorama before pushing the shared policies. 

Will document all the changes and submit to the repo in a fault ticket for the owners to fix. 

0 Likes Likes
  • 2849 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks