AWS Autoscale deploy firewalls only and add to existing NLB target groups

Showing results for 
Show  only  | Search instead for 
Did you mean: 

AWS Autoscale deploy firewalls only and add to existing NLB target groups

L1 Bithead

I've read the doccos on the current versions of AWS autoscale and they all seem very convoluted and create new applications and load balancers.

What I am trying to achieve is to just scale the firewalls only and add to existing target groups and have Panorama push the configuration down. I know that version 2.1 does this but it looks as though its pre compiled lambda scripts do everything, so what bits do I need to remove in order to take it down to just scale the firewall without the backend applications (they are managed separately behind internal loadbalancers)

This seems like it *shouldn't* be that hard but its proving nightmarish. the AWS autoscale groups won't allow the launch template to have multiple network interfaces so that screws the first bit. no worries, that can be handled with a lambda function right? just need to trigger it with the scale out and scale in events of the autoscale group.  
Has anyone done this method? successfully?

surely i'm not the first person to want to do this implementation strategy


any insight would be great. 



L1 Bithead

Got there in the end.

Had to butcher the Palo github python scripts (also clean a LOT of the errors and inconsistencies in there. that code realllly needs reviewing and error checking)
removed anything referencing nlb/alb and it worked fine from there.

Also had to add some steps in for firewall initilisation, as the 9.1.3 images im using are failing the panorama auto commit (saying loopback.1 has no VR configured, must be a problem in panorama pushed template?) so had to create a loop to look for that and revert configuration, update the masterkey (because the templates have no consideration for following best practices?) and then force template values in a template-stack commit from panorama before pushing the shared policies. 

Will document all the changes and submit to the repo in a fault ticket for the owners to fix. 

  • 1 replies
  • 85 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!