AWS: Deployment in Sandwich



L2 Linker

Hi Team,


We have deployed PA-VM in a Sandwich architecture on AWS. During the PA-VM deployment we swapped the management interface. In the application load balancer both PA-VMs are showing as Unhealthy.


How can we make the PA-VM Healthy in the Application Load Balancer?



Hi @Mitesh_Nandu,

The only benefit of swapping the management interface is that you can reference the PA-VM in the LB target group by instance-id and not by IP address.

When you reference an instance in the target group by instance-id, AWS will always use the first interface attached to that instance.


PA virtual firewalls generally always use the first interface as the dedicated mgmt interface. So if you add the PA-VM to the target group by instance-id, the LB will try to reach the firewall over the mgmt interface and not over the data plane.


For that reason PAN introduced the option to swap the mgmt interface. So your dedicated mgmt will become your second attached interface and the first attached interface will be the first data plane interface.

I personally don't like this approach and find it useless, but probably because in my short cloud experience I have been dealing only with very static environments, where the LB target group is pointing to an IP address. It is much easier to understand (at least for me), but the downside is you need to know the IP address that will be assigned to the PA-VM and add it to the target group.


Why is this important? Because if you have your PA-VM in two different target groups added by instance-id, both LBs will try sending the traffic only over the first interface attached to the PA-VM. You have to configure at least one of the target groups by IP address.


Another possible reason why your health checks are failing is that by default the PA firewall will not respond to any traffic that is sent to it. Meaning: health checks are packets addressed to the PA IP address, not traffic that should pass over the firewall. To tell the firewall to listen and respond to this traffic you need to apply an interface management profile on those interfaces that are targeted by the LB.

Usually you create an interface mgmt profile with HTTP/HTTPS enabled and apply it on the interface, then configure your target group to send HTTP probes.
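As an added illustration (not part of the reply above, and not Palo Alto Networks code), here is a Terraform fragment for the target-group side of that advice: the ALB target group addresses each PA-VM by its dataplane private IP rather than by instance-id, probes it over HTTP, and the dataplane ENI's security group admits the probe only from the ALB subnets (the same addresses you would list as permitted IPs on the interface management profile). All IDs, CIDRs and IPs are constructed placeholders.

```hcl
# Added example: ALB target group that reaches the PA-VM dataplane by IP.
# All IDs, CIDRs and IPs below are constructed placeholders.

variable "vpc_id"           { default = "vpc-PLACEHOLDER" }
variable "fw_dataplane_sg"  { default = "sg-PLACEHOLDER" }        # SG on the PA-VM dataplane ENI
variable "alb_subnet_cidrs" { default = ["10.0.1.0/24", "10.0.2.0/24"] }
variable "fw_dataplane_ips" { default = ["10.0.10.10", "10.0.11.10"] }

resource "aws_lb_target_group" "pa_vm" {
  name        = "pa-vm-dataplane"
  vpc_id      = var.vpc_id
  port        = 80
  protocol    = "HTTP"
  target_type = "ip"   # "instance" would resolve to the first-attached (mgmt) ENI

  # The firewall answers only if an interface management profile with HTTP
  # enabled is applied on the probed dataplane interface.
  health_check {
    protocol            = "HTTP"
    port                = "traffic-port"
    path                = "/"
    matcher             = "200-399"   # PAN-OS may redirect HTTP to HTTPS
    interval            = 30
    healthy_threshold   = 3
    unhealthy_threshold = 3
  }
}

# One attachment per firewall, keyed by the dataplane private IP.
resource "aws_lb_target_group_attachment" "pa_vm" {
  for_each         = toset(var.fw_dataplane_ips)
  target_group_arn = aws_lb_target_group.pa_vm.arn
  target_id        = each.value
  port             = 80
}

# Admit the probe on the dataplane ENI only from the ALB subnets; the ALB
# nodes source health checks from their private IPs in those subnets.
resource "aws_security_group_rule" "alb_probe_to_fw" {
  type              = "ingress"
  security_group_id = var.fw_dataplane_sg
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = var.alb_subnet_cidrs
}
```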

L2 Linker

Thanks for the brief.


In my environment, in the target group we have mentioned the IP address, and we have also swapped the interface. As you mentioned, if we are choosing IP address in the target group there is no need to swap the interface (will try the same).


While creating the Interface management profile, do we have to specify any IP addresses in the permitted IPs?

L1 Bithead

If your default intrazone policy is set to deny, you also need to allow traffic coming from the GWLB to the firewall interface on app-id SSL. Without the policy the health check will not pass.

L2 Linker

Hi Vsurresh,


We are not using GWLB.


For ingress traffic we are using Application Load Balancer & for egress traffic we are using Network Load Balancer.

L2 Linker

Can anyone verify the architecture? Will this architecture work in AWS?
