AWS ELB behind firewall with public HTTPS traffic forwarded to it

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

AWS ELB behind firewall with public HTTPS traffic forwarded to it

L1 Bithead

I have setup a classic internal ELB with traffic forwarded to 2 AD FS severs. Internally, by creating a CNAME entry with the FQDN for the ELB, the load balancer forwards to each of the AD FS servers as it should. I have the necessary NAT and security policies as well as policy based forwarding rule as this is the 2nd public interface with forwarding traffic. Public traffic gets forwarded fine to the ELB, as long as the IP address I enter in the destination translation of the NAT policy is set explicitly is current. All of the other references to the ELB can be a FQDN, but since this parameter needs to be an IP, this won't work very long without manually changing this IP as the private IP of the ELB changes frequently. I don't want to change to an external ELB as that would require I use seperate external interfaces on the Palo VM-300, which are precious to us. I don't want to use a 3rd party load balancer as this would complicate monitoring and may not work if we want to implement auto-scaling for this or other projects in the future. The online documentation for ELB and the Palo virutal appliance seem to cover the use case of an external ELB in front of 2 or more virtual appliances, but it isn't clear and doesn't seem to provide relevant information regarding my use case. I had a session with Palo support where I was told that the destination translation needs to be an IP so what I was trying to do wouldn't work, but I wasn't clear whether or not what I want to do at a high level is possible using some other method that I am not aware of. This seems like a major oversight, especially since there is documentation available to use ELB with the Palo VM-300 in another usage scenario. Does anyone have any insight to share?

1 accepted solution

Accepted Solutions

L4 Transporter

Keith, there are 2 options to explore as you are correct in that the NAT object must be an IP address.

 

1. Please have a look at the autoscale template on GitHub.  You will find that we can autoscale the firewalls to accomodate the FQDN change.  As you already mentioned, that will require an external Load Balancer.

https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-1.2

 

2. Amazon recently announced a newer network load balancer.  This load balancer provides static IP addresses for you to use in the NAT object.  You could consider replacing that classic ELB with the NLB.

https://aws.amazon.com/blogs/aws/new-network-load-balancer-effortless-scaling-to-millions-of-request...

 

View solution in original post

2 REPLIES 2

L4 Transporter

Keith, there are 2 options to explore as you are correct in that the NAT object must be an IP address.

 

1. Please have a look at the autoscale template on GitHub.  You will find that we can autoscale the firewalls to accomodate the FQDN change.  As you already mentioned, that will require an external Load Balancer.

https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-1.2

 

2. Amazon recently announced a newer network load balancer.  This load balancer provides static IP addresses for you to use in the NAT object.  You could consider replacing that classic ELB with the NLB.

https://aws.amazon.com/blogs/aws/new-network-load-balancer-effortless-scaling-to-millions-of-request...

 

Thanks, jmeurer. I had actullay tried the new HTTPS ELB before the classic ELB, but that didn't seem to work for ADFS. I learned while I setup the classic one that I needed to use TCP instead of HTTPS. It didn't occur to me to backtrack because it seemed to be working at that time. I didn't notice the IP was changing on the classic ELB until later. So far, so good with the network ELB.

 

Thanks, again!

  • 1 accepted solution
  • 4073 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!