AWS Load Balancer Sandwich Outbound Traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

AWS Load Balancer Sandwich Outbound Traffic

L0 Member

We have been trying to get the load balancer sandwich (https://github.com/PaloAltoNetworks/aws-alb-sandwich) working but have had little success. Has anyone been successful?

 

First of all, we can't figure out how to send outbound traffic through the firewalls. An internal, outbound-facing load balancer should do the trick, but it seems a requirement to configured each TCP port needed for Internet connectivity. Is there another way to get this done?

 

After we (finally, after several tries) got a CF stack to complete successfully, we could never connect to our jump box. We would rather put an elastic IP on the MGMT interfaces and get the firewalls configured - then configured access through the firewalls to the jump box. We couldn't get into either the firewalls or jump box - connections just timed out.

 

Thank you for any suggestions.

1 REPLY 1

L4 Transporter

With the jumpbox, you have to ensure it that it is in the NATGateway subnet, that is the only subnet that has an IGW for the EIPs to utilize.  Additionally, there is a security group created by the template that allows ports 22/3389 for access to the jumpbox.  If that SG was not used for the jumpbox, ensure that your jumpbox does have the proper SG applied.

 

As for outbound, this template was not designed for protection of traffic originating within the VPC.  You can choose to create a route for your application servers pointing to the Trust side of the firewall in the corresponding AZ and validate that ETH2 has Source/Destination check disabled.  You will then need to add corresponding security and hide nat policies to allow the traffic. 

 

Please note that this creates a single point of failure within the VPC.  In order to perform outbound inspection of traffic originating from within the VPC, utilization of a transit VPC or other automation to monitor the firewalls and move the routes is necessary.  That is topic better suited for a discussion with your Palo Alto Networks SE.

  • 3658 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!