We’re looking for the best way to deploy Palo Alto firewalls with trust, untrust and management NICs in an autoscaling group in AWS that’s aligned to best practice.
Autoscaling groups for EC2 instances are limited to one network, and we see the latest version of the Palo Alto template in Git (ASG with warm pools) caters for this but creates a firewall deployment with two NICs (data and management) on the same subnet: https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/cft_simplifiedASG_with_warm_pools
We would need a firewall with 3 NICs on 3 different subnets (management, trust and untrust).
Do you know the best way to deploy Palo Alto VM firewalls with private, public and management NICs in an ASG in AWS please?
Or is this not possible and are we limited to 2 NICs on the same subnet? (management and data)
cft_simplifiedASG_with_warm_pools assumes that the 2 NICs that are coded are from the same subnet. Additionally, AWS ASG + LaunchTemplate-based ENI provisioning will support only the subnets that were configured in the ASG resource. You will not be able to do the splitting via CloudFormation. But you could achieve what you want by keeping eth0 in the LaunchTemplate and adding the other 2 (eth1 and eth2) by updating the Lifecycle Hook Lambda code.
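The approach in the answer above, sketched as an added Python example (not code from the Palo Alto template or from the poster): a lifecycle-hook Lambda that, on the EC2_INSTANCE_LAUNCHING event, creates the trust and untrust ENIs in their own subnets, attaches them as eth1/eth2 to the instance whose eth0 (management) came from the launch template, and then completes the hook. The subnet and security-group IDs and the environment-variable names are placeholders, and the clients are injected so the logic can be exercised without the AWS SDK.

```python
"""Lifecycle-hook Lambda sketch: attach trust/untrust ENIs to a VM-Series instance
launched by an ASG whose launch template only carries eth0 (management)."""
import os

# Placeholder configuration; in a real deployment these come from Lambda environment variables.
TRUST_SUBNET_ID = os.environ.get("TRUST_SUBNET_ID", "subnet-trust-placeholder")
UNTRUST_SUBNET_ID = os.environ.get("UNTRUST_SUBNET_ID", "subnet-untrust-placeholder")
DATA_SG_ID = os.environ.get("DATA_SG_ID", "sg-data-placeholder")

# eth1 = trust, eth2 = untrust: the device index decides which NIC the firewall sees.
DATA_INTERFACES = [(1, "trust"), (2, "untrust")]


def attach_data_interfaces(ec2, instance_id, subnets, sg_id):
    """Create one ENI per data subnet and attach it at the given device index.
    Returns [(device_index, eni_id)] so the caller can verify or roll back."""
    attached = []
    for device_index, role in DATA_INTERFACES:
        eni = ec2.create_network_interface(
            SubnetId=subnets[role], Groups=[sg_id],
            Description=f"vmseries-{role}-{instance_id}",
        )["NetworkInterface"]["NetworkInterfaceId"]
        # Dataplane NICs must not do source/dest checks or the firewall cannot forward.
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni, SourceDestCheck={"Value": False})
        attachment = ec2.attach_network_interface(
            NetworkInterfaceId=eni, InstanceId=instance_id, DeviceIndex=device_index)
        # Delete the ENI with the instance so scale-in does not leave orphaned interfaces.
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni,
            Attachment={"AttachmentId": attachment["AttachmentId"], "DeleteOnTermination": True})
        attached.append((device_index, eni))
    return attached


def handle_lifecycle_event(event, ec2, autoscaling):
    """Process one EC2_INSTANCE_LAUNCHING event from EventBridge and return the
    result reported to the ASG: CONTINUE on success, ABANDON (instance is
    terminated, never put in service with only a management NIC) on failure."""
    detail = event["detail"]
    instance_id = detail["EC2InstanceId"]
    subnets = {"trust": TRUST_SUBNET_ID, "untrust": UNTRUST_SUBNET_ID}
    try:
        attach_data_interfaces(ec2, instance_id, subnets, DATA_SG_ID)
        result = "CONTINUE"
    except Exception:
        result = "ABANDON"
    autoscaling.complete_lifecycle_action(
        LifecycleHookName=detail["LifecycleHookName"],
        AutoScalingGroupName=detail["AutoScalingGroupName"],
        LifecycleActionToken=detail["LifecycleActionToken"],
        LifecycleActionResult=result)
    return result


def lambda_handler(event, context):
    import boto3  # imported lazily so the logic above runs without the SDK installed
    return handle_lifecycle_event(event, boto3.client("ec2"), boto3.client("autoscaling"))
```

The hook's heartbeat timeout must be long enough for both ENI attachments; ABANDON on error is what keeps a firewall with no data plane from ever being registered as healthy.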