I would like to ask about PA FW HA on AWS.
I am confused AWS said if we use loadbalancer or ELB ,we can not do PA HA.
That mean even though I put PA is in front of ELB,we cannot do HA?
If I want to do PA HA with ELB what should I do?
if we deploy different availability zone,can we do PA HA ?
You would typically do one or the other. HA is use cases where you are routing through firewalls or firewalls in a pool behind a load balancer in an application hosting scenario. There are also multi-VPC designs using a TGW. Please have a look at the Reference Architecture for some additional information.
The load balancer is your fault tolerance mechanism for the inbound traffic. For inbound you have two options essentially for fault tolerance. Use the load balancer to health check and distribute traffic to the firewalls or set up HA between two firewalls in the same AZ. HA is active passive while LB is active/active giving you better overall utilization and spend.
For outbound, AWS does not currently offer route to load balancer so your only option is to configure HA with your 0/0 route pointing at the active firewall.
i am still confusing. if you don't mind please help me to explain below ?
i am still confusing HA setup in multi AZ.
I would like to deploy Paloalto HA setup in different AZ without using loadbalancer.
let me know it is possible ?
If I want to do VPN between our PA and customer gateway, I still need load balancer ?
We do not currently have native support for HA across zones. Typically in a VPN scenario, you use BGP to handle the failover between the two firewalls running tunnels to both firewalls. You can use a script such as this one to handle the VPC route table. You would just need to change the path monitor to monitor something across the VPN tunnel.
I a more robust scenario, you would use a Transit Gateway and the on-prem aspect of the reference architecture to treat the firewall as an inspection zone in the routing path.
As per your recommendation , we should use load balancer or we should use transit gateway ,
correct ? whatever we use loadbalancer or transit gateway,we still use PA firewall as VPN gateway ?
If using the TGW, vpn to the TGW rather than to the firewalls and use the TGW routing mechanism to route through the firewalls before going to the spoke VPC. If using a single VPC, vpn to a VGW attached to the VPC and use Ingress Routing to route through the firewalls. If you VPN to the firewalls and they are not configured for HA, you either need to SNAT the traffic or use some additional scripting to update the VPC routing to avoid asymmetry.
I believe you could benefit from a white board session with one of our SEs. Reach out to your local account team and they can assist with locking in a design that suites your environment.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!