Showing results for 
Show  only  | Search instead for 
Did you mean: 


L2 Linker


I would like to ask about PA FW HA on AWS.
I am confused AWS said if we use loadbalancer or ELB ,we can not do PA HA.
That mean even though I put PA is in front of ELB,we cannot do HA?

If I want to do PA HA with ELB what should I do?

if we deploy different availability zone,can we do PA HA ?


L4 Transporter

You would typically do one or the other.  HA is use cases where you are routing through firewalls or firewalls in a pool behind a load balancer in an application hosting scenario.  There are also multi-VPC designs using a TGW.  Please have a look at the Reference Architecture for some additional information.


i saw below design in your provide link. let me know can i deploy without Public LB and Internal LB ?

if we don't have those LB what is the impact ?





The load balancer is your fault tolerance mechanism for the inbound traffic.  For inbound you have two options essentially for fault tolerance.  Use the load balancer to health check and distribute traffic to the firewalls or set up HA between two firewalls in the same AZ.  HA is active passive while LB is active/active giving you better overall utilization and spend.


For outbound, AWS does not currently offer route to load balancer so your only option is to configure HA with your 0/0 route pointing at the active firewall.

Hi ,

i am still confusing. if you don't mind please help me to explain below ?

  1. if we don't have the load balancer ,we can not deploy PA FW HA on AWS ?
  2. The load balancer is mandatory to deploy Paloalto firewall HA setup on AWS ?
  3. if we deploy vpn connection between Paloalto FW HA and customer gawtway in DC, we still need loadbalancer ?
  4. if we deploy vpn connection between Paloalto FW HA and customer gawtway in DC and if we use the load balancer ,any impact to our VPN connection ?

L2 Linker

Hi ,

i am still confusing HA setup in multi AZ.

I would like to deploy Paloalto HA setup in different AZ without using loadbalancer.

let me know it is possible ?

If I want to do VPN between our PA and customer gateway, I still need load balancer ?


We do not currently have native support for HA across zones.  Typically in a VPN scenario, you use BGP to handle the failover between the two firewalls running tunnels to both firewalls.  You can use a script such as this one to handle the VPC route table.  You would just need to change the path monitor to monitor something across the VPN tunnel.




I a more robust scenario, you would use a Transit Gateway and the on-prem aspect of the reference architecture to treat the firewall as an inspection zone in the routing path.

Hi ,

As per your recommendation , we should use load balancer or we should use transit gateway ,

correct ? whatever we use loadbalancer or transit gateway,we still use PA firewall as VPN gateway ?


If using the TGW, vpn to the TGW rather than to the firewalls and use the TGW routing mechanism to route through the firewalls before going to the spoke VPC.  If using a single VPC, vpn to a VGW attached to the VPC and use Ingress Routing to route through the firewalls.  If you VPN to the firewalls and they are not configured for HA, you either need to SNAT the traffic or use some additional scripting to update the VPC routing to avoid asymmetry.


I believe you could benefit from a white board session with one of our SEs.  Reach out to your local account team and they can assist with locking in a design that suites your environment.

  • 8 replies
  • 85 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!