Routing public websites via Palo in Azure?

L3 Networker


I have a pair of VM-300s in a load balancer sandwich configuration in Azure. An internal load balancer is on the inside and handles outbound traffic. An external load balancer is on the outside and is intended for inbound traffic from the internet. I can assign a public IP as the front end of the external load balancer. My first question: can a single external load balancer have multiple public IP front ends defined?

My second question concerns how traffic flows from an internet client to one of my backend servers. This is my understanding - please correct me if I am wrong:

The external interface of each of the two firewalls resides on a privately addressed subnet. Example: 10.1.1.0/24 with fw1 being 10.1.1.4 and fw2 being 10.1.1.5. Each firewall has a default route to the internet via Azure gw IP 10.1.1.1.

The frontend of the ELB has a public IP 13.75.1.1 described as 'webserver1'. It has a backend pool called webserver1-pool. The real backend webserver is 10.2.2.10. But that is not directly reachable from the LB, and we want the traffic to route via the firewalls.

If I want the LB to forward traffic via the VM-300 pair, then the backend pool members would have to be addresses on subnet 10.1.1.0/24, yes? fw1 could have a secondary IP of 10.1.1.11 associated with its external interface. It would then have a NAT rule such that traffic destined for 10.1.1.11 is destination NATed to go to 10.2.2.10.

Similarly, fw2 could have a secondary IP of 10.1.1.12 associated with its external interface. It would then have a NAT rule such that traffic destined for 10.1.1.12 is destination NATed to go to 10.2.2.10.

Therefore the backend pool defined on the ELB would have members webserver1a 10.1.1.11 and webserver1b 10.1.1.12.

Would each firewall also have to source NAT the traffic so the real server's replies path correctly? Or will that just work?

Is there a cleaner way of doing this? Having multiple NATs is a pain. Having to use the firewall's external interface subnet for all NATs is also awkward.

L4 Transporter

You are on the right track; you don't actually need secondary IPs of the Untrust interface. We typically use Port Address Translation. The Load Balancer Backend would be the firewall's Untrust Interface IP on a custom port such as 4431. The load balancer rule would then map the front end IP on the standard port to the backend pool on the non-standard port. The firewall performs both source and destination NAT. The original packet is the non-standard port traffic arriving on ETH1/1; the translated packet sources from interface Eth1/2 and the destination is the actual application on the proper port. We document this path in the reference architecture.

https://www.paloaltonetworks.com/resources/reference-architectures/azure
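
The packet path described in the reply above, traced hop by hop as an added example (not code from the thread or from the Palo Alto reference architecture). The frontend and server port 443, the trust-side IPs 10.1.2.4 and 10.1.2.5, the client 203.0.113.7 and the translated source port numbering are assumptions; the other addresses and port 4431 come from the thread.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Addresses from the thread; anything marked "assumed" is not in the thread.
FRONTEND = ("13.75.1.1", 443)                      # ELB frontend; port 443 assumed
FW_UNTRUST = {"fw1": "10.1.1.4", "fw2": "10.1.1.5"}
FW_TRUST = {"fw1": "10.1.2.4", "fw2": "10.1.2.5"}  # assumed trust-side IPs
PAT_PORT = 4431                                    # custom backend port from the reply
SERVER = ("10.2.2.10", 443)                        # real server; port 443 assumed

def elb_forward(pkt, fw):
    """ELB rule: frontend:443 -> firewall untrust IP:4431. Client source is kept."""
    if (pkt.dst, pkt.dport) != FRONTEND:
        raise ValueError("no load-balancing rule for this frontend")
    return replace(pkt, dst=FW_UNTRUST[fw], dport=PAT_PORT)

def fw_nat(pkt, fw, sessions, snat=True):
    """Firewall NAT: match untrust IP:4431, DNAT to the server, optionally SNAT."""
    if (pkt.dst, pkt.dport) != (FW_UNTRUST[fw], PAT_PORT):
        raise ValueError("no NAT rule matches this destination")
    out = replace(pkt, dst=SERVER[0], dport=SERVER[1])
    if snat:  # source becomes the firewall's own trust interface (port-translated)
        out = replace(out, src=FW_TRUST[fw], sport=20000 + len(sessions))
    sessions[(out.src, out.sport)] = (fw, pkt)  # session keyed by post-NAT source
    return out

def server_reply(pkt):
    """The server answers whatever source address it saw."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def reply_owner(reply):
    """Firewall that owns the reply's destination IP, or None if routing decides."""
    return next((fw for fw, ip in FW_TRUST.items() if ip == reply.dst), None)

def fw_reverse(reply, sessions):
    """Undo the NAT on the return path using the session created by fw_nat."""
    _fw, original = sessions[(reply.dst, reply.dport)]
    return Packet(original.dst, original.dport, original.src, original.sport)

def trace(fw, snat=True):
    sessions = {}
    client = Packet("203.0.113.7", 51000, *FRONTEND)  # constructed client
    to_server = fw_nat(elb_forward(client, fw), fw, sessions, snat)
    reply = server_reply(to_server)
    return to_server, reply, reply_owner(reply), fw_reverse(reply, sessions)
```

With `snat=False` the server's reply is addressed to the client, so `reply_owner` returns `None`: the return hop is then chosen by routing rather than pinned to the firewall that holds the session.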

 

L3 Networker

It's my understanding that the Azure external load balancer cannot do port address translation. So I'd need to use an Azure application gateway to do that?

EDIT: I am incorrect. The standard load balancer can use a different port for the backend traffic:

https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal
