This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

S2S VPN with Active/Active FW Behind LB

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

S2S VPN with Active/Active FW Behind LB

catg80
L0 Member

‎09-12-2023 10:59 PM

Hey all,

we have 2 active palos in azure that are behind a public load balancer.

have to create a S2S VPN between our tenancy and another orgs tenancy.

has anyone done this before?

not sure how can get this to work as traffic going through the load balancer seems to cause issues as its a long running connection. 

anyone know of any design guides that would discuss scenarios on this?

 

thanks

0 Likes Likes
1 REPLY 1

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎09-14-2023 07:29 AM

Hi @catg80 ,

In my humble opinion what you asking is not possible.

- Azure Load Balancer workin on layer4 and support only TCP and UDP transport protocols

- IPsec site-to-site VPN usually requries ESP transport protocol, which is not supported by Azure LB

- As described in the following link you can use Azure LB for outbound connections, but outbound traffic is not actuall passive through the LB. Traffic is just simply tranlated (NAT) to the public IP assigned to the LB. https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections

 

I personally don't like running Site-to-Site tunnels on firewall in Azure or AWS.

I would preffer to use the cloud native components and establish the tunnel to Azure VPN gateway and if required use routing tables to forward the traffic from/to the tunnel to PAN FW for inspection.

 

You metioned "between our tenancy and another orgs tenancy" - does this means you want to exchange traffic between your Azure  enviroment and another Azure environment? If that is correct, I would recommend to use Azure Private Link and Private Endpoints - https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/private-link

Yuo could still route such traffic over your firewall for inspection, but instead of adding the complexity of maintaining IPsec tunnel, just use the cloud native components to send it to the other organization.

 

0 Likes Likes
  • 894 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks