09-29-2023 07:32 AM
Hello,
I have a question regarding inbound inspection in centralised model using Palo Alto Cloud NGFW, which was described here.
I'm focusing on the Figure 11: Cloud NGFW is deployed to protect inbound traffic to a VPC (Single AZ).
In this architecture, the Application Load Balancer was deployed in central Security Account. My assumption is that you can bind multiple domains to the same ALB and route traffic to different internal web-server (i.e. example.com, example2.com), based on the host-header feature provided by the ALB. So far so good.
But what if I want to provide inspection to services that are not working on HTTP/HTTPs protocols, i.e SFTP, FTP, SSH (and many others)? My first thought was to deploy another subnet in the central Security Account with Network Load Balancer. NLB works on layer 3/4, so it's not understanding host headers. Solution for that would be to create listeners on different ports and bind them to appropriate target groups, i.e:
- 222 NLB -> 22 (internal sftp-server-1)
- 223 NLB -> 22 (internal sftp-server-2).
Is this viable solution or is there any other way to handle multiple services via the same central NLB?
Regards
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
