Zero trust in AWS issue with ALB


L1 Bithead

We are trying to implement a zero trust environment inside our AWS cloud. We are using a transit gateway deployment, and have all traffic going through a security VPC which houses a pair of PA-VMs. These firewalls are reached by the other VPCs through GWLBs. Because of this architecture, when we are allowing inbound web traffic to our ALBs we actually create a rule using the private IP addresses of the ALBs. The issue is the dynamic nature of the ALB: these internal IPs change periodically, which in turn invalidates our inbound rules. I have seen some workarounds using NLB, or through Global Accelerator. Neither of these, however, will keep the private IP of the ALB from changing. I was hoping to use the dynamic group function, but it seems to only be able to pull in EC2s, and not LBs. With zero trust being all the rage, how is this not supported? What am I missing?
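An added example, not from this thread or the Panorama plugin, of the lookup the plugin automates: the ALB's current private IPs are read from its ENIs and diffed against the addresses an inbound rule allows, so a rule that has drifted is detected rather than silently dropping traffic. It assumes ALB ENIs carry the AWS description `ELB app/<alb-name>/<id>`; the sample ENI data and the name `web-alb` are constructed.

```python
# Added example: resolve an ALB's current private IPs from its ENIs and diff them
# against the IPs a firewall rule allows, to spot rules the ALB has drifted away from.
from typing import Dict, List, Set


def alb_private_ips(enis: List[dict], alb_name: str) -> Set[str]:
    """Private IPv4s on ENIs owned by the named ALB.

    `enis` is the NetworkInterfaces list from ec2 describe_network_interfaces;
    AWS describes ALB ENIs as 'ELB app/<alb-name>/<id>'.
    """
    prefix = f"ELB app/{alb_name}/"
    ips: Set[str] = set()
    for eni in enis:
        if not eni.get("Description", "").startswith(prefix):
            continue
        # An ENI can carry several private IPs; include all of them.
        for addr in eni.get("PrivateIpAddresses", []):
            ips.add(addr["PrivateIpAddress"])
    return ips


def rule_drift(rule_ips: Set[str], current_ips: Set[str]) -> Dict[str, Set[str]]:
    """Compare the IPs in a firewall rule with the ALB's current IPs."""
    return {"missing": current_ips - rule_ips,  # ALB IPs the rule does not allow
            "stale": rule_ips - current_ips}    # rule IPs no longer on the ALB


def fetch_enis(alb_name: str, region: str) -> List[dict]:
    """Live lookup (needs boto3 and AWS credentials); not exercised offline."""
    import boto3  # imported lazily so the pure functions above run without it
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_network_interfaces(
        Filters=[{"Name": "description", "Values": [f"ELB app/{alb_name}/*"]}])
    return resp["NetworkInterfaces"]


# Constructed sample of describe_network_interfaces output (hypothetical values).
SAMPLE_ENIS = [
    {"Description": "ELB app/web-alb/0123456789abcdef",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.25"}]},
    {"Description": "ELB app/web-alb/0123456789abcdef",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.77"}]},
    {"Description": "ELB app/other-alb/fedcba9876543210",
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.3.9"}]},
]

if __name__ == "__main__":
    current = alb_private_ips(SAMPLE_ENIS, "web-alb")
    print(rule_drift({"10.0.1.25", "10.0.1.99"}, current))
```

Run on a schedule, a non-empty `missing` or `stale` set is the signal that the rule needs to be regenerated (or, with plugin 3.0.0 monitoring, that the dynamic address group has not yet caught up).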

2 replies

L1 Bithead

Bumping this up, can't believe nobody else has this issue?

Hi @nelsonc0 ,

Hope you have managed to solve your problem. If not, please check which version of the AWS plugin for Panorama you are using.

According to the documentation, version 3.0.0 introduced support for ALB, NLB and ENI monitoring - https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/panorama-plug...
