
How does traffic route into the PAs from the internet?

Open tbone31 opened this issue 7 years ago • 3 comments

I'm unclear about how traffic is routed into the PAs from the internet and how HA will work.

I am trying to recreate this template in a region where deploying the cft directly is unsupported. In my solution I only have 1 PA in each AZ, one primary, one secondary. I understand the usage of MED values for fail-over of internal routing between transit VPCs, but from the internet there is no determinant on which PA to hit.

I've seen other vendors use an EIP which bounces association between the ENI of the primary device, but I don't see any of that magic happening in any lambda functions...

Any help would be great!

tbone31 avatar May 11 '18 17:05 tbone31

Inbound connections are generally recommended to be fronted with an ALB. Then you can use IP Address targets, and send the traffic to a PaGroup. You would assign a port for the inbound application, such as mapping a web site from 443 to 40000. The ALB would SNAT the traffic, so if the connection were inbound on AZ1 the source would be this IP. The PA in AZ1 would advertise this subnet, while the PA in AZ2 would advertise its dmz subnet CIDR. So the return traffic would always come back to the appropriate PA. If a PA were to die, the connection would be lost, but the ALB, doing appropriate health checks on the application, would take it out and only send traffic to the other PA. There would be a period of intermittent connectivity depending on how you have your health checks set up.

With the new FQDN NAT in 8.1, you would also have the PAs DNAT to an internal ALB, and it would automatically update the NAT and do round-robin. These internal ALBs would be in the subscriber VPC. The DNAT would also send back to port 443, as it would be receiving traffic on the assigned port 40000 for this particular application.

freimer avatar May 19 '18 16:05 freimer
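A Terraform sketch of the inbound path described in the answer above: an internet-facing ALB, an IP-type target group on the assigned application port 40000 with the PA DMZ address in each AZ as targets, and a 443 listener with application health checks that pull a dead PA out. This is an added example, not code from the repository or from freimer's Terraform conversion; the VPC, subnet, security-group and certificate IDs, the health-check path and the two DMZ addresses are placeholders.

```hcl
# Added example, not from the repo: internet-facing ALB fronting one PA per AZ.
# Every ID, ARN and address below is a placeholder.
locals {
  transit_vpc_id    = "vpc-PLACEHOLDER"
  public_subnet_ids = ["subnet-AZ1-PLACEHOLDER", "subnet-AZ2-PLACEHOLDER"]
  alb_sg_id         = "sg-PLACEHOLDER" # should permit only 443 from the internet
  certificate_arn   = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"
  pa_dmz_ips        = { az1 = "10.0.1.10", az2 = "10.0.2.10" } # PA DMZ interface per AZ
}
resource "aws_lb" "inbound" {
  name               = "transit-inbound-alb"
  internal           = false
  load_balancer_type = "application"
  subnets            = local.public_subnet_ids
  security_groups    = [local.alb_sg_id]
}
# IP-type target group: targets are PA addresses, on the port assigned to this
# application (the ALB maps 443 on the internet side to 40000 on the PAs).
resource "aws_lb_target_group" "web_app" {
  name        = "web-app-pa-40000"
  port        = 40000
  protocol    = "HTTP"
  target_type = "ip"
  vpc_id      = local.transit_vpc_id
  # Application-level health check: a PA that dies or loses the app is removed
  # and traffic goes only to the surviving PA; interval/thresholds set the gap.
  health_check {
    path                = "/healthz" # placeholder path on the published app
    port                = "traffic-port"
    protocol            = "HTTP"
    interval            = 10
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}
resource "aws_lb_target_group_attachment" "pa" {
  for_each         = local.pa_dmz_ips
  target_group_arn = aws_lb_target_group.web_app.arn
  target_id        = each.value
  port             = 40000
}
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.inbound.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = local.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web_app.arn
  }
}
```

The PA-side NAT policy (40000 back to 443 on the internal target, per the answer) is not expressed here; it lives in the firewall configuration rather than in AWS resources.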

I also converted everything over to Terraform except the PaGroupCft.json file, and will be submitting a PR once I clean it up a bit.

freimer avatar May 19 '18 16:05 freimer

@freimer did you ever share your terraform version of this? Would love to see that.

peterb154 avatar Jan 10 '19 03:01 peterb154