GWLB Routing in Security Appliances

0

What configuration is needed on the security appliance (let's say using Palo Alto) while using GWLB (Gateway Load Balancer)? Obviously we will configure zones and the policies associated with the zones. What about routing? Will the appliance pass the traffic to GWLB --> GWLBe without any routing entries on the security appliance ("Palo Alto"), or are any-any routing entries required? If routing entries are required, which IP should be the next-hop IP on the security appliance?

Palani
asked 2 years ago, 751 views
2 Answers
0

Hello,

Routing depends on which architecture pattern you choose, because there are significant differences depending on your use case.

I recommend going through this blog, which explains all the supported architecture patterns for TGW + GWLB + FWs and also the routing and flow of the traffic.

https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-gateway-load-balancer-supported-architecture-patterns/

Also, Palo Alto has detailed documentation around the implementation as well.

As for the below question:

Will the appliance pass the traffic to GWLB --> GWLBe without any routing entries on the security appliance ("Palo Alto"), or are any-any routing entries required? If routing entries are required, which IP should be the next-hop IP on the security appliance?

In general, the appliances will simply route to the data subnet's first IP (you may have separate Data and Mgmt subnets). As such, the firewall fleet of appliances will have no awareness of the GWLB and TGW; they will simply route to the default gateway. It is the appliance/GWLB subnet route table that will have the specific routing entries, for example:

  • Local route for inter-VPC traffic
  • 0.0.0.0/0 towards the NAT Gateway, which subsequently connects to the internet via the IGW (if you also have internet egress from the same Inspection VPC)
  • Specific routes pointing back to TGW

It's difficult to advise without knowing your specific use case, but I hope this helps.

AWS, Expert
answered 2 years ago
0

I would recommend writing specific routes for the subnets that the firewall sits in instead of using any-any routing from the firewall; the next-hop IP will be the gateway IP of that specific subnet. Use the following diagram as an example:

diagram1

appliance 1 routing:
  192.168.1.0/28 next-hop: 192.168.1.1 out-interface: geneve tunnel

appliance 2 routing:
  192.168.1.16/28 next-hop: 192.168.1.17 out-interface: geneve tunnel

If you would like to do cross-zone load balancing, then you will need to add full-mesh routes like the following:

appliance 1 routing:
  192.168.1.0/28 next-hop: 192.168.1.1 out-interface: geneve tunnel
  192.168.1.16/28 next-hop: 192.168.1.17 out-interface: geneve tunnel

appliance 2 routing:
  192.168.1.0/28 next-hop: 192.168.1.1 out-interface: geneve tunnel
  192.168.1.16/28 next-hop: 192.168.1.17 out-interface: geneve tunnel

Here is a lab that comes with a CloudFormation one-click deploy, which uses a Linux instance to mimic the "Palo Alto" firewall; working through the lab will help you understand all the routing: https://github.com/aws-samples/aws-gateway-load-balancer-code-samples/tree/main/aws-cloudformation/distributed_architecture

answered 4 months ago
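The route tables in the answer above follow one rule: each appliance gets a route per GWLB data subnet, and the next hop is the first usable address of that subnet, which in a VPC is the subnet's implicit router (network address + 1). The following added example, not code from either answer or from the AWS lab, generates those per-appliance route tables for both the per-AZ and the cross-zone (full-mesh) case, using the two /28 subnets from the answer as constructed input. The interface name `geneve0` and the rendered `ip route add` commands are assumptions for a Linux-based appliance; a Palo Alto firewall would get the same destination/next-hop pairs through its own static-route configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Route:
    destination: str  # GWLB data subnet the route covers (CIDR)
    next_hop: str     # VPC router of that subnet: network address + 1
    interface: str    # appliance interface the route exits on


def subnet_gateway(cidr: str) -> str:
    """Return the VPC router address for a subnet (first usable IP).

    strict=True makes a CIDR with host bits set (a typo such as
    192.168.1.17/28) raise instead of silently producing a wrong gateway.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address + 1)


def appliance_routes(own_subnet: str, data_subnets: List[str],
                     cross_zone: bool, interface: str = "geneve0") -> List[Route]:
    """Build the static routes one appliance needs.

    Without cross-zone load balancing the appliance only ever sees traffic
    from the GWLB node in its own AZ, so one route (its own data subnet)
    is enough. With cross-zone enabled any GWLB node may forward to it, so
    it needs a route back to every data subnet (full mesh).
    """
    if own_subnet not in data_subnets:
        raise ValueError(f"{own_subnet} is not one of the GWLB data subnets")
    targets = data_subnets if cross_zone else [own_subnet]
    return [Route(s, subnet_gateway(s), interface) for s in targets]


def to_ip_commands(routes: List[Route]) -> List[str]:
    """Render routes as Linux 'ip route' commands (assumed appliance tooling)."""
    return [f"ip route add {r.destination} via {r.next_hop} dev {r.interface}"
            for r in routes]


# Constructed input: the two GWLB data subnets from the answer's diagram.
DATA_SUBNETS = ["192.168.1.0/28", "192.168.1.16/28"]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"cross-zone load balancing: {mode}")
        for idx, subnet in enumerate(DATA_SUBNETS, start=1):
            print(f"  appliance {idx} ({subnet}):")
            for cmd in to_ip_commands(appliance_routes(subnet, DATA_SUBNETS, mode)):
                print(f"    {cmd}")
```

Running it reproduces the answer's two tables: appliance 2 gets only `192.168.1.16/28 via 192.168.1.17` in the per-AZ case, and both subnets once cross-zone load balancing is turned on. The `strict=True` check is worth keeping in any real automation, since a mistyped subnet would otherwise yield a next hop that is not the VPC router and GENEVE return traffic would be black-holed.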
