AWS Load balancer with Cisco Umbrella Virtual Appliance

0

Hello,

I’d like to implement a load-balancing architecture to front my Cisco Umbrella virtual appliances as described in this article. But I don’t want to use F5, I want to use an AWS Elastic Load Balancer.

https://support.umbrella.com/hc/en-us/articles/115004889908-Load-Balancing-Umbrella-virtual-appliances

2 answers
0

You can, however you can only use an NLB, because DNS works mainly over UDP and an ALB doesn't support this.

Also, the ALB doesn't preserve the client IP at layer 3 like an NLB does. It can only add to the X-Forwarded-For header during HTTP requests.

Cisco Umbrella uses native UDP DNS queries and therefore needs to see the original client's IP, which requires an NLB.

Expert
answered 4 months ago
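The NLB deployment the answer above describes, written out as Terraform. This is an added example, not configuration from the thread or from Cisco's or AWS's documentation; the variable names (var.vpc_id, var.va_subnet_ids, var.va_instance_ids) and the assumption that the virtual appliance also answers on TCP/53 (used only for the health check, since NLB health checks cannot use UDP) are the author's assumptions and should be checked against the real deployment.

```hcl
# Added example: an internal NLB fronting Cisco Umbrella VAs for DNS.
# TCP_UDP on port 53 carries both the normal UDP queries and TCP
# fallback for large answers. Variable names are assumptions.

resource "aws_lb" "umbrella_dns" {
  name               = "umbrella-dns-nlb"
  load_balancer_type = "network"
  internal           = true # resolver for VPC clients, not Internet-facing
  subnets            = var.va_subnet_ids
}

resource "aws_lb_target_group" "umbrella_va" {
  name        = "umbrella-va-dns"
  vpc_id      = var.vpc_id
  port        = 53
  protocol    = "TCP_UDP"
  target_type = "instance"

  # Requirement 1 from the Umbrella article: the VA must see the real
  # client source address. This is the default for instance targets but
  # is set explicitly so a later change to "ip" targets cannot silently
  # break it.
  preserve_client_ip = true

  # NLB health checks cannot be UDP; TCP/53 is assumed to be open on the VA.
  health_check {
    protocol            = "TCP"
    port                = "53"
    interval            = 10
    healthy_threshold   = 3
    unhealthy_threshold = 3
  }
}

resource "aws_lb_target_group_attachment" "va" {
  for_each         = toset(var.va_instance_ids)
  target_group_arn = aws_lb_target_group.umbrella_va.arn
  target_id        = each.value
  port             = 53
}

resource "aws_lb_listener" "dns" {
  load_balancer_arn = aws_lb.umbrella_dns.arn
  port              = 53
  protocol          = "TCP_UDP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.umbrella_va.arn
  }
}
```

Two practical checks follow from client IP preservation. First, the VA's security group must allow UDP/53 and TCP/53 from the client CIDRs, not from the NLB's private addresses, because the packets arrive with the original client source IP. Second, the return path (requirement 2 in the Umbrella article) is handled by the NLB itself: the VA replies to the client IP, the VPC steers that reply back through the NLB, and the client sees the answer come from the NLB address, so no SNAT on the VA is needed. The one known limitation is loopback: an instance that is itself a registered target will fail to resolve through this NLB while preservation is on, so do not point the VAs' own resolver at the NLB address.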
-1
Accepted answer

Hello 7230822,

If I understand the question... you’re interested in using the appropriate native AWS Elastic Load Balancer? The support document in that URL actually specifies the prerequisites needed for Load Balancing Cisco Umbrella virtual appliances (VAs). A load balanced deployment is feasible as long as the load balancer meets the following requirements:

  1. The source IP address of the client making the query must be preserved when passing the query to virtual appliance.
  2. The DNS response from the virtual appliance must route through the load balancer so the response to the client appears as coming from the address of the load balancer.

These requirements can be met by AWS ELBs, but more detail would be helpful. The AWS Application Load Balancer and Network Load Balancer can both preserve the source IP address.

If you’re using the AWS Application Load Balancer (ALB):

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html

or

if you choose the AWS Network Load Balancer (NLB):

https://aws.amazon.com/about-aws/whats-new/2013/07/30/elastic-load-balancing-now-supports-proxy-protocol/

https://aws.amazon.com/blogs/aws/elastic-load-balancing-adds-support-for-proxy-protocol/

I've included some Cisco and AWS specific documentation below that may be of use. There's a Cisco Validated Design (CVD) for this kind of an implementation. It includes the CVD for an AWS deployment.

  1. Cisco Secure Cloud Architecture for AWS https://blogs.cisco.com/security/cisco-secure-cloud-architecture-for-aws

  2. Deploy VAs in Amazon Web Services https://docs.umbrella.com/deployment-umbrella/docs/deploy-vas-in-amazon-web-services

  3. Secure Cloud for AWS (IaaS) https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/scloud-aws-design-guide.pdf

Hopefully, the additional documentation will help.

Cisco UVA with AWS

AWS
Rudy
answered 4 months ago
AWS
Expert
reviewed 4 months ago
