AWS Load balancer with Cisco Umbrella Virtual Appliance

0

Hello,

I’d like to implement a load-balancing architecture to front my Cisco Umbrella virtual appliances as described in this article. But I don’t want to use F5, I want to use an AWS Elastic Load Balancer.

https://support.umbrella.com/hc/en-us/articles/115004889908-Load-Balancing-Umbrella-virtual-appliances

2 Answers
0

You can; however, you can only use an NLB because DNS works over UDP mainly and an ALB doesn’t support this.

Also the ALB doesn’t preserve the client IP at layer 3 like an NLB. It can only add to the x-forwarded-for header during http requests.

Cisco Umbrella uses native UDP DNS queries and therefore needs to see the original client's IP, using an NLB.

answered 4 months ago
-1
Accepted Answer

Hello 7230822,

If I understand the question... you’re interested in using the appropriate native AWS Elastic Load Balancer? The support document in that URL actually specifies the prerequisites needed for Load Balancing Cisco Umbrella virtual appliances (VAs). A load balanced deployment is feasible as long as the load balancer meets the following requirements:

  1. The source IP address of the client making the query must be preserved when passing the query to the virtual appliance.
  2. The DNS response from the virtual appliance must route through the load balancer so the response to the client appears as coming from the address of the load balancer.

These requirements can be met by AWS ELBs, but more detail would be helpful. The AWS Application Load Balancer and Network Load Balancer can both preserve the source IP address.

If you’re using the AWS Application Load Balancer (ALB):

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html

or

if you choose the AWS Network Load Balancer (NLB):

https://aws.amazon.com/about-aws/whats-new/2013/07/30/elastic-load-balancing-now-supports-proxy-protocol/

https://aws.amazon.com/blogs/aws/elastic-load-balancing-adds-support-for-proxy-protocol/

I've included some Cisco and AWS specific documentation below that may be of use. There's a Cisco Validated Design (CVD) for this kind of implementation. It includes the CVD for an AWS deployment.

  1. Cisco Secure Cloud Architecture for AWS https://blogs.cisco.com/security/cisco-secure-cloud-architecture-for-aws

  2. Deploy VAs in Amazon Web Services https://docs.umbrella.com/deployment-umbrella/docs/deploy-vas-in-amazon-web-services

  3. Secure Cloud for AWS (IaaS) https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/scloud-aws-design-guide.pdf

Hopefully, the additional documentation will help.
Rudy
answered 4 months ago
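As an added example (not from either answer, nor Cisco's or AWS's own material), here is a Terraform definition of the NLB-only design the two answers converge on: a Network Load Balancer carrying DNS on port 53 to the Umbrella virtual appliances with client IP preservation enabled, which satisfies both requirements quoted from the Cisco article. The VPC, subnet and VA instance IDs are assumed inputs, and the TCP/53 health check assumes the VA also answers DNS over TCP.

```terraform
# Added example: internal NLB in front of Umbrella VAs for DNS (UDP and TCP on 53).
# Assumed inputs: an existing VPC, its subnets, and the EC2 instance IDs of the VAs.
variable "vpc_id"          { type = string }
variable "subnet_ids"      { type = list(string) }
variable "va_instance_ids" { type = list(string) }

resource "aws_lb" "umbrella_dns" {
  name               = "umbrella-va-nlb"
  load_balancer_type = "network" # an ALB cannot listen on UDP/53, so NLB is the only option
  internal           = true      # clients are VPC-internal; never expose a forwarder publicly
  subnets            = var.subnet_ids
}

resource "aws_lb_target_group" "dns53" {
  name        = "umbrella-va-dns53"
  port        = 53
  protocol    = "TCP_UDP" # one target group serves both UDP and TCP DNS on the same port
  vpc_id      = var.vpc_id
  target_type = "instance"

  # Requirement 1: the VA must see the real client IP. For instance targets the NLB
  # preserves it by default; it is set explicitly so any change to "false" shows up
  # in a plan. Note the VA security group must then allow the client subnets, not
  # only the NLB's addresses. Requirement 2 is handled by the NLB itself: replies
  # from the VA return through it and reach the client from the NLB's address.
  preserve_client_ip = true

  health_check {
    protocol = "TCP" # UDP target groups need a TCP/HTTP(S) check; assumes VA listens on TCP/53
    port     = 53
  }
}

resource "aws_lb_listener" "dns53" {
  load_balancer_arn = aws_lb.umbrella_dns.arn
  port              = 53
  protocol          = "TCP_UDP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.dns53.arn
  }
}

# Register every VA behind the one target group.
resource "aws_lb_target_group_attachment" "va" {
  count            = length(var.va_instance_ids)
  target_group_arn = aws_lb_target_group.dns53.arn
  target_id        = var.va_instance_ids[count.index]
  port             = 53
}
```

After applying, point clients (or the VPC DHCP option set) at the NLB's DNS name and confirm in the Umbrella dashboard that query logs show the real client addresses rather than the load balancer's.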