You can, however, you can only use an NLB because DNS works over UDP mainly and an ALB doesn’t support this.
Also the ALB doesn’t preserve the client IP at layer 3 like an NLB. It can only add to the X-Forwarded-For header during HTTP requests.
Cisco Umbrella uses native UDP DNS queries and therefore needs to see the original client's IP using an NLB.
Hello 7230822,
If I understand the question... you’re interested in using the appropriate native AWS Elastic Load Balancer? The support document in that URL actually specifies the prerequisites needed for Load Balancing Cisco Umbrella virtual appliances (VAs). A load balanced deployment is feasible as long as the load balancer meets the following requirements:
- The source IP address of the client making the query must be preserved when passing the query to virtual appliance.
- The DNS response from the virtual appliance must route through the load balancer so the response to the client appears as coming from the address of the load balancer.
These requirements can be met by AWS ELBs, but more detail would be helpful. The AWS Application Load Balancer and Network Load Balancer can both preserve the source IP address.
If you’re using the AWS Application Load Balancer (ALB):
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html
or
if you choose the AWS Network Load Balancer (NLB):
https://aws.amazon.com/blogs/aws/elastic-load-balancing-adds-support-for-proxy-protocol/
I've included some Cisco and AWS specific documentation below that may be of use. There's a Cisco Validated Design (CVD) for this kind of an implementation. It includes the CVD for an AWS deployment.
- Cisco Secure Cloud Architecture for AWS https://blogs.cisco.com/security/cisco-secure-cloud-architecture-for-aws
- Deploy VAs in Amazon Web Services https://docs.umbrella.com/deployment-umbrella/docs/deploy-vas-in-amazon-web-services
- Secure Cloud for AWS (IaaS) https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/scloud-aws-design-guide.pdf
Hopefully, the additional documentation will help.
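As an added illustration (not part of either answer, and not Cisco or AWS documentation), here is a minimal CloudFormation sketch of the NLB deployment that satisfies the two requirements above: a UDP listener on port 53 in front of the VAs, with client IP preservation set explicitly on the target group. The VPC, subnets and VA instance IDs are placeholder parameters, and the TCP/53 health check assumes the VAs also answer DNS over TCP.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Internal NLB fronting two Cisco Umbrella VAs for DNS over UDP (illustrative, not a CVD)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  VaInstanceIds:
    Type: List<AWS::EC2::Instance::Id>   # placeholder: the two Umbrella VA instances

Resources:
  DnsNlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network            # an ALB (Type: application) offers no UDP listener
      Scheme: internal
      Subnets: !Ref SubnetIds

  DnsTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: UDP            # native UDP DNS; TCP_UDP would also cover DNS over TCP
      Port: 53
      TargetType: instance
      HealthCheckProtocol: TCP # assumption: VAs answer TCP/53, so a TCP probe is a usable health check
      HealthCheckPort: "53"
      TargetGroupAttributes:
        - Key: preserve_client_ip.enabled   # requirement 1: the VA sees the real client source IP
          Value: "true"
      Targets:
        - Id: !Select [0, !Ref VaInstanceIds]
        - Id: !Select [1, !Ref VaInstanceIds]

  DnsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref DnsNlb
      Protocol: UDP
      Port: 53
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref DnsTargetGroup
```

Clients are pointed at the NLB's address and the VA replies return through the NLB, which is what the second requirement asks for.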