AWS Load balancer with Cisco Umbrella Virtual Appliance

0

Hello,

I’d like to implement a load-balancing architecture to front my Cisco Umbrella virtual appliances as described in this article. But I don’t want to use F5, I want to use an AWS Elastic Load Balancer.

https://support.umbrella.com/hc/en-us/articles/115004889908-Load-Balancing-Umbrella-virtual-appliances

Asked 10 months ago, viewed 299 times
2 answers
0

You can; however, you can only use an NLB, because DNS works mainly over UDP and an ALB doesn't support this.

Also, the ALB doesn't preserve the client IP at layer 3 like an NLB does. It can only add it to the X-Forwarded-For header for HTTP requests.

Cisco Umbrella uses native UDP DNS queries and therefore needs to see the original client's IP, using an NLB.

Expert
Answered 10 months ago
-1
Accepted answer

Hello 7230822,

If I understand the question... you're interested in using the appropriate native AWS Elastic Load Balancer? The support document at that URL actually specifies the prerequisites needed for load balancing Cisco Umbrella virtual appliances (VAs). A load-balanced deployment is feasible as long as the load balancer meets the following requirements:

  1. The source IP address of the client making the query must be preserved when passing the query to the virtual appliance.
  2. The DNS response from the virtual appliance must route through the load balancer so that the response to the client appears to come from the address of the load balancer.

These requirements can be met by AWS ELBs, but more detail would be helpful. The AWS Application Load Balancer and Network Load Balancer can both preserve the source IP address.

If you're using the AWS Application Load Balancer (ALB):

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html

or

if you choose the AWS Network Load Balancer (NLB):

https://aws.amazon.com/about-aws/whats-new/2013/07/30/elastic-load-balancing-now-supports-proxy-protocol/

https://aws.amazon.com/blogs/aws/elastic-load-balancing-adds-support-for-proxy-protocol/

I've included some Cisco- and AWS-specific documentation below that may be of use. There's a Cisco Validated Design (CVD) for this kind of implementation. It includes the CVD for an AWS deployment.

  1. Cisco Secure Cloud Architecture for AWS https://blogs.cisco.com/security/cisco-secure-cloud-architecture-for-aws

  2. Deploy VAs in Amazon Web Services https://docs.umbrella.com/deployment-umbrella/docs/deploy-vas-in-amazon-web-services

  3. Secure Cloud for AWS (IaaS) https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/scloud-aws-design-guide.pdf

Hopefully, the additional documentation will help.

Cisco UVA with AWS

AWS
Answered 10 months ago
Expert
Reviewed 10 months ago
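A practical way to verify requirement 2 from the support article once the load balancer is in place is to send a real UDP DNS query to the load balancer address and confirm that the reply comes back from that same address (rather than directly from a VA, which would indicate the return path bypasses the load balancer). The following is an added example written for this page, not code from Cisco, AWS, or either answerer. It assumes an NLB with a UDP listener on port 53 in front of the VAs; the load balancer IP, the query name, and the embedded sample reply are constructed test data, not values from the page. Requirement 1 (the client source IP being preserved toward the VA) must be checked on the VA side, for example in the VA's DNS logs or with a packet capture, and is out of scope here.

```python
"""Smoke test for a UDP DNS load balancer fronting Umbrella virtual appliances.

Sends a minimal DNS A query (RFC 1035 wire format) to the load balancer over
UDP and checks that the reply (a) matches the transaction ID we sent and
(b) arrives from the address we queried, which is what requirement 2 of the
Umbrella load-balancing article demands.
"""
import secrets
import socket
import struct
from typing import Optional, Tuple


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a DNS query packet: 12-byte header + QNAME + QTYPE + QCLASS(IN)."""
    txid = secrets.randbits(16) if txid is None else txid
    # flags 0x0100 = standard query with Recursion Desired set
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += length + 1


def parse_response(data: bytes) -> dict:
    """Extract transaction ID, RCODE and any A-record answers from a DNS reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):              # skip the echoed question section
        off = _skip_name(data, off) + 4   # +4 for QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:     # A record
            answers.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def check_reply(sent_to: str, received_from: str, txid: int, data: bytes) -> Tuple[bool, str]:
    """Apply the load-balancer requirement: reply must come from the queried address."""
    if len(data) < 12:
        return False, "reply too short to be a DNS message"
    parsed = parse_response(data)
    if parsed["txid"] != txid:
        return False, "transaction ID mismatch (%04x != %04x)" % (parsed["txid"], txid)
    if received_from != sent_to:
        # A reply from a VA's own IP means the VA answered the client directly,
        # so the return path does not go through the load balancer.
        return False, "reply came from %s, not from the load balancer %s" % (received_from, sent_to)
    return True, "ok: rcode=%d answers=%s" % (parsed["rcode"], parsed["answers"])


def query_via_lb(lb_ip: str, name: str, timeout: float = 3.0) -> Tuple[bool, str]:
    """Live check: send one UDP query to the load balancer and validate the reply."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid=txid), (lb_ip, 53))
        try:
            data, (src_ip, _src_port) = sock.recvfrom(4096)
        except socket.timeout:
            return False, "no reply from %s within %.1fs" % (lb_ip, timeout)
    return check_reply(lb_ip, src_ip, txid, data)


# Constructed sample reply (not captured from a real VA): txid 0x1234, flags 0x8180
# (response, RD, RA, NOERROR), one question for example.com/A, one answer
# pointing at the question name (0xc00c) with A = 192.0.2.10, TTL 3600.
SAMPLE_RESPONSE = (
    bytes.fromhex("1234 8180 0001 0001 0000 0000".replace(" ", ""))
    + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
    + b"\xc0\x0c" + b"\x00\x01\x00\x01" + b"\x00\x00\x0e\x10" + b"\x00\x04" + b"\xc0\x00\x02\x0a"
)

if __name__ == "__main__":
    # Offline demonstration using the constructed reply; LB address is hypothetical.
    print(check_reply("10.0.0.10", "10.0.0.10", 0x1234, SAMPLE_RESPONSE))
    print(check_reply("10.0.0.10", "10.0.1.5", 0x1234, SAMPLE_RESPONSE))
    # Live check against a real NLB (uncomment and set the address):
    # print(query_via_lb("10.0.0.10", "example.com"))
```

Run the live check from a client subnet that the VAs are meant to serve; if the reply's source differs from the NLB address, the VAs are answering clients directly (for example because the target group is not the VA's default route back to the client) and requirement 2 is not met.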
