Elastic Load Balancing (ELB) is an Amazon web service that helps you improve the availability and scalability of your applications by routing traffic across multiple Elastic Compute Cloud (EC2) instances. ELB detects unhealthy EC2 instances and reroutes traffic to healthy instances until the unhealthy instances are restored. ELB can send traffic only to the primary interface of the next-hop, load-balanced EC2 instance. Therefore, to use ELB with a VM-Series firewall in AWS, the firewall must be able to use the primary interface (eth0) for dataplane traffic instead of management traffic.
Beginning with PAN-OS 7.1, you can configure the firewall to receive dataplane traffic on the primary interface in scenarios where the VM-Series firewall is behind the Amazon ELB. Before PAN-OS 7.1, the VM-Series firewall could not integrate with ELB because ELB could forward traffic only to the primary (eth0) elastic network interface (ENI) of an EC2 instance. You now have the ability to enable the primary interface on the VM-Series firewall to function as a dataplane interface, instead of functioning as the management interface, so that ELB can forward traffic to the firewall.
You cannot configure the firewall to send and receive dataplane traffic on eth0 when the firewall is in front of ELB. The VM-Series firewall must be placed behind the Amazon ELB to leverage this capability.
If you want to deploy a load balancer sandwich topology, you must use the CFT, see Auto Scale VM-Series Firewalls with the Amazon ELB.
To learn about specific scenarios and about how to use management interface mapping changes for use with Amazon ELB, see VM-Series Firewall in AWS.
Use the AWS Management Console to Swap the Management Interface
Use these instructions when you are launching the firewall to perform a swap so that Elastic Network Interface (ENI) eth0 maps to ethernet1/1 and ENI eth1 maps to the MGT interface on the firewall.
Management Interface Swap on the VM-Series Firewall Using the AWS Management Console
On the EC2 Dashboard, click
Select the VM-Series Amazon Machine Image (AMI). To get the AMI, see Obtain the AMI.
EC2 instance type
for allocating the resources required for the firewall and click
Next. See EC2 instance types
for a list of supported types.
Select the Amazon Virtual Private Cloud (VPC) and the subnet to which the VM-Series management interface will attach.
Launch as an EBS-optimized instance
to leverage Amazon Elastic Block Store (EBS) benefits.
Expand the Network Interfaces section
to add another network interface.
Swapping interfaces requires a minimum of two ENIs (eth0 and eth1). Make sure that your VPC has more than one subnet so that you can add additional ENIs at launch.
If you launch the firewall with only one ENI, the interface swap command will cause the firewall to boot into maintenance mode.
Expand the Advanced Details section
to perform the interface swap during launch.
Accept the default
Add one or more tags to create your own metadata to identify the VM-Series firewall. For example, add a
tag with a
that helps you remember that the ENI interfaces have been swapped on this VM-Series firewall.
Select an existing
or create a new one. This security group is for restricting access to the management interface of the firewall. At a minimum, consider enabling HTTPS and SSH access for the management interface (eth1).
If prompted, select an appropriate
option for your setup.
Review and Launch
to ensure your selections are accurate and then click
Launch. Select an existing key pair or create a new one and acknowledge the key disclaimer.
Download and save the private key to a safe location; the file extension is .pem.
You cannot regenerate this key if lost.
View the progress of the installation on the EC2 Dashboard. It can take five minutes or longer to launch the VM-Series firewall. When the process is complete, the VM-Series firewall will display on the
page of the EC2 Dashboard.
Assign an EIP to eth1 and then use the EIP address to open an SSH session to the CLI of the VM-Series firewall and configure the administrative password.
Verify that the interfaces have been swapped. Use the following command to verify:
debug show vm-series interfaces all
Phoenix_interface Base-OS_port Base-OS_MAC PCI-ID Driver
mgt(interface-swap) eth0 0e:53:96:91:ef:29 0000:00:04.0 ixgbevf
Ethernet1/1 eth1 0e:4d:84:5f:7f:4d 0000:00:03.0 ixgbevf
If you want to swap the management interface on a VM-Series firewall that you have already deployed, use the VM-Series Firewall CLI.
Configure ELB Health Checks
ELB periodically checks the health of the EC2 instance using pings or by sending requests to test the availability of the firewall. On the Amazon EC2 console, configure the health check to use port 80 or 443 of the web server behind the firewall. This allows you to compute the health using the total path of the HTTP request and includes routing on the firewall, NAT, and availability of the web server itself. For instructions on configuring health checks, refer to the AWS documentation.