Management Interface Mapping for Use with Amazon ELB
By default, the elastic network interface (ENI) eth0
maps to the MGT interface on the firewall and ENI eth1 maps to ethernet
1/1 on the firewall. Because the ELB can send traffic only to the
primary interface of the next hop load-balanced EC2 instance, the
VM-Series firewall must be able to use the primary interface for
The firewall can receive dataplane traffic on the primary interface
in the following scenarios where the VM-Series firewall is behind
the Amazon ELB (for a topology diagram, see VM-Series
The VM-Series firewall is securing traffic outbound
directly to the internet without the need for a VPN link or
a Direct Connect link back to the corporate network.
The VM-Series firewall secures an internet-facing application
when there is exactly one back-end server, such as a web server,
for each firewall. The VM-Series firewalls and web servers can scale
linearly, in pairs, behind ELB.
At present, for use
cases that require an ELB sandwich-type deployment to scale out
firewalls and application layer EC2 instances, swapping the management
interface will not allow you to seamlessly deploy the ELB solution.
The ability to swap the management interface only partially solves
the integration with ELB.
To allow the firewall to send and receive dataplane traffic on
eth0 instead of eth1, you must swap the mapping of the ENIs within
the firewall such that ENI eth0 maps to ethernet 1/1 and ENI eth1 maps
to the MGT interface on the firewall as shown below.
Swapping how the interfaces are mapped allows ELB to distribute
and route traffic to healthy instances of the VM-Series firewall
located in the same or different Availability Zones on AWS for increased
capacity and fault tolerance.
To swap the interfaces, you have the following options:
—When you launch the firewall, you can
either enter the
Use one method consistently to specify the interface swap setting—in
the bootstrap configuration, from the CLI on the firewall, or using
the Amazon EC2
field on the AWS
console—to prevent unpredictable behavior on the firewall.
Ensure that you have access to the AWS console (management console
or CLI) to view the IP address of the eth1 interface. Also, verify
that the AWS Security Group rules allow connections (HTTPS and SSH)
to the new management interface.
Swap the management interface before you configure the firewall
or define policy rules. If you have already configured the VM-Series
firewall, check whether any IP address changes for eth0 and eth1
impact policy rules.
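The two checks above (find the eth1 address that becomes the management address after the swap, and confirm the Security Group rules admit HTTPS and SSH to it) can be scripted. The following is an added example, not code from Palo Alto Networks documentation or the VM-Series product. It parses documents in the shape returned by `aws ec2 describe-instances` and `aws ec2 describe-security-groups` (the field names used are those of the real AWS CLI output; the instance, ENI and security-group IDs, addresses and CIDRs in the sample documents are constructed for illustration), reports which ENI and private IP will be the MGT interface before and after the swap, and tells you whether ports 443 and 22 are reachable from a given administrator address.

```python
"""Pre-flight check before swapping the VM-Series management interface.

Added example. Feed it the JSON from `aws ec2 describe-instances` (one
Instance object) and `aws ec2 describe-security-groups`; the sample
documents at the bottom are constructed, not captured from a real account.
"""
import ipaddress

# ENI device index 0 is eth0 (the primary interface), index 1 is eth1.
ROLES_DEFAULT = {0: "MGT", 1: "ethernet1/1"}   # as shipped
ROLES_SWAPPED = {0: "ethernet1/1", 1: "MGT"}   # after the interface swap


def eni_roles(instance, swapped):
    """Map device index -> (firewall role, ENI id, private IP, [SG ids])."""
    roles = ROLES_SWAPPED if swapped else ROLES_DEFAULT
    out = {}
    for eni in instance["NetworkInterfaces"]:
        idx = eni["Attachment"]["DeviceIndex"]
        if idx in roles:
            out[idx] = (roles[idx], eni["NetworkInterfaceId"],
                        eni["PrivateIpAddress"],
                        [g["GroupId"] for g in eni["Groups"]])
    return out


def rule_allows(perm, port, src):
    """True if one IpPermissions entry admits TCP `port` from address `src`."""
    proto = perm["IpProtocol"]
    if proto not in ("tcp", "-1"):            # "-1" means all traffic
        return False
    if proto == "tcp" and not (perm["FromPort"] <= port <= perm["ToPort"]):
        return False
    src_ip = ipaddress.ip_address(src)
    return any(src_ip in ipaddress.ip_network(r["CidrIp"])
               for r in perm.get("IpRanges", []))


def mgt_reachable(instance, security_groups, admin_src, swapped=True):
    """Report the MGT ENI/IP and whether HTTPS and SSH reach it from admin_src."""
    roles = eni_roles(instance, swapped)
    mgt_idx = next(i for i, r in roles.items() if r[0] == "MGT")
    _, eni_id, ip, sg_ids = roles[mgt_idx]
    perms = [p for sg in security_groups if sg["GroupId"] in sg_ids
             for p in sg["IpPermissions"]]
    result = {"eni": eni_id, "mgt_ip": ip}
    for name, port in (("https", 443), ("ssh", 22)):
        result[name] = any(rule_allows(p, port, admin_src) for p in perms)
    return result


# Constructed sample: eth0 carries the management SG, eth1 only a web SG.
INSTANCE = {
    "InstanceId": "i-0example000000001",
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0example0000mgmt",
         "Attachment": {"DeviceIndex": 0},
         "PrivateIpAddress": "10.0.1.10",
         "Groups": [{"GroupId": "sg-0example0000mgmt"}]},
        {"NetworkInterfaceId": "eni-0example0000data",
         "Attachment": {"DeviceIndex": 1},
         "PrivateIpAddress": "10.0.2.20",
         "Groups": [{"GroupId": "sg-0example0000data"}]},
    ],
}
SECURITY_GROUPS = [
    {"GroupId": "sg-0example0000mgmt", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0example0000data", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for swapped in (False, True):
        print("swapped" if swapped else "default",
              mgt_reachable(INSTANCE, SECURITY_GROUPS, "10.1.1.5", swapped))
```

On the constructed data the default mapping reports the eth0 address with both ports open, while the swapped mapping reports the eth1 address (10.0.2.20) with neither HTTPS nor SSH admitted: that is the case the prerequisites warn about, and the data-side Security Group would need management rules added (or the management SG attached to eth1) before the swap is applied.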