Management Interface Mapping for Use with Amazon ELB

By default, the elastic network interface (ENI) eth0 maps to the MGT interface on the firewall and ENI eth1 maps to ethernet 1/1 on the firewall. Because the ELB can send traffic only to the primary interface of the next hop load-balanced EC2 instance, the VM-Series firewall must be able to use the primary interface for dataplane traffic.
The firewall can receive dataplane traffic on the primary interface in the following scenarios where the VM-Series firewall is behind the Amazon ELB Service (for a topology diagram, see Auto Scale VM-Series Firewalls with the Amazon ELB Service):
  • The VM-Series firewalls secure traffic outbound directly to the internet, without a VPN link or a Direct Connect link back to the corporate network.
  • The VM-Series firewall secures an internet-facing application when there is exactly one back-end server, such as a web server, for each firewall. The VM-Series firewalls and web servers can scale linearly, in pairs, behind ELB.
    At present, for use cases that require an ELB sandwich-type deployment to scale out firewalls and application layer EC2 instances, swapping the management interface will not allow you to seamlessly deploy the ELB solution. The ability to swap the management interface only partially solves the integration with ELB.
To allow the firewall to send and receive dataplane traffic on eth0 instead of eth1, you must swap the mapping of the ENIs within the firewall such that ENI eth0 maps to ethernet 1/1 and ENI eth1 maps to the MGT interface on the firewall as shown below.
[Figure AWS_ec2_mgt_swap.png: after the swap, ENI eth0 maps to ethernet 1/1 and ENI eth1 maps to the MGT interface]
Swapping how the interfaces are mapped allows ELB to distribute and route traffic to healthy instances of the VM-Series firewall located in the same or different Availability Zones on AWS for increased capacity and fault tolerance.
The interface swap is only required when the VM-Series firewall is behind the Amazon ELB Service. If your requirement is to deploy the VM-Series firewalls in a traditional high availability setup, you don’t need to configure the interface swap described in this section. Continue to High Availability for VM-Series Firewall on AWS.
To swap the interfaces, you have the following options:
  • At launch—When you launch the firewall, you can either enter mgmt-interface-swap=enable in the User data field on the AWS management console or CLI (see Launch the VM-Series Firewall on AWS), or you can include the mgmt-interface-swap operational command in the bootstrap configuration.
  • After launch—After you launch the firewall, use the firewall CLI to swap the management interface by running the set system setting mgmt-interface-swap enable yes operational command (see Use the VM-Series Firewall CLI to Swap the Management Interface).
    • Pick one method to consistently specify the interface swap setting—in the bootstrap configuration, from the CLI on the firewall, or using the Amazon EC2 User data field on the AWS console—to prevent unpredictable behavior on the firewall.
    • Ensure that you have access to the AWS console (management console or CLI) to view the IP address of the eth1 interface. Also, verify that the AWS Security Group rules allow connections (HTTPS and SSH) to the new management interface.
    • Swap the management interface before you configure the firewall or define policy rules. If you have already configured the VM-Series firewall, check whether any IP address changes for eth0 and eth1 impact policy rules.
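The following Python module is an added example written for this page; it is not Palo Alto Networks code and not part of the product. It models the ENI-to-firewall interface mapping described above (eth0/MGT and eth1/ethernet 1/1 by default, reversed after the swap) and performs the two checks the notes above call for before the swap: that the swap setting comes from exactly one source (User data, bootstrap configuration, or the CLI), and that the security groups attached to the new management ENI (eth1) admit HTTPS and SSH. The instance and security-group records are constructed to mirror the shape of EC2 describe-instances and describe-security-groups output; the IDs and addresses are made up, and the bootstrap check only looks for a value containing mgmt-interface-swap rather than assuming a specific key name.

```python
"""Pre-swap checks for the VM-Series management-interface swap on AWS.

Added example, not vendor code. Sample records below are constructed to
mirror the EC2 API shape; they are not real AWS data.
"""

# Firewall interface reached through each ENI, keyed by ENI device index
# (eth0 = index 0, eth1 = index 1).
DEFAULT_MAPPING = {0: "MGT", 1: "ethernet1/1"}
SWAPPED_MAPPING = {0: "ethernet1/1", 1: "MGT"}


def interface_mapping(swap_enabled: bool) -> dict:
    """Return {device_index: firewall_interface} for the chosen mode."""
    return dict(SWAPPED_MAPPING if swap_enabled else DEFAULT_MAPPING)


def management_eni(instance: dict, swap_enabled: bool) -> dict:
    """Return the ENI record that carries the firewall MGT interface.

    With the swap enabled this is eth1, so its address is the one you
    must reach over HTTPS/SSH once the firewall comes up.
    """
    mapping = interface_mapping(swap_enabled)
    mgt_index = next(i for i, name in mapping.items() if name == "MGT")
    for eni in instance["NetworkInterfaces"]:
        if eni["Attachment"]["DeviceIndex"] == mgt_index:
            return eni
    raise ValueError(f"instance has no ENI at device index {mgt_index}")


def swap_setting_sources(user_data: str, init_cfg: str, cli_set: bool) -> list:
    """List every place the swap is specified; more than one is a misconfig.

    user_data: EC2 User data text; init_cfg: bootstrap key=value text;
    cli_set: whether 'set system setting mgmt-interface-swap enable yes'
    was also run on the firewall.
    """
    sources = []
    if "mgmt-interface-swap=enable" in user_data.replace(" ", ""):
        sources.append("user-data")
    for line in init_cfg.splitlines():
        _key, _, value = line.partition("=")
        if "mgmt-interface-swap" in value:  # key name intentionally not assumed
            sources.append("bootstrap")
            break
    if cli_set:
        sources.append("cli")
    return sources


def _rule_covers(rule: dict, port: int) -> bool:
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols / all ports
        return True
    return proto == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]


def management_port_gaps(rules: list, ports=(22, 443)) -> list:
    """Return the management ports that no inbound rule admits."""
    return [p for p in ports if not any(_rule_covers(r, p) for r in rules)]


# Constructed sample records (EC2 API shape, made-up values).
INSTANCE = {
    "InstanceId": "i-0exampleplaceholder",
    "NetworkInterfaces": [
        {"Attachment": {"DeviceIndex": 0}, "PrivateIpAddress": "10.0.1.10",
         "Groups": [{"GroupId": "sg-data-placeholder"}]},
        {"Attachment": {"DeviceIndex": 1}, "PrivateIpAddress": "10.0.2.10",
         "Groups": [{"GroupId": "sg-mgmt-placeholder"}]},
    ],
}
SECURITY_GROUPS = {
    "sg-mgmt-placeholder": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},  # HTTPS only, SSH missing
    ]},
    "sg-data-placeholder": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
}


def preflight(instance, groups, swap_enabled, user_data, init_cfg, cli_set) -> dict:
    """Run the pre-swap checks and return the findings."""
    eni = management_eni(instance, swap_enabled)
    # Security groups on one ENI are unioned, so pool all their rules.
    rules = [r for g in eni["Groups"] for r in groups[g["GroupId"]]["IpPermissions"]]
    return {
        "management_ip": eni["PrivateIpAddress"],
        "missing_ports": management_port_gaps(rules),
        "swap_sources": swap_setting_sources(user_data, init_cfg, cli_set),
    }


if __name__ == "__main__":
    print(preflight(INSTANCE, SECURITY_GROUPS, True,
                    "mgmt-interface-swap=enable", "", False))
```

Run against the constructed sample, the check reports that after the swap the management address is the eth1 address, that the attached security group admits HTTPS but not SSH, and that the swap is specified from a single source (User data), which is the state the notes above ask you to confirm before committing any policy.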
