So that the VM-Series firewalls deployed using the firewall-v2.0.template can detect the network load balancers to which you want incoming traffic automatically distributed, and send traffic to them, the firewall template includes a lambda function that monitors a Simple Queue Service (SQS) queue for messages. A message lets the lambda function learn about a new network load balancer and then automatically create a NAT policy rule on the firewall that sends traffic to the IP address of that network load balancer. In order to route traffic properly within the AWS infrastructure, the message must also include basic information about the DNS name, the VPC ID, and the AZ to which the network load balancer belongs.
If you are building your own application template, you must set it up to post two types of messages to the SQS URL that the firewall template in the VM-Series autoscaling template version 2.0 uses to learn about the network load balancers to which it must distribute traffic in your environment:
ADD-NLB message, which informs the firewalls that a new network load balancer is available.
DEL-NLB message, which informs the firewalls that a network load balancer has been terminated and is no longer available.
The following examples of each message type include sample values. You need to modify these messages with values that match your deployment.
msg_add_nlb = {
    'MSG-TYPE': 'ADD-NLB',
    'AVAIL-ZONES': [
        {'NLB-IP': '192.168.2.101', 'ZONE-NAME': 'us-east-2a', 'SUBNET-ID': 'subnet-2a566243'},
        {'NLB-IP': '192.168.12.101', 'ZONE-NAME': 'us-east-2b', 'SUBNET-ID': 'subnet-2a566243'},
    ],
    'DNS-NAME': 'publicelb1-2119989486.us-east-2.elb.amazonaws.com',
    'VPC-ID': 'vpc-42ba9f2b',
    'NLB-NAME': 'publicelb1',
}
msg_del_nlb = {
    'MSG-TYPE': 'DEL-NLB',
    'DNS-NAME': 'publicelb1-2119989486.us-east-2.elb.amazonaws.com',
}
Refer to the AWS documentation for details on how to send a message to an Amazon SQS queue, or review describe_nlb_dns.py in the sample application template package to see how the application template constructs the messages.