SQS Messaging Between the Application Template and Firewall Template (v2.1)

Post a message to the SQS URL to enable the lambda function in the firewall template to detect added or deleted network load balancers or application load balancers.
VM-Series firewalls deployed using one of the firewall templates can detect and send traffic to the load balancers to which you want to automatically distribute incoming traffic. To accomplish this, the firewall template includes a lambda function that monitors a Simple Queue Service for messages. The message allows the lambda function to learn about a new load balancer and then automatically create a NAT policy rule on the firewall to send traffic to the load balancer’s IP. To route traffic properly within the AWS infrastructure, the message must also include basic information on the DNS, VPC ID, and the AZ to which the load balancer belongs.
If you are building your own application template, you must set up your application template to post ADD and DEL messages to the SQS URL that the firewall template uses to learn about load balancers to which it must distribute traffic in your environment:
  • ADD-NLB message that informs the firewalls when a new network load balancer is available.
  • DEL-NLB message that informs the firewalls when a network load balancer has been terminated and is no longer available.
  • ADD-ALB message that informs the firewalls when a new application load balancer is available.
  • DEL-ALB message that informs the firewalls when a application load balancer has been terminated and is no longer available.
The following examples of each message type include sample values. You must modify these messages with values that match your deployment.
ADD-NLB Message
msg_add_nlb= {
       "MSG-TYPE": "ADD-NLB",
       "AVAIL-ZONES": [
       {
           "NLB-IP":"192.168.2.101", 
           "ZONE-NAME":"us-east-2a",
           "SUBNET-ID": "subnet-2a566243"
       },
       {
           "NLB-IP":"192.168.12.101",
           "ZONE-NAME":"us-east-2b",
           "SUBNET-ID": "subnet-2a566243 "
       }
       ],
            "DNS-NAME": "publicelb1-2119989486.us-east-2.elb.amazonaws.com",
           "VPC-ID": "vpc-42ba9f2b",
           "NLB-NAME": "publicelb1" 
}
DEL-NLB Message
msg_del_nlb= {
 "MSG-TYPE": "DEL-NLB",
 "DNS-NAME": "publicelb1-2119989486.us-east-2.elb.amazonaws.com", 
}
ADD-ALB
{   "AVAIL-ZONES": [
       {
           "SUBNET-CIDR": "172.32.0.0/24",
           "SUBNET-ID": "subnet-0953a3a8e2a8208a9",
           "ZONE-NAME": "us-east-2a"
       },
       {
           "SUBNET-CIDR": "172.32.2.0/24",
           "SUBNET-ID": "subnet-0a9602e4fb0d88baa",
           "ZONE-NAME": "us-east-2c"
       },
       {
           "SUBNET-CIDR": "172.32.1.0/24",
           "SUBNET-ID": "subnet-0b31ed16f308b3c4d",
           "ZONE-NAME": "us-east-2b"
       }
   ],
   "VPC-PEERCONN-ID": "pcx-0538bb05dbe2e1b8e",
   "VPC-CIDR": "172.32.0.0/16",
   "ALB-NAME": "appILB-908-0",
   "ALB-ARN":"arn:aws:elasticloadbalancing:us-east-2:018147215560:loadbalancer/app/appILB-908-0/1997ed20eeb5bcef",
   "VPC-ID": "vpc-0d9234597da6d9147",
   "MSG-TYPE": "ADD-ALB",
   "DNS-NAME": "internal-appILB-908-0-484644265.us-east-2.elb.amazonaws.com"
}
DEL-ALB Message
{
   "MSG-TYPE": "DEL-ALB",
   "DNS-NAME": "internal-appILB-908-0-484644265.us-east-2.elb.amazonaws.com"
}
Refer to the AWS documentation for details on how to send a message to an Amazon SQS Queue.

Related Documentation