Hi all,
Long time lurker, first time poster :)
I'm hoping to get some help regarding Azure HA and Firewalls.
I'm deploying 2x firewalls (Palo Alto) in Azure. I understand that they won't be a pair but will be singles in an active/active availability set, sandwiched between two load balancer's (internal,external).
Here's where i'm lost..
- LB's; Just to confirm the LB's in Azure only really work in one direction? they aren't routers and there is a hidden system router using UDR's to route traffic? If seems that my deployed machines using DHCP set their default gateway to the first IP in the network. Is this the System router or the LB or both? If my machine wants to go outbound for internet traffic how does my machine going outbound know to use the LB because there is a configured pool or just to route out straight to a firewall IP or other device i have configured? is this the purpose of UDR routes ? to route traffic to the LB or to another IP or is all the traffic supposed to go in and out of the LB?
- Backend pools; The only option I have on the Loadbalacers seems to be create backend pools on LB to listen for single tcp or udp ports and send to the firewalls. Can I not have it LB all traffic to my firewalls? having to create a backed pool to listen on every service seems odd? (potentially hundreds?)
- When I do create a backpool it does seem to work to my internal server but only if I use NAT on the firewall. When the packet leaves the inside address of the firewall to the server I seem to have to NAT the source to the inside address of the firewall. This does make sense as now the return packet knows to send it back to the same firewall and not the internal LB but this means I have to create NAT statements for every packet in and out on both firewalls? This this correct?
- Hosting services; I have been told that only the External LB can have multiple Public IP address (not the FW's) however I can see this being an issue. Even if I have two public IP's on the External LB with pools going to my firewalls. lets say this traffic is to different RDP servers. When the traffic arrives at the firewall there is nothing unique about the traffic in order for me to NAT the packet to the correct server for each public IP. I understand SNAT but I've been told this isn't an option. Even if It was an option it will SNAT to the inside address of the EXT LB? if I do this the traffic still all looks the same from the firewall's point of view? how do I NAT each service?
Sorry if this isn't the correct place.
Thanks for your help in advance.
No comments:
Post a Comment