Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ASG Module - Automatically select a Panorama template based on Availability Zone #72

Closed
mattdc10 opened this issue Aug 14, 2024 · 2 comments
Closed

ASG Module - Automatically select a Panorama template based on Availability Zone #72

mattdc10 opened this issue Aug 14, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@mattdc10
Copy link

mattdc10 commented Aug 14, 2024
edited
Loading

Is your feature request related to a problem?

The bootstrap data / userdata is the same no matter which AZ the ASG deploys VM-Series into, meaning that the Panorama template assignment also stays the same. Therefore, manually changing the template assignment is required after the firewall is deployed, which effectively breaks autoscaling.

Describe the solution you'd like

firewalls deployed into region-1a should ask for panorama template region-1a, and so on

Describe alternatives you've considered.

Manually reassign the template in Panorama after deployment
Modify the Lambda function to change the template after startup
Deploy the VM-series with only 1 interface and use an AWS IGW / NATGW (not sure this is even possible)

Additional context

According to the documentation, the public interface should be set to "Automatically create default route pointing to default gateway provided by server" and the GWLB interfaces should have static routes with a variable used for the Default Gateway address. (https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/guides/aws-transit-gateway-deployment-guide page 80)

Thanks!
@mattdc10 mattdc10 added the enhancement New feature or request label Aug 14, 2024
@sebastianczech
Copy link
Contributor

hi @mattdc10 , in all autoscale examples available in this repository, we used different approach with 1 template, in which we configured multiple static routes with path monitoring .

Please take a look e.g. on README for https://github.com/PaloAltoNetworks/terraform-aws-swfw-modules/tree/main/examples/combined_design_autoscale example, especially on chapter Details - static routes with path monitoring, where you find why and what to do to make it working.

Moreover you can also find here https://github.com/PaloAltoNetworks/terraform-aws-swfw-modules/blob/main/examples/combined_design_autoscale/template-asg-path-monitoring.xml example of template with path monitoring configured.

Using that approach we can avoid creating multiple templates per AZ. Is that approach applicable in your environment ?

@mattdc10
Copy link
Author

Hey, thank you for the reply! Yes, this should work. Not sure how i missed it while reading these documents 500 times :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sebastianczech @mattdc10