
Can I use Barracuda NextGen Firewall via an AWS Network Load Balancer (internet-facing)?


4 replies to this topic

#1 watanabe ryohei

watanabe ryohei
  • Members
  • 3 posts

Posted 19 October 2018 - 06:44 AM

Hello,

 

I want to use Barracuda NextGen Firewall via an AWS Network Load Balancer (NLB) (internet-facing),

but this site says I can only use a Classic Load Balancer:

 

https://campus.barra...rewalls-in-aws/

 

So can I use a Network Load Balancer instead of a Classic Load Balancer?

Please tell me if you have any information.

 

Best Regards,

Ryohei



#2 Michael Zoller

Michael Zoller
  • Barracuda Team Members
  • 188 posts

Posted 19 October 2018 - 06:50 AM

Sure, you can use a network load balancer in front of a CGF in AWS - but there is no real use for it unless you are deploying an autoscaling cluster. The NLB has one public IP address per AZ - which you can have just as easily by directly attaching an EIP to the CGF and then configuring a Route53 record with a health check to always use the active firewall.

 

If you are deploying an HA cluster you can use this template which does EIP shifting instead: https://github.com/barracudanetworks/ngf-aws-templates/tree/master/HA%20Cluster



#3 watanabe ryohei

watanabe ryohei
  • Members
  • 3 posts

Posted 21 October 2018 - 11:55 PM

Hi Michael.

 

Thank you for your reply!

I will try your solution to use Network Load Balancer.

 

By the way, can I use an AWS Application Load Balancer for the same situation?

Maybe I cannot use ALB because ALB supports only the HTTP/HTTPS protocols.

I think Barracuda NextGen Firewall wants to use TCP:691 protocol for health check.

 

Best Regards,

Ryohei



#4 Michael Zoller

Michael Zoller
  • Barracuda Team Members
  • 188 posts

Posted 22 October 2018 - 04:29 AM   Best Answer

I would recommend to not use any kind of load balancer in front of the NG and to use EIP shifting instead. That will allow you to use a single IP address which will always be connected to the active CGF in the HA cluster. The EIP will automatically be shifted when the other firewall takes over.

 

Using ALB does not make any sense, as this LB works on the application level. If you need an ALB, and you only have HTTP/HTTPS traffic, maybe using a Barracuda CloudGen Web Application Firewall instead of the CloudGen Firewall would make more sense.

https://github.com/barracudanetworks/ngf-aws-templates/tree/master/HA%20Cluster
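
Added example (not part of the thread and not code from the Barracuda template): the EIP shifting idea from the answer above, shown as the decision to re-point one Elastic IP at the active firewall's network interface and the boto3 `associate_address` call that applies it. The allocation ID, interface IDs and sample `describe_addresses` data are constructed, and how the cluster decides which firewall is active is assumed to happen elsewhere.

```python
# Illustration only: constructed IDs, not values from any real deployment.
EIP = "eipalloc-0123456789abcdef0"
ENI_A = "eni-0aaaaaaaaaaaaaaaa"   # firewall A (currently holds the EIP)
ENI_B = "eni-0bbbbbbbbbbbbbbbb"   # firewall B (HA partner)

# Constructed sample shaped like ec2.describe_addresses()["Addresses"].
SAMPLE_ADDRESSES = [
    {"AllocationId": EIP, "PublicIp": "203.0.113.10",
     "NetworkInterfaceId": ENI_A, "AssociationId": "eipassoc-0example"},
]


def plan_eip_shift(addresses, allocation_id, active_eni):
    """Return kwargs for ec2.associate_address, or None if no shift is needed."""
    match = [a for a in addresses if a.get("AllocationId") == allocation_id]
    if len(match) != 1:
        raise LookupError(
            f"expected exactly one EIP {allocation_id}, found {len(match)}")
    if match[0].get("NetworkInterfaceId") == active_eni:
        return None  # the EIP already points at the active firewall
    return {
        "AllocationId": allocation_id,
        "NetworkInterfaceId": active_eni,
        # Explicitly permit moving an EIP that is still associated with
        # the other firewall's interface.
        "AllowReassociation": True,
    }


def shift_eip(ec2, allocation_id, active_eni):
    """Apply the plan with a boto3 EC2 client; True if the EIP was moved."""
    resp = ec2.describe_addresses(AllocationIds=[allocation_id])
    plan = plan_eip_shift(resp["Addresses"], allocation_id, active_eni)
    if plan is None:
        return False
    ec2.associate_address(**plan)
    return True


if __name__ == "__main__":
    # Firewall B has taken over: the EIP must move from ENI_A to ENI_B.
    print(plan_eip_shift(SAMPLE_ADDRESSES, EIP, ENI_B))
    # Firewall A is still active: nothing to do.
    print(plan_eip_shift(SAMPLE_ADDRESSES, EIP, ENI_A))
```

The role that runs `shift_eip` needs only `ec2:DescribeAddresses` and `ec2:AssociateAddress`, which keeps the failover path's permissions narrow.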



#5 watanabe ryohei

watanabe ryohei
  • Members
  • 3 posts

Posted 28 October 2018 - 10:23 PM

Hi Michael.

 

Thank you for your answer!!

I'll try to set up EIP shifting for Barracuda NextGen Firewall

 

Best Regards,

Ryohei