
Deploying NSv in AWS - Elastic IPs

Hi - I've successfully deployed NSv in AWS. I can ping local LAN EC2 instances within the VPC from the SonicWall. In following the guides, the routing is such that all inbound and outbound traffic is supposed to flow through the NSv. If I need to access an EC2 instance from the outside (such as a web server with its own public IP), how should this be implemented? Does the EC2 still get the elastic IP assigned to it somehow? Maybe the WAN interface of the NSv should have multiple elastic IPs assigned to it? This scenario is not explained in any of the documentation I can find.

Normally, in my physical NSAs, I'd have all internal VMs or physical servers with only LAN IPs, then configure my public IPs as address objects in the firewall, and configure NAT and access rules to get the traffic to the right place.

Finally, although it's small, according to AWS documentation, there is a small hourly charge to have multiple elastic IPs assigned to the same interface - in case the WAN interface of the NSv has to have multiple IPs assigned to it.

Thoughts? Thank you.

Category: Virtual Firewall
Answers

  • Hi @R1CHR,

    Thank you for visiting SonicWall Community.

    You can specify Allocation ID of an existing Elastic IP address. This EIP can connect to the WAN interface of the NSv. If this field is left blank, the system allocates a new EIP.

    Please refer to pages 25, 26, 29 and 30 of the web link below. These pages contain some detailed information about EIP.

    Hope this helps. Let us know if you have any further questions.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • R1chR Newbie ✭

    Hi Saravanan,

    Unfortunately that does not answer the question. I already had an elastic IP address associated with the X1 (eth0) interface. I stated that I was able to deploy the NSv, and also ping existing LAN IPs from the NSv.

    What I don't know how to do is configure additional EC2 instances to have public services, such as a web server, if they are "behind" the NSv. Do I attach the elastic public IPs to the EC2 instance, and do something with the firewall rules to pass that traffic through? Do I try to associate more than one elastic IP with the NSv WAN interface (which I already tried, and failed)?

    In other words, if I have multiple EC2 instances behind the NSv, and they each need a public IP, how do I configure that?

    Thanks

  • BWC Cybersecurity Overlord ✭✭✭
    edited December 2020
    Disclaimer: I'm doing this with a non-SonicWall solution on AWS, but the principle is the same. Running a gateway with just two interfaces.

    Hi @R1chR

    Your NSv instance has to have two interfaces at least, one internal and one external. EIP is bound to the external (X1). On the internal side I have some form of a transfer network; all additional networks need to be routed over x.x.x.1 of that network. You can do your usual NAT on the Firewall.

    In your VPC configuration you need a routing policy for your internal traffic to the interface ID of the X0 interface object. This has to be assigned to each internal subnet. All routing behind the Firewall is handled by VPC. Make sure you have set your Security Groups accordingly.

    On your firewall instance make sure to disable Source/Destination check in the network settings.

    That's all I can think of; AWS/VPC needs a little bit of understanding.

    Your mileage will vary if you're deploying a larger instance with more network interfaces.

    --Michael@BWC

  • R1chR Newbie ✭

    MASTERROSHI's post contains the answer - thank you very much.

    Summary and slightly more thorough explanation for the solution: In AWS, NAT for elastic public IPs is done outside the internet gateway. So it's essentially on the edge of the VPC. Remember, when you created two subnets, WAN and LAN, they are both within your VPC. Assuming you get the NSv set up correctly initially (following the Getting Started Guide), your routing will have ALL the traffic going into your VPC through the NSv, and all outbound traffic also going through the NSv. Just follow the normal directions.

    After initial installation, your NSv has an elastic IP associated with the WAN interface private IP. To add additional elastic IPs, in the AWS console, go to "Network Interfaces," choose your WAN interface -> Manage IP Addresses, assign new IP. Add an additional IP from your WAN subnet (either be specific, or let AWS choose); personally, I prefer to choose an unused address. Then, go to Elastic IPs -> Allocate new address (or associate one you already have), and associate it with the WAN IP address you just created on the WAN interface in AWS.

    Essentially, your listing in the NSv Network Interfaces for X1 will list the "primary" WAN subnet IP, NOT the elastic IP. Elastic IPs will not be listed anywhere in the NSv because the NAT is done before the AWS Internet gateway. This is where I got stuck. Once you're done adding the elastic IP/WAN IP pairs, you'll need to create your firewall rules and NAT rules to the appropriate "inside" EC2 instance (its private IP), but only using the new WAN IP on the NSv.

    Note: when you look at the NSv Network interfaces, leave X1 as DHCP - AWS has it reserved when you created the instance.

    Shout out to Cameron!
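The procedure from the last two answers, as an added example that is not part of the thread: the AWS CLI equivalent of the console steps (source/destination check off on both NSv interfaces, LAN default route to the X0 ENI, then one secondary private IP on X1 with an EIP bound to it per published host). The ENI and route-table ids and the addresses are placeholders; the NSv access and NAT rules themselves are still created in the NSv UI, using the secondary WAN IP, not the EIP.

```shell
#!/bin/sh
# Added example (not from the thread). All ids and addresses are placeholders.
set -eu

WAN_ENI="${WAN_ENI:-eni-0wan0PLACEHOLDER}"   # NSv X1 (WAN) network interface
LAN_ENI="${LAN_ENI:-eni-0lan0PLACEHOLDER}"   # NSv X0 (LAN) network interface
LAN_RTB="${LAN_RTB:-rtb-0lan0PLACEHOLDER}"   # route table of the LAN subnet(s)
AWS="${AWS:-aws}"                            # override with a stub to dry-run

# One-time VPC plumbing: forwarded packets are dropped unless the
# source/destination check is off on the firewall's ENIs, and the LAN
# subnet(s) must send their default route to the X0 interface object.
vpc_plumbing() {
  for eni in "$WAN_ENI" "$LAN_ENI"; do
    "$AWS" ec2 modify-network-interface-attribute \
      --network-interface-id "$eni" --no-source-dest-check
  done
  "$AWS" ec2 create-route --route-table-id "$LAN_RTB" \
    --destination-cidr-block 0.0.0.0/0 --network-interface-id "$LAN_ENI"
}

# Per published host: add a secondary private IP to X1, allocate an EIP and
# bind it to that private IP. AWS translates EIP <-> private IP at the
# Internet gateway, so the NSv only ever sees $wan_ip. Prints one record
# "<allocation-id> <wan_ip> <lan_ip>" for the NSv access/NAT rules.
publish_host() {
  wan_ip="$1"   # unused address in the WAN subnet, e.g. 10.0.1.20 (constructed)
  lan_ip="$2"   # private IP of the EC2 instance behind the NSv (constructed)
  "$AWS" ec2 assign-private-ip-addresses --network-interface-id "$WAN_ENI" \
    --private-ip-addresses "$wan_ip" >/dev/null
  alloc=$("$AWS" ec2 allocate-address --domain vpc \
    --query AllocationId --output text)
  "$AWS" ec2 associate-address --allocation-id "$alloc" \
    --network-interface-id "$WAN_ENI" --private-ip-address "$wan_ip" >/dev/null
  # NSv side (manual): access rule + NAT policy from $wan_ip to $lan_ip.
  echo "$alloc $wan_ip $lan_ip"
}
```

Set `AWS=echo` (or a stub function) to preview the exact calls before running against a real account; the EIP shows up in the NSv nowhere, only the secondary WAN IP does.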
