Best option HA Palo Alto AWS - VPN Site to Site - Full fail over no balancing
Hello, how are you doing, I hope you are well.
In your experience, those who are clear about it and those who are not, what is the best way to implement an HA in AWS?
I understand that for full Native HA from Palo Alto, it can be done in two ways according to a Palo Alto article, where the configurations are synchronized by the HA, but there is the limitation of the same availability zone.
Now, when it is in different AZs of AWS, you cannot use the native HA and you have to rely on a balancer, and if you do not want to do the config manually, you must have a Panorama.
We have in summary for both:
Case 1: same AZ of AWS, mandatory balancer and native HA, without the need for Panorama.
Case 2: different AZs of AWS, balancer mandatory, no native HA, recommended use of Panorama.
According to your experience, considering that they will be used for Site to Site VPN, and therefore it must be full failover mode at the balancing level, what is the best recommendation to set up the HA of Palo Alto on AWS? With which have you had the best results?
Stay tuned
Thank you for your time, collaboration, good vibes
Greetings
I can only comment from experience with Azure.
Since HA in Azure takes forever, I'd always recommend the LB sandwich model, which is easily scalable but does require Panorama to ensure config parity.
Hello master @Reaper, how is everything going? Do you have any recommendation on this? Thanks.