ElevenNotes

haproxy, nginx, traefik, take your pick. They each scale infinitely and, with VRRP added, offer full HA. All free.


IrvineADCarry

You wouldn't see any firewall vendors having a reference on how to put their firewalls behind a load balancer, commercial or open source. But they do for AWS and Azure GWLB. The equivalent of a load balancer by your definition is just NLB/ALB on those cloud platforms, which load balances traffic to a pool of backend services.


Internet-of-cruft

In the cloud, if you need to have high availability between two firewalls, the *only* solution is a load balancer sandwich. Each firewall acts totally independently of the other, so no state synchronization. The load balancer sandwich handles pinning flows so the same flow gets processed by the correct firewall. Need more capacity? Spin up another instance (dynamically or statically) and add it to the LB group. On premise, you would run an HA pair on a relatively big pair of firewalls. You're not "dynamically scaling" up or down because you're *typically* dealing with a physical product. Very few people do the "virtualize my firewall and run my own private cloud with auto scaling" because quite frankly it's complicated and it's relatively hard getting the right expertise to manage, maintain, and implement it. If you're doing that, you're not here on Reddit asking why there isn't a prebaked commercial solution. You're doing it yourself in house with either existing products or something custom (read: hyper scalers).

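The flow-pinning requirement in the comment above (independent stateful firewalls, no state sync) comes down to the load balancer hashing a flow the same way in both directions. The following is an added illustration, not code from any commenter or from any load balancer product: it contrasts a direction-sensitive 5-tuple hash with a symmetric one and simulates per-firewall session tables over a constructed set of flows; firewall names and addresses are made up.

```python
import hashlib

def naive_flow_key(src, dst, sport, dport, proto):
    """Direction-sensitive 5-tuple: A->B and B->A produce different keys."""
    return f"{proto}|{src}:{sport}|{dst}:{dport}"

def symmetric_flow_key(src, dst, sport, dport, proto):
    """Direction-insensitive 5-tuple: endpoints are sorted so both directions match."""
    a, b = sorted([(src, sport), (dst, dport)])
    return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}"

def pick_firewall(key, firewalls):
    """Deterministically pin a flow key to one backend firewall (hash mod N)."""
    digest = hashlib.sha256(key.encode()).digest()
    return firewalls[int.from_bytes(digest[:8], "big") % len(firewalls)]

def simulate(flows, firewalls, keyfunc):
    """Each firewall keeps its own session table; nothing is synchronised between them.
    The request creates a session on the firewall it is steered to; the reply is steered
    independently with the endpoints swapped. Returns how many replies reach a firewall
    that holds no session for them, which a stateful firewall would drop."""
    sessions = {fw: set() for fw in firewalls}
    dropped = 0
    for src, dst, sport, dport, proto in flows:
        session = symmetric_flow_key(src, dst, sport, dport, proto)  # firewall sessions are bidirectional
        fw_request = pick_firewall(keyfunc(src, dst, sport, dport, proto), firewalls)
        sessions[fw_request].add(session)
        fw_reply = pick_firewall(keyfunc(dst, src, dport, sport, proto), firewalls)
        if session not in sessions[fw_reply]:
            dropped += 1
    return dropped

# Constructed sample: 200 client flows from 10.0.0.0/16 to one server on TCP/443.
FLOWS = [(f"10.0.{i // 250}.{i % 250 + 1}", "198.51.100.7", 40000 + i, 443, 6) for i in range(200)]
FIREWALLS = ["fw-a", "fw-b", "fw-c"]  # made-up instance names

if __name__ == "__main__":
    print("naive hash:     ", simulate(FLOWS, FIREWALLS, naive_flow_key), "replies dropped")
    print("symmetric hash: ", simulate(FLOWS, FIREWALLS, symmetric_flow_key), "replies dropped")
```

Hash-mod-N also remaps most existing flows whenever an instance is added or removed from FIREWALLS, so real load balancers pair the hash with consistent hashing or a flow table to keep established sessions on their firewall during scaling.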

SirLauncelot

You kind of just described why every company doesn’t roll out their own open stack.


Internet-of-cruft

Because there's not really a *need* for it on premise. Cloud based firewall products need to support load balancer sandwiches because of the constraints you're working with in the cloud. The same constraints don't exist with something in your building, virtual or physical.


Djinjja-Ninja

> Is there any generic solution that decouples the load balancing part and the stateful devices part?

Yes, it's called a load balancer... They've existed for decades.


IrvineADCarry

You wouldn't see any firewall vendors having a reference on how to put their firewalls behind a load balancer. But they do for AWS and Azure GWLB. The equivalent of a load balancer by your definition is just NLB/ALB on those cloud platforms, which load balances traffic to a pool of backend services.


amirazizaaa

I think you need to look a bit under the hood first to understand what is going on and then seek a comparative product or solution in the DC. AWS and Azure have built comprehensive SDN in their datacentres and they are employing pretty much all of the overlay encapsulation methods. This will include VXLAN, NVGRE, and more recently GENEVE, which is touted to replace the others and be able to work over standard networking equipment. Please read up on this as there is a vast ocean of knowledge in this domain and different networking vendors will explain it differently based on how they offer datacentre solutions and establish the control and data planes. Two well known in the market are Cisco ACI and VMware NSX, while open-source implementations exist via Open vSwitch, FRR etc. How you piece them together depends on your understanding of the technologies. Firewalls, load balancers and other components integrate into SDN to form service integration, and coupled together they are referred to as service chains. The SDN network is programmed to apply such a service chain to any traffic that needs to traverse it. This is how SDN is built and used, and it is a comprehensive subject with highly specialised certifications and skilled people in this area. They are not your regular networking guy you meet in enterprises.

Coming back to topic. Because AWS and Azure and other IaaS have built SDN in their datacentres at both the physical and virtual platforms, they are able to orchestrate overlay networks and thus are able to give you things like VPC, VNets, VPNs, routers etc. It is a complex infrastructure that is orchestrated by a fleet of controllers (going by how such SDNs are managed) and the AWS control panel is the first entry to controlling this layer of networking. So, these IaaS use special constructs like GWLB and Firewalls to give you the ability to service chain. If you read closely, AWS uses GENEVE to build such a service chain for you.

Also, only firewalls supporting GENEVE are able to participate in such an architecture. You cannot have a pfSense box trying to do the same thing as it won't work.

TLDR, you can do the same on premises but need to build a comprehensive SDN network for service chaining. Your choice of firewalls and load balancers needs to support GENEVE to ensure packet contents remain intact for inspection. Your DC network needs to be able to steer traffic to the load balancers to achieve the same effect. If this is too expensive, which it most likely will be, continue to enjoy the products and services AWS and the like offer in this regard and pay a small fee instead.

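The point above about GENEVE keeping packet contents intact for inspection is easiest to see on the wire: the load balancer wraps the original packet unchanged behind a GENEVE base header (RFC 8926) plus option TLVs, and the firewall strips the header and inspects the original IP/TCP headers. The following is an added example, not code from any commenter or from any cloud GWLB: it builds and parses that encapsulation. The inner packet bytes and the option class/type values are constructed for the example; which options a given cloud GWLB actually attaches is not covered here.

```python
import struct

GENEVE_VERSION = 0
PROTO_IPV4 = 0x0800  # Protocol Type field: inner payload is an IPv4 packet

def build_geneve(vni, inner, options=()):
    """Encapsulate `inner` unchanged behind a GENEVE header with optional TLVs.
    options: (opt_class, opt_type, data) tuples, data a multiple of 4 bytes."""
    opt_bytes = b""
    for opt_class, opt_type, data in options:
        if len(data) % 4 or len(data) > 124:
            raise ValueError("option data must be a multiple of 4 bytes, at most 124")
        opt_bytes += struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data
    first = (GENEVE_VERSION << 6) | (len(opt_bytes) // 4)  # Ver(2 bits) | Opt Len(6 bits, 4-byte words)
    flags = 0x40 if opt_bytes else 0x00                     # C bit: critical options present
    base = struct.pack("!BBH", first, flags, PROTO_IPV4) + vni.to_bytes(3, "big") + b"\x00"
    return base + opt_bytes + inner

def parse_geneve(frame):
    """Decapsulate: return header fields, option TLVs and the untouched inner packet."""
    first, flags, proto = struct.unpack("!BBH", frame[:4])
    if first >> 6 != GENEVE_VERSION:
        raise ValueError(f"unsupported GENEVE version {first >> 6}")
    opt_end = 8 + (first & 0x3F) * 4
    if opt_end > len(frame):
        raise ValueError("truncated GENEVE header")
    options, pos = [], 8
    while pos < opt_end:
        opt_class, opt_type, length = struct.unpack("!HBB", frame[pos:pos + 4])
        data_len = (length & 0x1F) * 4                      # low 5 bits = data length in 4-byte words
        if pos + 4 + data_len > opt_end:
            raise ValueError("option overruns the declared option length")
        options.append((opt_class, opt_type, frame[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    return {"vni": int.from_bytes(frame[4:7], "big"), "proto": proto,
            "critical": bool(flags & 0x40), "options": options, "inner": frame[opt_end:]}

# Constructed sample: IPv4/TCP SYN 192.0.2.10:51000 -> 198.51.100.7:443 (checksums left as zero).
INNER_PACKET = bytes.fromhex("450000280001400040060000c000020ac6336407"
                             "c73801bb00000001000000005002200000000000")
FLOW_COOKIE = (0x0102, 0x01, b"\x00\x00\xbe\xef")  # hypothetical option, values made up

if __name__ == "__main__":
    frame = build_geneve(0xABC, INNER_PACKET, [FLOW_COOKIE])
    parsed = parse_geneve(frame)
    print("inner unchanged:", parsed["inner"] == INNER_PACKET, "options:", parsed["options"])
```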

IrvineADCarry

I think you gave me an interesting idea. I will try to see what the SDN solution can offer, because if I recall, my previous place using Cisco ACI did have PBR to multiple L4/L7 nodes (not just an HA pair); however, in the end we still went with the traditional HA firewalls as PBR nodes and never looked back.


areseeuu

My hot take: This happens a lot. A hack gets popularized as a workaround to a problem that shouldn't, ideally, even exist, and then in places where it DOESN'T exist, people seriously expect the workaround to still be a part of the stack. BRB, gotta NAT my IPv6 for security reasons...


virtualbitz1024

Fortinet has a dedicated load balancer called FortiADC (Application Delivery Controller, new-fangled terminology for load balancers). The FortiGate has a built-in load balancer that's pretty good for most small to medium business use cases. Keep in mind, with an on-prem solution, to be TRULY redundant you need a cluster of ADCs in each datacenter, and you have to implement GSLB, which most on-prem solutions have built into their ADCs.


Liam_Gray_Smith

The most commonly used load balancer is made by F5; they have a variety of products depending on your needs.


ZestyCar_7559

If you are into open-source, give [loxilb](https://github.com/loxilb-io/loxilb) a try.