
Publishing not working via ALB #47

Closed
aymanelbacha-ismena opened this issue Oct 14, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@aymanelbacha-ismena

Is your feature request related to a problem?

The MGMT portal is published when using an ALB, and I don't have an option to make it healthy other than enabling health probes on nic0.

Describe the solution you'd like

Customize ports other than HTTP/HTTPS/SSH so it is not published.

Describe alternatives you've considered.

Using a NEG as the backend rather than an IG, but that is not efficient.


@aymanelbacha-ismena aymanelbacha-ismena added the enhancement New feature or request label Oct 14, 2024
@horiagunica (Contributor)

@aymanelbacha-ismena Hello! Did you use the swap mgmt interface option? The order of interfaces in the vmseries/autoscale is important, so when you use external LBs the first interface MUST be the external entrypoint for the FW via the LB (typically untrust/public), then the 2nd one is MGMT and the 3rd is trust/private.

The option I'm talking about is called mgmt-interface-swap and is under the bootstrap options:

```hcl
vmseries_common = {
  ssh_keys            = "admin:<YOUR_SSH_KEY>"
  vmseries_image      = "vmseries-flex-byol-1029h1"
  machine_type        = "n2-standard-4"
  min_cpu_platform    = "Intel Cascade Lake"
  service_account_key = "sa-vmseries-01"
  bootstrap_options = {
    type                = "dhcp-client"
    mgmt-interface-swap = "enable"
  }
}
```

@horiagunica horiagunica self-assigned this Oct 18, 2024
@aymanelbacha-ismena (Author)

Hi @horiagunica, port swapping is done already.
I am using a NEG (network endpoint group) as the backend for the moment instead of port forwarding.
I need official documentation for using port forwarding.

@horiagunica (Contributor)

@aymanelbacha-ismena Hello! For that you would need to create an Inbound NAT. You can check the example bootstrap template from the vmseries_ha example here.

Within there you have this section within the <nat> config:

```xml
<entry name="inbound-app1" uuid="84ea5967-03e2-408e-8e91-ba593ab86223">
  <to>
    <member>public</member>
  </to>
  <from>
    <member>public</member>
  </from>
  <source>
    <member>any</member>
  </source>
  <destination>
    <member>${untrust_loopback_ip}</member>
  </destination>
  <service>any</service>
  <description>Internet inbound DNAT to test VM.</description>
  <destination-translation>
    <translated-address>${test-vm-ip}</translated-address>
  </destination-translation>
  <disabled>no</disabled>
  <source-translation>
    <dynamic-ip-and-port>
      <interface-address>
        <interface>ethernet1/2</interface>
      </interface-address>
    </dynamic-ip-and-port>
  </source-translation>
</entry>
```
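The thread's point is that once `mgmt-interface-swap` puts the untrust dataplane interface on nic0, the external LB no longer fronts the management portal, and the only things reachable through the LB VIP are what the firewall's inbound NAT rules publish. The quoted `inbound-app1` entry uses `<service>any</service>`, which forwards every port of the test VM; restricting the rule to a specific service object is how you publish only the ports you intend. The following is an added example (not code from the issue, the repo, or PAN-OS itself) that parses the `<nat>` section of a bootstrap XML, lists inbound DNAT rules, flags rules with service `any` or a translated address that belongs to the firewall's own management plane, and rewrites a flagged rule to a specific service. The `<rules>` wrapper, the constructed IP addresses, and the use of the PAN-OS predefined `service-https` object are assumptions for illustration.

```python
"""Audit inbound DNAT rules in a PAN-OS bootstrap XML <nat> fragment.

Added example, not the terraform-google-vmseries-modules project's own code.
The sample below is constructed from the inbound-app1 entry quoted in the
issue; the second rule, the <rules> wrapper and all addresses are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample. ${...} placeholders from the real templatefile() input
# are replaced with fixed illustrative values so the fragment parses offline.
SAMPLE_NAT_XML = """
<nat>
  <rules>
    <entry name="inbound-app1">
      <to><member>public</member></to>
      <from><member>public</member></from>
      <source><member>any</member></source>
      <destination><member>10.10.0.5</member></destination>
      <service>any</service>
      <destination-translation>
        <translated-address>10.30.0.10</translated-address>
      </destination-translation>
      <source-translation>
        <dynamic-ip-and-port>
          <interface-address><interface>ethernet1/2</interface></interface-address>
        </dynamic-ip-and-port>
      </source-translation>
      <disabled>no</disabled>
    </entry>
    <entry name="inbound-app2-https">
      <to><member>public</member></to>
      <from><member>public</member></from>
      <source><member>any</member></source>
      <destination><member>10.10.0.5</member></destination>
      <service>service-https</service>
      <destination-translation>
        <translated-address>10.30.0.11</translated-address>
        <translated-port>8443</translated-port>
      </destination-translation>
      <disabled>no</disabled>
    </entry>
  </rules>
</nat>
""".strip()


def parse_inbound_dnat(xml_text):
    """Return every NAT entry that carries a <destination-translation> block."""
    root = ET.fromstring(xml_text)
    rules = []
    for entry in root.iter("entry"):
        dt = entry.find("destination-translation")
        if dt is None:
            continue  # source-NAT-only rules do not publish anything inbound
        rules.append({
            "name": entry.get("name"),
            "from": [m.text for m in entry.findall("from/member")],
            "to": [m.text for m in entry.findall("to/member")],
            "destination": [m.text for m in entry.findall("destination/member")],
            "service": entry.findtext("service"),
            "translated_address": dt.findtext("translated-address"),
            "translated_port": dt.findtext("translated-port"),
            "disabled": entry.findtext("disabled") == "yes",
        })
    return rules


def audit(rules, external_zones=("public",), mgmt_addresses=()):
    """Flag enabled rules from an external zone that are over-broad or hit mgmt.

    Returns a list of (rule_name, reason) tuples; an empty list means clean.
    """
    findings = []
    for r in rules:
        if r["disabled"] or not set(r["from"]) & set(external_zones):
            continue
        if r["service"] == "any":
            findings.append((r["name"],
                             "service 'any' publishes every port of %s" % r["translated_address"]))
        if r["translated_address"] in mgmt_addresses:
            findings.append((r["name"], "DNAT target is a firewall management address"))
    return findings


def restrict_service(xml_text, rule_name, service):
    """Return the XML with the named rule's <service> set to a specific object."""
    root = ET.fromstring(xml_text)
    for entry in root.iter("entry"):
        if entry.get("name") == rule_name:
            entry.find("service").text = service
            return ET.tostring(root, encoding="unicode")
    raise KeyError("no NAT rule named %r" % rule_name)


if __name__ == "__main__":
    rules = parse_inbound_dnat(SAMPLE_NAT_XML)
    for name, reason in audit(rules):
        print("%s: %s" % (name, reason))
    fixed = restrict_service(SAMPLE_NAT_XML, "inbound-app1", "service-https")
    print("after fix:", audit(parse_inbound_dnat(fixed)))
```

Run it against the rendered bootstrap template (after `templatefile()` substitution) rather than the raw template, since `${...}` placeholders are not valid addresses. Passing the management interface's address in `mgmt_addresses` catches the case the issue is about: a DNAT rule that would re-publish the management portal through the untrust VIP after the interface swap has removed it from the LB path.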

@horiagunica (Contributor)

Hello @aymanelbacha-ismena !

I will be closing this issue for now. Feel free to open another one if you find any problems with any of the modules or examples within the repo.
