Create Cloud NGFW for AWS Endpoints
Create and view endpoints for Cloud NGFW for AWS.
Where Can I Use This?
  • Cloud NGFW for AWS
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Account (CSP)
  • AWS Marketplace account
  • User role (either tenant or administrator)
If you selected customer-managed mode when creating an NGFW, you must manually create the NGFW endpoints for your chosen subnets. In the AWS console, NGFW endpoints appear as gateway load balancer endpoints.
The subnets where you attach NGFW endpoints must be in the virtual private cloud (VPC) you specified during NGFW creation.
  1. From the Cloud NGFW tenant, select NGFWs and click on your firewall.
  2. Select Endpoints and note the VPC Endpoint Service Name.
  3. Log in to the AWS console.
  4. Select Services > Networking & Content Delivery > VPC.
  5. From the VPC Dashboard, select Endpoints > Create Endpoint.
  6. Select Find service by name and enter the VPC Endpoint Service Name you noted above.
  7. Select the VPC you specified during firewall creation from the drop-down.
  8. Select the subnets where you want to create NGFW endpoints.
  9. Click Create endpoint.
    If you subscribed to your tenant before July 21, 2025, you must onboard the AWS account to the Cloud NGFW tenant before creating endpoints in any of its VPCs. If you subscribed to Cloud NGFW after July 21, 2025, your tenant is Version 2; see determine your tenant version for more information. In Version 2 tenants you no longer need to onboard the AWS account to create endpoints; you simply allowlist the AWS account when creating or updating Cloud NGFW resources.
    To configure endpoint management on a tenant created after July 21, 2025:
  1. In the Cloud NGFW console, select the NGFWs icon.
  2. Select the firewall you want to configure.
  3. Select Endpoint Management in the left navigation pane. Use this page to manage allowlisted AWS accounts and to add endpoints.
    1. Click Manage Allowlist AWS Accounts to allow your Cloud NGFW resource to use existing AWS accounts; accounts that are included in the allowlist are displayed.
    2. Use the Endpoints section of the page to view existing VPC endpoint service names. Click Add Endpoint to include another endpoint.
    Creating multiple endpoints on a single subnet is not supported. To create multiple Cloud NGFW endpoints in a VPC, you need one subnet per endpoint.
    You cannot delete endpoints from the service console when the firewall is configured for customer-managed mode. To delete these endpoints, navigate to the Endpoints page in the AWS console.
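The console steps above can also be expressed as infrastructure code. The following Terraform configuration is an added example, not part of this page or of Palo Alto Networks' documentation; it creates one gateway load balancer endpoint per subnet in the VPC chosen during NGFW creation and refuses to apply if the copied service name is not a gateway load balancer service. The service name, VPC ID and subnet IDs are placeholders you replace with your own values.

```hcl
# Placeholder: paste the VPC Endpoint Service Name shown under
# NGFWs > <your firewall> > Endpoints in the Cloud NGFW tenant.
variable "ngfw_service_name" {
  type    = string
  default = "com.amazonaws.vpce.us-east-1.vpce-svc-EXAMPLE"
}

# Placeholder: the VPC you specified when creating the NGFW.
variable "vpc_id" {
  type    = string
  default = "vpc-EXAMPLE"
}

# A set, not a list: a subnet can host only one NGFW endpoint,
# so each endpoint needs its own subnet and duplicates are collapsed.
variable "endpoint_subnet_ids" {
  type    = set(string)
  default = ["subnet-EXAMPLE-a", "subnet-EXAMPLE-b"]
}

# Look up the service so we can verify it is the expected type
# before creating anything.
data "aws_vpc_endpoint_service" "ngfw" {
  service_name = var.ngfw_service_name
}

# One gateway load balancer endpoint per subnet, keyed by subnet ID.
resource "aws_vpc_endpoint" "ngfw" {
  for_each          = var.endpoint_subnet_ids
  vpc_id            = var.vpc_id
  service_name      = var.ngfw_service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [each.value]

  tags = {
    Name = "cloud-ngfw-endpoint-${each.value}"
  }

  # Guard against pasting the wrong service name (for example an
  # unrelated interface endpoint service) into the variable above.
  lifecycle {
    precondition {
      condition     = data.aws_vpc_endpoint_service.ngfw.service_type == "GatewayLoadBalancer"
      error_message = "The service name is not a gateway load balancer endpoint service."
    }
  }
}

# Endpoint IDs by subnet, for use in route tables that send traffic to the NGFW.
output "ngfw_endpoint_ids" {
  value = { for subnet, ep in aws_vpc_endpoint.ngfw : subnet => ep.id }
}
```

Because the endpoints are created in your AWS account, they are deleted with `terraform destroy` or from the AWS console, consistent with the note above that customer-managed endpoints cannot be removed from the Cloud NGFW console.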