Panorama Orchestrated Deployments in AWS
Use Panorama to orchestrate the VM-Series firewall deployments in
AWS.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | AWS account; Amazon Machine Image (AMI) ID; VM-Series License (PAYG or BYOL); VM-Series plugin; Panorama; Panorama plugin for AWS |
The Panorama plugin for AWS 3.0.1 or later orchestrates VM-Series firewall deployments in AWS and
enables security policies for the managed firewalls. AWS Orchestration is designed as a
plug-and-play model for setting up security deployments in AWS. It simplifies the
deployment of the existing Gateway Load Balancer (GWLB) solution by bringing all
configuration into one screen on Panorama. Panorama lets the plugin manage your
deployment and configure the AWS resources. The plugin also performs firewall management by
generating the baseline configuration needed to get traffic flowing through the deployment.
Once you configure security policies, the deployment services Inbound, Outbound, and East-West
flows for all traffic protocols. Use this plugin to configure, deploy, and manage your
security deployments.
The image below highlights the topology of the Security VPC deployment. Here, all security
resources are deployed into the plugin-managed Security VPC. The GWLB solution is
leveraged to redirect traffic from your applications to the firewall stack.
As part of the infrastructure setup in AWS, the plugin creates the Security VPC with subnets and
route tables for the GWLB endpoints, the firewalls, and the NAT Gateways. The plugin does not
create the AWS Transit Gateway (TGW); you create the TGW yourself and reference it in the
Security VPC configuration. The VM-Series firewalls can then inspect traffic routed between
VPCs through the TGW.
Inbound traffic destined for the Application VPC enters through the Internet Gateway (IGW) and is
redirected to the GWLB endpoint by the edge (ingress) route table associated with the IGW.
From the GWLB endpoint the traffic is forwarded to the firewalls in the Security VPC for
inspection. After inspection, the traffic is returned to the GWLB endpoint and delivered to
the original application.
For Outbound and East-West traffic, the solution relies on the TGW. When you create a TGW and
reference it in the Security VPC configuration, the plugin creates the TGW attachment and the
associated route tables in the Security VPC. You must attach your Application VPC to the same
TGW, and direct Outbound and East-West traffic to the TGW by adding routes to the route tables
associated with your workload subnets. You must also modify the TGW route table associated
with the Application VPC attachment so that East-West and Outbound traffic is sent to the
Security VPC attachment.
The plugin monitors the TGW to learn about newly added and deleted VPC attachments. When it
detects an existing or new attachment, it makes the necessary changes in the Security VPC so
that the firewalls inspect traffic arriving from the TGW before it is sent back to the TGW.
These changes include adding routes to the NAT Gateway route table that direct the return leg
of Outbound traffic back to the GWLB endpoint, and routes to the GWLB endpoint route table
that return inspected traffic to the TGW. The plugin also updates the TGW route table
associated with the Security VPC attachment so that traffic coming back from the Security VPC
is sent to the correct Application VPC attachment.
The resulting flow is as follows. Traffic from the Application VPC is routed to the TGW. When
it reaches the TGW, the route table associated with the Application VPC attachment sends it to
the Security VPC attachment, and the attachment subnet route table in the Security VPC directs
it to the GWLB endpoint and on to a firewall for inspection. After inspection, Outbound
traffic leaves for the original destination address through the NAT Gateway, and East-West
traffic is sent back to the TGW, where the route table directs it to the original destination
address.
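The routing described above is easy to get subtly wrong on the customer side (an Application VPC default route that still points at the VPC's own IGW, a missing IGW edge route), and the symptom is not an outage but traffic that silently skips the firewalls. The following is an added example, not plugin code and not something Panorama generates: a small Python model of the route tables involved (the ones the plugin creates in the Security VPC and updates on the TGW, plus the ones you must add in the Application VPC and on the TGW), with a tracer that walks each flow type hop by hop and flags any flow that reaches its destination without crossing a GWLB endpoint. All CIDRs, hop names and table names are constructed, and the model does not commit to which VPC hosts the inbound GWLB endpoint; it only records that the inbound path crosses one.

```python
"""
Model of the route tables in the Security VPC design: tables the plugin creates
in the Security VPC and updates on the TGW, plus the ones you must set up in the
Application VPC.  Traces each flow type and flags any flow that reaches its
destination without crossing a GWLB endpoint (i.e. without firewall inspection).
Added example, not plugin code; all CIDRs, hop names and table names are constructed.
"""
import ipaddress

SEC_CIDR = "10.0.0.0/16"     # plugin-managed Security VPC (constructed)
APP_CIDR = "10.1.0.0/16"     # Application VPC attached to the TGW (constructed)
APP_SUBNET = "10.1.10.0/24"  # workload subnet covered by the IGW edge route
APP2_CIDR = "10.2.0.0/16"    # second Application VPC, the East-West peer

# A hop is ("lookup", table): consult that route table for the next hop;
# ("inspect", table): a GWLB endpoint, which hands the packet to the firewall
# stack and then consults `table` for the post-inspection hop;
# ("terminal", label): the trace ends here.
HOPS = {
    "igw-app-ingress": ("lookup", "app-igw-edge-rtb"),    # IGW edge association
    "gwlbe-inbound":   ("inspect", "gwlbe-inbound-rtb"),
    "app-workload":    ("lookup", "app-subnet-rtb"),
    "tgw-from-app":    ("lookup", "tgw-app-attach-rtb"),  # TGW rtb of the app attachment
    "sec-from-tgw":    ("lookup", "sec-tgw-attach-rtb"),  # Security VPC attachment subnet rtb
    "gwlbe-ew":        ("inspect", "sec-gwlbe-rtb"),
    "natgw":           ("lookup", "sec-natgw-rtb"),
    "tgw-from-sec":    ("lookup", "tgw-sec-attach-rtb"),  # TGW rtb of the Security VPC attachment
    "app-deliver":     ("terminal", "delivered to Application VPC"),
    "app2-deliver":    ("terminal", "delivered to second Application VPC"),
    "igw-sec":         ("terminal", "internet via Security VPC NAT Gateway"),
    "igw-app-egress":  ("terminal", "Application VPC IGW (firewall bypassed)"),
    "local":           ("terminal", "VPC local route"),
}

def plugin_route_tables():
    """Route tables as the text describes them, as (prefix, next hop) lists."""
    return {
        # Application VPC: your responsibility
        "app-igw-edge-rtb":   [(APP_SUBNET, "gwlbe-inbound")],
        "gwlbe-inbound-rtb":  [(APP_CIDR, "app-deliver")],
        "app-subnet-rtb":     [(APP_CIDR, "local"), ("0.0.0.0/0", "tgw-from-app")],
        # TGW: the app attachment table is yours, the Security VPC one is plugin-updated
        "tgw-app-attach-rtb": [("0.0.0.0/0", "sec-from-tgw")],
        "tgw-sec-attach-rtb": [(APP_CIDR, "app-deliver"), (APP2_CIDR, "app2-deliver")],
        # Security VPC: created and maintained by the plugin
        "sec-tgw-attach-rtb": [(SEC_CIDR, "local"), ("0.0.0.0/0", "gwlbe-ew")],
        "sec-gwlbe-rtb":      [(SEC_CIDR, "local"), (APP_CIDR, "tgw-from-sec"),
                               (APP2_CIDR, "tgw-from-sec"), ("0.0.0.0/0", "natgw")],
        "sec-natgw-rtb":      [(SEC_CIDR, "local"), (APP_CIDR, "gwlbe-ew"),
                               (APP2_CIDR, "gwlbe-ew"), ("0.0.0.0/0", "igw-sec")],
    }

def lookup(table, dst):
    """Longest-prefix match, as VPC and TGW route tables do; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(tables, start, dst, max_hops=16):
    """Follow a packet for `dst` from hop `start`; returns (path, inspected, outcome)."""
    path, inspected, hop = [start], False, start
    for _ in range(max_hops):
        kind, arg = HOPS[hop]
        if kind == "terminal":
            return path, inspected, arg
        if kind == "inspect":
            inspected = True
        nxt = lookup(tables[arg], dst)
        if nxt is None:
            # An IGW whose edge table has no matching route delivers the packet
            # normally (uninspected); any other table with no route blackholes it.
            if hop == "igw-app-ingress":
                return path + ["app-deliver"], inspected, "delivered, edge route missing"
            return path, inspected, "blackholed (no route)"
        path.append(nxt)
        hop = nxt
    return path, inspected, "routing loop"

# Flows from the text: where each enters the model and a constructed destination
FLOWS = {
    "inbound":         ("igw-app-ingress", "10.1.10.5"),
    "outbound":        ("app-workload", "93.184.216.34"),
    "outbound-return": ("natgw", "10.1.10.5"),
    "east-west":       ("app-workload", "10.2.5.5"),
}

def uninspected_flows(tables):
    """Flows that end without crossing a GWLB endpoint, with the reason."""
    bad = {}
    for name, (start, dst) in FLOWS.items():
        _, inspected, outcome = trace(tables, start, dst)
        if not inspected:
            bad[name] = outcome
    return bad

if __name__ == "__main__":
    good = plugin_route_tables()
    for name, (start, dst) in FLOWS.items():
        path, inspected, outcome = trace(good, start, dst)
        print(f"{name:16s} inspected={inspected!s:5s} {' -> '.join(path)}  [{outcome}]")
    # Common mistake: the workload subnet still sends its default route to the
    # Application VPC's own IGW instead of the TGW, so Outbound and East-West
    # traffic never reach the Security VPC.
    bad = plugin_route_tables()
    bad["app-subnet-rtb"] = [(APP_CIDR, "local"), ("0.0.0.0/0", "igw-app-egress")]
    print("bypassing inspection:", uninspected_flows(bad))
```

With the tables as described, every flow in `FLOWS` crosses a GWLB endpoint and `uninspected_flows` returns nothing. Swapping the Application VPC default route from the TGW to the VPC's own IGW, or emptying the IGW edge route table, makes the affected flows show up as uninspected, which is the check worth automating against real route tables (for example from `describe-route-tables` and `search-transit-gateway-routes` output) after every attachment change.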