>
    Strata Copilot
    VM-Series Auto Scaling Group with AWS Gateway Load Balancer
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on AWS
    4. VM-Series Integration with an AWS Gateway Load Balancer
    5. VM-Series Auto Scaling Group with AWS Gateway Load Balancer
    Download PDF
    VM-Series

    VM-Series Auto Scaling Group with AWS Gateway Load Balancer

    Table of Contents

    VM-Series Auto Scaling Group with AWS Gateway Load Balancer

    Configure the VM-Series auto scaling group to deploy VM-Series in AWS GWLB.
    Where Can I Use This?What Do I Need?
    • AWS
    • AWS account
    • Amazon Machine Image (AMI) ID
    • VM-Series License (PAYG or BYOL)
    • VM-Series plugin
    • Panorama
    • Panorama plugin for AWS
    The Palo Alto Networks auto scaling template for AWS helps you integrate and configure the VM-Series firewall with a GWLB to protect applications deployed in AWS. The template leverages AWS scalability features to independently and automatically scale VM-Series firewalls deployed in AWS to meet surges in application workload resource demand.
    These templates are community supported.
    This solution provides a security VPC template and an application template. The security VPC template deploys the VM-Series firewall auto scaling group, a GWLB, a GWLBE, GWLBE subnet, security attachment subnet, and a NAT gateway for each availability zone. Download the CloudFormation templates from the Palo Alto Networks GitHub Repository.
    The VM-Series auto scaling template for integration with an AWS GWLB includes the following building blocks:
    Building Block
    Description
    PAN Components
    • Panorama running 10.0.2 or later
    • PAN-OS 10.0.2 or later
    • VM-Series plugin 2.0.2 or later installed on Panorama
    Firewall template
    (Community supported template)
    Based on the number of availability zones (AZs) you choose, the firewall-new-vpc-v3.0.template deploys the following:
    The template supports a maximum of four AZs.
    • Subnets for Lambda management, transit gateway attachments, GWLB endpoints, and NAT gateways, as well as trust subnets.
    • Routes tables for each subnet
    • Transit gateway attachments and route tables
    • NAT and internet gateways
    • An auto scaling group with one VM-Series firewall per AZ.
    • One GWLB and a GWLB endpoint in each AZ.
    The VPC CIDR for the firewall template should be larger than /23.
    Due to the many variations in a production environment that includes but isn’t limited to specific number components, such as subnets, availability zones, route tables, and security groups. Deploy the firewall-new-vpc-v3.0.template in a new VPC.
    The VM-Series auto scaling template for AWS does not deploy a transit gateway or Panorama. Deploy a transit gateway and Panorama before launching firewall-new-vpc-v3.0.template.
    Application template
    (Community supported template)
    Based on the number of availability zones (AZs) you choose, the panw-aws-app-v3.0.template deploys the following:
    The template supports a maximum of four AZs.
    • Subnets for Lambda, transit gateway attachments, GWLB endpoints, application load balancers.
    • Routes tables for each subnet, as well as an inbound route table associated with the internet gateway to direct inbound traffic to the GWLB endpoint.
    • One application load balancer
    • One internet gateway
    • An auto scaling group with one Ubuntu instance per AZ.
    The VPC CIDR for the application template should be larger than /23.
    The application template is intended to be used as an example for validating the security template.
    Lambda functions
    AWS Lambda provides robust, event-driven automation without the need for complex orchestration software. In addition to deploying the components described in the rows above, the firewall-new-vpc-v3.0.template performs the following functions:
    • Adds or removes an interface (ENI) when a firewall is launched or terminated.
    • Deletes all the associated resources when you delete a stack or terminate an instance.
    • Removes a firewall as a Panorama managed device when there is a scale-in event.
    • Deactivates the license when a scale-in event results in a firewall termination.
    • Monitors the transit gateway periodically for new attachments or detachments, and updates the route tables accordingly in the security VPC.
    Bootstrap files
    The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the sample credentials in the bootstrap.xml prior to launch.
    This solution requires the init-cfg.txt file and the bootstrap.xml file so that the VM-Series firewall has the basic configuration for handling traffic.
    • The init-cfg.txt file includes the mgmt-interface-swap operational command to enable the firewall to receive dataplane traffic on its primary interface (eth0). This auto scaling solution requires the swapping of the dataplane and management interfaces to enable the GWLB to forward web traffic to the auto scaling tier of VM-Series firewalls.
    • The bootstrap.xml file enables basic connectivity for the firewall network interfaces and allows the firewall to connect to the AWS CloudWatch namespace that matches the stack name you enter when you launch the template.
    If you need to delete these templates from AWS, always delete the application template first. Attempting to delete the firewall template causes the deletion to fail.

    © 2026 Palo Alto Networks, Inc. All rights reserved.