VM-Series Integration with an AWS Gateway Load Balancer
Learn more about the VM-Series firewall integration with
the AWS Gateway Load Balancer.
The AWS Gateway Load Balancer (GWLB)
is an AWS managed service that allows you to deploy a stack of VM-Series
firewalls and operate in a horizontally scalable and fault-tolerant
manner. You can then expose the AWS GWLB with the stack of firewalls
as a VPC endpoint service for traffic inspection and threat prevention.
By creating Gateway Load Balancer endpoints (GWLBE) for the VPC
endpoint service, you can easily insert an auto-scaling VM-Series
firewall stack in the outbound, east-west, and inbound traffic paths
of your applications. VM-Series firewalls and the GWLB use the GENEVE
encapsulation to keep your traffic packet headers and payload intact,
providing complete visibility of the source’s identity to your applications.
The VM-Series firewall supports decryption when
deployed behind a GWLB for forward and inbound use cases, including
TLS1.2 and TLS1.3 utilizing DHE/ECDHE ciphers.
The image below describes how the integration of GWLB with VM-Series simplifies
your AWS transit gateway (TGW) environments. You attach a centralized security VPC to
your transit gateway. The centralized security VPC includes a GWLB
to scale and load-balance traffic across the stack of VM-Series
firewalls.
To ensure that the VM-Series firewall can inspect traffic that
is routed between VPC attachments, you must enable appliance mode on the transit
gateway VPC attachment for the security VPC containing the VM-Series
firewall. This ensures that bidirectional traffic is routed symmetrically—both
request and response traffic are directed to the same Gateway Endpoint
in the firewall VPC and the GWLB will maintain persistence to the
same VM-Series firewall for inspection before continuing to the
correct destination.
When deployed with a GWLB, you can use the VM-Series firewall
to protect:
- Inbound traffic—traffic originating outside the VPC and destined to resources within your application VPC, such as web servers. VM-Series firewalls prevent malware and vulnerabilities from entering the network in traffic allowed by AWS security groups.
- Outbound traffic—traffic originating within the application VPCs and destined to external resources on the Internet. The VM-Series firewalls protect outbound traffic flows by ensuring that workloads in application VPCs connect to permitted services (such as Windows Update) and allowed URL categories and preventing data exfiltration of sensitive information. Additionally, VM-Series security profiles prevent malware and vulnerabilities from entering the network in the return traffic.
- East-West traffic—in a transit gateway environment, East-West traffic refers to Inter-VPC traffic, such as the traffic between source and destination workloads in two different application VPCs. The VM-Series firewalls protect east-west traffic flows against malware propagation.
To protect the inbound traffic to your application VPCs, create
GWLBEs endpoints (GWLBE1 and GWLBE2 in the figure above) in your
spoke VPCs. Next, add route rules in the
spoke VPC’s Internet gateway and subnet route tables to route all
inbound traffic to the VPC via the endpoints and through the firewalls.
The GWLBEs redirect the inbound traffic to an application VPCs is
redirected to the GWLB. The GWLB then route the traffic to one of
its VM-Series targets. The firewall inspects the traffic and sends
it back to the GWLBE and then onto the destination. The traffic
enters and exits the VM-Series firewall via a single interface.
To protect the outbound traffic of the application VPCs, you
create a GWLBE (GWLBE3 in the figure above) in the centralized firewall
VPC. You can then use route rules in the application VPCs that direct
all outbound traffic to the transit gateway (TGW). The TGW has a route table associated
with the application VPC that redirects all outbound traffic to
the centralized security VPC for inspection. After the firewall
inspects the traffic and applies any applicable policy, the traffic
is sent back to the GWLBE (GWLBE3) and then onto the transit gateway
(TGW). The TGW route table associated
with the security VPC then routes the traffic to the destination.
To protect the east-west traffic between the application VPCs,
you use the same GWLBE endpoint (GWLBE3 in the figure above) in
the centralized firewall VPC. You then use route rules in the application
VPCs and transit gateways to redirect traffic to centralized security
VPC for inspection.
You can integrate the VM-Series firewall with a GWLB manually,
using CloudFormation templates (CFT), or Terraform templates. The templates are available
in the Palo Alto Networks GitHub repository.
