VM-Series Integration with an AWS Gateway Load Balancer

Learn more about the VM-Series firewall integration with the AWS Gateway Load Balancer.
The AWS Gateway Load Balancer (GWLB) is an AWS managed service that lets you deploy a stack of VM-Series firewalls and operate them in a horizontally scalable, fault-tolerant manner. You then expose the GWLB, with the stack of firewalls behind it, as a VPC endpoint service for traffic inspection and threat prevention. By creating Gateway Load Balancer endpoints (GWLBEs) for that endpoint service, you can insert an auto-scaling VM-Series firewall stack into the outbound, east-west, and inbound traffic paths of your applications. The GWLB and the VM-Series firewalls exchange traffic using GENEVE encapsulation, which carries the original packet headers and payload intact, so the firewall inspects the real source and destination addresses and your applications still see the original client address.
The VM-Series firewall supports decryption when deployed behind a GWLB for forward and inbound use cases, including TLS 1.2 and TLS 1.3 sessions that use DHE/ECDHE (perfect forward secrecy) cipher suites.
The image below describes how the integration of GWLB with VM-Series simplifies your AWS transit gateway (TGW) environments. You attach a centralized security VPC to your transit gateway. The centralized security VPC includes a GWLB to scale and load-balance traffic across the stack of VM-Series firewalls.
To ensure that the VM-Series firewall can inspect traffic that is routed between VPC attachments, you must enable appliance mode on the transit gateway VPC attachment for the security VPC that contains the VM-Series firewalls. Appliance mode keeps both directions of a flow in the same Availability Zone, so request and response traffic are routed symmetrically to the same GWLB endpoint in the security VPC, and the GWLB then delivers both directions of the flow to the same VM-Series firewall for inspection before the traffic continues to its destination. Without appliance mode, the transit gateway can deliver the return traffic to the attachment in a different Availability Zone, where a different endpoint and firewall would see only half of the session.
When deployed with a GWLB, you can use the VM-Series firewall to protect:
  • Inbound traffic—traffic originating outside the VPC and destined to resources within your application VPC, such as web servers. VM-Series firewalls prevent malware and vulnerabilities from entering the network in traffic allowed by AWS security groups.
  • Outbound traffic—traffic originating within the application VPCs and destined to external resources on the Internet. The VM-Series firewalls protect outbound traffic flows by ensuring that workloads in application VPCs connect to permitted services (such as Windows Update) and allowed URL categories and preventing data exfiltration of sensitive information. Additionally, VM-Series security profiles prevent malware and vulnerabilities from entering the network in the return traffic.
  • East-West traffic—in a transit gateway environment, East-West traffic refers to Inter-VPC traffic, such as the traffic between source and destination workloads in two different application VPCs. The VM-Series firewalls protect east-west traffic flows against malware propagation.
To protect inbound traffic to your application VPCs, create GWLB endpoints (GWLBE1 and GWLBE2 in the figure above) in your spoke VPCs. Next, add routes to the spoke VPC's Internet gateway (edge) route table and to the subnet route tables so that all inbound traffic to the VPC, and the return traffic from it, passes through the endpoints and therefore through the firewalls. The GWLBE forwards inbound traffic for the application VPC to the GWLB, which routes it to one of its VM-Series targets. The firewall inspects the traffic and sends it back to the GWLBE, which delivers it to the destination. The traffic enters and exits the VM-Series firewall through a single interface.
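The inbound path above, written out as a Terraform configuration. This is an added example, not code from the page or from the Palo Alto Networks templates; it assumes the security VPC with its subnets, a spoke VPC with a web subnet and a separate endpoint subnet, the spoke's Internet gateway, and the firewall dataplane interface addresses already exist, and every ID, address and resource name in the `locals` block is a placeholder. It goes slightly beyond the paragraph by also showing the route tables that keep the return path on the same endpoint: the web subnet's default route points at GWLBE1, so replies (and any Internet-bound traffic from that subnet) reach the firewall that saw the request, while prefixes of other application VPCs go to the transit gateway. Subnets that should use the centralized outbound path through the transit gateway point their default route at the TGW instead.

```hcl
# Added example; not taken from the Palo Alto Networks CFT/Terraform templates.
# Assumes the security VPC, the spoke VPC (web subnet plus a separate subnet for
# the endpoint), its Internet gateway and the firewall dataplane interfaces already
# exist. Every ID, address and name in locals is a placeholder.
locals {
  security_vpc_id  = "vpc-0sec000000000000a"
  sec_gwlb_subnets = ["subnet-0sec00000000000a1", "subnet-0sec00000000000a2"]
  vmseries_dp_ips  = ["10.0.1.10", "10.0.2.10"] # firewall dataplane interface IPs
  spoke_vpc_id     = "vpc-0app000000000000a"
  spoke_web_cidr   = "10.1.1.0/24"              # web servers
  spoke_gwlbe_sub  = "subnet-0app00000000000b1" # hosts GWLBE1
  spoke_igw_id     = "igw-0app0000000000000a"
  tgw_id           = "tgw-0000000000000000a"
  spoke_summary    = "10.0.0.0/8"               # all application VPCs
}

# GWLB in the security VPC. Targets are the firewall dataplane IPs; the GWLB
# talks GENEVE (UDP/6081) to them, carrying the original packet unchanged.
resource "aws_lb" "gwlb" {
  name                             = "vmseries-gwlb"
  load_balancer_type               = "gateway"
  subnets                          = local.sec_gwlb_subnets
  enable_cross_zone_load_balancing = true
}
resource "aws_lb_target_group" "vmseries" {
  name        = "vmseries-geneve"
  port        = 6081
  protocol    = "GENEVE"
  vpc_id      = local.security_vpc_id
  target_type = "ip"
  health_check {
    protocol = "TCP"
    port     = 80 # assumption: a port the firewall's interface management profile answers on
  }
}
resource "aws_lb_target_group_attachment" "fw" {
  for_each         = toset(local.vmseries_dp_ips)
  target_group_arn = aws_lb_target_group.vmseries.arn
  target_id        = each.value
}
resource "aws_lb_listener" "geneve" {
  load_balancer_arn = aws_lb.gwlb.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vmseries.arn
  }
}

# Publish the GWLB as a VPC endpoint service; GWLBEs in any VPC attach to it.
resource "aws_vpc_endpoint_service" "gwlb" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.gwlb.arn]
}

# GWLBE1 in the spoke VPC.
resource "aws_vpc_endpoint" "gwlbe1" {
  vpc_id            = local.spoke_vpc_id
  service_name      = aws_vpc_endpoint_service.gwlb.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [local.spoke_gwlbe_sub]
}

# Edge route table on the Internet gateway: packets for the web subnet are
# diverted to GWLBE1, and so to a firewall, before they can reach a server.
resource "aws_route_table" "igw_edge" {
  vpc_id = local.spoke_vpc_id
  route {
    cidr_block      = local.spoke_web_cidr
    vpc_endpoint_id = aws_vpc_endpoint.gwlbe1.id
  }
}
resource "aws_route_table_association" "igw_edge" {
  gateway_id     = local.spoke_igw_id
  route_table_id = aws_route_table.igw_edge.id
}

# Web subnet: the default route returns replies through GWLBE1, so the response
# reaches the firewall that saw the request; other application VPCs via the TGW.
resource "aws_route_table" "web" {
  vpc_id = local.spoke_vpc_id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = aws_vpc_endpoint.gwlbe1.id
  }
  route {
    cidr_block         = local.spoke_summary
    transit_gateway_id = local.tgw_id
  }
}

# GWLBE1 subnet: inspected traffic leaving the endpoint exits through the IGW.
resource "aws_route_table" "gwlbe" {
  vpc_id = local.spoke_vpc_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = local.spoke_igw_id
  }
}
```

The web and endpoint subnets still need an `aws_route_table_association` with `subnet_id` for their tables, and the web servers keep their public addresses because the Internet gateway, not the firewall, performs the 1:1 NAT. The health-check port is an assumption: the target group cannot probe the GENEVE port itself, so pick a port the firewall's dataplane interface answers on through its interface management profile.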
To protect the outbound traffic of the application VPCs, you create a GWLBE (GWLBE3 in the figure above) in the centralized security VPC. You then add routes in the application VPCs that send all outbound traffic to the transit gateway (TGW). The TGW route table associated with the application VPC attachments sends that outbound traffic to the centralized security VPC for inspection. After the firewall inspects the traffic and applies policy, the traffic returns to GWLBE3 and then to the TGW, and the TGW route table associated with the security VPC routes it on to the destination.
To protect east-west traffic between the application VPCs, you use the same endpoint (GWLBE3 in the figure above) in the centralized security VPC. Routes in the application VPCs and in the TGW route tables send inter-VPC traffic to the centralized security VPC for inspection, in both directions, before it reaches the other application VPC.
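The centralized security VPC wiring described above (appliance mode on the security VPC attachment, GWLBE3, and the VPC and TGW route tables for the outbound and east-west paths), as one added Terraform example. It is not code from the page or from the Palo Alto Networks templates; it assumes the transit gateway, the security VPC and its subnets, the spoke VPC attachments and the GWLB endpoint service already exist, and every ID, CIDR and the service name in `locals` is a placeholder.

```hcl
# Added example; not taken from the Palo Alto Networks CFT/Terraform templates.
# Assumes the TGW, the security VPC and its subnets, the spoke VPC attachments and
# the GWLB endpoint service already exist. All IDs, CIDRs and names are placeholders.
locals {
  tgw_id            = "tgw-0000000000000000a"
  security_vpc_id   = "vpc-0sec000000000000a"
  sec_tgw_subnets   = ["subnet-0sec00000000000b1", "subnet-0sec00000000000b2"] # TGW ENIs
  sec_gwlbe_subnet  = "subnet-0sec00000000000c1"                                # GWLBE3
  gwlb_service_name = "com.amazonaws.vpce.us-east-1.vpce-svc-0000000000000000a"
  spokes = {
    app1 = { attachment = "tgw-attach-0app1000000000a", cidr = "10.1.0.0/16" }
    app2 = { attachment = "tgw-attach-0app2000000000a", cidr = "10.2.0.0/16" }
  }
}

# Security VPC attachment with appliance mode. Without it the TGW may hand the reply
# of a flow to the other AZ, where a different GWLBE and firewall see only half of it.
resource "aws_ec2_transit_gateway_vpc_attachment" "security" {
  transit_gateway_id                              = local.tgw_id
  vpc_id                                          = local.security_vpc_id
  subnet_ids                                      = local.sec_tgw_subnets
  appliance_mode_support                          = "enable"
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

# GWLBE3: the endpoint shared by outbound and east-west traffic from the TGW.
resource "aws_vpc_endpoint" "gwlbe3" {
  vpc_id            = local.security_vpc_id
  service_name      = local.gwlb_service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [local.sec_gwlbe_subnet]
}

# TGW attachment subnets: everything that arrives from the TGW goes to GWLBE3.
resource "aws_route_table" "sec_tgw" {
  vpc_id = local.security_vpc_id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = aws_vpc_endpoint.gwlbe3.id
  }
}
resource "aws_route_table_association" "sec_tgw" {
  for_each       = toset(local.sec_tgw_subnets)
  subnet_id      = each.value
  route_table_id = aws_route_table.sec_tgw.id
}

# GWLBE3 subnet: inspected traffic for any application VPC goes back to the TGW.
# Add a 0.0.0.0/0 route toward your Internet egress here if needed (not covered above).
resource "aws_route_table" "sec_gwlbe" {
  vpc_id = local.security_vpc_id
  dynamic "route" {
    for_each = local.spokes
    content {
      cidr_block         = route.value.cidr
      transit_gateway_id = local.tgw_id
    }
  }
}
resource "aws_route_table_association" "sec_gwlbe" {
  subnet_id      = local.sec_gwlbe_subnet
  route_table_id = aws_route_table.sec_gwlbe.id
}

# TGW route table for the spokes: one default route to the security VPC, so
# Internet-bound and spoke-to-spoke traffic alike is inspected first.
resource "aws_ec2_transit_gateway_route_table" "spokes" {
  transit_gateway_id = local.tgw_id
}
resource "aws_ec2_transit_gateway_route" "spokes_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.security.id
}
resource "aws_ec2_transit_gateway_route_table_association" "spokes" {
  for_each                       = local.spokes
  transit_gateway_attachment_id  = each.value.attachment
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

# TGW route table for the security VPC: each spoke prefix back to its attachment.
resource "aws_ec2_transit_gateway_route_table" "security" {
  transit_gateway_id = local.tgw_id
}
resource "aws_ec2_transit_gateway_route" "to_spoke" {
  for_each                       = local.spokes
  destination_cidr_block         = each.value.cidr
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.security.id
  transit_gateway_attachment_id  = each.value.attachment
}
resource "aws_ec2_transit_gateway_route_table_association" "security" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.security.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.security.id
}
```

For brevity a single GWLBE3 in one Availability Zone is shown; in production create one endpoint per AZ and a route table per TGW-attachment subnet that points at the endpoint in its own AZ, so each flow stays within the zone that appliance mode pinned it to. The spoke attachments must have default route table association disabled, or the explicit association above conflicts with it. After applying, confirm the setting with `aws ec2 describe-transit-gateway-vpc-attachments --transit-gateway-attachment-ids <id> --query 'TransitGatewayVpcAttachments[].Options.ApplianceModeSupport'`, which should return `enable` for the security VPC attachment.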
You can integrate the VM-Series firewall with a GWLB manually, with CloudFormation templates (CFTs), or with Terraform templates. The templates are available in the Palo Alto Networks GitHub repository.
