VM-Series Auto Scaling Group with AWS Gateway Load Balancer

The Palo Alto Networks auto scaling template for AWS help you integrate and configure the VM-Series firewall with a GWLB to protect applications deployed in AWS. The template leverage AWS scalability features to independently and automatically scale VM-Series firewalls deployed in AWS to meet surges in application workload resource demand.
These templates are
community supported
This solution provides a security VPC template and an application template. The security VPC template deploys the VM-Series firewall auto scaling group, a GWLB, a GWLBE, GWLBE subnet, security attachment subnet, and a NAT gateway for each availability zone. Download the CloudFormation templates from the Palo Alto Networks GitHub Repository.
The VM-Series Auto Scaling template for integration with an AWS GWLB includes the following building blocks:
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
Building Block
PAN Components
  • Panorama running 10.0.2 or later
  • PAN-OS 10.0.2 or later
  • VM-Series plugin 2.0.2 or later installed on Panorama
Firewall template
(Community supported template)
Based on the number of availability zones (AZs) you choose, the
deploys the following:
  • Subnets for Lambda management, transit gateway attachments, GWLB endpoints, and NAT gateways, as well as trust subnets.
  • Routes tables for each subnet
  • Transit gateway attachments and route tables
  • NAT and internet gateways
  • An auto scaling group with one VM-Series firewall per AZ.
  • One GWLB and a GWLB endpoint in each AZ.
The VPC CIDR for the firewall template should be larger than /23.
Due to the many variations in a production environment that includes but is not limited to a specific number components, such as subnets, availability zones, route tables, and security groups. You must deploy the
in a new VPC.
VM-Series Auto Scaling template for AWS does not deploy a transit gateway or Panorama. You must deploy a transit gateway and Panorama before launching firewall-new-vpc-v3.0.template.
Application template
(Community supported template)
Based on the number of availability zones (AZs) you choose, the
deploys the following:
  • Subnets for Lambda, transit gateway attachments, GWLB endpoints, application load balancers.
  • Routes tables for each subnet, as well as an inbound route table associated with the internet gateway to direct inbound traffic to the GWLB endpoint.
  • One application load balancer
  • One internet gateway
  • An auto scaling group with one Ubuntu instance per AZ.
The VPC CIDR for the application template should be larger than /23.
The application template is intended to be used as an example for validating the security template.
Lambda functions
AWS Lambda provides robust, event-driven automation without the need for complex orchestration software. In addition to deploying the components described in the rows above, the
performs the following functions:
  • Adds or removes an interface (ENI) when a firewall is launched or terminated.
  • Deletes all the associated resources when you delete a stack or terminate an instance.
  • Removes a firewall as a Panorama managed device when there is a scale-in event.
  • Deactivates the license when a scale-in event results in a firewall termination.
  • Monitors the transit gateway periodically for new attachments or detachments, and updates the route tables accordingly in the security VPC.
Bootstrap files
The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the sample credentials in the bootstrap.xml prior to launch.
This solution requires the init-cfg.txt file and the bootstrap.xml file so that the VM-Series firewall has the basic configuration for handling traffic.
  • The
    file includes the mgmt-interface-swap operational command to enable the firewall to receive dataplane traffic on its primary interface (eth0). This auto-scaling solution requires the swapping of the dataplane and management interfaces to enable the GWLB to forward web traffic to the auto-scaling tier of VM-Series firewalls.
  • The
    file enables basic connectivity for the firewall network interfaces and allows the firewall to connect to the AWS CloudWatch namespace that matches the stack name you enter when you launch the template.
If you need to delete these templates from AWS, always delete the application template first. Attempting to delete the firewall template causes the deletion to fail.

Recommended For You