1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. Set Up the VM-Series Firewall on AWS
    5. VM-Series Integration with an AWS Gateway Load Balancer
    6. VM-Series Auto Scaling Group with AWS Gateway Load Balancer

    VM-Series Auto Scaling Group with AWS Gateway Load Balancer

    The Palo Alto Networks auto scaling template for AWS help you integrate and configure the VM-Series firewall with a GWLB to protect applications deployed in AWS. The template leverage AWS scalability features to independently and automatically scale VM-Series firewalls deployed in AWS to meet surges in application workload resource demand.
    These templates are
    community supported
    .
    agw-security-template-resources.png
    This solution provides a security VPC template and an application template. The security VPC template deploys the VM-Series firewall auto scaling group, a GWLB, a GWLBE, GWLBE subnet, security attachment subnet, and a NAT gateway for each availability zone. Download the CloudFormation templates from the Palo Alto Networks GitHub Repository.
    The VM-Series Auto Scaling template for integration with an AWS GWLB includes the following building blocks:
    All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
    Building Block
    Description
    PAN Components
    • Panorama running 10.0.2 or later
    • PAN-OS 10.0.2 or later
    • VM-Series plugin 2.0.2 or later installed on Panorama
    Firewall template
    (Community supported template)
    Based on the number of availability zones (AZs) you choose, the
    firewall-new-vpc-v3.0.template
     deploys the following:
    • Subnets for Lambda management, transit gateway attachments, GWLB endpoints, and NAT gateways, as well as trust subnets.
    • Routes tables for each subnet
    • Transit gateway attachments and route tables
    • NAT and internet gateways
    • An auto scaling group with one VM-Series firewall per AZ.
    • One GWLB and a GWLB endpoint in each AZ.
    The VPC CIDR for the firewall template should be larger than /23.
    Due to the many variations in a production environment that includes but is not limited to a specific number components, such as subnets, availability zones, route tables, and security groups. You must deploy the
    firewall-new-vpc-v3.0.template
     in a new VPC.
    VM-Series Auto Scaling template for AWS does not deploy a transit gateway or Panorama. You must deploy a transit gateway and Panorama before launching firewall-new-vpc-v3.0.template.
    Application template
    (Community supported template)
    Based on the number of availability zones (AZs) you choose, the
    panw-aws-app-v3.0.template
     deploys the following:
    • Subnets for Lambda, transit gateway attachments, GWLB endpoints, application load balancers.
    • Routes tables for each subnet, as well as an inbound route table associated with the internet gateway to direct inbound traffic to the GWLB endpoint.
    • One application load balancer
    • One internet gateway
    • An auto scaling group with one Ubuntu instance per AZ.
    The VPC CIDR for the application template should be larger than /23.
    The application template is intended to be used as an example for validating the security template.
    Lambda functions
    AWS Lambda provides robust, event-driven automation without the need for complex orchestration software. In addition to deploying the components described in the rows above, the
    firewall-new-vpc-v3.0.template
     performs the following functions:
    • Adds or removes an interface (ENI) when a firewall is launched or terminated.
    • Deletes all the associated resources when you delete a stack or terminate an instance.
    • Removes a firewall as a Panorama managed device when there is a scale-in event.
    • Deactivates the license when a scale-in event results in a firewall termination.
    • Monitors the transit gateway periodically for new attachments or detachments, and updates the route tables accordingly in the security VPC.
    Bootstrap files
    The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the sample credentials in the bootstrap.xml prior to launch.
    This solution requires the init-cfg.txt file and the bootstrap.xml file so that the VM-Series firewall has the basic configuration for handling traffic.
    • The
      init-cfg.txt
       file includes the mgmt-interface-swap operational command to enable the firewall to receive dataplane traffic on its primary interface (eth0). This auto-scaling solution requires the swapping of the dataplane and management interfaces to enable the GWLB to forward web traffic to the auto-scaling tier of VM-Series firewalls.
    • The
      bootstrap.xml
       file enables basic connectivity for the firewall network interfaces and allows the firewall to connect to the AWS CloudWatch namespace that matches the stack name you enter when you launch the template.
    If you need to delete these templates from AWS, always delete the application template first. Attempting to delete the firewall template causes the deletion to fail.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo