Complete the following procedure to launch the application template.

1. Create an S3 bucket from which you will launch the application template.
   - If this is a cross-account deployment, create a new bucket.
   - If both templates deploy into one account, you can create a new bucket or reuse the S3 bucket you created earlier (one bucket can hold everything).
   Leave Block Public Access enabled on the bucket; the template reads app.zip with AWS credentials, so no public access is required.
2. Upload the app.zip file to the S3 bucket.
3. Select the application launch template you want to launch.
4. In the AWS Management Console, select CloudFormation, then Create Stack.
5. Select Upload a template to Amazon S3 and choose the application template. The template can deploy its resources either in the same VPC as the firewalls or in a different VPC. Click Open, then Next.
6. Specify the Stack name. The stack name uniquely identifies all the resources deployed by this template and is used in the names of the resources the template creates.
7. In Select list of AZ, select the Availability Zones (AZs) that your setup will span.
8. Enter a descriptive VPC Name.
9. Configure the parameters for Lambda:
   - Enter the name of the S3 bucket where app.zip is stored.
   - Enter the name of the zip file (app.zip).
10. Select the EC2 instance type for the Ubuntu web server launched by this template.
11. Enter your Amazon EC2 key pair.
12. Enter the name of the service configuration (Service Name) for the GWLB endpoint service in the security VPC. To find it:
   a. In the AWS console, select DynamoDB from the Services drop-down.
   b. Select Tables and locate your security VPC table. The table name is <stack name>-gwlb-<region>, where <stack name> is the name of the firewall (security VPC) stack, for example cft-deployment-gwlb-us-east-1.
   c. Click the Items tab and copy the Service Name.
   d. Paste the Service Name into the application template configuration parameters.
13. Enter the transit gateway ID. This is the same transit gateway you created before deploying the firewall template.
14. Review the template settings and launch the template.
15. After the application has been deployed, add a route to the transit gateway route table to enable east-west and outbound traffic inspection:
   a. Log in to the AWS VPC console.
   b. Select Transit Gateway Route Tables and choose your transit gateway route table. This route table is created by the application template and is named <app-stack-name>-<region>-PANWAppAttRt.
   c. Select Routes and click Create static route.
   d. Enter 0.0.0.0/0 in the CIDR field.
   e. From the Choose attachment drop-down, select the VM-Series firewall VPC attachment.
   f. Click Create static route.
   This default route steers all traffic that leaves the application VPC through the transit gateway, including east-west traffic to other VPCs, to the security VPC, where the VM-Series firewalls inspect it. Until the route exists, that traffic has no path through the firewalls.
16. (Optional) Create a bastion host (also called a jump box) to access the web server created by the application template:
   a. Create a public-facing subnet in your application VPC.
   b. In the route table of this subnet, add a route to the internet gateway (a route for your own IP address, or 0.0.0.0/0) so that you can reach the subnet from your location.
   c. Create a new EC2 instance in the public subnet with a public IP address.
   d. Create a security group for this EC2 instance that allows SSH (TCP 22) only from your IP address. Do not open SSH to 0.0.0.0/0.
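The same procedure (steps 1 through 15, without the optional bastion host) can be driven from the AWS CLI. The script below is an added example written for this page; it is not part of the Palo Alto Networks documentation or templates. It assumes AWS CLI v2 with credentials for the deployment account, app.zip and the application template on local disk, that the DynamoDB item stores the Service Name as the usual com.amazonaws.vpce.<region>.vpce-svc-<id> string, that the transit gateway route table created by the template carries its name in a Name tag, that the template needs IAM capabilities (it creates Lambda functions), and that you write the stack parameters into a params.json file using the parameter keys the script lists. The prepare and launch subcommands are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not the vendor's code. Drives the application-template
# deployment with the AWS CLI. See the lead-in for the assumptions.
set -euo pipefail

# --- pure helpers (no AWS calls), derived from the naming in the procedure ---

# DynamoDB table written by the firewall template: <stack name>-gwlb-<region>
gwlb_table_name() { printf '%s-gwlb-%s\n' "$1" "$2"; }

# Transit gateway route table created by the application template
app_route_table_name() { printf '%s-%s-PANWAppAttRt\n' "$1" "$2"; }

# Pull the GWLB endpoint service name out of text such as a DynamoDB scan.
# Assumption: it is stored as com.amazonaws.vpce.<region>.vpce-svc-<id>.
# Prints nothing (and still returns 0) when no such string is present.
extract_service_name() {
  printf '%s\n' "$1" \
    | grep -o 'com\.amazonaws\.vpce\.[a-z0-9-]*\.vpce-svc-[0-9a-f]*' \
    | head -n 1 || true
}

# --- steps that call AWS ---

# Steps 1-2: create a private bucket (Block Public Access on) and upload app.zip.
stage_app_zip() {  # bucket region zipfile
  if [ "$2" = us-east-1 ]; then
    aws s3api create-bucket --bucket "$1" --region "$2"
  else
    aws s3api create-bucket --bucket "$1" --region "$2" \
      --create-bucket-configuration "LocationConstraint=$2"
  fi
  aws s3api put-public-access-block --bucket "$1" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  aws s3 cp "$3" "s3://$1/$(basename "$3")"
}

# Step 12: read the Service Name from the firewall stack's DynamoDB table.
lookup_service_name() {  # firewall-stack region
  local out name
  out=$(aws dynamodb scan --table-name "$(gwlb_table_name "$1" "$2")" \
        --region "$2" --output text)
  name=$(extract_service_name "$out")
  [ -n "$name" ] || { echo "no GWLB service name found in table" >&2; return 1; }
  printf '%s\n' "$name"
}

# The parameter keys are defined by the template, so print them rather than
# guessing; fill params.json with these keys before launching.
list_template_parameters() {  # template-file
  aws cloudformation get-template-summary --template-body "file://$1" \
    --query 'Parameters[].ParameterKey' --output text
}

# Steps 4-14: create the stack and wait for it to finish.
launch_app_stack() {  # stack-name region template-file params-file
  aws cloudformation create-stack --stack-name "$1" --region "$2" \
    --template-body "file://$3" --parameters "file://$4" \
    --capabilities CAPABILITY_NAMED_IAM
  aws cloudformation wait stack-create-complete --stack-name "$1" --region "$2"
}

# Step 15: 0.0.0.0/0 via the firewall VPC attachment in the app route table.
add_inspection_route() {  # app-stack region firewall-tgw-attachment-id
  local rt
  rt=$(aws ec2 describe-transit-gateway-route-tables --region "$2" \
       --filters "Name=tag:Name,Values=$(app_route_table_name "$1" "$2")" \
       --query 'TransitGatewayRouteTables[0].TransitGatewayRouteTableId' \
       --output text)
  [ "$rt" != None ] || { echo "route table not found" >&2; return 1; }
  aws ec2 create-transit-gateway-route --region "$2" \
    --destination-cidr-block 0.0.0.0/0 \
    --transit-gateway-route-table-id "$rt" \
    --transit-gateway-attachment-id "$3"
}

case "${1:-}" in
  prepare)  # prepare <bucket> <region> <firewall-stack> <template-file>
    stage_app_zip "$2" "$3" ./app.zip
    echo "GWLB endpoint Service Name: $(lookup_service_name "$4" "$3")"
    echo "Parameter keys expected by the template:"
    list_template_parameters "$5"
    ;;
  launch)   # launch <app-stack> <region> <template-file> <params.json> <fw-attachment-id>
    launch_app_stack "$2" "$3" "$4" "$5"
    add_inspection_route "$2" "$3" "$6"
    ;;
esac
```

Run prepare first, paste the printed Service Name and the other values into params.json, then run launch. The route lookup fails closed: if the Name tag does not match, nothing is routed rather than a route being added to the wrong table.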