Launch the Application Template

Learn how to launch the application templates.
Complete the following procedure to launch the application template.
  1. Create an S3 bucket from which you will launch the application template.
    • If this is a cross-account deployment, create a new bucket.
    • If this is a single-account deployment, you can create a new bucket or reuse the S3 bucket you created earlier (one bucket can hold the artifacts for both templates).
  2. Upload the app.zip file into the S3 bucket.
  3. Select the application template you want to launch.
    1. In the AWS Management Console, select CloudFormation > Create Stack.
    2. Select Upload a template to Amazon S3 and choose the application template that matches your topology: one template deploys the application resources in the same VPC as the firewalls, the other deploys them in a separate VPC. Click Open, then Next.
    3. Specify the Stack name. The stack name allows you to uniquely identify all the resources that are deployed using this template.
  4. In Select list of AZ, select the Availability Zones (AZs) that your setup will span.
  5. Enter a descriptive VPC Name.
  6. Configure the parameters for Lambda.
    1. Enter the name of the S3 bucket where app.zip is stored.
    2. Enter the name of the zip file (app.zip).
  7. Select the EC2 instance type for the Ubuntu web server launched by this template.
  8. Enter your Amazon EC2 key pair.
  9. Enter the Service Name, that is, the name of the VPC endpoint service configuration for the GWLB in the security VPC. The value is stored in the DynamoDB table that belongs to the security VPC:
    1. Select DynamoDB from the Services drop-down in the AWS console.
    2. Select Tables and locate your security VPC table.
    3. Click the Items tab and copy the Service Name.
    4. Paste the Service Name into the template parameters.
  10. Enter the transit gateway ID. This is the same transit gateway you created before deploying the firewall template.
  11. Review the template settings and launch the template.
  12. After the application has been deployed, add a default route to the transit gateway route table associated with the application VPC attachment, so that east-west and outbound traffic is forwarded to the firewalls for inspection.
    1. Log in to the AWS VPC console.
    2. Select Transit Gateway Route Tables and choose the route table created by the application template. It is named <app-stack-name>-<region>-PANWAppAttRt.
    3. Select Routes and click Create static route.
    4. Enter 0.0.0.0/0 in the CIDR field.
    5. From the Choose attachment drop-down, select the VM-Series firewall VPC attachment (the security VPC).
    6. Click Create static route.
    Because a transit gateway forwards on the most specific matching route, any active route in this table that is more specific than 0.0.0.0/0 and points to an attachment other than the firewall VPC (for example, a route propagated from another spoke VPC) lets that traffic bypass inspection. Check the Routes tab for such entries after creating the default route.
  13. (Optional) Create a bastion host (also called a jump box) to access the web server created by the application template.
    1. Create a public-facing subnet in your application VPC.
    2. Associate the subnet with a route table that sends internet traffic (0.0.0.0/0) to the internet gateway, so that the subnet is reachable from your IP address.
    3. Create a new EC2 instance in the public subnet with a public IP address.
    4. Create a security group for this EC2 instance that allows SSH only from your IP address, and make sure the web server's security group accepts SSH from the bastion (for example, by referencing the bastion's security group rather than an open CIDR).
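The static route added in step 12 is the only thing that puts the application VPC's traffic in front of the firewalls, so it is worth verifying after the fact. The script below is an added example and is not part of the Palo Alto Networks documentation or the CloudFormation templates: it parses the JSON that `aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id <id> --filters Name=state,Values=active,blackhole` returns for the PANWAppAttRt table and reports a missing, inactive or misdirected default route, as well as any more specific route that would bypass the firewall attachment. The route sample and every resource ID in it are constructed placeholders, and the firewall attachment ID and application VPC ID are assumptions you replace with your own values.

```python
"""Check that an application VPC's transit gateway route table sends all
traffic to the VM-Series (security VPC) attachment, as step 12 requires.

Added example, not code from the Palo Alto Networks documentation or templates.
"""
import ipaddress
import json

# Constructed sample of a search-transit-gateway-routes response. Every ID
# below is a placeholder, not a value taken from a real deployment.
SAMPLE_ROUTES_JSON = """
{
  "Routes": [
    {
      "DestinationCidrBlock": "10.20.0.0/16",
      "TransitGatewayAttachments": [
        {"ResourceId": "vpc-0aaa0000000000001",
         "TransitGatewayAttachmentId": "tgw-attach-0aaa0000000000001",
         "ResourceType": "vpc"}
      ],
      "Type": "propagated",
      "State": "active"
    },
    {
      "DestinationCidrBlock": "0.0.0.0/0",
      "TransitGatewayAttachments": [
        {"ResourceId": "vpc-0bbb0000000000002",
         "TransitGatewayAttachmentId": "tgw-attach-0bbb0000000000002",
         "ResourceType": "vpc"}
      ],
      "Type": "static",
      "State": "active"
    }
  ],
  "AdditionalRoutesAvailable": false
}
"""
SAMPLE_ROUTES = json.loads(SAMPLE_ROUTES_JSON)

# Assumed identifiers for the sample: the security VPC attachment that carries
# the VM-Series firewalls, and the VPC the application template launched.
FIREWALL_ATTACHMENT = "tgw-attach-0bbb0000000000002"
APP_VPC_ID = "vpc-0aaa0000000000001"


def _attachment_ids(route):
    return {a["TransitGatewayAttachmentId"] for a in route.get("TransitGatewayAttachments", [])}


def _resource_ids(route):
    return {a.get("ResourceId") for a in route.get("TransitGatewayAttachments", [])}


def check_inspection_route(routes_doc, firewall_attachment_id, app_vpc_id):
    """Return a list of findings; an empty list means the table matches step 12."""
    findings = []
    routes = routes_doc.get("Routes", [])

    # 1. The default route must exist, be active, be static and target the firewalls.
    defaults = [r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if not defaults:
        findings.append("missing 0.0.0.0/0 route: east-west and outbound traffic is not inspected")
    for r in defaults:
        if r.get("State") != "active":
            findings.append(f"0.0.0.0/0 route is {r.get('State')}, not active")
        elif r.get("Type") != "static":
            findings.append("0.0.0.0/0 route is propagated rather than the static route from step 12")
        if firewall_attachment_id not in _attachment_ids(r):
            findings.append(f"0.0.0.0/0 route does not target the firewall attachment {firewall_attachment_id}")

    # 2. The transit gateway uses the most specific matching route, so any active
    #    route narrower than 0.0.0.0/0 that targets another attachment bypasses
    #    the firewalls. The application VPC's own CIDR is the expected exception.
    for r in routes:
        cidr = r.get("DestinationCidrBlock", "")
        if cidr == "0.0.0.0/0" or r.get("State") != "active":
            continue
        if firewall_attachment_id in _attachment_ids(r) or app_vpc_id in _resource_ids(r):
            continue
        net = ipaddress.ip_network(cidr, strict=False)  # also rejects a malformed CIDR
        findings.append(f"{net} is routed to {sorted(_attachment_ids(r))} and bypasses inspection")
    return findings


if __name__ == "__main__":
    # For a real check, replace SAMPLE_ROUTES with the parsed output of the CLI command.
    for line in check_inspection_route(SAMPLE_ROUTES, FIREWALL_ATTACHMENT, APP_VPC_ID) or ["route table OK"]:
        print(line)
```

Run it against the captured JSON of the PANWAppAttRt table after step 12; an empty finding list confirms the default route exists, is static and active, and points at the firewall VPC attachment, and that no propagated spoke route sits in front of it.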
