The VM-Series firewalls scale in and scale out in two ways: on PAN-OS metrics and on application traffic.
PAN-OS metric-based scaling
—The VM-Series firewalls scale on custom PAN-OS metrics: CloudWatch alarms on those metrics drive scaling policies that deploy or terminate instances, increasing or decreasing capacity in the VM-Series firewall ASG. To monitor traffic load on the firewalls, you configure alarms on the following custom PAN-OS metrics: the number of active sessions on the firewall, dataplane CPU utilization, or dataplane buffer utilization. The CFT uses an AWS Lambda function to collect these values from the firewalls and publish them to AWS CloudWatch once a minute; the firewalls do not publish the metrics themselves, so an alarm period shorter than one minute has no data to evaluate. When a monitored metric breaches its configured threshold for the configured number of consecutive evaluation periods, CloudWatch raises the alarm, which invokes the scaling policy and initiates an auto scaling event.
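The following is an added illustration of the metric path described above, not the CFT's Lambda code. It parses a constructed PAN-OS `show session info` XML reply into CloudWatch custom-metric datapoints shaped for `put_metric_data()`, and reproduces the alarm rule (threshold breached for N consecutive one-minute periods, with DatapointsToAlarm equal to EvaluationPeriods) so the scaling trigger can be reasoned about offline. The namespace, metric and dimension names are assumptions, and the sample reply is trimmed to the fields used.

```python
"""Added example, not Palo Alto Networks' CFT/Lambda code.

Publishes PAN-OS session statistics as CloudWatch custom metrics and mirrors
the CloudWatch alarm evaluation that triggers the auto scaling policy.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of a PAN-OS XML API reply to 'show session info',
# trimmed to the elements this example reads.
SAMPLE_SESSION_INFO = """<response status="success"><result>
<num-max>262144</num-max><num-active>65536</num-active>
<num-tcp>50000</num-tcp><num-udp>15000</num-udp>
</result></response>"""

NAMESPACE = "VMseries"  # assumption: any custom namespace name works


def parse_session_info(xml_text: str) -> dict:
    """Return the active session count and session-table utilisation."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("PAN-OS API reply status: %s" % root.get("status"))
    result = root.find("result")
    active = int(result.findtext("num-active"))
    maximum = int(result.findtext("num-max"))
    return {"active": active, "max": maximum,
            "utilization_pct": round(100.0 * active / maximum, 2)}


def build_metric_data(instance_id: str, asg_name: str, stats: dict,
                      now=None) -> dict:
    """Build the keyword arguments for boto3 CloudWatch put_metric_data().

    Dimensions on ASG name and instance ID let one alarm aggregate across the
    ASG while a per-instance view remains available for troubleshooting.
    """
    ts = now or datetime.now(timezone.utc)
    dims = [{"Name": "AutoScalingGroupName", "Value": asg_name},
            {"Name": "InstanceId", "Value": instance_id}]
    return {
        "Namespace": NAMESPACE,
        "MetricData": [
            {"MetricName": "ActiveSessions", "Dimensions": dims,
             "Timestamp": ts, "Value": stats["active"], "Unit": "Count"},
            {"MetricName": "SessionUtilization", "Dimensions": dims,
             "Timestamp": ts, "Value": stats["utilization_pct"],
             "Unit": "Percent"},
        ],
    }


def publish(metric_args: dict):
    """Send the datapoints to CloudWatch (needs AWS credentials; not run here)."""
    import boto3  # imported lazily so the rest of the example runs offline
    boto3.client("cloudwatch").put_metric_data(**metric_args)


def alarm_would_fire(datapoints, threshold, evaluation_periods,
                     comparison="GreaterThanThreshold") -> bool:
    """Mirror CloudWatch alarm evaluation for a one-minute metric.

    The alarm enters ALARM only when the last `evaluation_periods` datapoints
    all breach the threshold; fewer datapoints means INSUFFICIENT_DATA.
    """
    if len(datapoints) < evaluation_periods:
        return False
    window = datapoints[-evaluation_periods:]
    if comparison == "GreaterThanThreshold":
        return all(v > threshold for v in window)
    if comparison == "LessThanThreshold":
        return all(v < threshold for v in window)
    raise ValueError("unsupported comparison operator: %s" % comparison)


if __name__ == "__main__":
    stats = parse_session_info(SAMPLE_SESSION_INFO)
    args = build_metric_data("i-0123456789abcdef0", "vmseries-asg-1", stats)
    print(args["MetricData"])
    # One-minute samples of session utilisation (%), threshold 80 for 2 periods
    print(alarm_would_fire([40, 70, 85, 90], 80, 2))
```

The `alarm_would_fire()` helper is the part worth keeping in mind when tuning: a single spike does not scale the ASG, the breach has to persist for the whole evaluation window, and because the Lambda publishes once a minute the window is measured in whole minutes.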
Application traffic-based scaling
—The VM-Series firewalls scale based on the internal ELB, which itself scales in response to the application traffic in the web server ASG. The CFT maintains a 1:1 ratio between internal ELB virtual IP addresses (VIPs) and VM-Series firewall ASGs: when the Lambda function in the CFT detects that an internal ELB VIP has been added or deleted, it adds or deletes a firewall ASG to match. The IP addresses of the firewalls in that ASG are added to or removed from the external ELB pool so that the external ELB distributes traffic across all available firewalls.
The VM-Series firewalls within an ASG are identical in configuration. Each firewall is bootstrapped with a NAT policy rule that directs all traffic to the IP address of the internal ELB VIP that the ASG was created for.
Conversely, when traffic volume drops and an internal ELB VIP is deleted, the Lambda function deletes the corresponding ASG and the VM-Series firewalls in it, and removes their IP addresses from the external ELB pool.
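The reconciliation loop implied by the two paragraphs above, written out as an added example (not the CFT's Lambda code): given the VIPs currently on the internal ELB and the firewall ASGs that exist, compute which ASGs to create (each with its bootstrap NAT rule pointing at its VIP), which to delete, and which firewall addresses to deregister from the external ELB first. ASG naming, the NAT rule field names and the sample addresses are assumptions chosen for illustration.

```python
"""Added example, not Palo Alto Networks' CFT/Lambda code.

Keeps VM-Series firewall ASGs 1:1 with internal ELB VIPs and derives the
external ELB membership changes that go with each ASG change.
"""
from dataclasses import dataclass, field


@dataclass
class FirewallAsg:
    name: str
    internal_vip: str                       # VIP this ASG's NAT rule targets
    instance_ips: list = field(default_factory=list)  # members of external ELB


def asg_name_for(vip: str) -> str:
    """Assumed naming scheme: derive the ASG name from its VIP."""
    return "vmseries-asg-" + vip.replace(".", "-")


def nat_rule_for(vip: str) -> dict:
    """Bootstrap NAT rule: all traffic that reaches the firewall is sent on to
    the internal ELB VIP (illustrative field names, not PAN-OS syntax)."""
    return {"name": "to-internal-elb", "from": "untrust", "to": "trust",
            "destination": "any", "destination-translation": vip}


def reconcile(current_vips: set, asgs: dict) -> dict:
    """Plan one poll of the internal ELB. `asgs` maps ASG name -> FirewallAsg.

    Does not mutate `asgs`; returns the actions a Lambda would take.
    """
    by_vip = {a.internal_vip: a for a in asgs.values()}
    new_vips = sorted(current_vips - set(by_vip))
    gone_vips = sorted(set(by_vip) - current_vips)
    return {
        "create_asgs": [{"asg": asg_name_for(v), "vip": v,
                         "nat_rule": nat_rule_for(v)} for v in new_vips],
        # Deregister firewall IPs from the external ELB before the ASG goes
        # away, so the external ELB never forwards to a terminated instance.
        "deregister_from_external_elb": [ip for v in gone_vips
                                         for ip in by_vip[v].instance_ips],
        "delete_asgs": [by_vip[v].name for v in gone_vips],
    }


def apply_plan(asgs: dict, plan: dict) -> dict:
    """Mutate the ASG table as the plan directs and return it."""
    for name in plan["delete_asgs"]:
        del asgs[name]
    for item in plan["create_asgs"]:
        asgs[item["asg"]] = FirewallAsg(item["asg"], item["vip"])
    return asgs


if __name__ == "__main__":
    # Constructed state: one existing ASG, then the ELB grows to two VIPs.
    state = {"vmseries-asg-10-0-1-5":
             FirewallAsg("vmseries-asg-10-0-1-5", "10.0.1.5",
                         ["52.0.0.1", "52.0.0.2"])}
    print(reconcile({"10.0.1.5", "10.0.1.6"}, state))
    print(reconcile({"10.0.1.6"}, state))
```

Running `reconcile()` twice against the same VIP set yields an empty plan the second time, which is the property that matters for a Lambda invoked on a timer: a missed or repeated invocation converges on the same 1:1 layout instead of creating duplicate ASGs.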