Requirement Details
EC2 instance types Deploy the VM-Series firewall on any of the following EC2 instance types: m4.xlarge m4.2xlarge m4.4xlarge m3.xlarge m3.2xlarge c4.xlarge c4.2xlarge c4.4xlarge c3.xlarge c3.2xlarge c3.4xlarge The minimum resource requirements for the VM-Series firewall are: vCPU: 2; Memory: 4GB; 5GB for the VM-1000-HV; Disk: 40GB. If you deploy the VM-Series firewall on an EC2 instance type that does not meet these requirements, the firewall will boot into maintenance mode. If you can select an instance type with more than 8 vCPUs for increased bandwidth (network performance), the VM-Series firewall will use a maximum of 8 vCPUs only. To support VM Monitoring and high availability in AWS, the VM-Series firewall must be able to directly reach the AWS API service endpoints without any proxy servers between the firewall management interface and the AWS API endpoints (such as ec2.us-west-2.amazonaws.com).
Amazon Elastic Block Storage (EBS) The VM-Series firewall must use the Amazon Elastic Block Storage (EBS) volume for storage. EBS optimization provides an optimized configuration stack and additional, dedicated capacity for Amazon EBS I/O.
Networking Because the AWS only supports Layer 3 networking capabilities, the VM-Series firewall can only be deployed with Layer 3 interfaces. Layer 2 interfaces, virtual wire, VLANs, and subinterfaces are not supported on the VM-Series firewall deployed in the AWS VPC.
Interfaces Support for a total of eight interfaces is available—one management interface and a maximum of seven Elastic Network Interfaces (ENIs) for data traffic. The VM-Series firewall does not support hot attachment of ENIs; to detect the addition or removal of an ENI you must reboot the firewall. Your EC2 instance type selection determines the total number of ENIs you can enable. For example, the c3.8xlarge supports eight (8) ENIs.
Support entitlement and Licenses For the Bring Your Own License model, a support account and a valid VM-Series license are required to obtain the Amazon Machine Image ( AMI) file, which is required to install the VM-Series firewall in the AWS VPC. The licenses required for the VM-Series firewall—capacity license, support license, and subscriptions for Threat Prevention, URL Filtering, WildFire, etc—must be purchased from Palo Alto Networks. To purchase the licenses for your deployment, contact your sales representative. See VM-Series Firewall in Amazon Web Services (AWS) and Azure Licenses. For the usage-based licensing model, hourly and annual pricing bundles can be purchased and billed directly to AWS. You must however, register your support entitlement with Palo Alto Networks. For details see, Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code).

Related Documentation