1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. Set Up the VM-Series Firewall in AWS
    5. Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
    Previous
    Next
    In a dynamic environment such as the AWS-VPC where you launch new EC2 instances on demand, the administrative overhead in managing security policy can be cumbersome. Using Dynamic Address Groups in security policy allows for agility and prevents disruption in services or gaps in protection.
    In this example, we illustrate how you can monitor the VPC and use Dynamic Address Groups in security policy to discover and secure EC2 instances. As you spin up EC2 instances, the Dynamic Address Group collates the IP addresses of all instances that match the criteria defined for group membership, and then security policy is applied for the group. The security policy in this example allows internet access to all members of the group.
    This workflow in the following section assumes that you have created the AWS VPC and deployed the VM-Series firewall and some applications on EC2 instances. For instructions on setting up the VPC for the VM-Series, see Use Case: Secure the EC2 Instances in the AWS Cloud.
    Use Dynamic Address Groups in Policy
    Configure the firewall to monitor the VPC. Select Device > VM Information Sources. Click Add and enter the following information: A Name to identify the VPC that you want to monitor. For example, VPC-CloudDC. Set the Type to AWS VPC. In Source, enter the URI for the VPC. The syntax is ec2.<your_region>.amazonaws.com Add the credentials required for the firewall to digitally sign API calls made to the AWS services. You need the following: Access Key ID: Enter the alphanumeric text string that uniquely identifies the user who owns or is authorized to access the AWS account. Secret Access Key: Enter the password and confirm your entry. (Optional) Modify the Update interval to a value between 5-600 seconds. By default, the firewall polls every 5 seconds. The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
    Enter the VPC ID that is displayed on the VPC Dashboard in the AWS management console. Click OK, and Commit the changes. Verify that the connection Status displays as connected
    Tag the EC2 instances in the VPC. For a list of tags that the VM-Series firewall can monitor, see List of Attributes Monitored on the AWS VPC. A tag is a name-value pair. You can tag the EC2 instances either on the EC2 Dashboard on the AWS management console or using the AWS API or AWS CLI. In this example, we use the EC2 Dashboard to add the tag:
    Create a dynamic address group on the firewall. View the tutorial to see a big picture view of the feature. Select Object > Address Groups. Click Add and enter a Name and a Description for the address group. Select Type as Dynamic. Define the match criteria. Click Add Match Criteria, and select the And operator. Select the attributes to filter for or match against. In this example, we select the ExternalAccessAllowed tag that you just created and the subnet ID for the private subnet of the VPC.
    Click OK. Click Commit.
    Use the dynamic address group in a security policy. To create a rule to allow internet access to any web server that belongs to the dynamic address group called ExternalServerAccess. Select Policies > Security. Click Add and enter a Name for the rule and verify that the Rule Type is universal. In the Source tab, add trust as the Source Zone. In the Source Address section of the Source tab, Add the ExternalServerAccess group you just created. In the Destination tab, add untrust as the Destination Zone. In the Service/URL Category tab, verify that the service is set to application-default. In the Actions tab, set the Action to Allow. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection. Click OK.
    Click Commit.
    Verify that members of the dynamic address group are populated on the firewall. Policy will be enforced for all IP addresses that belong to this address group, and are displayed here Select Policies > Security, and select the rule. Select the drop-down arrow next to the address group link, and select Inspect. You can also verify that the match criteria is accurate. Click the more link and verify that the list of registered IP addresses is displayed.
    Previous
    Next

    Related Documentation

    Use Case: Secure the EC2 Instances in the AWS Cloud

    Use Case: Secure the EC2 Instances in the AWS Cloud In this example, the VPC is deployed in the 10.0.0.0/16 network with two /24 subnets: ...

    Launch the VM-Series Firewall in AWS

    Launch the VM-Series Firewall in AWS If you have not already registered the capacity auth-code that you received with the order fulfillment email, with your ...

    Set Up the VM-Series Firewall in AWS

    Set Up the VM-Series Firewall in AWS The VM-Series firewall can be deployed in the public Amazon Web Services (AWS) cloud and AWS GovCloud. It ...

    Deployments Supported in AWS

    Deployments Supported in AWS The VM-Series firewall secures inbound and outbound traffic to and from EC2 instances within the AWS Virtual Private Cloud ( VPC ...

    Device > VM Information Sources

    Device > VM Information Sources Use this tab to proactively track changes on the Virtual Machines (VMs) deployed on any of these sources—VMware ESXi server, ...

    AWS Terminology

    AWS Terminology This document assumes that you are familiar with the networking and configuration of the AWS VPC. In order to provide context for the ...

    Support for ELB on the VM-Series Firewalls in AWS

    Support for ELB on the VM-Series Firewalls in AWS Elastic Load Balancing (ELB) is an Amazon web service that helps you improve the availability and ...

    Use Dynamic Address Groups in Policy

    Use Dynamic Address Groups in Policy Dynamic address groups are used in policy. They allow you to create policy that automatically adapts to changes—adds, moves, ...

    Set Up the VPC

    Set Up the VPC Setting up the VPC requires you to—at a minimum—create the VPC, add the subnets, create the security groups, deploy EC2 instances, ...

    Launch the the VM-Series Auto Scaling Template for AWS

    Launch the the VM-Series Auto Scaling Template for AWS Pick the workflow for the CFT version you are deploying. Launch the VM-Series Auto Scaling Template ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo