The VM-Series Auto Scaling Template for AWS provides two deployment options. The first option offers the flexibility to deploy a complete AWS environment along with the auto scaling tier of VM-Series firewalls in one streamlined workflow. The second option allows you to deploy only the auto-scaling tier of VM-Series firewalls into your existing AWS deployment.
The CFT does not deploy Panorama, and Panorama is optional in this deployment. If you want to use Panorama to manage the VM-Series firewalls that the CFT deploys, you can either use an M-Series appliance inside your corporate network, or a Panorama virtual appliance on a VMware ESXi server inside your corporate network or in vCloud Air; you cannot deploy Panorama on AWS.
The solution includes the following building blocks that make these options possible:
Building Block Description
VPC template: The VPC templates automate the process of deploying a VPC with two or three Availability Zones (AZs). The template deploys an external ELB, a web server farm, and an internal ELB that load balances traffic to the web server farm. In addition to the subnets, route tables, and security groups required for routing traffic across these AZs, it also creates the Auto Scaling Group (ASG) for the web server farm and, if you opt for one, an AWS NAT gateway. Depending on your preference for the internal ELB, you can choose from these two templates:
vpc-classic-v<number>.template—Use this template if you want a classic ELB to load balance traffic to the internal web server farm.
vpc-alb-v<number>.template—Use this template if you prefer an application ELB to load balance traffic to the internal web server farm.
Both templates deploy the classic ELB for internet-facing traffic.
Firewall template: The VPC template invokes the firewall.template to launch the VM-Series firewall. If you have an existing VPC with the required subnets, security groups, web servers, and ELBs, and want to deploy only the VM-Series firewall at scale, you can use the firewall.template instead of the vpc.template. The firewall.template creates an initial ASG with a single VM-Series firewall to secure the web servers in each AZ, adds the ENIs for the trust and management interfaces, and triggers the bootstrap process, including registration with Panorama. To enable auto scaling of the VM-Series firewalls, this template leverages PAN-OS metrics from the VM-Series firewall and publishes data on your preferred metric to AWS CloudWatch. You can select one of the following PAN-OS metrics—active sessions, dataplane CPU utilization, or dataplane CPU buffer utilization.
Lambda functions: AWS Lambda provides robust, event-driven automation without the need for complex orchestration software. In this CFT, AWS Lambda monitors the custom PAN-OS metrics and the internal ELB to enable dynamic scaling of the VM-Series firewalls. The Lambda functions add or remove elastic network interfaces (ENIs) when a firewall is launched or terminated, collect and publish CloudWatch metrics so that you can define an auto scaling policy using CloudWatch alarms, delete all the associated resources when an instance is terminated or the stack is deleted, and remove the firewall as a managed device on Panorama. The Lambda functions also monitor the VIP addresses on the internal ELB and add or remove an ASG for the VM-Series firewall as needed, maintaining a 1:1 ratio between internal ELB VIPs and VM-Series firewall ASGs.
Bootstrap files: The bootstrap.xml file in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See Customize the Bootstrap.xml File. This solution requires the init-cfg.txt file and the bootstrap.xml file so that the VM-Series firewall has the basic configuration for handling traffic from the ELB. The init-cfg.txt file includes the mgmt-interface-swap operational command to enable the firewall to receive dataplane traffic on its primary interface (eth0). For details, see Management Interface Mapping for Use with the AWS ELB. The bootstrap.xml file contains a NAT policy rule to properly route traffic in this auto scaling ELB environment. To perform NAT, the firewall requires a single IP address in the NAT policy rule; the firewall cannot use an FQDN or round-robin NAT to multiple IP addresses. To enable auto scaling, however, the AWS ELB publishes an FQDN as a virtual IP address (VIP) rather than publishing an IP address, and as the internal ELB scales, the FQDN automatically resolves to multiple IP addresses (one per AZ). The NAT policy rule included in the bootstrap.xml file resolves this conflict: it references an address object rather than an IP address. When the firewall boots up, a Lambda function adds the IP address of the internal ELB into the address object so that the NAT policy resolves to the correct IP address for the internal ELB and can route traffic between the external ELB and the internal ELB in this solution.
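The address-object mechanism described above, as an added example that is not code from the CFT or the Palo Alto Networks Lambda functions: a Lambda-style helper resolves the internal ELB FQDN, reduces the per-AZ answer set to the single IP a NAT rule can hold, and builds the PAN-OS XML API request that writes it into the address object. The function names, the xpath layout, and all sample values are assumptions.

```python
# Added example (not from the CFT or the Palo Alto Networks Lambda code): turns the
# internal ELB's FQDN into the single IP address a PAN-OS NAT rule requires and
# builds the XML API 'set' request for the address object the rule references.
# Function names, the xpath layout, and sample values are assumptions.
import ipaddress
import socket


def resolve_elb(fqdn):
    """Resolve the ELB DNS name to the IPv4 addresses it currently publishes
    (one per AZ as the internal ELB scales). Needs network access; the
    offline sample below uses a constructed answer set instead."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)})


def pick_ip_for_az(ips, az_subnets, fw_az):
    """Reduce the resolved set to the one address inside the firewall's own
    AZ subnet. A NAT rule can hold only a single IP, so anything other than
    exactly one match is reported as an error rather than guessed at."""
    net = ipaddress.ip_network(az_subnets[fw_az])
    matches = [ip for ip in ips if ipaddress.ip_address(ip) in net]
    if len(matches) != 1:
        raise ValueError(f"expected one ELB address in {fw_az}, got {matches}")
    return matches[0]


def address_object_request(obj_name, ip, api_key, vsys="vsys1"):
    """Build the parameters of a PAN-OS XML API config 'set' call that writes
    the ELB IP into the address object. Send them as a POST body rather than
    a GET query string so the API key stays out of URL logs. The xpath uses
    the usual single-vsys layout (assumed here; check your PAN-OS version)."""
    xpath = ("/config/devices/entry[@name='localhost.localdomain']"
             f"/vsys/entry[@name='{vsys}']/address/entry[@name='{obj_name}']")
    return {"type": "config", "action": "set", "key": api_key,
            "xpath": xpath, "element": f"<ip-netmask>{ip}</ip-netmask>"}


# Constructed sample: what the internal ELB FQDN resolved to (one address per AZ)
# and the per-AZ subnet CIDRs the VPC template created. Values are made up.
SAMPLE_IPS = ["10.0.1.25", "10.0.2.40"]
SAMPLE_AZ_SUBNETS = {"us-east-1a": "10.0.1.0/24", "us-east-1b": "10.0.2.0/24"}

if __name__ == "__main__":
    elb_ip = pick_ip_for_az(SAMPLE_IPS, SAMPLE_AZ_SUBNETS, "us-east-1b")
    print(address_object_request("internal-elb-vip", elb_ip, "<api-key-placeholder>"))
```

Because the ELB's addresses can change as it scales, the resolve-and-update step has to be re-run on every firewall launch (and ideally on a schedule), not only once at bootstrap.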