End-of-Life (EoL)

Stack Update with VM-Series Auto Scaling Template for AWS (v1.2)

A stack update allows you to modify the resources that the VM-Series Auto Scaling template deploys. Instead of deleting your existing deployment and redeploying the solution, use the stack update to modify the following parameters:
  • PAN-OS version—Deploy new VM-Series firewalls with a different PAN-OS version.
  • License—Switch from BYOL to PAYG and vice versa or switch from one PAYG bundle to another.
  • Other stack resources—Change the launch configuration parameters such as the Amazon Machine Image (AMI) ID, the instance type, and the key pair for your auto scaling groups. You can also update the API key associated with the administrative user account on the firewall.
When you deploy the VM-Series Auto Scaling template, the auto scaling groups and the launch configuration are automatically created for you. The launch configuration is a template that an auto scaling group uses to launch EC2 instances, and it specifies parameters such as the AMI ID, the instance type, and the key pair for your auto scaling group. To modify these parameters, you must update the stack and then replace the existing auto scaling group with a new auto scaling group. The new group uses the updated stack parameters to create the launch configuration and deploy new instances with these new parameters; existing instances continue to run with the configuration that they were originally launched with. This phased rollout allows you to verify the updates in one AZ at a time and then complete the changes across the other AZs without disruption. For critical applications, perform a stack update during a maintenance window.
You can update the stack directly or create change sets. The workflow in this document takes you through the manual stack update.
  1. In the AWS CloudFormation console, select the parent stack that you want to update and choose Actions > Update Stack.
  2. Modify the resources that you want to update.
    • PAN-OS version—To modify the PAN-OS version, look up the AMI ID for the version you want to use and enter the ID. If you are upgrading to PAN-OS 8.0, make sure to select an instance type that meets the VM-Series System Requirements.
    • License option—Switch from BYOL to PAYG or across PAYG bundles 1 and 2.
    If you’re switching to BYOL, make sure to include the auth code in the bootstrap package (See steps 3 and 5).
    If you’re switching between PAYG bundle version 1 and 2, look up the AMI ID for the VM-Series firewall.
    • Other stack resources—You can modify the AMI ID, the instance type, security group, key pair for the stack resources, or the API key associated with the administrative user account on the firewall.
    If you create a new administrative user account or modify the credentials of the existing administrator on the firewall, follow the workflow in Modify Administrative Account and Update Stack to update the stack and deploy new firewalls with the updated API key.
  3. Acknowledge the notifications, review the changes, and click Update to initiate the stack update.
  4. On the EC2 dashboard, select Auto Scaling Groups and pick an AZ in which to delete the ASG.
    Deleting an ASG allows you to replace the existing ASGs (one at a time) with a new ASG that uses the new parameters.
  5. Delete the launch configuration.
  6. Verify that the updated parameters are used to launch the VM-Series firewalls in the new ASG.
    Test the new ASG thoroughly and ensure it is properly handling traffic. As a best practice, wait one hour before continuing to the next ASG.
  7. Repeat steps 4 through 6 to replace the ASGs in the remaining AZs.
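
One way to script the verification in step 6, as an added example that is not part of the original documentation: it reads output shaped like `aws ec2 describe-instances` and reports, per ASG, any live instance still running with the old AMI ID, instance type, or key pair. The sample data, instance IDs, ASG names, and `EXPECTED` values are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output.
# All IDs, key names and ASG names are placeholders, not template values.
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa", "ImageId": "ami-NEW", "InstanceType": "m4.xlarge",
     "KeyName": "fw-key-2", "State": {"Name": "running"},
     "Tags": [{"Key": "aws:autoscaling:groupName", "Value": "asg-az1-new"}]},
    {"InstanceId": "i-0bbb", "ImageId": "ami-OLD", "InstanceType": "m4.xlarge",
     "KeyName": "fw-key-1", "State": {"Name": "running"},
     "Tags": [{"Key": "aws:autoscaling:groupName", "Value": "asg-az2-old"}]},
    {"InstanceId": "i-0ccc", "ImageId": "ami-OLD", "InstanceType": "m4.xlarge",
     "KeyName": "fw-key-1", "State": {"Name": "terminated"},
     "Tags": [{"Key": "aws:autoscaling:groupName", "Value": "asg-az1-old"}]}
  ]}
]}
""")

# Values entered in the stack update (placeholders for this example).
EXPECTED = {"ImageId": "ami-NEW", "InstanceType": "m4.xlarge", "KeyName": "fw-key-2"}

def asg_of(instance):
    """Return the ASG name that EC2 Auto Scaling tags on instances it launches."""
    for tag in instance.get("Tags", []):
        if tag["Key"] == "aws:autoscaling:groupName":
            return tag["Value"]
    return None

def find_drift(describe_output, expected):
    """Map ASG name -> [(instance id, field, actual value)] for live instances
    whose launch parameters differ from the updated stack values."""
    drift = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst["State"]["Name"] in ("terminated", "shutting-down"):
                continue  # already on its way out; not handling traffic
            group = asg_of(inst)
            if group is None:
                continue  # not launched by an auto scaling group
            for field, want in expected.items():
                if inst.get(field) != want:
                    drift.setdefault(group, []).append(
                        (inst["InstanceId"], field, inst.get(field)))
    return drift

if __name__ == "__main__":
    for group, items in find_drift(SAMPLE, EXPECTED).items():
        print(group, items)
```

An empty result for an AZ's new ASG means its firewalls were launched with the updated parameters; ASGs that still appear are the ones left to replace in step 7.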
