AMI on AWS GovCloud
The Bring Your Own License (BYOL) model of the VM-Series firewall is available as a shared AMI on AWS GovCloud.
With a GovCloud account you can find the AMI for the VM-Series firewall on the EC2 console (InstancesLaunch InstanceCommunity AMIs) using the AMI ID (ami-4add672b) or by searching for Palo Alto Networks. Alternatively, you can also use the link to directly launch the AMI in your GovCloud account. Make sure to review the supported EC2 instance types before you launch the firewall. For details, see Launch the VM-Series Firewall on AWS.
EC2 instance types
The EC2 instance type you select must meet the VM-Series System Requirements for the VM-Series firewall model. If you deploy the VM-Series firewall on an EC2 instance type that does not meet these requirements, the firewall will boot into maintenance mode
To support VM Monitoring and high availability on AWS, the VM-Series firewall must be able to directly reach the AWS API service endpoints without any proxy servers between the firewall management interface and the AWS API endpoints (such as ec2.us-west-2.amazonaws.com).
Amazon Elastic Block Storage (EBS)
The VM-Series firewall must use the Amazon Elastic Block Storage (EBS) volume for storage. EBS optimization provides an optimized configuration stack and additional, dedicated capacity for Amazon EBS I/O.
Because the AWS only supports Layer 3 networking capabilities, the VM-Series firewall can only be deployed with Layer 3 interfaces. Layer 2 interfaces, virtual wire, VLANs, and subinterfaces are not supported on the VM-Series firewall deployed in the AWS VPC.
Support for a total of eight interfaces is available—one management interface and a maximum of seven Elastic Network Interfaces (ENIs) for data traffic. The VM-Series firewall does not support hot attachment of ENIs; to detect the addition or removal of an ENI you must reboot the firewall.
Your EC2 instance type selection determines the total number of ENIs you can enable. For example, the c3.8xlarge supports eight (8) ENIs.
Support entitlement and Licenses
For the Bring Your Own License model, a support account and a valid VM-Series license are required to obtain the Amazon Machine Image (AMI) file, which is required to install the VM-Series firewall in the AWS VPC. The licenses required for the VM-Series firewall—capacity license, support license, and subscriptions for Threat Prevention, URL Filtering, WildFire, etc—must be purchased from Palo Alto Networks. To purchase the licenses for your deployment, contact your sales representative. See VM-Series Firewall in Amazon Web Services (AWS) and Azure Licenses.
For the usage-based licensing model, hourly and annual pricing bundles can be purchased and billed directly to AWS. You must however, register your support entitlement with Palo Alto Networks. For details see, Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code).
VM-Series Firewall on AWS China
VM-Series Firewall on AWS China The VM-Series firewall is available as a shared AMI with the BYOL option on AWS China (Beijing) region. You must ...
About the VM-Series Firewall on AWS
About the VM-Series Firewall on AWS The Amazon Web Service (AWS) is a public cloud service that enables you to run your applications on a ...
AWS Terminology This document assumes that you are familiar with the networking and configuration of the AWS VPC. In order to provide context for the ...
VM-Series Firewall on AWS GovCloud
VM-Series Firewall on AWS GovCloud AWS GovCloud is an isolated AWS region that meets the regulatory and compliance requirements of the US government agencies and ...
Deploy the VM-Series Firewall on AWS
Deploy the VM-Series Firewall on AWS Obtain the AMI Planning Worksheet for the VM-Series in the AWS VPC Launch the VM-Series Firewall on AWS Use ...
Launch the VM-Series Firewall on AWS
Launch the VM-Series Firewall on AWS If you have not already registered the capacity auth-code that you received with the order fulfillment email, with your ...
Troubleshoot the VM-Series Auto Scaling Template for AWS
Troubleshoot the VM-Series Auto Scaling Template for AWS When deploying a VM-Series Auto Scaling template version 1.2 or 1.1, if the template stack is unable ...
Management Interface Mapping for Use with Amazon ELB Servic...
Management Interface Mapping for Use with Amazon ELB By default, the elastic network interface (ENI) eth0 maps to the MGT interface on the firewall and ...
AMI in the Public AWS Cloud
AMI in the Public AWS Cloud The AMI for the VM-Series firewall is available in the AWS Marketplace for both the Bring Your Own License ...