EC2 instance types
The EC2 instance type you select must meet the VM-Series System Requirements for the VM-Series firewall model. If you deploy the VM-Series firewall on an EC2 instance type that does not meet these requirements, the firewall will boot into maintenance mode
To support VM Monitoring and high availability on AWS, the VM-Series firewall must be able to directly reach the AWS API service endpoints without any proxy servers between the firewall management interface and the AWS API endpoints (such as ec2.us-west-2.amazonaws.com).
Amazon Elastic Block Storage (EBS)
The VM-Series firewall must use the Amazon Elastic Block Storage (EBS) volume for storage. EBS optimization provides an optimized configuration stack and additional, dedicated capacity for Amazon EBS I/O.
Because the AWS only supports Layer 3 networking capabilities, the VM-Series firewall can only be deployed with Layer 3 interfaces. Layer 2 interfaces, virtual wire, VLANs, and subinterfaces are not supported on the VM-Series firewall deployed in the AWS VPC.
Support for a total of eight interfaces is available—one management interface and a maximum of seven Elastic Network Interfaces (ENIs) for data traffic. The VM-Series firewall does not support hot attachment of ENIs; to detect the addition or removal of an ENI you must reboot the firewall.
Your EC2 instance type selection determines the total number of ENIs you can enable. For example, the c3.8xlarge supports eight (8) ENIs.
Support entitlement and Licenses
For the Bring Your Own License model, a support account and a valid VM-Series license are required to obtain the Amazon Machine Image (AMI) file, which is required to install the VM-Series firewall in the AWS VPC. The licenses required for the VM-Series firewall—capacity license, support license, and subscriptions for Threat Prevention, URL Filtering, WildFire, etc—must be purchased from Palo Alto Networks. To purchase the licenses for your deployment, contact your sales representative. See VM-Series Firewall in Amazon Web Services (AWS) and Azure Licenses.
For the usage-based licensing model, hourly and annual pricing bundles can be purchased and billed directly to AWS. You must however, register your support entitlement with Palo Alto Networks. For details see, Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code).