This document assumes that you are familiar with the networking and configuration of the AWS VPC. In order to provide context for the terms used in this section, here is a brief refresher on the AWS terms (some definitions are taken directly from the AWS glossary) that are referred to in this document:
Elastic Compute Cloud
A web service that enables you to launch and manage Linux/UNIX and Windows server instances in Amazon's datacenters.
Amazon Machine Image
An AMI provides the information required to launch an instance, which is a virtual server in the cloud.
The VM-Series AMI is an encrypted machine image that includes the operating system required to instantiate the VM-Series firewall on an EC2 instance.
Elastic Load Balancing
ELB is an Amazon web service that helps you improve the availability and scalability of your applications by routing traffic across multiple Elastic Compute Cloud (EC2) instances. ELB detects unhealthy EC2 instances and reroutes traffic to healthy instances until the unhealthy instances are restored. ELB can send traffic only to the primary interface of the next hop load-balanced EC2 instance. So, to use ELB with a VM-Series firewall on AWS, the firewall must be able to use the primary interface for dataplane traffic.
Elastic Network Interface
An additional network interface that can be attached to an EC2 instance. ENIs can include a primary private IP address, one or more secondary private IP addresses, a public IP address, an elastic IP address (optional), a MAC address, membership in specified security groups, a description, and a source/destination check flag.
IP address types for EC2 instances
An EC2 instance can have different types of IP addresses.
An instance in a public subnet can have a Private IP address, a Public IP address, and an Elastic IP address (EIP); an instance in a private subnet will have a private IP address and optionally have an EIP.
Amazon-defined specifications that stipulate the memory, CPU, storage capacity, and hourly cost for an instance. Some instance types are designed for standard applications, whereas others are designed for CPU-intensive, memory-intensive applications, and so on.
Virtual Private Cloud
An elastic network populated by infrastructure, platform, and application services that share common security and interconnection.
Internet gateway provided by Amazon.
Connects a network to the internet. You can route traffic for IP addresses outside your VPC to the internet gateway.
Identity and Access Management
Required for enabling High Availability for the VM-Series firewall on AWS. The IAM role defines the API actions and resources the application can use after assuming the role. On failover, the IAM Role allows the VM-Series firewall to securely make API requests to switch the dataplane interfaces from the active peer to the passive peer.
An IAM role is also required for VM Monitoring. See List of Attributes Monitored on the AWS VPC.
A segment of the IP address range of a VPC to which EC2 instances can be attached. EC2 instances are grouped into subnets based on your security and operational needs.
There are two types of subnets:
A security group is attached to an ENI and it specifies the list of protocols, ports, and IP address ranges that are allowed to establish inbound/outbound connections on the interface.
In the AWS VPC, security groups and network ACLs control inbound and outbound traffic; security groups regulate access to the EC2 instance, while network ACLs regulate access to the subnet. Because you are deploying the VM-Series firewall, set more permissive rules in your security groups and network ACLs and allow the firewall to safely enable applications in the VPC.
A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. A subnet can be associated with only one route table.
A set of security credentials you use to prove your identity electronically. The key pair consists of a private key and a public key. At time of launching the VM-Series firewall, you must generate a key pair or select an existing key pair for the VM-Series firewall. The private key is required to access the firewall in maintenance mode.
Amazon CloudWatch is a monitoring service that allows you to collect and track metrics for the VM-Series firewalls on AWS. When enabled, the firewalls use AWS APIs to publish native PAN-OS metrics to CloudWatch.
About the VM-Series Firewall on AWS
About the VM-Series Firewall on AWS The Amazon Web Service (AWS) is a public cloud service that enables you to run your applications on a ...
Launch the VM-Series Firewall on AWS
Launch the VM-Series Firewall on AWS If you have not already registered the capacity auth-code that you received with the order fulfillment email, with your ...
Deployments Supported on AWS
Deployments Supported on AWS The VM-Series firewall secures inbound and outbound traffic to and from EC2 instances within the AWS Virtual Private Cloud ( VPC ...
Planning Worksheet for the VM-Series in the AWS VPC
Planning Worksheet for the VM-Series in the AWS VPC For ease of deployment, plan the subnets within the VPC and the EC2 instances that you ...
Set Up the VM-Series Firewall on AWS
Set Up the VM-Series Firewall on AWS The VM-Series firewall can be deployed in the public Amazon Web Services (AWS) cloud and AWS GovCloud. It ...
Install Panorama on AWS
How to deploy a Panorama™ virtual appliance and a virtual Dedicated Log Collector on Amazon Web Services. ...
Use Case: Secure the EC2 Instances in the AWS Cloud
Use Case: Secure the EC2 Instances in the AWS Cloud In this example, the VPC is deployed in the 10.0.0.0/16 network with two /24 subnets: ...
Panorama Virtual Appliance and Virtual Dedicated Log Collec...
How to deploy a Panorama™ virtual appliance and a virtual Dedicated Log Collector on Amazon® Web Services (AWS®). ...
Bootstrap the VM-Series Firewall in AWS
Bootstrap the VM-Series Firewall on AWS To perform bootstrapping, you must be familiar with AWS S3 and IAM permissions required for completing this process. For ...