Auto Scale VM-Series Firewalls with the Amazon ELB Service
Palo Alto Networks delivers the VM-Series Auto Scale templates to enable auto scaling VM-Series next generation firewalls in AWS, protecting applications deployed on AWS.
The templates leverage AWS scalability features to independently scale the VM-Series firewalls to meet surges in application workload resource demand.
- VM-Series automation capabilities include the PAN-OS API and bootstrapping (using a bootstrap file for version 2.0, and Panorama for version 2.1).
- AWS automation technology includes CloudFormation templates and scripts for AWS services such as Lambda, auto scaling groups (ASGs), Elastic Load Balancing (ELB), S3, and SNS.
The templates are available on the Palo Alto Networks GitHub repository for Auto Scaling VM-Series Firewalls in AWS:
- Version 2.0 provides a firewall template and an application template. These templates and the supporting scripts deploy VM-Series firewalls, an internet-facing firewall, an internal firewall, and application auto scaling groups in a single VPC or multiple VPCs. In version 2.0, Palo Alto Networks supports the firewall template, and the application template is community-supported. See VM-Series Auto Scale Template for AWS Version 2.0 for deployment details.
- Version 2.1 also supports deployment in a single VPC, and adds support for a load balancer sandwich topology that enables deploying the firewalls into a front end VPC, and the back end applications into one or more application VPCs connected by VPC peering or AWS PrivateLink. Version 2.1 can implement both application load balancers (ALBs) and network load balancers (NLBs) in VPCs. It supplies two firewall templates and five application templates. See VM-Series Auto Scale Templates for AWS Version 2.1 for deployment details.
If you have an existing template deployment, there is no migration procedure.
The following table compares some high-level features of each template version.
|Features / Requirements||Version 2.0||Version 2.1|
|Panorama Version 9.0.1 in Panorama mode. Panorama in HA is not supported.||Optional. If you choose to use Panorama you must configure VPC peering between the VM-Series firewall VPC and the application VPCs. Peered traffic traverses the public internet.||Required to deploy the Version 2.1 templates.|
|Bootstrapping||bootstrap.xml config file in an S3 bucket.||An init-cfg.txt file for Panorama.|
|Palo Alto Networks S3 bucket sample||Use your own S3 bucket or use the sample in panw-aws-autoscale-v20-us-west-2.||Use your own S3 bucket for the deployment.|
|Single VPC or separate VPCs (hub and spoke)||Yes||Yes|
|Existing VPC (brown field)||No||Yes|
|Availability zones per VPC||2||2-4|
|External load balancer||ALB only||ALB or NLB|
|Internal load balancer||NLB only||ALB or NLB|
|AWS PrivateLink connection to the VM-Series firewall VPC and the backend servers||No||Yes|
For details on the templates see:
VM-Series Auto Scale Template for AWS Version 2.0