Auto Scale VM-Series Firewalls with the Amazon ELB Service
Palo Alto Networks delivers the VM-Series Auto Scale templates to enable auto scaling VM-Series next generation firewalls in AWS, protecting applications deployed on AWS.
The templates leverage AWS scalability features to independently scale the VM-Series firewalls to meet surges in application workload resource demand.
- VM-Series automation capabilities include the PAN-OS API and bootstrapping (using a bootstrap file for version 2.0, and Panorama for version 2.1).
- AWS automation technology includes CloudFormation templates and scripts for AWS services such as Lambda, auto scaling groups (ASGs), Elastic Load Balancing (ELB), S3, and SNS.
The templates are available on the Palo Alto Networks GitHub repository for Auto Scaling VM-Series Firewalls in AWS:
- Version 2.0 provides a firewall template and an application template. These templates and the supporting scripts deploy VM-Series firewalls, an internet-facing firewall, an internal firewall, and application auto scaling groups in a single VPC or multiple VPCs. In version 2.0, Palo Alto Networks supports the firewall template, and the application template is community-supported. See VM-Series Auto Scale Template for AWS Version 2.0 for deployment details.
- Version 2.1 also supports deployment in a single VPC, and adds support for a load balancer sandwich topology that enables deploying the firewalls into a front end VPC, and the back end applications into one or more application VPCs connected by VPC peering or AWS PrivateLink. Version 2.1 can implement both application load balancers (ALBs) and network load balancers (NLBs) in VPCs. It supplies two firewall templates and five application templates. See VM-Series Auto Scale Templates for AWS Version 2.1 for deployment details.
If you have an existing template deployment, there is no migration procedure.
The following table compares some high-level features of each template version.
Features / Requirements
Panorama Version 9.0.1 in Panorama mode
Panorama in HA is not supported.
Optional. If you choose to use Panorama you must configure VPC peering between the VM-Series firewall VPC and the application VPCs. Peered traffic traverses the public internet.
Required to deploy the Version 2.1 templates.
bootstrap.xml config file in an S3 bucket.
init-cfg.txt file for Panorama.
Palo Alto Networks S3 bucket sample
Use your own S3 bucket or use the sample in panw-aws-autoscale-v20-us-west-2.
Use your own S3 bucket for the deployment.
Single VPC or separate VPCs (hub and spoke)
Existing VPC (brown field)
Availability zones per VPC
External load balancer
ALB or NLB
Internal load balancer
ALB or NLB
AWS PrivateLink connection to the VM-Series firewall VPC and the backend servers.
For details on the templates see: