Auto Scale VM-Series Firewalls with the Amazon ELB Service

Palo Alto Networks delivers the VM-Series Auto Scale templates so that you can auto scale VM-Series next-generation firewalls in AWS to protect applications deployed on AWS.
The templates leverage AWS scalability features to independently scale the VM-Series firewalls to meet surges in application workload resource demand.
  • VM-Series automation capabilities include the PAN-OS API and bootstrapping (using a bootstrap file for version 2.0, and Panorama for version 2.1).
  • AWS automation technology includes CloudFormation templates and scripts for AWS services such as Lambda, auto scaling groups (ASGs), Elastic Load Balancing (ELB), S3, and SNS.
The templates are available on the Palo Alto Networks GitHub repository for Auto Scaling VM-Series Firewalls in AWS:
  • Version 2.0 provides a firewall template and an application template. These templates and the supporting scripts deploy VM-Series firewalls, an internet-facing firewall, an internal firewall, and application auto scaling groups in a single VPC or multiple VPCs.
    In version 2.0, Palo Alto Networks supports the firewall template, and the application template is community-supported. See VM-Series Auto Scale Template for AWS Version 2.0 for deployment details.
  • Version 2.1 also supports deployment in a single VPC, and adds support for a load balancer sandwich topology that deploys the firewalls into a front-end VPC and the back-end applications into one or more application VPCs connected by VPC peering or AWS PrivateLink.
    Version 2.1 can implement both application load balancers (ALBs) and network load balancers (NLBs) in VPCs. It supplies two firewall templates and five application templates. See VM-Series Auto Scale Templates for AWS Version 2.1 for deployment details.
If you have an existing template deployment, there is no migration procedure.
The following table compares some high-level features of each template version.
| Features / Requirements | Version 2.0 | Version 2.1 |
|---|---|---|
| Panorama Version 9.0.1 in Panorama mode. Panorama in HA is not supported. | Optional. If you choose to use Panorama you must configure VPC peering between the VM-Series firewall VPC and the application VPCs. Peered traffic traverses the public internet. | Required to deploy the Version 2.1 templates. |
| Bootstrapping | bootstrap.xml config file in an S3 bucket. | An init-cfg.txt file for Panorama. |
| Palo Alto Networks S3 bucket sample | Use your own S3 bucket or use the sample in panw-aws-autoscale-v20-us-west-2. | Use your own S3 bucket for the deployment. |
| Single VPC or separate VPCs (hub and spoke) | Yes | Yes |
| New VPC | Yes | Yes |
| Existing VPC (brown field) | No | Yes |
| Availability zones per VPC | 2 | 2-4 |
| External load balancer | ALB only | ALB or NLB |
| Internal load balancer | NLB only | ALB or NLB |
| AWS Private Link connection to the VM-Series firewall VPC and the backend servers. | No | Yes |
For details on the templates see:
