Auto Scale VM-Series Firewalls with the Amazon ELB Service

Palo Alto Networks delivers the VM-Series Auto Scale templates to enable auto scaling of VM-Series next-generation firewalls in AWS, protecting applications deployed on AWS.
The templates leverage AWS scalability features to independently scale the VM-Series firewalls to meet surges in application workload resource demand.
  • VM-Series automation capabilities include the PAN-OS API and bootstrapping (using a bootstrap file for version 2.0, and Panorama for version 2.1).
  • AWS automation technology includes CloudFormation templates and scripts for AWS services such as Lambda, auto scaling groups (ASGs), Elastic Load Balancing (ELB), S3, and SNS.
The templates are available on the Palo Alto Networks GitHub repository for Auto Scaling VM-Series Firewalls in AWS:
  • Version 2.0 provides a firewall template and an application template. These templates and the supporting scripts deploy VM-Series firewalls, an internet-facing firewall, an internal firewall, and application auto scaling groups in a single VPC or multiple VPCs.
    In version 2.0, Palo Alto Networks supports the firewall template, and the application template is community-supported. See VM-Series Auto Scale Template for AWS Version 2.0 for deployment details.
  • Version 2.1 also supports deployment in a single VPC, and adds support for a load balancer sandwich topology that enables deploying the firewalls into a front-end VPC, and the back-end applications into one or more application VPCs connected by VPC peering or AWS PrivateLink.
    Version 2.1 can implement both application load balancers (ALBs) and network load balancers (NLBs) in VPCs. It supplies two firewall templates and five application templates. See VM-Series Auto Scale Templates for AWS Version 2.1 for deployment details.
If you have an existing template deployment, there is no migration procedure.
The following table compares some high-level features of each template version.
| Features / Requirements | Version 2.0 | Version 2.1 |
|---|---|---|
| Panorama Version 9.0.1 in Panorama mode. Panorama in HA is not supported. | Optional. If you choose to use Panorama you must configure VPC peering between the VM-Series firewall VPC and the application VPCs. Peered traffic traverses the public internet. | Required to deploy the Version 2.1 templates. |
| Bootstrapping | bootstrap.xml config file in an S3 bucket. | An init-cfg.txt file for Panorama. |
| Palo Alto Networks S3 bucket sample | Use your own S3 bucket or use the sample in panw-aws-autoscale-v20-us-west-2. | Use your own S3 bucket for the deployment. |
| Single VPC or separate VPCs (hub and spoke) | Yes | Yes |
| New VPC | Yes | Yes |
| Existing VPC (brown field) | No | Yes |
| Availability zones per VPC | 2 | 2-4 |
| External load balancer | ALB only | ALB or NLB |
| Internal load balancer | NLB only | ALB or NLB |
| AWS Private Link connection to the VM-Series firewall VPC and the backend servers. | No | Yes |
For details on the templates see:
