How Does the VM-Series Auto Scaling Template for AWS (v2.0
and v2.1) Enable Dynamic Scaling?
Understand how PAN-OS metrics trigger scale in and scale
out of firewalls within the ASG.
The VM-Series firewalls that are deployed using the
auto scaling templates version 2.0 and 2.1 scale
in and scale out based on custom PAN-OS metrics. The VM-Series firewalls
natively publish these metrics to the Amazon CloudWatch console,
and based on the metric(s) that you choose as the scaling parameter(s),
you can define CloudWatch alarms and policies to dynamically deploy
or terminate instances to handle the application traffic in your
The firewalls publish metrics to AWS CloudWatch at a five-minute
frequency (by default). When a metric that is being monitored reaches
the configured threshold for the defined time interval, CloudWatch triggers an
alarm and initiates an auto-scaling event.
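The alarm mechanics above (a custom PAN-OS metric published every five minutes, a threshold that must be breached for a defined number of periods, and a cooldown before the ASG acts again) can be modelled offline. The following is an added example, not code from the Palo Alto Networks template; the metric name, thresholds, evaluation periods and cooldown are assumptions, and the sample series is constructed.

```python
"""Offline model of how CloudWatch alarms on a custom PAN-OS metric drive
scale-out and scale-in of the VM-Series Auto Scaling Group.
Added example, not code from the Palo Alto Networks template. Metric name,
thresholds, evaluation periods and cooldown are assumptions."""
import operator
from dataclasses import dataclass
from typing import Callable, List, Tuple

PERIOD_SEC = 300                        # firewalls publish every five minutes by default
METRIC = "DataPlaneCPUUtilizationPct"   # assumed PAN-OS custom metric name

@dataclass
class ScalingAlarm:
    name: str
    threshold: float
    evaluation_periods: int             # consecutive breaching periods before ALARM
    compare: Callable[[float, float], bool]
    adjustment: int                     # change applied to the ASG desired capacity

def simulate(datapoints: List[float], alarms: List[ScalingAlarm], desired: int,
             min_size: int, max_size: int, cooldown_sec: int) -> Tuple[int, List[Tuple[int, str, int]]]:
    """Walk the metric series one publish period at a time and return the final
    desired capacity plus each scaling event as (time_sec, alarm_name, new_desired).
    As with a simple scaling policy, an alarm that stays in breach keeps invoking
    its action every period, but the ASG ignores it until the cooldown has elapsed."""
    streaks = [0] * len(alarms)
    cooldown_until = 0
    events = []
    for i, value in enumerate(datapoints):
        t = i * PERIOD_SEC
        for k, alarm in enumerate(alarms):
            streaks[k] = streaks[k] + 1 if alarm.compare(value, alarm.threshold) else 0
            if streaks[k] < alarm.evaluation_periods or t < cooldown_until:
                continue
            new_desired = max(min_size, min(max_size, desired + alarm.adjustment))
            if new_desired != desired:          # clamped at min/max: no event, no cooldown
                desired = new_desired
                cooldown_until = t + cooldown_sec
                events.append((t, alarm.name, desired))
    return desired, events

# Constructed sample series (percent), one value per five-minute period:
# a single spike, then sustained load, then an idle stretch.
SAMPLE = [95, 30, 85, 90, 92, 88, 50, 15, 10, 12, 11, 14, 13]
ALARMS = [
    ScalingAlarm("scale_out", 80.0, 2, operator.gt, +1),   # >80% for 10 minutes
    ScalingAlarm("scale_in", 20.0, 3, operator.lt, -1),    # <20% for 15 minutes
]

def run_sample() -> Tuple[int, List[Tuple[int, str, int]]]:
    return simulate(SAMPLE, ALARMS, desired=2, min_size=2, max_size=4, cooldown_sec=600)

if __name__ == "__main__":
    final, events = run_sample()
    for t, name, size in events:
        print(f"t={t:>5}s {METRIC} {name:<9} -> desired capacity {size}")
    print("final desired capacity:", final)
```

Note that the isolated 95% sample at t=0 never scales anything: the alarm only enters ALARM after the metric breaches for the full evaluation window, which is why sizing the period count matters as much as the threshold.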
When the auto-scaling event triggers the deployment of a new
firewall, the new instance bootstraps at launch and a lambda function
configures the firewall with NAT policy rules. A NAT policy rule
is created for each application, and the rule references the IP
addresses for each network load balancer in your deployment. When
the application load balancer receives a request, it forwards the
request to the firewall on the assigned TCP port. The firewall then
inspects the traffic and forwards it to the corresponding network
load balancer, which in turn forwards the request to a web server
in its target group.