Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)
A stack update allows you to modify the resources that the VM-Series Auto Scaling template—firewall-v2.0.template—deploys. Instead of deleting your existing deployment and redeploying the solution, use the stack update to modify the following parameters:
- License—Switch from BYOL to PAYG and vice versa or switch from one PAYG bundle to another.
- Other stack resources—Change the launch configuration parameters such as the Amazon Machine Image (AMI) ID, the AWS instance type, and the key pair for your auto scaling groups. You can also update the API key associated with the administrative user account on the firewall. Changing the AMI ID allows you to deploy new instances of the VM-Series firewalls with a different PAN-OS version.
When you deploy the VM-Series Auto Scaling template, the auto scaling groups and the launch configuration are automatically created for you. The launch configuration is a template that an auto scaling group uses to launch EC2 instances, and it specifies parameters such as the AMI ID, the instance type, and the key pair for your auto scaling group. To launch VM-Series firewalls with your updated parameters, you must first update the stack and then delete the existing auto scaling groups in each AZ. To prevent service disruption, delete the auto scaling group in one AZ first, and wait for the new firewall instances to launch with the updated stack parameters. Then, verify that the firewalls have inherited the updates you made before you proceed to complete the changes in the other AZ.
For critical applications, perform a stack update during a maintenance window.
You can update the stack directly or create change sets. The workflow in this document takes you through the manual stack update.
1. In the AWS CloudFormation console, select the parent stack that you want to update and choose Actions > Update Stack.
2. Modify the resources that you want to update.
   If you’re switching to BYOL, make sure to include the auth code in the bootstrap package (See steps 3 and 5). If you’re switching between PAYG bundle version 1 and 2, look up the AMI ID for the VM-Series firewall.
   - PAN-OS version—To modify the PAN-OS version, look up the AMI ID for the version you want to use and enter the ID.
   - License option—Switch from BYOL to PAYG or across PAYG bundles 1 and 2.
   If you create a new administrative user account or modify the credentials of the existing administrator on the firewall, you must follow the workflow in Modify Administrative Account and Update Stack to update the stack and deploy new firewalls with the updated API key.
   - Other stack resources—You can modify the AMI ID, the instance type, security group, key pair for the stack resources, or the API key associated with the administrative user account on the firewall.
3. Acknowledge the notifications, review the changes, and click Update to initiate the stack update.
4. On the EC2 dashboard > Auto Scaling Groups, pick an AZ in which to delete the ASG.
   Deleting an ASG automatically triggers the process of redeploying a new ASG. The firewalls in the new ASG use the updated stack configuration.
5. Verify that the updated parameters are used to launch the VM-Series firewalls in the new ASG.
   Use a phased rollout process, where you test the new ASG thoroughly and ensure that the firewalls are properly handling traffic. Then, wait one hour before continuing to the next ASG.
6. Repeat steps 4 and 5 to replace the ASG in the other AZ.
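The verification in step 5 can be scripted as a gate before moving to the other AZ. The following is an added example, not part of the template or the original documentation: it checks that each ASG's launch configuration carries the updated AMI ID, instance type and key pair, and that no instance is still running from an older launch configuration. The input dictionaries are constructed samples using the field names returned by `aws autoscaling describe-launch-configurations` and `aws autoscaling describe-auto-scaling-groups`; all resource names and IDs are placeholders.

```python
# Constructed sample data shaped like the Auto Scaling API responses.
# Every name, AMI ID and key pair below is a placeholder, not a template value.
LAUNCH_CONFIGS = [
    {"LaunchConfigurationName": "fw-lc-old", "ImageId": "ami-EXAMPLE-OLD",
     "InstanceType": "m4.xlarge", "KeyName": "fw-key-old"},
    {"LaunchConfigurationName": "fw-lc-new", "ImageId": "ami-EXAMPLE-NEW",
     "InstanceType": "m4.xlarge", "KeyName": "fw-key-new"},
]
ASGS = [
    {"AutoScalingGroupName": "fw-asg-az1", "LaunchConfigurationName": "fw-lc-new",
     "Instances": [{"InstanceId": "i-az1-new", "LifecycleState": "InService",
                    "LaunchConfigurationName": "fw-lc-new"}]},
    {"AutoScalingGroupName": "fw-asg-az2", "LaunchConfigurationName": "fw-lc-old",
     "Instances": [{"InstanceId": "i-az2-old", "LifecycleState": "InService",
                    "LaunchConfigurationName": "fw-lc-old"}]},
]
# Parameters entered in the stack update (placeholders).
EXPECTED = {"ImageId": "ami-EXAMPLE-NEW", "InstanceType": "m4.xlarge",
            "KeyName": "fw-key-new"}

def check_asg(asg, launch_configs, expected):
    """Return the reasons this ASG does not yet reflect the stack update."""
    by_name = {lc["LaunchConfigurationName"]: lc for lc in launch_configs}
    problems = []
    lc = by_name.get(asg.get("LaunchConfigurationName"))
    if lc is None:
        problems.append("launch configuration not found")
    else:
        for field, want in expected.items():
            if lc.get(field) != want:
                problems.append(f"{field} is {lc.get(field)!r}, expected {want!r}")
    instances = asg.get("Instances", [])
    if not instances:
        problems.append("no instances launched yet")
    for inst in instances:
        if inst.get("LaunchConfigurationName") != asg.get("LaunchConfigurationName"):
            problems.append(f"{inst['InstanceId']} runs an older launch configuration")
        if inst.get("LifecycleState") != "InService":
            problems.append(f"{inst['InstanceId']} is {inst.get('LifecycleState')}")
    return problems

def rollout_report(asgs, launch_configs, expected):
    """Map each ASG name to its open problems; an empty list means verified."""
    return {a["AutoScalingGroupName"]: check_asg(a, launch_configs, expected)
            for a in asgs}

if __name__ == "__main__":
    for name, problems in rollout_report(ASGS, LAUNCH_CONFIGS, EXPECTED).items():
        print(name, "verified" if not problems else problems)
```

In the sample, the first AZ's ASG passes while the second still reports the old AMI ID and key pair, which is the expected state between steps 5 and 6.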