What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?

(Figure: cft_components.png)

The VM-Series Auto Scaling template for AWS includes the following building blocks:

Firewall template (Palo Alto Networks officially supported template)
The firewall-v2.0.template deploys a new VPC with two Availability Zones (AZs), subnets, route tables, and security groups required for routing traffic across these AZs, and an AWS NAT gateway. It also deploys an external application load balancer, and an Auto Scaling Group (ASG) with a VM-Series firewall in each AZ.
Due to the many variations in a production environment including but not limited to the number of subnets, availability zones, route tables, security groups etc., you must deploy the firewall-v2.0.template in a new VPC.
The VM-Series Auto Scaling template for AWS does not deploy Panorama; Panorama is optional. Panorama provides ease of policy management and central visibility. If you want to use Panorama to manage the VM-Series firewalls that the solution deploys, you can use either an M-Series appliance or a Panorama virtual appliance inside your corporate network, or a Panorama virtual appliance on AWS.
This solution includes an AWS NAT gateway that the firewalls use to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch.
Application template (Community supported template)
The application template deploys a network load balancer and an ASG with a web server in each AZ. Because the network load balancer has a unique IP address per AZ, and the NAT policy rule on the firewalls must reference a single IP address, there is one ASG for each of the two AZs. All the firewalls in an ASG have identical configuration.
This version of the auto scaling solution includes two application templates:
  • The panw_aws_nlb-v2.0.template allows you to deploy the application template resources within the same VPC as the one in which you deployed the firewall template (same AWS account).
  • The panw_aws_nlb_vpcv-2.0.template allows you to deploy the application template resources in a separate VPC. This template supports both single and cross AWS account deployments.
Lambda functions
AWS Lambda provides robust, event-driven automation without the need for complex orchestration software. In the firewall-v2.0.template, AWS Lambda monitors a Simple Queue Service (SQS) queue to learn about network load balancers that publish to the queue. When the Lambda function detects a new network load balancer, it creates a new NAT policy rule and applies it to the VM-Series firewalls within the ASG. The firewalls have a NAT policy rule for each application, and the firewalls use the NAT policy rule (which maps the port to the network load balancer IP address) to forward traffic to the network load balancer in front of the application web servers.
You need to create the Security policy rule to allow or deny application traffic for your deployment. The sample bootstrap.xml file does not include any Security policy rules. Using Panorama to centrally manage the firewalls simplifies the process of creating Security policy rules.
The Lambda functions also add or remove elastic network interfaces (ENIs) when a firewall is launched or terminated, delete all the associated resources when an instance is terminated or the stack is deleted, remove the firewall as a managed device on Panorama, and deactivate the BYOL license when a firewall is terminated on a scale-in event.
To learn more about the Lambda functions, refer to http://paloaltonetworks-aws-autoscale-2-0.readthedocs.io/en/latest/
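The queue-to-NAT-rule step described above, as an added example in Python (not the project's own Lambda code): the message field names, the "untrust" zone, the ethernet1/1 interface and the tcp-<port> service name are assumptions for this example. It validates the queue message before deriving configuration from it, and produces one NAT rule per AZ, which is why the solution runs one ASG per AZ.

```python
import ipaddress
import json
import xml.etree.ElementTree as ET

# Constructed sample of a message published to the SQS queue. The field names
# are an assumption for this example, not the project's real message schema.
SAMPLE_MESSAGE = json.dumps({
    "NLB-NAME": "app1-nlb",
    "NLB-PORT": 80,
    "AZ-IPS": {"us-east-1a": "10.0.1.20", "us-east-1b": "10.0.2.20"},
    "ACTION": "ADD",
})

def parse_nlb_message(body):
    """Validate a queue message before any firewall config is derived from it.
    Returns the parsed dict or raises ValueError: nothing from the queue is
    trusted until the action, the port and every address have been checked."""
    msg = json.loads(body)
    if msg.get("ACTION") not in ("ADD", "REMOVE"):
        raise ValueError("unknown action")
    if not 1 <= int(msg["NLB-PORT"]) <= 65535:
        raise ValueError("port out of range")
    for ip in msg["AZ-IPS"].values():
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return msg

def nat_rules_per_az(body):
    """One NAT rule per AZ: an NLB has a distinct IP in each AZ and a NAT rule
    translates to a single address, hence one ASG (and one rule) per AZ."""
    msg = parse_nlb_message(body)
    port = int(msg["NLB-PORT"])
    return {az: {"name": f"{msg['NLB-NAME']}-{port}", "port": port,
                 "translated_address": ip, "action": msg["ACTION"]}
            for az, ip in msg["AZ-IPS"].items()}

def rule_to_xml(rule, zone="untrust", interface="ethernet1/1"):
    """Render a rule as a PAN-OS destination-NAT <entry>. Zone and interface
    are assumed; in production the destination should be the firewall's own
    untrust address rather than "any"."""
    entry = ET.Element("entry", name=rule["name"])
    for tag, value in (("from", zone), ("to", zone),
                       ("source", "any"), ("destination", "any")):
        ET.SubElement(ET.SubElement(entry, tag), "member").text = value
    ET.SubElement(entry, "service").text = f"tcp-{rule['port']}"
    ET.SubElement(entry, "to-interface").text = interface
    dnat = ET.SubElement(entry, "destination-translation")
    ET.SubElement(dnat, "translated-address").text = rule["translated_address"]
    ET.SubElement(dnat, "translated-port").text = str(rule["port"])
    return ET.tostring(entry, encoding="unicode")

if __name__ == "__main__":
    for az, rule in nat_rules_per_az(SAMPLE_MESSAGE).items():
        print(az, rule_to_xml(rule))
```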
Bootstrap files
The bootstrap.xml file in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the sample credentials in the bootstrap.xml prior to launch.
This solution requires the init-cfg.txt file and the bootstrap.xml file so that the VM-Series firewall has the basic configuration for handling traffic.
  • The init-cfg.txt file includes the mgmt-interface-swap operational command to enable the firewall to receive dataplane traffic on its primary interface (eth0). This auto-scaling solution requires swapping the dataplane and management interfaces so that the application load balancer can forward web traffic to the auto-scaling tier of VM-Series firewalls. For details, see Management Interface Mapping for Use with Amazon ELB.
  • The bootstrap.xml file enables basic connectivity for the firewall network interfaces and allows the firewall to connect to the AWS CloudWatch namespace that matches the stack name you enter when launching the template.