What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?
The VM-Series Auto Scaling template for AWS includes the following building blocks:
Firewall template (Palo Alto Networks officially supported template)
The firewall-v2.0.template deploys a new VPC with two Availability Zones (AZs), subnets, route tables, and security groups required for routing traffic across these AZs, and an AWS NAT gateway. It also deploys an external application load balancer, and an Auto Scaling Group (ASG) with a VM-Series firewall in each AZ.
Because production environments vary widely (number of subnets, availability zones, route tables, security groups, and so on), you must deploy the firewall-v2.0.template in a new VPC.
The VM-Series Auto Scaling template for AWS does not deploy Panorama; Panorama is optional. Panorama provides ease of policy management and central visibility. If you want to use Panorama to manage the VM-Series firewalls that the solution deploys, you can use either an M-Series appliance or a Panorama virtual appliance inside your corporate network, or a Panorama virtual appliance on AWS.
This solution includes an AWS NAT gateway that the firewalls use to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch.
Application template (Community supported template)
The application template deploys a network load balancer and an ASG with a web server in each AZ. Because the network load balancer has a unique IP address per AZ, and the NAT policy rule on the firewalls must reference a single IP address, there is one ASG for each of the two AZs. All the firewalls in an ASG have identical configuration.
This version of the auto scaling solution includes two application templates.
Lambda functions
AWS Lambda provides robust, event-driven automation without the need for complex orchestration software. In the firewall-v2.0.template, AWS Lambda monitors a Simple Queue Service (SQS) queue to learn about network load balancers that publish to the queue. When the Lambda function detects a new network load balancer, it creates a new NAT policy rule and applies it to the VM-Series firewalls within the ASG. The firewalls have a NAT policy rule for each application, and they use the NAT policy rule (which maps the port to the network load balancer IP address) to forward traffic to the network load balancer in front of the application web servers.
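The queue-to-NAT-rule step described above, as an added example that is not code from the template or its Lambda functions. It assumes a message format (JSON with nlb-name, az, nlb-ip and port fields) that is an assumption, not the solution's actual schema, and it enforces the constraint stated in the previous paragraph: because a NAT rule references a single IP address, each (AZ, port) pair may map to exactly one network load balancer IP. Malformed or conflicting messages are rejected rather than turned into rules.

```python
import json
import ipaddress

# Constructed sample SQS message bodies (format is an assumption, not the
# template's real schema). Two are deliberately bad: one is not JSON, one
# carries an invalid IP address.
SAMPLE_MESSAGES = [
    json.dumps({"nlb-name": "app1-nlb", "az": "us-east-1a", "nlb-ip": "10.0.10.5", "port": 80}),
    json.dumps({"nlb-name": "app1-nlb", "az": "us-east-1b", "nlb-ip": "10.0.11.5", "port": 80}),
    json.dumps({"nlb-name": "app2-nlb", "az": "us-east-1a", "nlb-ip": "10.0.10.9", "port": 443}),
    "not json at all",
    json.dumps({"nlb-name": "bad", "az": "us-east-1a", "nlb-ip": "300.1.1.1", "port": 80}),
]


def parse_message(body):
    """Validate one queue message; return a normalized dict, or None to discard it."""
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict):
        return None
    required = ("nlb-name", "az", "nlb-ip", "port")
    if not all(k in msg for k in required):
        return None
    try:
        ip = ipaddress.ip_address(msg["nlb-ip"])
    except ValueError:
        return None
    port = msg["port"]
    if not isinstance(port, int) or not 1 <= port <= 65535:
        return None
    return {"name": str(msg["nlb-name"]), "az": str(msg["az"]), "ip": str(ip), "port": port}


def build_nat_rules(bodies):
    """Return ({az: {port: (rule_name, nlb_ip)}}, rejected_count).

    One firewall ASG serves each AZ, so rules are grouped per AZ. A second
    NLB claiming an already-mapped port in the same AZ is a configuration
    conflict and raises instead of silently overwriting the first rule.
    """
    rules = {}
    rejected = 0
    for body in bodies:
        m = parse_message(body)
        if m is None:
            rejected += 1
            continue
        az_rules = rules.setdefault(m["az"], {})
        existing = az_rules.get(m["port"])
        if existing is not None and existing[1] != m["ip"]:
            raise ValueError(f"port {m['port']} already mapped to {existing[1]} in {m['az']}")
        az_rules[m["port"]] = (f"nat-{m['name']}-{m['port']}", m["ip"])
    return rules, rejected


def describe_rules(rules):
    """Render the per-AZ rule set as one human-readable line per rule."""
    lines = []
    for az in sorted(rules):
        for port in sorted(rules[az]):
            name, ip = rules[az][port]
            lines.append(f"{az}: {name} dst-port {port} -> {ip}:{port}")
    return lines


if __name__ == "__main__":
    built, dropped = build_nat_rules(SAMPLE_MESSAGES)
    print(f"rejected {dropped} malformed message(s)")
    print("\n".join(describe_rules(built)))
```

The rejected count is worth emitting as a metric in a real function: a rising number of discarded messages on the queue indicates either a broken publisher or something other than the application template writing to it.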
You need to create the Security policy rule to allow or deny application traffic for your deployment. The sample bootstrap.xml file does not include any Security policy rules. Using Panorama to centrally manage the firewalls simplifies the process of creating Security policy rules.
The Lambda functions also add or remove elastic network interfaces (ENIs) when a firewall is launched or terminated, delete all the associated resources when an instance is terminated or the stack is deleted, remove the firewall as a managed device on Panorama, and deactivate the BYOL license when a firewall is terminated in a scale-in event.
To learn more about the Lambda functions, refer to http://paloaltonetworks-aws-autoscale-2-0.readthedocs.io/en/latest/
Bootstrap files
The bootstrap.xml file in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the sample credentials in bootstrap.xml prior to launch.
This solution requires the init-cfg.txt file and the bootstrap.xml file so that the VM-Series firewall has the basic configuration for handling traffic.
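A pre-launch check for the two bootstrap files, as an added example that is not part of the page or the GitHub repository. It assumes the PAN-OS mgt-config/users layout for administrator entries in bootstrap.xml and a key=value layout for init-cfg.txt; the sample XML, the "known sample hash" value and the init-cfg contents are constructed placeholders, not the repository's real values. The check flags an administrator whose password hash still matches the sample, and an init-cfg.txt that names a Panorama server without the VM auth key that auto-registration needs.

```python
import xml.etree.ElementTree as ET

# Constructed bootstrap.xml fragment. Element paths follow the PAN-OS
# mgt-config layout, which is an assumption here; the phash values are
# placeholders standing in for whatever the repository's sample contains.
SAMPLE_BOOTSTRAP_XML = """<config version="8.1.0">
  <mgt-config>
    <users>
      <entry name="admin">
        <phash>$1$SAMPLEHASH$placeholder</phash>
      </entry>
      <entry name="opsadmin">
        <phash>$1$rotated$placeholder2</phash>
      </entry>
    </users>
  </mgt-config>
</config>
"""

# Placeholder for the hash shipped in the sample file (constructed value).
KNOWN_SAMPLE_HASHES = {"$1$SAMPLEHASH$placeholder"}

# Constructed init-cfg.txt contents; hostnames and key are placeholders.
SAMPLE_INIT_CFG = """# constructed example
type=dhcp-client
hostname=vmseries-example
panorama-server=panorama.example.invalid
vm-auth-key=PLACEHOLDER-VM-AUTH-KEY
"""

# Same XML with the sample hash replaced, as the hardened counterpart.
HARDENED_BOOTSTRAP_XML = SAMPLE_BOOTSTRAP_XML.replace(
    "$1$SAMPLEHASH$placeholder", "$1$rotated$placeholder3"
)


def parse_init_cfg(text):
    """Parse init-cfg.txt key=value lines into a dict; blanks and # comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed init-cfg line: {line!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_bootstrap(bootstrap_xml, init_cfg_text, known_sample_hashes):
    """Return a list of findings; an empty list means both files pass the checks."""
    findings = []
    root = ET.fromstring(bootstrap_xml)
    users = root.findall("./mgt-config/users/entry")
    if not users:
        findings.append("bootstrap.xml defines no administrator accounts")
    for entry in users:
        name = entry.get("name")
        phash = entry.findtext("phash")
        if not phash:
            findings.append(f"user {name!r} has no password hash")
        elif phash in known_sample_hashes:
            findings.append(f"user {name!r} still uses the sample credential hash")
    cfg = parse_init_cfg(init_cfg_text)
    if "type" not in cfg:
        findings.append("init-cfg.txt lacks 'type' (management interface addressing)")
    if "panorama-server" in cfg and "vm-auth-key" not in cfg:
        findings.append("panorama-server is set but vm-auth-key is missing; "
                        "auto-registration with Panorama needs it")
    return findings


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_BOOTSTRAP_XML), ("hardened", HARDENED_BOOTSTRAP_XML)):
        result = audit_bootstrap(xml, SAMPLE_INIT_CFG, KNOWN_SAMPLE_HASHES)
        print(f"{label}: {result or 'OK'}")
```

Run this against the files in the bootstrap S3 bucket as a gate in the deployment pipeline, so a stack cannot be launched while the sample administrator credential is still present.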
To deploy the solution, see Launch the VM-Series Auto Scaling Template for AWS (v2.0).