1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. Set Up the VM-Series Firewall on AWS
    5. Deploy the VM-Series Firewall on AWS
    6. Planning Worksheet for the VM-Series in the AWS VPC
    End-of-Life (EoL)

    Planning Worksheet for the VM-Series in the AWS VPC

    For ease of deployment, plan the subnets within the VPC and the EC2 instances that you want to deploy within each subnet. Before you begin, use the following table to collate the network information required to deploy and insert the VM-Series firewall into the traffic flow in the VPC:
    Configuration Item
    Value
    VPC CIDR
    Security Groups
    Subnet (public) CIDR
    Subnet (private) CIDR
    Subnet (public) Route Table
    Subnet (private) Route Table
    Security Groups
    • Rules for Management Access to the firewall (eth0/0)
    • Rules for access to the dataplane interfaces of the firewall
    • Rules for access to the interfaces assigned to the application servers.
    VM-Series firewall behind ELB
    EC2 Instance 1 (VM-Series firewall)
    An EIP is only required for the dataplane interface that is attached to the public subnet.
    Subnet:
    Instance type:
    Mgmt interface IP:
    Mgmt interface EIP:
    Dataplane interface eth1/1
    • Private IP:
    • EIP (if required):
    • Security Group:
    Dataplane interface eth1/2
    • Private IP:
    • EIP (if required):
    • Security Group:
    EC2 Instance 2 (Application to be secured)
    Repeat these set of values for additional application(s) being deployed.
    Subnet:
    Instance type:
    Mgmt interface IP:
    Default gateway:
    Dataplane interface 1
    • Private IP:
    Requirements for HA
    If you are deploying the VM-Series firewalls in a high availability (active/passive) configuration, you must ensure the following:
    • Create an IAM role and assign the role to the VM-Series firewall when you are deploying the instance. See IAM Roles for HA.
    • Deploy the HA peers in the same AWS availability zone.
    • The active firewall in the HA pair must have at a minimum three ENIs: two dataplane interfaces and one management interface.
    The passive firewall in the HA pair, must have one ENI for management, and one ENI that functions as dataplane interface; you will configure the dataplane interface as an HA2 interface.
    Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces from the previously active firewall are moved —detached and then attached—to the now active (previously passive) firewall.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo