As you deploy or terminate virtual machines in the AWS public cloud, you can either use the Panorama plugin for AWS or use the VM Information sources on the firewall to consistently enforce security policy rules on these workloads. See the Compatibility Matrix for Panorama plugin version information.

The Panorama plugin for AWS version 2.0 is built for scale and allows you to monitor up to 1000 AWS VPCs on the AWS public cloud. With this plugin, you use Panorama as an anchor to poll your AWS accounts for tags, and then distribute the metadata (IP address-to-tag mapping) to many firewalls in a device group. Because Panorama communicates with your AWS accounts to retrieve VM information, you’re able to streamline the number of API calls made to the cloud environment. When using Panorama and the AWS plugin, you can centralize the retrieval of tags and Security policy management to ensure consistent policies for hybrid and cloud-native architectures. See VM Monitoring with the AWS Plugin on Panorama.

If you do not have Panorama or you have a simpler deployment and need to monitor 10 VPCs or fewer, you can use the VM Information Source on the firewall (hardware or VM-Series firewall) to monitor your AWS workloads. You can use the metadata, which the firewall retrieves, in Dynamic Address Groups and reference them in Security policies to secure your VM workloads as they spin up or down and IP addresses change frequently. See Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC.