Auto Scaling VM-Series Firewalls with the Amazon ELB Service

The Palo Alto Networks auto scaling templates for AWS help you deploy configure and deploy VM-Series firewalls to protect applications deployed in AWS. The templates leverage AWS scalability features to independently and automatically scale VM-Series firewalls deployed in AWS to meet surges in application workload resource demand.
  • VM-Series automation capabilities include the PAN-OS API and bootstrapping (using a bootstrap file for version 2.0, and Panorama for version 2.1).
  • AWS automation technology includes CloudFormation templates and scripts for AWS services such as Lambda, auto scaling groups (ASGs), Elastic Load Balancing (ELB), S3, and SNS.
The templates are available on the Palo Alto Networks GitHub repository for Auto Scaling VM-Series Firewalls in AWS:
  • Version 2.0 provides a firewall template and an application template. These templates and the supporting scripts deploy VM-Series firewalls, an internet facing firewall, an internal firewall, and application ASGs in a single Virtual Private Cloud (VPC) or multiple VPCs.
    In version 2.0, Palo Alto Networks supports the firewall template while the application template is community-supported. See VM-Series Auto Scale Template for AWS Version 2.0 for deployment details.
  • Version 2.1 adds support for deployment in a single VPC and adds support for a load balancer sandwich topology that enables you to deploy the VM-Series firewalls in to a front-end VPC and the back-end applications in to one or more application VPCs connected by VPC peering or AWS PrivateLink.
    In version 2.1 you can implement both application load balancers (ALBs) and network load balancers (NLBs) in VPCs. Version 2.1 includes two firewall templates and five application templates. See VM-Series Auto Scaling Templates for AWS Version 2.1 for deployment details.
If you have an existing template deployment, there is no migration procedure.
The following table compares some high-level features of each template version.
Features / Requirements
Version 2.0
Version 2.1
Panorama running PAN-OS 9.0.1 or a later release in Panorama mode.
Panorama in a high availability (HA) configuration is not supported.
(Optional)
If you choose to use Panorama, you must configure VPC peering between the VM-Series firewall VPC and the application VPCs. Peered traffic traverses the public internet.
(Required)
Deploy the Version 2.1 templates.
On Panorama, you must manually install the VM-Series plugin to enable VM-Series firewalls to publish PAN-OS metrics for auto scaling.
Bootstrapping
bootstrap.xml
config file in an S3 bucket.
An
init-cfg.txt
file for Panorama.
Palo Alto Networks S3 bucket sample
Use your own S3 bucket or use the sample in panw-aws-autoscale-v20-us-west-2.
Use your own S3 bucket for the deployment.
Single VPC or separate VPCs (hub and spoke)
Yes
Yes
New VPC
Yes
Yes
Existing VPC (brown field)
No
Yes
Availability zones per VPC
2
2-4
External load balancer
ALB only
ALB or NLB
Internal load balancer
NLB only
ALB or NLB
AWS PrivateLink connection to the VM-Series firewall VPC and the backend servers.
No
Yes
For details on the templates see:

Recommended For You