How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling?

Understand how PAN-OS metrics trigger scale in and scale out of firewalls within the ASG.
VM-Series firewalls deployed with the auto scaling templates scale in and scale out based on custom PAN-OS metrics. The VM-Series firewalls natively publish these metrics to the Amazon CloudWatch console and, based on the metrics you choose as scaling parameters, you can define CloudWatch alarms and policies that dynamically deploy or terminate instances to manage the application traffic in your

The firewalls publish metrics to AWS CloudWatch every five minutes
(by default). When a monitored metric reaches the configured threshold
for the defined time interval, CloudWatch triggers an
alarm and initiates an auto-scaling event.
When the auto-scaling event triggers the deployment of a new
firewall, the new instance bootstraps at launch and an AWS Lambda
function configures the firewall with NAT policy rules. A NAT policy
rule is created for each application and the rule references the
IP addresses for each network load balancer in your deployment. When
the application load balancer receives a request, it forwards the
request to the firewall on the assigned TCP port. The firewall then
inspects the traffic and forwards it to the corresponding network
load balancer, which then forwards the request to a web server in
its target group.
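The alarm-and-policy pairing described above, as an added example that is not part of the original page or Palo Alto Networks' own template code. The metric name, namespace, and dimension are assumptions (substitute whatever your template actually publishes); the `alarm_fires` helper mirrors CloudWatch's "last N datapoints breach" evaluation on constructed sample values so the period/evaluation-period interaction can be checked offline.

```python
"""Build CloudWatch alarm and ASG scaling-policy requests for a PAN-OS metric."""

PERIOD_SECONDS = 300  # firewalls publish to CloudWatch every five minutes by default


def scaling_policy(asg_name, direction, cooldown=600):
    """Parameters for autoscaling.put_scaling_policy(**...)."""
    step = 1 if direction == "out" else -1
    return {
        "AutoScalingGroupName": asg_name,
        "PolicyName": f"{asg_name}-scale-{direction}",
        "PolicyType": "SimpleScaling",
        "AdjustmentType": "ChangeInCapacity",
        "ScalingAdjustment": step,
        "Cooldown": cooldown,  # give the new firewall time to bootstrap before re-evaluating
    }


def metric_alarm(asg_name, policy_arn, direction, threshold, evaluation_periods=3,
                 metric="DataPlaneCPUUtilizationPct", namespace="VMseries"):
    """Parameters for cloudwatch.put_metric_alarm(**...)."""
    return {
        "AlarmName": f"{asg_name}-scale-{direction}",
        "Namespace": namespace,   # assumption: namespace the template publishes under
        "MetricName": metric,     # assumption: one of the PAN-OS published metrics
        "Dimensions": [{"Name": "AutoScalingGroupName", "Value": asg_name}],  # assumption
        "Statistic": "Average",
        "Period": PERIOD_SECONDS,  # keep in step with the publish interval, else datapoints go missing
        "EvaluationPeriods": evaluation_periods,  # breach must persist for N periods
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold" if direction == "out" else "LessThanThreshold",
        "TreatMissingData": "notBreaching",  # a firewall that stops publishing must not trigger a scale-out
        "AlarmActions": [policy_arn],
    }


def alarm_fires(datapoints, threshold, evaluation_periods, direction="out"):
    """Offline mirror of the alarm: ALARM only when the last N datapoints all breach."""
    if len(datapoints) < evaluation_periods:
        return False  # not enough data yet; CloudWatch stays INSUFFICIENT_DATA / OK
    recent = datapoints[-evaluation_periods:]
    if direction == "out":
        return all(v > threshold for v in recent)
    return all(v < threshold for v in recent)


def apply(asg_name, scale_out_threshold=80.0, scale_in_threshold=20.0):
    """Create both policies and alarms with boto3 (needs AWS credentials; not run offline)."""
    import boto3
    asg, cw = boto3.client("autoscaling"), boto3.client("cloudwatch")
    for direction, thr in (("out", scale_out_threshold), ("in", scale_in_threshold)):
        arn = asg.put_scaling_policy(**scaling_policy(asg_name, direction))["PolicyARN"]
        cw.put_metric_alarm(**metric_alarm(asg_name, arn, direction, thr))
```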