How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling?

Understand how PAN-OS metrics trigger scale in and scale out of firewalls within the ASG.
VM-Series firewalls that are deployed using the auto scaling templates scale in and scale out based on custom PAN-OS metrics. The VM-Series firewalls natively publish these metrics to the Amazon CloudWatch console and, based on the metrics you choose for the scaling parameters, you can define CloudWatch alarms and policies to dynamically deploy or terminate instances for managing the application traffic in your AWS deployment.
The firewalls publish metrics to AWS CloudWatch every five minutes (by default). When a monitored metric reaches the configured threshold for the defined time interval, CloudWatch triggers an alarm and initiates an auto-scaling event.
When the auto-scaling event triggers the deployment of a new firewall, the new instance bootstraps at launch and an AWS Lambda function configures the firewall with NAT policy rules. A NAT policy rule is created for each application and the rule references the IP addresses for each network load balancer in your deployment. When the application load balancer receives a request, it forwards the request to the firewall on the assigned TCP port. The firewall then inspects the traffic and forwards it to the corresponding network load balancer, which then forwards the request to a web server in its target group.
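The alarm behavior described above (a metric published every five minutes must hold at the threshold for a defined interval before a scaling event fires) can be replayed offline with a simplified model. This is an added example, not code from the template or from AWS; the thresholds, the consecutive-datapoint rule, the missing-data handling and the group size limits are assumptions, and the sample series is constructed.

```python
from dataclasses import dataclass

PUBLISH_INTERVAL_MIN = 5  # default publishing interval stated above


@dataclass
class ScalingRule:
    scale_out_at: float  # constructed threshold, e.g. a utilization percentage
    scale_in_at: float   # constructed threshold
    periods: int         # consecutive datapoints that must breach (assumption)


def evaluate(datapoints, rule, min_size, max_size, start_size):
    """Replay published datapoints; return [(minute, action, new_group_size)]."""
    size, high, low, events = start_size, 0, 0, []
    for i, value in enumerate(datapoints):
        minute = (i + 1) * PUBLISH_INTERVAL_MIN
        if value is None:
            # Assumption: a missed publish breaks the streak, so a firewall
            # that stops reporting cannot drive a scaling event by itself.
            high = low = 0
            continue
        high = high + 1 if value >= rule.scale_out_at else 0
        low = low + 1 if value <= rule.scale_in_at else 0
        if high >= rule.periods and size < max_size:
            size += 1
            events.append((minute, "scale_out", size))
            high = 0  # start a fresh interval after acting
        elif low >= rule.periods and size > min_size:
            size -= 1
            events.append((minute, "scale_in", size))
            low = 0
    return events


# Constructed sample series; None marks an interval with no datapoint.
SAMPLE = [40, 85, 90, 88, None, 82, 15, 10, 12, 50]
RULE = ScalingRule(scale_out_at=80, scale_in_at=20, periods=3)

if __name__ == "__main__":
    for event in evaluate(SAMPLE, RULE, min_size=1, max_size=3, start_size=1):
        print(event)
```

Replaying exported metric history through a model like this before changing alarm thresholds shows whether short spikes or gaps in publishing would add or remove firewalls.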
