What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?

cft_components.png
The VM-Series Auto Scaling template for AWS includes the following building blocks:
Building Block
Description
Firewall template
(Palo Alto Networks officially supported template)
The
firewall-v2.0.template
deploys a new VPC with subnets, route tables, an AWS NAT gateway, two Availability Zones (AZs), and security groups required for routing traffic across these AZs. This version 2.0 template also deploys an external ALB, and an ASG with a VM-Series firewall in each AZ.
Due to the many variations in a production environment that includes but is not limited to a specific number components, such as subnets, availability zones, route tables, and security groups. You must deploy the
firewall-v2.0.template
in a new VPC.
VM-Series Auto Scaling template for AWS does not deploy Panorama and Panorama is optional. Panorama provides ease of policy management and central visibility. If you want to use Panorama to manage the VM-Series firewalls that the solution deploys, you can either use an M-Series appliance or Panorama virtual appliance inside your corporate network or you can use a Panorama virtual appliance on AWS.
This solution includes an AWS NAT gateway that the firewalls use to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch.
Application template
(Community supported template)
The application template deploys an NLB and an ASG with a web server in each AZ. Because the NLB has a unique IP address for each AZ and the NAT policy rule on the firewalls must reference a single IP address, there is one ASG for each of the two AZs. All firewalls in an ASG use an identical configuration.
Version 2.0 of the auto scaling solution includes two application templates:
  • The
    panw_aws_nlb-v2.0.template
    allows you to deploy the application template resources within the same VPC as the one in which you deployed the firewall template (same AWS account).
  • The
    panw_aws_nlb_vpcv-2.0.template
    allows you to deploy the application template resources in a separate VPC using the same AWS account or multiple AWS accounts.
Lambda functions
AWS Lambda provides robust, event-driven automation without the need for complex orchestration software. In the
firewall-v2.0.template
, AWS Lambda monitors a Simple Queue Service (SQS) to learn about NLBs that publish to the queue. When the Lambda function detects a new NLB, it creates a new NAT policy rule and applies it to the VM-Series firewalls within the ASG. The firewalls have a NAT policy rule for each application and the firewalls use the NAT policy rule (that maps the port to NLB IP address) to forward traffic to the NLB in front of the application web servers.
You need to create the Security policy rule to allow or deny application traffic for your deployment. The sample
bootstrap.xml
file does not include any Security policy rules. You should use Panorama to centrally manage your firewalls and simplify creating Security policy rules.
There are additional functions:
  • Adds or removes an interface (ENI) when a firewall is launched or terminated.
  • Deletes all the associated resources when you delete a stack or terminate an instance.
  • Removes a firewall as a Panorama managed device when there is a scale-in event.
  • Deactivates the BYOL license when a scale-in event results in a firewall termination.
To learn more about the Lambda functions, refer to
http://paloaltonetworks-aws-autoscale-2-0.readthedocs.io/en/latest/
Bootstrap files
The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the sample credentials in the bootstrap.xml prior to launch.
This solution requires the init-cfg.txt file and the bootstrap.xml file so that the VM-Series firewall has the basic configuration for handling traffic.
  • The
    init-cfg.txt
    file includes the mgmt-interface-swap operational command to enable the firewall to receive dataplane traffic on its primary interface (eth0). This auto-scaling solution requires the swapping of the dataplane and management interfaces to enable the ALB to forward web traffic to the auto-scaling tier of VM-Series firewalls. For details, see Management Interface Mapping for Use with Amazon ELB.
  • The
    bootstrap.xml
    file enables basic connectivity for the firewall network interfaces and allows the firewall to connect to the AWS CloudWatch namespace that matches the stack name you enter when you launch the template.

Recommended For You