How Does the VM-Series Auto Scaling Template for AWS (v2.0
and v2.1) Enable Dynamic Scaling?
Understand how PAN-OS metrics trigger scale in and scale
out of firewalls within the ASG.
VM-Series firewalls deployed with the auto scaling templates scale in and
scale out based on custom PAN-OS metrics.
The VM-Series firewalls natively publish these metrics to the Amazon
CloudWatch console and, based on the metrics you choose for the
scaling parameters, you can define CloudWatch alarms and policies
to dynamically deploy or terminate instances for managing the application
traffic in your AWS deployment.
The firewalls publish metrics to AWS CloudWatch every five minutes
(by default). When a monitored metric breaches the configured threshold
for the configured number of evaluation periods, the CloudWatch alarm
enters the ALARM state and invokes the scaling policy attached to it,
which launches or terminates firewalls in the ASG. Because a datapoint
arrives only every five minutes, an alarm whose period is shorter than
the publish interval sees empty evaluation windows and has no data to act on.
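The following is an added example, not code from the VM-Series template or from Palo Alto Networks. It models how a CloudWatch alarm evaluates a metric that is published only every 300 seconds, and builds the pair of `put_metric_alarm()` argument sets (one scale-out, one scale-in) a practitioner would attach to the ASG's scaling policies. The metric name `DataPlaneCPUUtilizationPct`, the namespace `VMseries`, the thresholds, the policy ARNs and the datapoints are all assumptions constructed for the example; use the names your firewalls actually publish.

```python
"""Alarm evaluation over constructed PAN-OS datapoints (added example).

Not code from the VM-Series template. Metric name, namespace, thresholds,
ARNs and datapoints below are assumptions for illustration.
"""
import operator
from dataclasses import dataclass
from statistics import mean

PUBLISH_INTERVAL = 300  # PAN-OS publishes to CloudWatch every 5 minutes by default

# Same operator names CloudWatch uses for ComparisonOperator.
COMPARISONS = {
    "GreaterThanThreshold": operator.gt,
    "GreaterThanOrEqualToThreshold": operator.ge,
    "LessThanThreshold": operator.lt,
    "LessThanOrEqualToThreshold": operator.le,
}


@dataclass(frozen=True)
class Datapoint:
    timestamp: int  # epoch seconds
    value: float


def evaluate_alarm(points, *, threshold, comparison, period, evaluation_periods,
                   now, datapoints_to_alarm=None):
    """Return "ALARM", "OK" or "INSUFFICIENT_DATA" for the last
    `evaluation_periods` windows of `period` seconds ending at `now`.

    A window with no datapoint is treated as not breaching (the behaviour of
    TreatMissingData=notBreaching). If no window has any data at all, the
    alarm cannot be evaluated, which is what happens when `period` is shorter
    than the firewall's publish interval.
    """
    breaches = COMPARISONS[comparison]
    needed = datapoints_to_alarm or evaluation_periods
    breaching = 0
    windows_with_data = 0
    for i in range(evaluation_periods):
        end = now - i * period
        start = end - period
        values = [p.value for p in points if start <= p.timestamp < end]
        if not values:
            continue
        windows_with_data += 1
        if breaches(mean(values), threshold):
            breaching += 1
    if windows_with_data == 0:
        return "INSUFFICIENT_DATA"
    return "ALARM" if breaching >= needed else "OK"


def scaling_alarm_pair(namespace, metric, scale_out_policy_arn, scale_in_policy_arn):
    """Build the two put_metric_alarm() argument sets for one metric.

    Scale out quickly on sustained high utilisation, scale in only after a
    longer run of clearly low utilisation; the gap between the two thresholds
    is the hysteresis that keeps the ASG from flapping. Period matches the
    firewall's publish interval so every window holds one datapoint.
    """
    common = {
        "Namespace": namespace,
        "MetricName": metric,
        "Statistic": "Average",
        "Period": PUBLISH_INTERVAL,
        "TreatMissingData": "notBreaching",
    }
    return [
        {**common, "AlarmName": f"{metric}-scale-out", "Threshold": 70,
         "ComparisonOperator": "GreaterThanThreshold",
         "EvaluationPeriods": 3, "DatapointsToAlarm": 2,
         "AlarmActions": [scale_out_policy_arn]},
        {**common, "AlarmName": f"{metric}-scale-in", "Threshold": 40,
         "ComparisonOperator": "LessThanThreshold",
         "EvaluationPeriods": 6, "DatapointsToAlarm": 6,
         "AlarmActions": [scale_in_policy_arn]},
    ]


# Constructed sample: ten publishes 300 s apart; the last three show the
# dataplane CPU climbing past 70 %.
SAMPLE = [Datapoint(t * 300, 30.0) for t in range(7)] + [
    Datapoint(2100, 80.0), Datapoint(2400, 85.0), Datapoint(2700, 90.0)]
NOW = 3000

if __name__ == "__main__":
    # Hypothetical policy ARNs; in a real deployment these come from the ASG.
    for alarm in scaling_alarm_pair("VMseries", "DataPlaneCPUUtilizationPct",
                                    "arn:aws:autoscaling:example:scale-out",
                                    "arn:aws:autoscaling:example:scale-in"):
        state = evaluate_alarm(SAMPLE, threshold=alarm["Threshold"],
                               comparison=alarm["ComparisonOperator"],
                               period=alarm["Period"],
                               evaluation_periods=alarm["EvaluationPeriods"],
                               datapoints_to_alarm=alarm["DatapointsToAlarm"],
                               now=NOW)
        print(alarm["AlarmName"], state)
        # For real: boto3.client("cloudwatch").put_metric_alarm(**alarm)
    # A 60 s period never lines up with a 300 s publish interval:
    print("1-minute alarm:", evaluate_alarm(
        SAMPLE, threshold=70, comparison="GreaterThanThreshold",
        period=60, evaluation_periods=3, now=NOW))
```

With the sample data the scale-out alarm fires, the scale-in alarm stays OK, and the one-minute alarm reports no data at all; the same argument dictionaries can be passed unchanged to boto3's `put_metric_alarm`.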
When the auto-scaling event triggers the deployment of a new
firewall, the new instance bootstraps at launch and an AWS Lambda
function configures the firewall with NAT policy rules. A NAT policy
rule is created for each application and the rule references the
IP addresses for each network load balancer in your deployment.
When the application load balancer receives a request, it forwards
the request to the firewall on the assigned TCP port. The firewall
then inspects the traffic and forwards it to the corresponding network
load balancer, which then forwards the request to a web server in
its target group.
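The rule-per-application step above, as an added example that is not the template's own Lambda code: it turns an application-to-load-balancer mapping into PAN-OS destination-NAT rules in the XML form the firewall's XML API accepts. Everything not stated on the page is an assumption made for the example: the zone name `untrust`, the egress interface `ethernet1/2`, the `tcp-<port>` service-object naming (those objects must already exist), the vsys1 rulebase XPath, and the sample NLB addresses. It writes one translated address per rule; spreading one application across several NLB addresses would need PAN-OS's destination-NAT distribution over an address group, which is not shown here.

```python
"""One PAN-OS destination-NAT rule per application (added example).

Not the VM-Series template's Lambda code. Zone, interface, service-object
naming, XPath and sample addresses are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

# Where the rules are pushed with the XML API (type=config&action=set&xpath=...)
NAT_RULES_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
                   "/vsys/entry[@name='vsys1']/rulebase/nat/rules")

# Constructed sample: `listen_port` is the TCP port the ALB forwards to on the
# firewall; the NLB at nlb_ip:nlb_port fronts that application's web servers.
APPS = {
    "web": {"listen_port": 8080, "nlb_ip": "10.0.1.25", "nlb_port": 80},
    "api": {"listen_port": 8443, "nlb_ip": "10.0.1.40", "nlb_port": 443},
}


def _members(parent, tag, values):
    """Emit <tag><member>v</member>...</tag>, the PAN-OS list form."""
    node = ET.SubElement(parent, tag)
    for v in values:
        ET.SubElement(node, "member").text = v
    return node


def nat_rule(app, listen_port, nlb_ip, nlb_port, untrust_zone="untrust",
             egress_interface="ethernet1/2", pre_nat_destination="any"):
    """Build one DNAT rule: traffic arriving from the untrust zone for
    tcp/<listen_port> is sent to the NLB at nlb_ip:nlb_port.

    NAT rules match the original packet, so the 'to' zone is the pre-NAT
    zone (untrust). Tighten pre_nat_destination to the firewall's untrust
    interface address rather than "any" where you know it. Source NAT to the
    egress interface keeps the NLB's replies coming back through this firewall.
    """
    entry = ET.Element("entry", name=f"{app}-dnat-{listen_port}")
    _members(entry, "from", [untrust_zone])
    _members(entry, "to", [untrust_zone])
    _members(entry, "source", ["any"])
    _members(entry, "destination", [pre_nat_destination])
    ET.SubElement(entry, "service").text = f"tcp-{listen_port}"
    dnat = ET.SubElement(entry, "destination-translation")
    ET.SubElement(dnat, "translated-address").text = nlb_ip
    ET.SubElement(dnat, "translated-port").text = str(nlb_port)
    snat = ET.SubElement(entry, "source-translation")
    dipp = ET.SubElement(snat, "dynamic-ip-and-port")
    iface = ET.SubElement(dipp, "interface-address")
    ET.SubElement(iface, "interface").text = egress_interface
    return entry


def build_nat_rules(apps):
    """Return {app: <entry> Element}, one rule per application."""
    return {app: nat_rule(app, **spec) for app, spec in apps.items()}


def render(entry):
    """Serialise one rule for the XML API's `element` parameter."""
    return ET.tostring(entry, encoding="unicode")


if __name__ == "__main__":
    for app, entry in build_nat_rules(APPS).items():
        print(f"# {app}: xpath={NAT_RULES_XPATH}")
        print(render(entry))
```

Each rendered `<entry>` is what goes in the `element` parameter of a `type=config&action=set` XML API call against `NAT_RULES_XPATH`, followed by a commit; on scale-in the matching `action=delete` removes it.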