What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?
The VM-Series Auto Scaling template for AWS includes the following building blocks:
(Palo Alto Networks officially supported template)
firewall-v2.0.template deploys a new VPC with subnets, route tables, an AWS NAT gateway, two Availability Zones (AZs), and the security groups required for routing traffic across these AZs. This version 2.0 template also deploys an external ALB and an ASG with a VM-Series firewall in each AZ.
Because production environments vary widely in the number of components they include (subnets, Availability Zones, route tables, security groups, and so on), you must deploy the firewall-v2.0.template in a new VPC.
The VM-Series Auto Scaling template for AWS does not deploy Panorama; Panorama is optional. Panorama provides ease of policy management and central visibility. If you want to use Panorama to manage the VM-Series firewalls that the solution deploys, you can use either an M-Series appliance or a Panorama virtual appliance inside your corporate network, or a Panorama virtual appliance on AWS.
This solution includes an AWS NAT gateway that the firewalls use to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch.
(Community supported template)
The application template deploys an NLB and an ASG with a web server in each AZ. Because the NLB has a unique IP address for each AZ and the NAT policy rule on the firewalls must reference a single IP address, there is one ASG for each of the two AZs. All firewalls in an ASG use an identical configuration.
Version 2.0 of the auto scaling solution includes two application templates:
AWS Lambda provides robust, event-driven automation without the need for complex orchestration software. In the firewall-v2.0.template, AWS Lambda monitors a Simple Queue Service (SQS) queue to learn about NLBs that publish to the queue. When the Lambda function detects a new NLB, it creates a new NAT policy rule and applies it to the VM-Series firewalls within the ASG. The firewalls have a NAT policy rule for each application, and they use that rule (which maps the port to the NLB IP address) to forward traffic to the NLB in front of the application web servers.
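The following is an added example, not Palo Alto Networks' Lambda code from the repository: it consumes SQS records announcing an NLB and derives the destination NAT rule the firewalls need. It folds in the constraint stated above for the application template (the NLB has one IP address per AZ and a NAT rule references a single address), so it emits one rule per AZ. The message schema, the zone names "untrust" and the 63-character rule-name limit are assumptions, and the SQS event is constructed for the example.

```python
"""Added example: turn SQS messages about a new NLB into per-AZ NAT rules.
Not the project's own Lambda function; message format and zone names are
assumptions made for illustration."""
import ipaddress
import json
from typing import Dict, List, Optional

MAX_RULE_NAME = 63  # assumed PAN-OS rule-name length limit

# Constructed sample SQS event (two records: one valid, one with a bad IP).
SAMPLE_SQS_EVENT = {
    "Records": [
        {"body": json.dumps({
            "nlb_name": "web-app-nlb",
            "port": 80,
            "ips": {"us-east-1a": "10.0.1.25", "us-east-1b": "10.0.2.25"},
        })},
        {"body": json.dumps({
            "nlb_name": "broken-nlb",
            "port": 443,
            "ips": {"us-east-1a": "not-an-ip"},
        })},
    ]
}


def parse_nlb_message(body: str) -> dict:
    """Validate one queue message before it can influence firewall policy.
    Raises ValueError on any malformed field (assumed message schema)."""
    msg = json.loads(body)
    for key in ("nlb_name", "port", "ips"):
        if key not in msg:
            raise ValueError(f"missing field '{key}'")
    port = int(msg["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not msg["ips"]:
        raise ValueError("no per-AZ addresses supplied")
    ips: Dict[str, str] = {}
    for az, ip in msg["ips"].items():
        # ipaddress raises ValueError for anything that is not an address
        ips[az] = str(ipaddress.ip_address(ip))
    return {"nlb_name": str(msg["nlb_name"]), "port": port, "ips": ips}


def build_nat_rules(msg: dict) -> Dict[str, dict]:
    """One destination-NAT rule per AZ: the NLB has a distinct IP in each AZ
    and a NAT rule can only reference a single translated address."""
    rules: Dict[str, dict] = {}
    for az, ip in sorted(msg["ips"].items()):
        name = f"{msg['nlb_name']}-{az}-{msg['port']}"
        if len(name) > MAX_RULE_NAME:
            raise ValueError(f"rule name too long: {name}")
        rules[az] = {
            "name": name,
            "from": "untrust",  # assumed zone names
            "to": "untrust",
            "service": f"tcp-{msg['port']}",
            "destination-translation": {
                "translated-address": ip,
                "translated-port": msg["port"],
            },
        }
    return rules


def handler(event: dict, context=None,
            existing_rules: Optional[List[str]] = None) -> dict:
    """Lambda-style entry point. Returns the rules to push to each AZ's ASG
    and the records that were rejected. Skips rule names that already exist
    so a redelivered SQS message does not create a duplicate rule."""
    known = set(existing_rules or [])
    applied: Dict[str, List[dict]] = {}
    rejected: List[dict] = []
    for record in event.get("Records", []):
        try:
            msg = parse_nlb_message(record["body"])
            rules = build_nat_rules(msg)
        except (ValueError, KeyError, TypeError) as exc:
            rejected.append({"body": record.get("body"), "reason": str(exc)})
            continue
        for az, rule in rules.items():
            if rule["name"] in known:
                continue
            known.add(rule["name"])
            applied.setdefault(az, []).append(rule)
    return {"applied": applied, "rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_SQS_EVENT), indent=2))
```

The validation step matters because a queue message is untrusted input that ends up as firewall policy; anything that cannot be parsed as an address or port is rejected rather than pushed, and the idempotency check covers SQS at-least-once delivery.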
You need to create the Security policy rules that allow or deny application traffic for your deployment. The sample bootstrap.xml file does not include any Security policy rules. You should use Panorama to centrally manage your firewalls and simplify creating Security policy rules.
There are additional functions:
To learn more about the Lambda functions, refer to
The bootstrap.xml file in the GitHub repository is intended for testing and evaluation only. For a production deployment, you must modify the sample credentials in the bootstrap.xml prior to launch.
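As an added pre-launch check covering the two points above (no Security policy rules in the sample bootstrap.xml, and sample credentials that must be replaced), the following example is not part of the Palo Alto Networks repository. The element paths follow the PAN-OS configuration layout as this example assumes it, the XML fragment is constructed, and the hash value is a made-up placeholder rather than the repository's actual sample credential.

```python
"""Added example: preflight a bootstrap.xml before launching the template.
Not the project's own tooling; element paths are an assumption about the
PAN-OS config layout and the sample XML is constructed."""
import xml.etree.ElementTree as ET
from typing import List, Set

# Constructed bootstrap.xml fragment; the phash is a placeholder, not a
# real hash from the GitHub repository.
SAMPLE_BOOTSTRAP = """<config version="8.1.0">
  <mgt-config>
    <users>
      <entry name="admin">
        <phash>PLACEHOLDER-SAMPLE-HASH</phash>
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <rulebase>
            <nat><rules/></nat>
            <security><rules/></security>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>"""

# Assumed PAN-OS config paths (relative to the <config> root).
SECURITY_RULES = "./devices/entry/vsys/entry/rulebase/security/rules/entry"
ADMIN_PHASH = "./mgt-config/users/entry[@name='admin']/phash"


def preflight(xml_text: str, sample_hashes: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the file passed.
    sample_hashes holds the known placeholder credential hashes that must
    not reach a production firewall."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    phash = root.findtext(ADMIN_PHASH)
    if phash is None:
        findings.append("admin user has no phash configured")
    elif phash.strip() in sample_hashes:
        findings.append("admin phash is the sample credential; replace it before launch")

    if not root.findall(SECURITY_RULES):
        # With no rules, only the PAN-OS default rules apply, and those deny
        # inter-zone traffic, so application traffic would not be allowed.
        findings.append("no Security policy rules defined; add them (for example via Panorama)")

    return findings


def fixed_sample() -> str:
    """A corrected copy of the constructed sample: rotated hash plus one rule."""
    return (SAMPLE_BOOTSTRAP
            .replace("PLACEHOLDER-SAMPLE-HASH", "ROTATED-PLACEHOLDER-HASH")
            .replace("<security><rules/></security>",
                     '<security><rules><entry name="allow-web"/></rules></security>'))


if __name__ == "__main__":
    for finding in preflight(SAMPLE_BOOTSTRAP, {"PLACEHOLDER-SAMPLE-HASH"}):
        print("FINDING:", finding)
    print("fixed copy findings:", preflight(fixed_sample(), {"PLACEHOLDER-SAMPLE-HASH"}))
```

Wire this into whatever pipeline uploads the bootstrap package to S3 so that a file which still carries the sample credential or an empty Security rulebase is rejected before any firewall boots from it.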
This solution requires the init-cfg.txt file and the bootstrap.xml file so that the VM-Series firewall has the basic configuration for handling traffic.
To deploy the solution, see Launch the VM-Series Auto Scaling Template for AWS (v2.0).