VM-Series Integration with AWS Warm Pool
Accelerate VM-Series firewall scaling in AWS using warm pools. Reduce boot times to
90 sec for continuous security and rapid traffic handling.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| | - PAN-OS® 11.2.11 or later and 12.1.5 or later<br>- Network administrator or superuser access |
The AWS Warm Pool feature integrates your Palo Alto Networks® VM-Series
firewalls with AWS Auto Scaling Group (ASG) warm pool support. With this integration, you can choose to
maintain a pool of pre-initialized VM-Series instances, significantly reducing the time
required for them to become operational during scale-out events.
Traditional VM-Series scaling in AWS can take 15 to 20 minutes for a new
instance to become fully operational. This impacts application availability and security
posture during traffic spikes. AWS warm pools mitigate this by pre-initializing
firewalls, allowing them to enter service in under 90 seconds. This improves the
responsiveness of your security infrastructure.
When your ASG scales out, a pre-initialized VM-Series instance from the warm pool
transitions to the InService state. Credit consumption happens only when an
instance transitions to InService; warmed instances waiting in the pool do not
consume credits.
AWS Warm Pool Integration
Palo Alto Networks VM-Series firewalls integrate with AWS Auto Scaling Group (ASG)
warm pools to enhance scaling capabilities. The following are the key components
that orchestrate the lifecycle of your firewall instances within AWS.
VM-Series Firewall Instances
These instances are the core security appliances providing network
security services. Within the warm pool context, these are the instances
pre-initialized and managed, ready to scale out rapidly.
AWS Auto Scaling Group (ASG)
The ASG acts as the container and manager for your VM-Series instances.
It dynamically adds or removes instances from service based on demand and
health. The Warm Pool is an integral part of the ASG's scaling mechanism,
providing a ready pool of instances.
IAM Role
You must attach an AWS Identity and Access Management (IAM) role with
specific permissions to your VM-Series instances. This role grants authority to
the firewall to interact with AWS Auto Scaling services, specifically to update
the instance's health status within the ASG. The IAM policy must include the
following permissions:
- autoscaling:DescribeAutoScalingInstances
- autoscaling:DescribeLifecycleHooks
- autoscaling:CompleteLifecycleAction
- autoscaling:DescribeLoadBalancerTargetGroups
- elasticloadbalancing:DescribeTargetHealth
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Ensure that the role attached to the firewall grants these permissions. The
logs: permissions are needed so the firewall can write to CloudWatch Logs for
monitoring and debugging.
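The following is an added example, not Palo Alto Networks code: a small audit script that checks an instance-role policy document for the actions listed above and flags service-wide wildcards that would grant the firewall far more than it needs. Both policy documents in the script are constructed for illustration; only Allow statements are evaluated (Deny statements and resource scoping are not considered).

```python
"""Check an instance-role IAM policy for the permissions the VM-Series warm pool
integration requires. Added example, not Palo Alto Networks code; the two policy
documents below are constructed for illustration."""
import fnmatch
import json

# Actions the integration guide lists for the firewall's instance role.
REQUIRED_ACTIONS = {
    "autoscaling:DescribeAutoScalingInstances",
    "autoscaling:DescribeLifecycleHooks",
    "autoscaling:CompleteLifecycleAction",
    "autoscaling:DescribeLoadBalancerTargetGroups",
    "elasticloadbalancing:DescribeTargetHealth",
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
}

# Constructed policy that grants exactly the listed actions.
GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeLifecycleHooks",
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:DescribeLoadBalancerTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "*"
    }
  ]
}""")

# Constructed policy with a service-wide wildcard and one required action missing.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["autoscaling:*", "elasticloadbalancing:DescribeTargetHealth",
                   "logs:CreateLogGroup", "logs:CreateLogStream"],
        "Resource": "*",
    },
}


def _as_list(value):
    """IAM accepts a single string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Collect every action pattern granted by an Allow statement."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            actions.update(_as_list(stmt["Action"]))
    return actions


def _grants(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Return the required actions the policy does not grant and any
    service-wide wildcards ('*' or 'svc:*') that grant far more than needed."""
    granted = allowed_actions(policy)
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(_grants(p, a) for p in granted))
    over_broad = sorted(p for p in granted if p == "*" or p.endswith(":*"))
    return {"missing": missing, "over_broad": over_broad,
            "ok": not missing and not over_broad}


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, audit_policy(policy))
```

Run it against the policy document attached to the firewall's role (for example, the output of `aws iam get-policy-version`) to confirm the role grants the listed actions without falling back to `autoscaling:*`.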
Dependencies and Interactions
The AWS Warm Pool feature for VM-Series firewalls relies on seamless interaction with
the following AWS and Palo Alto Networks services:
- AWS Services
  - CloudWatch: Used for publishing logs related to warm pool operations. This
    allows you to monitor provisioning status and debug issues.
  - Lifecycle Hooks: Lifecycle hooks are customizable actions defined within
    the ASG that pause instance transitions at specific points. This allows the
    firewall to perform provisioning tasks before the instance proceeds. Two
    lifecycle hooks are mandatory for this feature:
    - LaunchLifecycleHook: Used for transitions from Warmed:Pending:Wait to
      Warmed:Pending:Proceed and from Pending to InService. Configure the
      heartbeat timeout to accommodate the full configuration push and
      provisioning time for the firewall, typically ranging from 5 to 20
      minutes (for example, 600 seconds or more). The default result for this
      hook must be CONTINUE.
    - TerminateLifecycleHook: Used for instance termination, allowing for
      cleanup actions such as delicensing and public IP release. A timeout of
      300 seconds with a default result of ABANDON is suggested for this hook.
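As an added example (not Palo Alto Networks code), the following script audits the lifecycle hooks of an ASG against the two hook requirements described above. The response dictionary is a constructed stand-in for the output of `aws autoscaling describe-lifecycle-hooks`; the hook names come from the text, and the group name `vmseries-asg` is a placeholder.

```python
"""Audit the lifecycle hooks of an Auto Scaling group against the warm pool
guidance. Added example, not Palo Alto Networks code; SAMPLE_RESPONSE is a
constructed stand-in for `aws autoscaling describe-lifecycle-hooks` output."""

LAUNCHING = "autoscaling:EC2_INSTANCE_LAUNCHING"
TERMINATING = "autoscaling:EC2_INSTANCE_TERMINATING"

# Expectations taken from the text: the launch hook must leave enough time for
# the full configuration push (600 s or more) and default to CONTINUE; the
# terminate hook is suggested at 300 s with a default of ABANDON.
EXPECTED = {
    LAUNCHING: {"min_timeout": 600, "default_result": "CONTINUE"},
    TERMINATING: {"min_timeout": 300, "default_result": "ABANDON"},
}

# Constructed response: the launch hook's heartbeat timeout is too short.
SAMPLE_RESPONSE = {
    "LifecycleHooks": [
        {
            "LifecycleHookName": "LaunchLifecycleHook",
            "AutoScalingGroupName": "vmseries-asg",  # placeholder group name
            "LifecycleTransition": LAUNCHING,
            "HeartbeatTimeout": 300,
            "GlobalTimeout": 172800,
            "DefaultResult": "CONTINUE",
        },
        {
            "LifecycleHookName": "TerminateLifecycleHook",
            "AutoScalingGroupName": "vmseries-asg",
            "LifecycleTransition": TERMINATING,
            "HeartbeatTimeout": 300,
            "GlobalTimeout": 172800,
            "DefaultResult": "ABANDON",
        },
    ]
}


def audit_hooks(response):
    """Return a list of findings; an empty list means both hooks meet the guidance.
    The launch hook also gates the Warmed:Pending:Wait -> Warmed:Pending:Proceed
    transition of warm pool instances, so one hook per transition is sufficient."""
    findings = []
    by_transition = {}
    for hook in response.get("LifecycleHooks", []):
        by_transition.setdefault(hook["LifecycleTransition"], []).append(hook)

    for transition, rule in EXPECTED.items():
        hooks = by_transition.get(transition, [])
        if not hooks:
            findings.append(f"no lifecycle hook for {transition}")
            continue
        for hook in hooks:
            name = hook["LifecycleHookName"]
            timeout = hook.get("HeartbeatTimeout", 0)
            if timeout < rule["min_timeout"]:
                findings.append(f"{name}: HeartbeatTimeout {timeout}s is below "
                                f"{rule['min_timeout']}s")
            if hook.get("DefaultResult") != rule["default_result"]:
                findings.append(f"{name}: DefaultResult {hook.get('DefaultResult')} "
                                f"should be {rule['default_result']}")
    return findings


if __name__ == "__main__":
    for finding in audit_hooks(SAMPLE_RESPONSE) or ["all hooks meet the guidance"]:
        print(finding)
```

A launch hook with too short a heartbeat timeout is the failure mode to watch for: if the firewall has not completed its configuration push before the timeout expires, the default result (CONTINUE) moves the instance into service before it is ready.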