>
    Strata Copilot
    VM-Series on Amazon Web Services Performance and Capacity
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series on Amazon Web Services Performance and Capacity
    Download PDF
    VM-Series

    VM-Series on Amazon Web Services Performance and Capacity

    Table of Contents

    VM-Series on Amazon Web Services Performance and Capacity

    View performance and capacity information for the VM-Series on AWS.
    Where Can I Use This?What Do I Need?
    • VM-Series
    • VM-Series
    • Panorama
    • VM-Series licenses

    11.1

    VM-Series on AWS performance and capacity for public clouds.
    Many factors, such as AWS instance size, maximum packets per second supported, number of cores used, and AWS placement group, can affect performance.
    We recommend additional testing within your environment to ensure that you meet your performance and capacity requirements. For a complete listing of all VM-Series features and capacities, see compare VM-Series firewalls. The performance and capacities listed in the following table have been generated under these test conditions:
    • Firewall throughput is measured with App-ID™ technology features enabled utilizing 64 KB HTTP 1.1 transactions.
    • IPsec VPN is measured with App-ID™ enabled and performance is tested between a pair of VM-Series firewall instances in a placement group deployed within the same availability zone and region and with 12 tunnels with a single IKE gateway. The performance will vary based on AWS instance type and connectivity topology (for example, connecting from on-premises hardware to VM-Series on AWS, or from VM-Series in an AWS VPC to an AWS VGW in another VPC, or VM-Series to VM-Series across regions).
    • Threat Prevention throughput is measured with App-ID, User-ID, IPS, antivirus, and anti-spyware features enabled, utilizing 64 KB HTTP 1.1 transactions.
    • Tested on instances with AWS Nitro Hypervisor and SR-IOV and DPDK are enabled.
    Model
    2 vCPUs
    (formerly VM-100)
    4 vCPUs)
    (formerly VM-300)
    8 vCPUs
    (formerly VM-500)
    16 vCPUs
    (formerly VM-700)
    32 vCPUs
    64 vCPUs
    AWS instance size tested
    c6in.xlarge
    c6in.xlarge
    c6in.2xlarge
    c6in.4xlarge
    c6in.8xlarge
    c6in.16xlarge
    Firewall throughput (App-ID enabled)
    3 Gbps
    5 Gbps
    10 Gbps
    17 Gbps
    30 Gbps
    40 Gbps*
    Threat Prevention throughput
    1 Gbps
    2 Gbps
    5 Gbps
    9 Gbps
    16 Gbps
    30 Gbps*
    IPsec VPN throughput
    1 Gbps
    2 Gbps
    4 Gbps
    8 Gbps
    14 Gbps
    20 Gbps*
    *estimated

    11.0

    VM-Series on AWS performance and capacity for public clouds.
    Many factors, such as AWS instance size, maximum packets per second supported, number of cores used, and AWS placement group, can affect performance.
    We recommend additional testing within your environment to ensure that you meet your performance and capacity requirements. For a complete listing of all VM-Series features and capacities, see compare VM-Series firewalls. The performance and capacities listed in the following table have been generated under these test conditions:
    • Firewall throughput is measured with App-ID™ technology features enabled utilizing 64 KB HTTP 1.1 transactions.
    • IPsec VPN is measured with App-ID™ enabled and performance is tested between a pair of VM-Series firewall instances in a placement group deployed within the same availability zone and region. The performance will vary based on AWS instance type and connectivity topology.
    • Threat Prevention throughput is measured with App-ID, User-ID, IPS, antivirus, and anti-spyware features enabled, utilizing 64 KB HTTP 1.1 transactions.
    • Tested on instances with AWS Nitro Hypervisor and SR-IOV and DPDK are enabled.
    Model
    2 vCPUs
    (formerly VM-100)
    4 vCPUs)
    (formerly VM-300)
    8 vCPUs
    (formerly VM-500)
    16 vCPUs
    (formerly VM-700)
    32 vCPUs
    64 vCPUs
    AWS instance size tested
    c6in.xlarge
    c6in.xlarge
    c6in.2xlarge
    c6in.4xlarge
    c6in.8xlarge
    c6in.16xlarge
    Firewall throughput (App-ID enabled)
    3 Gbps
    5 Gbps
    10 Gbps
    17 Gbps
    30 Gbps
    40 Gbps*
    Threat Prevention throughput
    1 Gbps
    2 Gbps
    5 Gbps
    9 Gbps
    16 Gbps
    30 Gbps*
    IPsec VPN throughput
    1 Gbps
    2 Gbps
    4 Gbps
    8 Gbps
    14 Gbps
    20 Gbps*
    *estimated

    10.2

    VM-Series on AWS performance and capacity for public clouds.
    Many factors, such as AWS instance size, maximum packets per second supported, number of cores used, and AWS placement group, can affect performance.
    We recommend additional testing within your environment to ensure that you meet your performance and capacity requirements. For a complete listing of all VM-Series features and capacities, see compare VM-Series firewalls. The performance and capacities listed in the following table have been generated under these test conditions:
    • Firewall throughput is measured with App-ID™ technology features enabled utilizing 64 KB HTTP 1.1 transactions.
    • IPsec VPN is measured with App-ID™ enabled and performance is tested between a pair of VM-Series firewall instances in a placement group deployed within the same availability zone and region and with 12 tunnels with a single IKE gateway. The performance will vary based on AWS instance type and connectivity topology (for example, connecting from on-premises hardware to VM-Series on AWS, or from VM-Series in an AWS VPC to an AWS VGW in another VPC, or VM-Series to VM-Series across regions).
    • Threat Prevention throughput is measured with App-ID, User-ID, IPS, antivirus, and anti-spyware features enabled, utilizing 64 KB HTTP 1.1 transactions.
    • Tested on instances with AWS Nitro Hypervisor and SR-IOV and DPDK are enabled.
    Model
    2 vCPUs
    (formerly VM-100)
    4 vCPUs)
    (formerly VM-300)
    8 vCPUs
    (formerly VM-500)
    16 vCPUs
    (formerly VM-700)
    AWS instance size tested m5.large m5.xlarge m5.2xlargem5.4xlarge
    Firewall throughput (App-ID enabled)1.9 Gbps 3.7 Gbps 7.9 Gbps 8.0 Gbps
    Threat Prevention throughput 0.8 Gbps1.5 Gbps 3.7 Gbps 7.2 Gbps
    IPsec VPN throughput1.3 Gbps 2.7 Gbps4.2 Gbps 4.8 Gbps

    10.1

    VM-Series on AWS performance and capacity for public clouds.
    Many factors, such as AWS instance size, maximum packets per second supported, number of cores used, and AWS placement group, can affect performance.
    We recommend additional testing within your environment to ensure that you meet your performance and capacity requirements. For a complete listing of all VM-Series features and capacities, see compare VM-Series firewalls. The performance and capacities listed in the following table have been generated under these test conditions:
    • Recommended AWS Instance types (c5/m5/c5n/m5n) and sizes that use the AWS Nitro Hypervisor with Enhanced Networking Adapter (ENA). Additionally, SR-IOV and DPDK are enabled and AWS placement groups are configured.
    • Firewall throughput is measured with App-ID technology features enabled utilizing 64 KB HTTP 1.1 transactions.
    • IPSec VPN is measured with App-ID™ enabled and performance is tested between a pair of VM-Series firewall instances in a placement group deployed within the same availability zone and region. The performance will vary based on AWS instance type and connectivity topology (for example, connecting from on-premises hardware to VM-Series on AWS, or from VM-Series in an AWS VPC to an AWS VGW in another VPC, or VM-Series to VM-Series across regions).
    • Threat Prevention throughput is measured with App-ID, User-ID, IPS, antivirus, and anti-spyware features enabled, utilizing 64 KB HTTP 1.1 transactions.
    Model VM-50 / VM-50 Lite*VM-100VM-300VM-500 VM-700
    AWS instance size tested (recommended**)N/Am5.large m5.xlarge m5.2xlargem5.4xlarge
    Firewall throughput (App-ID enabled)N/A 2.1 Gbps 4.3 Gbps 9.0 Gbps 10.2 Gbps
    Threat Prevention throughput N/A1.0 Gbps1.9 Gbps 4.1 Gbps 7.8 Gbps
    IPSec VPN throughput*** N/A 0.9 Gbps 1.6 Gbps3.0 Gbps 3.3 Gbps
    *The VM-50 and VM-50 Lite are not supported on AWS. See VM-Series on AWS Instances.
    **Refers to recommended AWS instance size of a supported AWS instance type based on CPU cores, memory, network interfaces and pricing. For example, m5.xlarge instance (with 4 vCPUs, 16GB memory, 4ENIs at its price is recommended to support VM-300 model for a range of common use cases.
    ***IPsec VPN Throughput is tested on the VM-100 with 1 tunnel, VM-300 with 2 tunnels, VM-500 with 6 tunnels, and VM-700 with 12 tunnels.

    © 2026 Palo Alto Networks, Inc. All rights reserved.