VM-Series for AWS Sizing

VM-Series for AWS Sizing

Created On 09/25/18 15:12 PM - Last Modified 05/18/23 08:54 AM


Topics covered in this article:
  • VM-Series on AWS Sizing
  • VM-Series licensing and model choice
  • AWS Instance type choice
  • Changing instance types


  • Virtualization
  • AWS VM-Series Firewall


VM-Series on AWS Sizing

When sizing your VM-Series on AWS Instance, there are many factors to consider including your projected throughput (VM-Series model), the deployment type (e.g., VPC to VPC or Internet facing) and network speed requirements (ENIs).This article will cover the factors below impact your Instance size.

  • VM-Series model (VM-50, -100, -200, -300, -500, -700 or -1000HV)
  • AWS instance type: vCPU, memory and network interfaces
  • Network performance of the AWS instance type


VM-Series licensing and model choice

The VM-Series on AWS can be licensed using consumption-based licensing via the AWS Marketplace, bring-your-own-license and the VM-Series Enterprise Licensing Agreement (VM-Series ELA).

  • Consumption-based licensing: Use your AWS Management Console to purchase and deploy VM-Series hourly or annual subscription bundles directly from the AWS Marketplace.
    • Bundle 1 contents: VM-300 firewall license, Threat Prevention (inclusive of IPS, AV, malware prevention) and Premium Support (written and spoken English only).
    • Bundle 2 contents: VM-300 firewall license, Threat Prevention (inclusive of IPS, AV, malware prevention), WildFire, URL Filtering and GlobalProtect subscriptions and Premium Support (written and spoken English only).
  • Bring-your-own-license: Any one of the VM-Series models, along with the associated subscriptions and support, are purchased via normal Palo Alto Networks channels and then deployed via a license authorization code through your AWS Management Console.
  • VM-Series Enterprise Licensing Agreement: For large scale deployments on AWS or across multiple virtualization environments, the VM-Series ELA allows you to forecast, and purchase upfront, the VM-Series firewalls to be deployed over a 1- or 3- year period. The VM-Series ELA gives you a single license authorization code used for the life of the term, resulting in a predictable security spend and simplifying the licensing process by establishing a single start and end date for all VM-Series licenses and subscriptions. Each VM-Series ELA includes a VM-Series firewall, subscriptions for Threat Prevention, URL Filtering, WildFire™, GlobalProtect™ Gateway, unlimited Panorama Virtual Machine licenses and Support.


To help guide your choice, please  review the licensing options article. The VM-Series model you choose for a BYOL deployment should be based on the capacities of the models and deployment use case. Use the data sheets, product comparison tool and documentation for selecting the model.


AWS Instance type choice

Performance of VM-Series is dependent on capabilities of the AWS instance type. Larger instance types have more vCPUs, more memory, more elastic network interfaces (ENI’s), and better network performance in terms of throughput, latency and packets per second. Larger instance sizes can be used with smaller VM-Series models. If a larger instance size is used for the VM-Series, only the max vCPU cores and memory shown in the table will be fully utilized, but it can take advantage of the faster network performance provided by AWS.


VM-Series on AWS supports the enhanced networking features of AWS which includes supports SR-IOV and DPDK for higher throughput on all VM-Series supported instance types. SR-IOV is enabled default, while DPDK can be enabled as an optional feature outlined in the AWS documentation. The VM-Series datasheet provides detailed throughput metrics based on the VM-Series model and AWS instance type.

User-added image

Table 1: Supported AWS instance types based on the vCPU and memory required for each VM-Series model. * Refers to recommended size based on vCPU cores, memory, number of ENI’s, and support for Enhanced networking. Note: The VM-50 is not supported in AWS.


A final consideration will be the MTU size (1500 bytes or 9001 byte jumbo frames) you choose based on the AWS documentation and whether your use case is an Internet facing deployment or uses IPSec, versus a deployment that is only connecting between instances inside a VPC.


Changing instance types

The safest method of choosing an AWS instance type for the VM-Series is to use the guidance above and then pad your result a bit. Run the firewall and monitor the performance for a few weeks. Use a combination of AWS monitoring tools and PAN-OS to monitor the real-world performance of the firewall.  After you have real data, you can resize the instance type lower or higher as needed. You will need to stop the instance to change the size, so you will need to schedule an outage or use a combination of HA and/or load balancing to minimize the impact.


Note: Annual subscriptions combine the VM-Series model (Bundle 1 or Bundle 2) with a specific instance type at the time of purchase. Changing an instance type is not supported by AWS without a manual cancellation process. Refer to AWS FAQ on annual subscriptions for more information.

  • Print
  • Copy Link


Choose Language