Palo Alto Networks Knowledgebase: VM-Series for AWS Auto Scaling
VM-Series for AWS Auto Scaling
Created On 09/25/18 18:55 PM - Last Updated 07/17/19 22:30 PM
Scaling security with AWS workloads
This week, we delivered a set of scripts and templates to solve the challenge of scaling security in conjunction with workloads in AWS. The new feature set for the VM-Series on AWS natively integrates with AWS Auto Scaling and Elastic Load Balancing (ELB), allowing the VM-Series to scale dynamically yet independently of your fluctuating AWS workloads. Auto Scaling the VM-Series on AWS leverages two load balancers, effectively creating a load balancer sandwich that enables your VM-Series firewalls to scale independently of your AWS workloads based on metrics.
Dynamic scaling of VM-Series on AWS
Using native AWS services and standard VM-Series (PAN-OS) automation features, you can now scale the VM-Series on AWS dynamically, as your protected workload demands fluctuate. Here’s a bit more detail on the solution components and how they are used.
AWS CloudFormation Template is used to deploy the entire solution from an AWS CloudFormation template. This creates a simple-to-deploy, all-inclusive Auto Scaling the VM-Series on AWS solution.
AWS Lambda is used for several predefined services including: add network interfaces (ENIs) on newly deployed VM-Series instances, monitor VM-Series traffic metrics, and communicate with Amazon CloudWatch (via SNS).
AWS S3 is used to store the VM-Series bootstrap configuration and the Lambda scripts. S3 storage can also be used to store other types of files, such as other AWS CloudFormation Templates, used for additional automation.
Amazon CloudWatch monitors the AWS workloads, collecting relevant statistics that can be used in conjunction with the VM-Series metrics to initiate the deployment or removal of a VM-Series firewall.
Bootstrapping (VM-Series/PAN-OS) allows you to create a fully configured VM-Series firewall instance. Each bootstrapped firewall can include firewall configuration, security policies, content updates and inclusion in a Panorama™ network security management device group.
PAN-OS® (VM-Series/PAN-OS) API pulls user-defined metrics from the VM-Series firewall and uses Lambda to send them to CloudWatch.
Panorama can optionally be used to centrally manage the entire solution.
How it works
The AWS CloudFormation Template deploys an initial VM-Series firewall Auto Scaling Group using a bootstrapped image stored in AWS S3. PAN-OS bootstrapping can also automatically attach the VM-Series firewall to Panorama if it has been deployed.
As traffic hitting your web server (or workload) increases, CloudWatch monitors the traffic, initiating alarms based on user-defined metrics and ultimately the addition of a new web server. As the web server traffic increases, so too does the VM-Series traffic, which is where Lambda comes in to play. Lambda collects VM-Series metrics via the XML API and feeds them to CloudWatch as custom metrics, triggering a VM-Series scale-out event using the bootstraped VM-Series firewall image. As traffic to the web server winds down, a scale-in event is triggered based on defined CloudWatch metrics and the VM-Series is removed.
Production-ready scripts and templates
The Auto Scaling the VM-Series on AWS feature set is production ready, meaning if you use the scripts and templates as they are designed, and if you run into a challenge, you can contact the support team for assistance. To learn more about the innovative way in which we solved the scaling challenge, watch the Auto Scaling the VM-Series on AWS Lightboard and demo here.
If you’re already using the VM-Series and want to try it out, you can find all the necessary resources here. Note that Auto Scaling the VM-Series on AWS uses AWS Marketplace Bundle 1 or Bundle 2, in either an annual or an hourly subscription.