We strive to solve customer problems in an innovative manner that doesn't slow business productivity. The core features of our next-generation firewall solved the inadequacies of port-based filtering. WildFire and AutoFocus delivered on the promise of a global threat intelligence cloud, preventing unknown threats and helping customers make actionable the intelligence gathered to more effectively protect their network.
Now comes a new feature set for our VM-Series on Amazon Web Services (AWS) that natively integrates with AWS Auto Scaling and Elastic Load Balancing (ELB), allowing the VM-Series on AWS to scale dynamically, yet independently of fluctuating AWS workloads. Auto Scaling the VM-Series on AWS leverages two load balancers, effectively creating a load balancer sandwich that enables VM-Series firewalls to scale independently of AWS workloads, based on metrics.
Palo Alto Networks worked with the AWS team to design a solution that uses native AWS services and standard VM-Series (PAN-OS) automation features to dynamically, yet independently, scale the VM-Series on AWS as protected workload demands fluctuate. Here’s a bit more detail on the solution components and how they are used:
- AWS CloudFormation Template is used to deploy the entire solution from an AWS CloudFormation template. This creates a simple-to-deploy, all-inclusive Auto Scaling the VM-Series on AWS solution.
- AWS Lambda is used for several predefined services, including: add network interfaces (ENIs) on newly deployed VM-Series instances, monitor VM-Series traffic metrics, and communicate with Amazon CloudWatch (via SNS).
- AWS S3 is used to store the VM-Series bootstrap configuration and the Lambda scripts. S3 storage can also be used to store other types of files, such as other AWS CloudFormation Templates, used for additional automation.
- Amazon CloudWatch monitors the AWS workloads, collecting relevant statistics that can be used in conjunction with the VM-Series metrics to initiate the deployment or removal of a VM-Series firewall.
- Bootstrapping (VM-Series/PAN-OS) allows you to create a fully configured VM-Series firewall instance. Each bootstrapped firewall can include firewall configuration, security policies, content updates, and inclusion in a Panorama network security management device group.
- PAN-OS (VM-Series/PAN-OS) API pulls user-defined metrics from the VM-Series firewall and uses Lambda to send them to CloudWatch.
- Panorama can optionally be used to centrally manage the entire solution.
How It Works
The AWS CloudFormation Template deploys an initial VM-Series firewall Auto Scaling Group using a bootstrapped image stored in AWS S3. The VM-Series bootstrapped image can also automatically attach the VM-Series firewall to Panorama if it has been deployed.
As traffic hitting your web server increases, CloudWatch monitors the traffic, initiating alarms based on user-defined metrics and, ultimately, the addition of a new web server. As the web server traffic increases, so too does the VM-Series traffic, which is where Lambda comes in to play. Lambda collects VM-Series metrics via the XML API and feeds them to CloudWatch as custom metrics, triggering a VM-Series scale-out event using the bootstrapped VM-Series firewall image. As traffic to the web server winds down, a scale-in event is triggered based on defined CloudWatch metrics, and the VM-Series is removed.
The Auto Scaling the VM-Series on AWS feature set is production ready, meaning if you use the scripts and templates as they are designed and run into a challenge, you can call the support team for assistance.
To learn more about the innovative way in which we solved the scaling challenge:
- Visit the VM-Series for AWS resource page
- Access all the necessary Auto Scaling the VM-Series in AWS resources if you’re already using the VM-Series and ready to give it a try.
Auto Scaling the VM-Series on AWS uses AWS Marketplace Bundle 1 or Bundle 2, in either an annual or an hourly subscription. BYOL is not supported for Auto Scaling the VM-Series on AWS.