Ed Caswell
Consulting Engineer
Palo Alto Networks
Securing the Public Cloud
AWS Deployment Scenarios
4 | ©2014, Palo Alto Networks. Confidential and Proprietary.

[Diagram: Region 1 with a web farm in each of AZ1 and AZ2, an Internal ELB between them and an External ELB in front]

Native AWS and PAN-OS/VM-Series Services Used

AWS Services
CloudFormation Template: automates full use case deployments
S3: AWS service where bootstrapping files are stored
CloudWatch: consumes metrics and makes intelligent scale in/out decisions
Lambda: code as a service that collects custom metrics from the firewall via the PAN-OS XML API and pushes them to CloudWatch
Auto Scale Groups (ASG): the firewalls are members of an ASG that scales in/out based on custom metrics

PAN-OS/VM-Series Services
PAN-OS Bootstrapping: automates creation of a fully configured firewall
PAN-OS API: enables delivery of custom metrics to CloudWatch
Panorama: optional but highly recommended to simplify VM-Series management
Auto Scaling the VM-Series on AWS

[Diagram: Region 1 spanning AZ1 and AZ2; an External ELB in front of firewall ASG1 and ASG2, with a Web ASG and an Internal ELB behind them. The last step shows Internal ELB VIPs 1 to 4 paired with firewall ASG1 to ASG4.]

1. CFT deploys base topology
2. Initial firewalls are bootstrapped from S3; bootstrapping adds the VM-Series firewalls to Panorama
3. Standard metrics sent to CloudWatch
4. Alarm triggers ASG scale out
5. Lambda function collects PAN-OS metrics via API
6. Custom metrics sent to CloudWatch
7. Alarm triggers FW ASG scale events; bootstrapping continues to add FWs to Panorama, and a Lambda function removes FWs from Panorama
8. Lambda function monitors for ELB VIP changes
9. Lambda function deploys a new ASG with a NAT rule for the new VIP
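The metric steps in this sequence (a Lambda function collecting PAN-OS metrics via the XML API and publishing custom metrics to CloudWatch) as an added Python example; it is not code from the deck or from Palo Alto Networks' own Lambda functions, and the 'show session info' field names, the metric names and the namespace are assumptions.

```python
"""Added example (not from the slide deck): the Lambda step that turns a
PAN-OS 'show session info' XML reply into CloudWatch custom metrics.
Assumed: the firewall answers the XML API op command
type=op&cmd=<show><session><info></info></session></show> with the fields
num-active, num-max and cps; the metric names and namespace are ours."""
import xml.etree.ElementTree as ET

NAMESPACE = "VMSeries"  # assumed custom namespace the FW ASG alarms watch

# Constructed sample reply, shaped like a PAN-OS XML API op response.
SAMPLE_XML = """<response status="success"><result>
<num-active>12000</num-active><num-max>40000</num-max>
<cps>150</cps><kbps>8192</kbps></result></response>"""


def parse_session_info(xml_text):
    """Return the session counters the alarms need, as ints.
    Raises ValueError if the API reported an error or a field is missing,
    so a bad reply never becomes a silent zero that would trigger scale in."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("PAN-OS API returned status %r" % root.get("status"))
    counters = {}
    for field in ("num-active", "num-max", "cps"):
        node = root.find("./result/" + field)
        if node is None or node.text is None:
            raise ValueError("missing field " + field)
        counters[field] = int(node.text)
    return counters


def build_metric_data(counters, asg_name):
    """Build the MetricData list for CloudWatch put_metric_data. Session
    utilisation (percent of num-max) is what a scale-out alarm watches."""
    util = 100.0 * counters["num-active"] / counters["num-max"]
    dims = [{"Name": "AutoScalingGroupName", "Value": asg_name}]
    return [
        {"MetricName": "SessionUtilization", "Dimensions": dims,
         "Value": round(util, 2), "Unit": "Percent"},
        {"MetricName": "SessionsPerSecond", "Dimensions": dims,
         "Value": float(counters["cps"]), "Unit": "Count/Second"},
    ]


def push_metrics(cloudwatch, xml_text, asg_name):
    """Lambda body: parse the reply and publish. 'cloudwatch' is a boto3
    CloudWatch client (boto3.client('cloudwatch')) or a test double."""
    data = build_metric_data(parse_session_info(xml_text), asg_name)
    cloudwatch.put_metric_data(Namespace=NAMESPACE, MetricData=data)
    return data
```

In the real function the XML comes from an HTTPS GET against the firewall's /api/ endpoint with an API key; the parse step rejects error replies so a failed poll never publishes a misleading zero.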
[Diagram: a Services VPC and a Subscribing VPC in one Region, each with Subnet 1 and Subnet 2 spread across Availability Zone 1 and Availability Zone 2, with data center firewalls DC-FW1 and DC-FW2]

Routing
Default route learned via DHCP from the IGW on E1/1
Static route defined for the enterprise network
Redistribution profile shares static routes with BGP peers
BGP routes propagated into the local route table
SNAT on the gateway firewall ensures a symmetric return path