How Palo Alto Networks Scales Next-Gen Security on AWS

One of three articles in a series about security for the three major public cloud environments: AWS, Azure and Google.

In the public cloud, scalability challenges manifest themselves in two ways. The first is accommodating dynamic traffic patterns, such as the spike following a new product launch or a holiday sales special. In these scenarios, both your workloads and your security solution need to scale seamlessly, yet independently of each other. The second is protecting Amazon Web Services deployments with a large number of VPCs or accounts while ensuring secure connectivity to corporate or web resources, or to other VPCs, without incurring added cost and complexity.

To solve both of these scalability challenges, we have built a set of templates and scripts that use a range of AWS services and VM-Series features to automate secure, scalable deployments on AWS.


Auto Scaling the VM-Series on AWS 2.0

Utilizing native AWS services (e.g., Elastic Load Balancers, Lambda, CloudWatch) and VM-Series features (e.g., bootstrapping, XML API), our customers can deploy a fully integrated next-generation firewall solution that can scale dynamically with traffic patterns.

The solution deploys an AWS Application Load Balancer and an AWS Network Load Balancer as external and internal traffic distribution mechanisms, respectively, creating a “load balancer sandwich” that enables the VM-Series to scale dynamically, resulting in two significant operational benefits.

First, the on-demand nature of Auto Scaling for the VM-Series results in a more efficient use of security resources and lower associated costs. The second benefit is reduced administrative effort: all VM-Series firewalls use the same predefined bootstrap configuration and can be centrally managed, with complete visibility, via Panorama network security management. Auto Scaling the VM-Series on AWS 2.0 uses a hub-and-spoke architecture to simplify deployment and can support either a single, large VPC or many smaller VPCs. Scaling decisions are based on VM-Series metrics that the firewalls publish directly to AWS CloudWatch, so no Lambda function is needed to collect them. To make the solution easier to customize, the AWS CloudFormation Template has been redesigned.
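To make the metric-driven scaling decision concrete, the following is an added example (not code from the original article or from the Palo Alto Networks templates) that evaluates a firewall Auto Scaling group's datapoints the way an alarm-driven policy does: scale out after a short run of high readings, scale in only after a longer run of low readings, and honour a cooldown and the group's size bounds. The metric name, thresholds, evaluation windows, cooldown and sample series are illustrative assumptions, not the values used by the real template or the names of PAN-OS metrics.

```python
"""Offline model of alarm-driven scaling for a firewall Auto Scaling group.

Everything here is an assumption for illustration: metric name, thresholds,
evaluation windows, cooldown and the sample datapoints are constructed and
are not taken from the VM-Series templates or from PAN-OS.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ScalingPolicy:
    metric: str                 # illustrative metric name, e.g. a dataplane utilisation %
    scale_out_threshold: float  # sustained readings above this add a firewall
    scale_in_threshold: float   # sustained readings below this remove a firewall
    out_periods: int            # consecutive breaching periods required to scale out
    in_periods: int             # consecutive breaching periods required to scale in
    min_size: int               # never shrink below this many firewalls
    max_size: int               # never grow beyond this many firewalls

    def __post_init__(self) -> None:
        # The gap between the two thresholds is the hysteresis that stops a group
        # from adding a firewall and removing it on the next evaluation. Scaling in
        # a stateful firewall drops the sessions it holds, so it should also require
        # at least as much evidence as scaling out.
        if self.scale_in_threshold >= self.scale_out_threshold:
            raise ValueError("scale-in threshold must be below scale-out threshold")
        if self.in_periods < self.out_periods:
            raise ValueError("scale-in must require at least as many periods as scale-out")
        if not 1 <= self.min_size <= self.max_size:
            raise ValueError("invalid group size bounds")


def _breaching(samples: List[float], periods: int, above: bool, threshold: float) -> bool:
    """True when the most recent `periods` datapoints all breach the threshold."""
    if len(samples) < periods:
        return False  # not enough data yet: treated as not in alarm
    recent = samples[-periods:]
    return all((s > threshold) if above else (s < threshold) for s in recent)


def decide(policy: ScalingPolicy, samples: List[float], current_size: int) -> str:
    """Return 'scale_out', 'scale_in' or 'none' for the group-wide datapoints
    (oldest first, already aggregated across the firewalls, e.g. the Average)."""
    if _breaching(samples, policy.out_periods, True, policy.scale_out_threshold):
        return "scale_out" if current_size < policy.max_size else "none"
    if _breaching(samples, policy.in_periods, False, policy.scale_in_threshold):
        return "scale_in" if current_size > policy.min_size else "none"
    return "none"


def simulate(policy: ScalingPolicy, series: List[float], start_size: int,
             cooldown: int = 2) -> List[int]:
    """Replay a datapoint series period by period and return the group size after
    each period. After any scaling action, `cooldown` evaluations are skipped so
    the new capacity has time to affect the metric before it is judged again."""
    size = start_size
    remaining_cooldown = 0
    sizes: List[int] = []
    for t in range(len(series)):
        if remaining_cooldown > 0:
            remaining_cooldown -= 1
        else:
            action = decide(policy, series[: t + 1], size)
            if action == "scale_out":
                size += 1
                remaining_cooldown = cooldown
            elif action == "scale_in":
                size -= 1
                remaining_cooldown = cooldown
        sizes.append(size)
    return sizes


# Constructed, illustrative policy and datapoints (one value per evaluation period):
# a traffic spike that triggers a scale-out, then a long quiet stretch.
POLICY = ScalingPolicy(metric="DataplaneUtilizationPct", scale_out_threshold=70.0,
                       scale_in_threshold=30.0, out_periods=2, in_periods=5,
                       min_size=2, max_size=6)
SAMPLES = [20, 40, 75, 80, 85, 90, 60, 40, 25, 20, 20, 20, 20, 20, 25, 25]


def run_example() -> List[int]:
    """Group size per period for the constructed series, starting at min_size."""
    return simulate(POLICY, SAMPLES, start_size=POLICY.min_size)


if __name__ == "__main__":
    for period, (value, size) in enumerate(zip(SAMPLES, run_example())):
        print(f"period {period:2d}  {POLICY.metric}={value:3d}  firewalls={size}")
```

In the replay, the group grows from two to three firewalls in period 3 (the second consecutive reading above 70) and only shrinks back in period 12, after five consecutive readings below 30; the readings of 85 and 90 during the cooldown do not trigger a second scale-out, and once the group is back at its minimum size further low readings do nothing. The asymmetry is deliberate: adding capacity late costs latency, while removing a firewall early tears down live sessions.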

  • Watch the new “Auto Scaling the VM-Series on AWS” Lightboard


Transit VPC With the VM-Series on AWS

Here we leverage a combination of AWS services (e.g., AWS CloudFormation Templates, Virtual Private Gateway, Lambda, and CloudTrail) and VM-Series automation features (e.g., bootstrapping, XML API) to create a centralized, hub-and-spoke security and connectivity architecture.

When fully deployed, VM-Series firewalls run in the hub, performing secure connectivity and threat prevention functions for the subscribing VPCs, or “spokes.” Traffic from a spoke VPC to corporate locations, web resources or other spokes “transits” the hub VPC over IPsec VPN tunnels with BGP routing, so every spoke shares the same VM-Series next-generation security services. Additional pairs of VM-Series firewalls are deployed automatically based on the defined ratio of VPC spokes per VM-Series firewall pair, either within an individual account or across multiple accounts. Using Panorama, security teams can deploy a range of security policies to protect the AWS deployment from threats. The Transit VPC with the VM-Series is a cost-effective, easy-to-manage alternative to backhauling traffic to a corporate firewall or deploying a VM-Series per VPC.

The Transit VPC with the VM-Series helps you reduce the cost of security while lowering administrative effort by centralizing security in a shared services architecture that can support the differing requirements of application development groups. In some deployment scenarios, the hub VPC may host additional services such as DNS and logging alongside security and IPsec VPN connectivity.

These two solutions exemplify how next-generation security can be fully automated, enabling security teams to establish a strong security posture while allowing the users to operate at the speed of the cloud.

Check them out now on our Public Cloud integration resource page.