Auto Scale VM-Series Firewalls with the Amazon ELB

Palo Alto Networks delivers CloudFormation Templates for deploying an auto-scaling tier of VM-Series firewalls using several AWS services such as Lambda, auto scaling groups, Elastic Load Balancing (ELB), S3, SNS, and CloudWatch, and the VM-Series automation capabilities including the PAN-OS API and bootstrapping. The templates (the latest are vpc-classic-v1.2.template and vpc-alb-v1.2.template) allow you to leverage the AWS scalability features designed to manage sudden surges in demand for application workload resources by simultaneously scaling the VM-Series firewalls with changing workloads.
The templates deploy the VM-Series in an ELB sandwich topology with an internet-facing classic ELB and either an internal classic load balancer or an internal application load balancer (internal ELB). The internet-facing ELB is accessible from the internet and distributes traffic that enters the VPC across a pool of VM-Series firewalls. The firewalls then redirect traffic using NAT policy to the internal ELB. The internal ELB, which is only accessible inside the VPC, distributes traffic to an auto scaling tier of web servers. The API integration with AWS CloudWatch allows the CloudWatch service to monitor the health and resource load on the EC2 instances—VM-Series firewalls and web servers—and then use that information to trigger a scale-in or scale-out event in the respective Auto Scaling Group (ASG).
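The sandwich topology implies two checkable invariants: only firewalls are registered with the internet-facing ELB, and every web server sits behind an internal ELB. The added example below (not part of the Palo Alto Networks templates) audits both over constructed data shaped like the boto3 classic ELB and Auto Scaling describe responses. The ELB names, ASG names and instance IDs are invented, and an internal application load balancer would need its target groups read instead.

```python
# Constructed sample inventory, shaped like the boto3 responses
#   elb.describe_load_balancers()["LoadBalancerDescriptions"]
#   autoscaling.describe_auto_scaling_groups()["AutoScalingGroups"]
# Every name and instance ID below is invented for illustration.
ASGS = [
    {"AutoScalingGroupName": "fw-asg",
     "Instances": [{"InstanceId": "i-fw1"}, {"InstanceId": "i-fw2"}]},
    {"AutoScalingGroupName": "web-asg",
     "Instances": [{"InstanceId": "i-web1"}, {"InstanceId": "i-web2"}]},
]
GOOD_ELBS = [
    {"LoadBalancerName": "public-elb", "Scheme": "internet-facing",
     "Instances": [{"InstanceId": "i-fw1"}, {"InstanceId": "i-fw2"}]},
    {"LoadBalancerName": "internal-elb", "Scheme": "internal",
     "Instances": [{"InstanceId": "i-web1"}, {"InstanceId": "i-web2"}]},
]
# Misconfiguration: a web server registered directly with the public ELB,
# and a second web server that is behind no internal ELB at all.
BAD_ELBS = [
    {"LoadBalancerName": "public-elb", "Scheme": "internet-facing",
     "Instances": [{"InstanceId": "i-fw1"}, {"InstanceId": "i-web1"}]},
    {"LoadBalancerName": "internal-elb", "Scheme": "internal",
     "Instances": [{"InstanceId": "i-web1"}]},
]

def ids(items):
    return {i["InstanceId"] for i in items}

def audit_sandwich(elbs, asgs, fw_asg="fw-asg", web_asg="web-asg"):
    """Return findings; an empty list means the sandwich invariants hold."""
    members = {g["AutoScalingGroupName"]: ids(g["Instances"]) for g in asgs}
    firewalls, web = members.get(fw_asg, set()), members.get(web_asg, set())
    findings, behind_internal = [], set()
    for lb in elbs:
        registered = ids(lb["Instances"])
        if lb["Scheme"] == "internal":
            behind_internal |= registered
            continue
        # Internet-facing: anything that is not a firewall is reachable
        # from the internet without passing through the VM-Series tier.
        for iid in sorted(registered - firewalls):
            findings.append(f"{lb['LoadBalancerName']}: {iid} bypasses the firewall tier")
    for iid in sorted(web - behind_internal):
        findings.append(f"{web_asg}: {iid} is not behind an internal ELB")
    return findings

if __name__ == "__main__":
    for label, elbs in (("good", GOOD_ELBS), ("bad", BAD_ELBS)):
        print(label, audit_sandwich(elbs, ASGS))
```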