AWS Auto Scaling Integration- Another Problem Solved Through Innovation

Matt Keil

We strive to solve customer problems in an innovative manner that doesn’t slow business productivity. The core features of our next-generation firewall solved the inadequacies of port-based filtering. WildFire and AutoFocus delivered on the promise of a global threat intelligence cloud, preventing unknown threats and helping customers make actionable the intelligence gathered to more effectively protect their network.

Now comes a new feature set for our VM-Series on Amazon Web Services (AWS) that natively integrates with AWS Auto Scaling and Elastic Load Balancing (ELB), allowing the VM-Series on AWS to scale dynamically, yet independently of fluctuating AWS workloads. Auto Scaling the VM-Series on AWS leverages two load balancers, effectively creating a load balancer sandwich that enables VM-Series firewalls to scale independently of AWS workloads, based on metrics.

Palo Alto Networks worked with the AWS team to design a solution that uses native AWS services and standard VM-Series (PAN-OS) automation features to dynamically, yet independently, scale the VM-Series on AWS as protected workload demands fluctuate. Here’s a bit more detail on the solution components and how they are used:

  • AWS CloudFormation Template is used to deploy the entire solution from an AWS CloudFormation template. This creates a simple-to-deploy, all-inclusive Auto Scaling the VM-Series on AWS solution.
  • AWS Lambda is used for several predefined services, including: add network interfaces (ENIs) on newly deployed VM-Series instances, monitor VM-Series traffic metrics, and communicate with Amazon CloudWatch (via SNS).
  • AWS S3 is used to store the VM-Series bootstrap configuration and the Lambda scripts. S3 storage can also be used to store other types of files, such as other AWS CloudFormation Templates, used for additional automation.
  • Amazon CloudWatch monitors the AWS workloads, collecting relevant statistics that can be used in conjunction with the VM-Series metrics to initiate the deployment or removal of a VM-Series firewall.
  • Bootstrapping (VM-Series/PAN-OS) allows you to create a fully configured VM-Series firewall instance. Each bootstrapped firewall can include firewall configuration, security policies, content updates, and inclusion in a Panorama network security management device group.
  • PAN-OS (VM-Series/PAN-OS) API pulls user-defined metrics from the VM-Series firewall and uses Lambda to send them to CloudWatch.
  • Panorama can optionally be used to centrally manage the entire solution.

How It Works

The AWS CloudFormation Template deploys an initial VM-Series firewall Auto Scaling Group using a bootstrapped image stored in AWS S3. The VM-Series bootstrapped image can also automatically attach the VM-Series firewall to Panorama if it has been deployed.

As traffic hitting your web server increases, CloudWatch monitors the traffic, initiating alarms based on user-defined metrics and, ultimately, the addition of a new web server. As the web server traffic increases, so too does the VM-Series traffic, which is where Lambda comes in to play. Lambda collects VM-Series metrics via the XML API and feeds them to CloudWatch as custom metrics, triggering a VM-Series scale-out event using the bootstrapped VM-Series firewall image. As traffic to the web server winds down, a scale-in event is triggered based on defined CloudWatch metrics, and the VM-Series is removed.

The Auto Scaling the VM-Series on AWS feature set is production ready, meaning if you use the scripts and templates as they are designed and run into a challenge, you can call the support team for assistance.

To learn more about the innovative way in which we solved the scaling challenge:

Auto Scaling the VM-Series on AWS uses AWS Marketplace Bundle 1 or Bundle 2, in either an annual or an hourly subscription. BYOL is not supported for Auto Scaling the VM-Series on AWS.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.