
stackArmor Security MicroSummit - Next Generation Firewalls for AWS

Date post: 22-Jan-2018
Upload: gaurav-gp-pal
Transcript

Ed Caswell

Consulting Engineer

Palo Alto Networks

Securing the Public Cloud

AWS Deployment Scenarios


ELB Interoperability

4 | ©2014, Palo Alto Networks. Confidential and Proprietary.

[Diagram: Region 1 spanning AZ1 and AZ2, one web farm per AZ, with an External ELB and an Internal ELB.]

Native AWS and PAN-OS/VM-Series Services Used

AWS Services

CloudFormation Template: Automates full use case deployments

S3: AWS service where bootstrapping files are stored

CloudWatch: Consumes metrics and makes intelligent scale in/out decisions

Lambda: Code as a service pushes custom metrics to CloudWatch via XML API

Auto Scale Groups (ASG): The firewalls are members of an ASG that scales in/out based on custom metrics

PAN-OS/VM-Series Services

PAN-OS Bootstrapping: Automates creation of fully configured firewall

PAN-OS API: enables delivery of custom metric to CloudWatch

Panorama: Optional but highly recommended to simplify VM-Series management

Auto Scaling the VM-Series on AWS

[Diagram, built up over four slides: Region 1 with AZ1 and AZ2; External ELB, firewall ASG1 and ASG2 (ASG3 and ASG4 added as Internal ELB VIPs 3 and 4 appear), Internal ELB, and the Web ASG.]

1. CFT deploys base topology

2. Initial firewalls are bootstrapped from S3; bootstrapping adds VM-Series firewalls to Panorama

3. Standard metrics sent to CloudWatch

4. Alarm triggers ASG scale out

5. Lambda function collects PAN-OS metrics via API

6. Custom metrics sent to CloudWatch

7. Alarm triggers FW ASG scale events; bootstrapping continues to add FWs to Panorama, and a Lambda function removes FWs from Panorama

8. Lambda function monitors for ELB VIP changes

9. Lambda function deploys new ASG with NAT rule for new VIP
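Steps 5 to 7, and the Lambda and PAN-OS API entries in the services list, have a Lambda function turn firewall API output into CloudWatch custom metrics. The Python below is an added example, not code from the talk or from Palo Alto Networks: it parses a constructed reply in the shape of the PAN-OS XML API `show session info` output (tag names assumed), builds the `MetricData` list that boto3's `put_metric_data` accepts, and applies the same high/low thresholds a CloudWatch alarm would. `SAMPLE_RESPONSE`, the 80/20 thresholds and the `AutoScalingGroupName` dimension are this example's own choices.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS XML API reply to the
# "show session info" operational command. Only the counters used below
# are included; treat the tag names as an assumption of this example.
SAMPLE_RESPONSE = """<response status="success"><result>
  <num-max>262144</num-max>
  <num-active>210000</num-active>
  <kbps>48000</kbps>
  <cps>950</cps>
</result></response>"""
COUNTERS = ("num-max", "num-active", "kbps", "cps")

def parse_session_info(xml_text):
    """Extract the session counters; never turn an API error into a metric."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("PAN-OS API call failed: " + ET.tostring(root, encoding="unicode"))
    result = root.find("result")
    return {tag: float(result.findtext(tag)) for tag in COUNTERS}

def session_utilization(counters):
    """Share of the session table in use, in percent (0.0 if capacity unknown)."""
    if counters["num-max"] <= 0:
        return 0.0
    return 100.0 * counters["num-active"] / counters["num-max"]

def build_metric_data(counters, asg_name):
    """MetricData for put_metric_data, dimensioned by firewall ASG so one alarm per ASG drives scaling."""
    dims = [{"Name": "AutoScalingGroupName", "Value": asg_name}]
    return [
        {"MetricName": "SessionUtilization", "Dimensions": dims,
         "Unit": "Percent", "Value": session_utilization(counters)},
        {"MetricName": "ActiveSessions", "Dimensions": dims,
         "Unit": "Count", "Value": counters["num-active"]},
        {"MetricName": "SessionsPerSecond", "Dimensions": dims,
         "Unit": "Count/Second", "Value": counters["cps"]},
        {"MetricName": "Throughput", "Dimensions": dims,
         "Unit": "Kilobits/Second", "Value": counters["kbps"]},
    ]

def scale_decision(utilization, high=80.0, low=20.0):
    """Same logic the CloudWatch alarms encode: out above high, in below low, else hold."""
    if utilization >= high:
        return "out"
    if utilization <= low:
        return "in"
    return "hold"

# In the Lambda handler the list is published with:
# boto3.client("cloudwatch").put_metric_data(Namespace="VMSeries", MetricData=build_metric_data(c, asg))
```

Raising on a non-success API status matters: a failed poll that silently produced zero utilization would read as idle firewalls and could trigger a scale-in under load.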

InterVPC

Securing one VPC

[Diagram, two builds: DC-FW1 and DC-FW2 connected over IPSec VPN to a VPC holding Web1-01 and Web1-02 in AZ1; the second build adds Web2-01 and Web2-02.]

Securing lots of VPCs

[Diagram: DC-FW1 and DC-FW2 with IPSec VPNs to separate VPCs for the Marketing App, HR App, QA Environment and Dev Environment.]

[Diagram: a Services VPC and a Subscribing VPC, each with Subnet 1 and Subnet 2 across Availability Zone 1 and Availability Zone 2 within a Region.]

Services VPC + Hybrid + Internet Gateway

[Diagram: the Services VPC with hybrid connectivity to DC-FW1 and DC-FW2 and an Internet Gateway.]

Routing

Default route learned via DHCP from IGW on E1/1

Static route defined for enterprise network

Redistribution profile shares static routes with BGP peers

BGP routes propagated into local route table

SNAT on gateway firewall ensures symmetric return

More scale

[Diagram: DC-FW1 and DC-FW2, same pattern with more VPCs.]

LOTS more scale

[Diagram: DC-FW1 and DC-FW2, same pattern at much larger scale.]

Direct Connect

[Diagram: Direct Connect Location reached via Service Provider Links.]

Recommended