Cloud NGFW for AWS Resiliency and Scalability
Cloud NGFW for AWS is a regional service similar to other AWS zone-redundant services. This service is delivered on the AWS platform to protect your AWS Virtual Private Clouds (VPCs) and Cloud WAN traffic.
Where Can I Use This?
  • Cloud NGFW for AWS
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Account (CSP)
  • AWS Marketplace account
  • User role (either tenant or administrator)
The Cloud NGFW resource is an instantiation of the Cloud NGFW for AWS service. This resource provides next-generation firewall capabilities without requiring you to manage the underlying infrastructure. Each NGFW resource is a Gateway Load Balancer-based VPC endpoint service managed by Palo Alto Networks, with built-in resiliency, zone affinity, scalability, and life-cycle management. Under the hood, each Cloud NGFW resource includes a dedicated set of Auto Scaling Groups (ASGs) of Palo Alto Networks Security Processing VM instances, one ASG for each Availability Zone (AZ) you specify. These ASGs are the targets for the Gateway Load Balancer (GWLB).
The Security Processing VM instances are the core components of the Palo Alto Networks Cloud NGFW for AWS, hosting the Palo Alto Networks software that performs the Next-Generation Firewall (NGFW) functions.

Built-in Scalability

The Cloud NGFW for AWS resource maintains uptime through its built-in elastic scalability model, which dynamically scales with your traffic to meet unpredictable throughput demands. The Auto Scaling Group provisioned for each AWS Availability Zone within the Cloud NGFW resource scales out independently, adding Security Processing VM nodes based on the traffic volume in that zone. As the traffic volume in an Availability Zone decreases, the corresponding Auto Scaling Group scales in, again independently of the other zones.
Cloud NGFW uses Multi-Dimensional Scaling (MDS) to monitor multiple performance metrics—CPU, throughput, and session utilization—to ensure optimal performance.
Aggressive Scale-Out
The Cloud NGFW resource scales out by adding more firewall instances when the average of any single scaling dimension reaches its defined scale-out threshold. This aggressive approach ensures the service can quickly handle sudden increases in traffic volume and maintain its uptime and performance.
Conservative Scale-In
The Cloud NGFW resource scales in by removing firewall instances only when the average of each scaling dimension drops below its defined scale-in threshold. This conservative approach prevents premature scaling during fluctuating traffic patterns.
Scaling Dimensions and Thresholds
The Cloud NGFW resource leverages its built-in high availability and scales with your traffic based on the following dimensions and thresholds:

Scaling Metric       | Default Scale-Out Threshold | Default Scale-In Threshold | Description
---------------------|-----------------------------|----------------------------|------------------------------------------------------------------------------
CPU Utilization      | 40%                         | 20%                        | The percentage of CPU resources currently in use by the firewall instance.
Session Throughput   | 40%                         | 20%                        | The percentage of the instance's maximum supported throughput currently in use.
Session Utilization  | 30%                         | 10%                        | The percentage of the maximum supported session count currently active on the firewall.
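The scale-out and scale-in rules above, expressed as a decision function over the page's three dimensions. This is an added illustration, not Palo Alto Networks code: the threshold values are taken from the table, while the function names and the per-instance sample format are assumptions made for the example.

```python
"""Multi-Dimensional Scaling (MDS) decision logic as described on this page.

Added example, not Palo Alto Networks code. Thresholds come from the page's table;
function names and the metric-sample format are assumptions for illustration.
"""
from statistics import mean

# Default thresholds from the page's table: (scale-out, scale-in), in percent.
THRESHOLDS = {
    "cpu_utilization": (40.0, 20.0),
    "session_throughput": (40.0, 20.0),
    "session_utilization": (30.0, 10.0),
}


def average_metrics(samples):
    """Average each scaling dimension over the instances of one AZ's ASG.

    `samples` is a list of dicts, one per Security Processing VM instance
    (constructed format, an assumption)."""
    return {name: mean(s[name] for s in samples) for name in THRESHOLDS}


def scaling_decision(averages, thresholds=THRESHOLDS):
    """Return 'scale_out', 'scale_in' or 'hold' for one AZ's ASG.

    Aggressive scale-out: ANY dimension reaches its scale-out threshold.
    Conservative scale-in: EVERY dimension is below its scale-in threshold.
    Anything in between holds the current instance count."""
    if any(averages[n] >= out_t for n, (out_t, _) in thresholds.items()):
        return "scale_out"
    if all(averages[n] < in_t for n, (_, in_t) in thresholds.items()):
        return "scale_in"
    return "hold"


def decide_per_az(samples_by_az):
    """Each AZ's ASG is evaluated on its own, as the page states."""
    return {az: scaling_decision(average_metrics(s)) for az, s in samples_by_az.items()}


# Constructed sample: one AZ with the page's minimum of two instances. CPU is
# quiet, but session utilization is high, so MDS scales out on that dimension.
SAMPLES_AZ_A = [
    {"cpu_utilization": 15, "session_throughput": 18, "session_utilization": 35},
    {"cpu_utilization": 12, "session_throughput": 22, "session_utilization": 31},
]

if __name__ == "__main__":
    print(average_metrics(SAMPLES_AZ_A), scaling_decision(average_metrics(SAMPLES_AZ_A)))
```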

Built-in Resiliency

As discussed in the disaster recovery guide, Palo Alto Networks has built in resilience to recover from Security Processing VM failures and from AWS Availability Zone failures. Cloud NGFW maintains its uptime through this built-in resiliency model.
Resiliency against failures within an AWS Availability Zone
To ensure high availability within a single AZ, the Cloud NGFW uses a dedicated Auto Scaling Group (ASG) for its Security Processing VM instances.
  • High Availability: A minimum of two Security Processing VM instances run simultaneously in the ASG.
  • Fault Detection: The AWS Gateway Load Balancer uses fine-grained health checks to quickly detect faults in any backend Security Processing VM instance.
  • Automatic Recovery: If a specific firewall instance comes up as unhealthy, the AWS Auto Scaling group automatically detects the failure and immediately brings up a new Security Processing VM instance to replace the failed instance. This ensures that the required capacity is always available to handle traffic without manual intervention.
Resiliency Across AWS Availability Zones
The service protects against a complete AZ failure by distributing its security processing nodes:
  • Distinct ASGs: The Cloud NGFW uses a separate ASG for each AWS Availability Zone it spans within a region.
  • Limited Impact: In the rare event of a complete AZ failure, the "blast radius" is limited only to the ASG and Security Processing VM instances provisioned in that specific, failed AZ. Both the application workloads and the Cloud NGFW security processing VM instances in that AZ will be down, and Cloud NGFW will not receive any traffic in that AZ.
  • Continued Operation: The Cloud NGFW resource remains intact and continues to protect traffic using the Security Processing VM instances in the other available AZs.
  • Automatic Resumption: Once the failed AZ is back up, the Cloud NGFW resource automatically detects the change and immediately brings up the ASG and new Security Processing VM instances in that zone.
Resiliency Across AWS Regions
For applications deployed in an active-active manner across multiple AWS regions, the Cloud NGFW service is deployed per region: you deploy a Cloud NGFW resource in each region where the application runs.
  • Regional Failure: In the rare event of a complete regional failure, application workloads and the Cloud NGFW resource in that region will be down, and no traffic will be received in that region.
  • Cross-Region Continuity: Application workloads in other regions will continue to process traffic, and the Cloud NGFW service deployed in those regions will continue to secure that traffic, ensuring security and high availability are maintained across the overall application environment.