Plan the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1)

The items in this checklist are actions and choices you must make to implement this solution.
Planning Checklist for Templates v2.0 and v2.1
  • Verify the requirements for deploying the VM-Series Auto Scaling template.
The auto scaling template requires AWS Lambda and S3 Signature version 2 or 4, and can deploy VM-Series firewalls running supported PAN-OS versions. You need to look up the list of supported regions and the AMI IDs, which you provide as inputs to the firewall template.
  • Assign the appropriate permissions for the IAM user role.
The user who deploys the VM-Series Auto Scaling template must either have administrative privileges or have the permissions listed in the iam-policy.json to launch this solution successfully. Copy and paste the permissions from this file into a new IAM policy and then attach the policy to a new or existing IAM role.
For a cross-account deployment, where resources are in a different AWS account, the IAM role for the user who deploys the application template must have full SQS access permissions and a trust relationship that authorizes that user to write to the SQS queue that belongs to the firewall template.
  • Collect the details required for a cross-account deployment.
For a deployment where the firewall template and the application template are in different accounts, the account that hosts the firewall template resources is the trusting account and the other AWS account(s) that hold the application template resources are the trusted accounts. To launch the application template in a cross-account deployment, you need the following information:
  • Cross-account Role Amazon Resource Name (ARN) of the account in which you are deploying the application template.
  • External ID, which you defined when creating the IAM role that grants full SQS access to the trusting account.
  • The 10-digit account number for every AWS account in which you plan to launch the application template. Because the account that hosts the firewall template resources is the trusting account and owns the resources that the application template users need, you must list the account number of each trusted account that can access the firewall resources.
You can opt for the BYOL or PAYG licenses.
  • (For PAYG only) Review and accept the End User License Agreement (EULA).
    Required if you are launching a VM-Series firewall in an AWS account for the first time.
In the AWS Marketplace, search for Palo Alto Networks, and select the bundle you plan to use. The VM-Series firewalls will fail to deploy if you have not accepted the EULA for the bundle you plan to use.
  • Search for VM-Series Next Generation Firewall Bundle 2, for example.
  • Click Continue, and select Manual Launch. Review the agreement and click Accept Software Terms to accept the EULA.
You can now close the browser.
  • Decide whether you plan to use the public S3 buckets or your private S3 bucket for AWS Lambda, Python scripts, and templates.
Palo Alto Networks provides public S3 buckets in all AWS regions included in the supported regions list. These S3 buckets include all the templates, AWS Lambda code, and the bootstrap files that you need.
Palo Alto Networks recommends using the bootstrap files in the public S3 bucket only for evaluating this solution. For a production deployment, you must create a private S3 bucket for the bootstrap package.
The naming convention for the S3 bucket is panw-aws-autoscale-v20-<region_name>. For example, the bucket in the AWS Oregon region is panw-aws-autoscale-v20-us-west-2.
To use your private S3 bucket, you must download and copy the templates, AWS Lambda code, and the bootstrap files to your private S3 bucket. You can place all the required files for both the firewall template and the application template in one S3 bucket or place them in separate S3 buckets.
  • Download the templates, AWS Lambda code, and the bootstrap files.
  • Get the files for deploying the firewall template (application load balancer and the VM-Series firewalls) from the GitHub repository.
    Do not mix and match files across VM-Series Auto Scaling template versions.
    • Templates and Lambda code:
      • panw-aws.zip
      • firewall-v2.X.template
    • Bootstrap files:
      • init-cfg.txt
      • bootstrap.xml
        The bootstrap.xml file bundled with this solution is designed to help you get started, and is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch.
    • iam-policy: The user who deploys the VM-Series Auto Scaling template must have either administrative privileges or the permissions listed in this file to successfully launch this solution.
    The firewall template is supported by Palo Alto Networks Technical Support.
  • Get the files for deploying the NLB and the web servers from the GitHub repository versions 2.0 or 2.1.
    • Templates:
      • pan_aws_nlb-2.X.template—Use this template to deploy the application template resources within the same VPC as the one in which you deployed the firewall template (same AWS account).
      • pan_aws_nlb_vpc-2.X.template—Use this template to deploy the application template resources in a different VPC. This template allows you to deploy the resources within the same AWS account or in a different AWS account as long as you have the appropriate permissions to support a cross-account deployment.
      • pan_nlb_lambda.template—Creates an AWS Network Load Balancer, which multiplexes traffic to the registered scaled-out backend web servers.
    • Lambda code and Python scripts.
  • Customize the bootstrap.xml file for your production environment.
To ensure that your production environment is secure, you must customize the bootstrap.xml file with a unique administrative username and password for production deployments. The default username and password are pandemo/demopassword. You can also use this opportunity to create an optimal firewall configuration with interfaces, zones, and security policy rules that meet your application security needs.
  • Decide whether you want to use Panorama for centralized logging, reporting, and firewall management.
Panorama is an option for administrative ease and is the best practice for managing the firewalls. It is not required to manage the auto scaling tier of VM-Series firewalls deployed in this solution.
If you want to use Panorama, you can either deploy a Panorama virtual appliance on AWS, or use an M-Series appliance or a Panorama virtual appliance inside your corporate network.
Panorama must be in Panorama mode, not Management Only mode.
To successfully register the firewalls with Panorama, you must collect the following details:
  • API key for Panorama—So that AWS Lambda can make API requests to Panorama, you must provide an API key when you launch the VM-Series Auto Scaling template. As a best practice, in a production deployment, create a separate administrative account just for the API call and generate an associated API key.
  • Panorama IP address—You must include the IP address in the configuration (init-cfg.txt) file. The firewalls must be able to access this IP address from the VPC; to ensure a secure connection, use a direct connect link or an IPSec tunnel.
  • VM auth key—Allows Panorama to authenticate the firewalls so that it can add each firewall as a managed device. You must include this key in the configuration (init-cfg.txt) file.
    The VM auth key is required for the lifetime of the deployment. Without a valid key in the connection request, the VM-Series firewall will be unable to register with Panorama. For details on the key, see Generate the VM Auth Key on Panorama.
  • Template stack name and the device group name to which to assign the firewalls—You must first add a template and assign it to a template stack, create a device group on Panorama, and then include the template stack name and the device group name in the configuration (init-cfg.txt) file.
To reduce the cost and avoid the scale limits of Elastic IP addresses, the firewalls do not have public IPs. If you are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) that attaches to the Untrust subnet within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls. By default, this solution includes an AWS NAT gateway that the firewalls use to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch.
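As an added pre-flight check for the two checklist items above (customizing bootstrap.xml and filling in the Panorama details in init-cfg.txt), the script below is example code, not part of the Palo Alto Networks templates: it parses init-cfg.txt for the Panorama registration keys and scans bootstrap.xml for the default pandemo account before you upload the bootstrap package to your private S3 bucket. The key names are the standard PAN-OS bootstrap keys; the XML layout for admin users is an assumption, and the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Standard PAN-OS bootstrap keys that init-cfg.txt must carry for Panorama registration.
PANORAMA_KEYS = ("panorama-server", "vm-auth-key", "tplname", "dgname")
DEFAULT_ADMIN = "pandemo"  # default admin account shipped in the evaluation bootstrap.xml

def parse_init_cfg(text):
    """Parse the key=value lines of init-cfg.txt into a dict, skipping blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def default_admin_present(bootstrap_xml):
    """True if bootstrap.xml still defines the default admin user (assumes the
    PAN-OS layout config/mgt-config/users/entry[@name])."""
    root = ET.fromstring(bootstrap_xml)
    return any(e.get("name") == DEFAULT_ADMIN for e in root.iterfind("./mgt-config/users/entry"))

def check_bootstrap(init_cfg_text, bootstrap_xml, use_panorama=True):
    """Return a list of findings; an empty list means the package passed the check."""
    findings = []
    cfg = parse_init_cfg(init_cfg_text)
    if use_panorama:
        for key in PANORAMA_KEYS:
            if not cfg.get(key):
                findings.append(f"init-cfg.txt: '{key}' is missing or empty (required for Panorama)")
    if default_admin_present(bootstrap_xml):
        findings.append(f"bootstrap.xml: default administrator '{DEFAULT_ADMIN}' is still defined")
    return findings

# Constructed sample inputs: an init-cfg.txt that leaves the VM auth key blank and an
# evaluation bootstrap.xml that still defines the default administrator.
SAMPLE_INIT_CFG = """\
type=dhcp-client
panorama-server=10.0.0.10
tplname=aws-template-stack
dgname=aws-device-group
vm-auth-key=
"""
SAMPLE_BOOTSTRAP_XML = """<config><mgt-config><users>
<entry name="pandemo"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
</users></mgt-config></config>"""

if __name__ == "__main__":
    print("\n".join(check_bootstrap(SAMPLE_INIT_CFG, SAMPLE_BOOTSTRAP_XML)) or "bootstrap package OK")
```

Pass use_panorama=False when you manage the firewalls through a jump server instead of Panorama, so that only the default-credential check applies.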