: Deployments Supported on AWS
Focus
Focus

Deployments Supported on AWS

Table of Contents

Deployments Supported on AWS

The VM-Series firewall secures inbound and outbound traffic to and from EC2 instances within the AWS Virtual Private Cloud (VPC). Because the AWS VPC only supports an IP network (Layer 3 networking capabilities), the VM-Series firewall can only be deployed with Layer 3 interfaces.
  • Deploy the VM-Series firewall to secure the EC2 instances hosted in the AWS Virtual Private Cloud.
    If you host your applications in the AWS cloud, deploy the VM-Series firewall to protect and safely enable applications for users who access these applications over the internet. For example, the following diagram shows the VM-Series firewall deployed in the Edge subnet to which the internet gateway is attached. The application(s) are deployed in the private subnet, which does not have direct access to the internet.
    When users need to access the applications in the private subnet, the firewall receives the request and directs it to the appropriate application, after verifying security policy and performing Destination NAT. On the return path, the firewall receives the traffic, applies security policy and uses Source NAT to deliver the content to the user. See Use Case: Secure the EC2 Instances in the AWS Cloud.
VM-Series for EC2 Instances
  • Deploy the VM-Series firewall for VPN access between the corporate network and the EC2 instances within the AWS Virtual Private Cloud.
    To connect your corporate network with the applications deployed in the AWS Cloud, you can configure the firewall as a termination point for an IPSec VPN tunnel. This VPN tunnel allows users on your network to securely access the applications in the cloud.
    For centralized management, consistent enforcement of policy across your entire network, and for centralized logging and reporting, you can also deploy Panorama in your corporate network. If you need to set up VPN access to multiple VPCs, using Panorama allows you to group the firewalls by region and administer them with ease.
VM-Series for VPN Access
  • Deploy the VM-Series firewall as a GlobalProtect gateway to secure access for remote users using laptops. The GlobalProtect agent on the laptop connects to the gateway, and based on the request, the gateway either sets up a VPN connection to the corporate network or routes the request to the internet. To enforce security compliance for users on mobile devices (using the GlobalProtect App), the GlobalProtect gateway is used in conjunction with the GlobalProtect Mobile Security Manager. The GlobalProtect Mobile Security Manager ensures that mobile devices are managed and configured with the device settings and account information for use with corporate applications and networks.
    In each of the use cases above, you can deploy the VM-Series firewall in an active/passive high availability (HA) pair. For information on setting up the VM-Series firewall in HA, see Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC.
  • Deploy the VM-Series firewall with the Amazon Elastic Load Balancing (ELB) service, whereby the firewall can receive dataplane traffic on the primary interface in the following scenarios where the VM-Series firewall is behind the Amazon ELB:
    • The VM-Series firewall(s) is securing traffic outbound directly to the internet without the need for using a VPN link or a Direct Connect link back to the corporate network.
    • The VM-Series firewall secures an internet-facing application when there is exactly one back-end server, such as a web server, for each firewall. The VM-Series firewalls and web servers can scale linearly, in pairs, behind ELB.
VM-Series with ELB
You cannot configure the firewall to send and receive dataplane traffic on eth0 when the firewall is in front of ELB. The VM-Series firewall must be placed behind the Amazon ELB.
In addition to the links above that are covered under the Palo Alto Networks official support policy, Palo Alto Networks provides Community supported templates in the Palo Alto Networks GitHub repository that allow you to explore the solutions available to jumpstart your journey into cloud automation and scale on AWS. See AWS Transit VPC for a hub and subscribing VPC deployment that enables you to secure traffic between VPCs, between a VPC and an on-prem/hybrid cloud resource, and secure outbound traffic to the internet.