Resource Monitoring on AWS
Learn about the AWS resource monitoring options that are available to help you monitor assets in your AWS deployment.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| | AWS account; Amazon Machine Image (AMI) ID; VM-Series License (PAYG or BYOL); VM-Series plugin; Panorama; Panorama plugin for AWS |
As you deploy or terminate resources in the AWS public
cloud, you can either use the Panorama plugin for AWS or use the
AWS resource information sources on the firewall to consistently
enforce security policy rules on these workloads. See the
Compatibility Matrix for
Panorama plugin version information.
The Panorama plugin for AWS is built for scale and allows you to monitor up to 1000 AWS VPCs on
the AWS public cloud. With this plugin, you use Panorama as an anchor to poll your AWS
accounts for tags, and then distribute the metadata (IP address-to-tag mapping) to many
firewalls in a device group. Because Panorama communicates with your AWS accounts to
retrieve AWS resource information, you’re able to streamline the number of API calls
made to the cloud environment. When using Panorama and the AWS plugin, you can
centralize the retrieval of tags and Security policy management to ensure consistent
policies for hybrid and cloud-native architectures.
If you do not have Panorama or you have a simpler deployment
and need to monitor 10 VPCs or fewer, you can use the VM Information
Source on the firewall (hardware or VM-Series firewall) to monitor
your AWS workloads. You can use the metadata, which the firewall
retrieves, in Dynamic Address Groups and reference them in Security policies
to secure your VM workloads as they spin up or down and IP addresses
change frequently. See Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC.
As you deploy or terminate resources in the AWS public cloud, you need a way to
synchronously update Security policy on your Palo Alto Networks® firewall(s) so that you
can secure these EC2 instances. To enable this capability from Panorama, you must
install the AWS plugin on Panorama and enable API communication between Panorama and
your AWS VPCs. Panorama can then collect a predefined set of attributes (or metadata
elements) as tags for your AWS resources and register the information to your Palo Alto
Networks® firewall(s). When you reference these tags in Dynamic Address Groups and match
against them in Security policy rules, you can consistently enforce policy across all
assets deployed within your AWS accounts.
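The following is an added illustration of the IP-address-to-tag mapping described above; it is not code from the Panorama plugin or from Palo Alto Networks. The input is a constructed sample shaped like an EC2 describe_instances response, and the tag naming scheme (`aws.tag.<Key>.<Value>`, `aws.vpc-id.<id>`) is an assumed convention for illustration only, not the plugin's actual attribute names.

```python
"""Constructed example: build IP-to-tag metadata from instance data, match a
Dynamic Address Group against it, and compute what to register/unregister
when workloads spin up or down. Tag names are an assumed convention."""
from typing import Dict, List, Set, Tuple

# Constructed sample shaped like an EC2 describe_instances response.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "VpcId": "vpc-11", "State": {"Name": "running"},
         "PrivateIpAddress": "10.0.1.10",
         "Tags": [{"Key": "Role", "Value": "web"}, {"Key": "Env", "Value": "prod"}]},
        {"InstanceId": "i-0bbb", "VpcId": "vpc-11", "State": {"Name": "running"},
         "PrivateIpAddress": "10.0.1.11",
         "Tags": [{"Key": "Role", "Value": "db"}, {"Key": "Env", "Value": "prod"}]},
        {"InstanceId": "i-0ccc", "VpcId": "vpc-22", "State": {"Name": "terminated"},
         "PrivateIpAddress": "10.0.2.5",
         "Tags": [{"Key": "Role", "Value": "web"}]},
    ]}
]


def build_ip_tag_map(reservations: List[dict]) -> Dict[str, Set[str]]:
    """Return {private_ip: {tags}} for running instances only.

    Terminated instances are skipped so a reused IP never inherits a
    stale tag and silently matches a policy written for the old workload.
    """
    mapping: Dict[str, Set[str]] = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            ip = inst.get("PrivateIpAddress")
            if not ip:
                continue
            tags = {f"aws.vpc-id.{inst['VpcId']}"}  # assumed naming
            for t in inst.get("Tags", []):
                tags.add(f"aws.tag.{t['Key']}.{t['Value']}")  # assumed naming
            mapping[ip] = tags
    return mapping


def dag_members(ip_tags: Dict[str, Set[str]], required: Set[str]) -> List[str]:
    """IPs whose registered tags contain every tag in `required` (AND match)."""
    return sorted(ip for ip, tags in ip_tags.items() if required <= tags)


def registration_delta(old: Dict[str, Set[str]],
                       new: Dict[str, Set[str]]) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """(ips whose tags must be (re)registered, ips to unregister) between two polls."""
    to_register = {ip: tags for ip, tags in new.items() if old.get(ip) != tags}
    to_unregister = set(old) - set(new)
    return to_register, to_unregister
```

The delta function shows why the polling loop must also unregister addresses: an IP that disappears from the poll is removed, so a policy rule referencing the group stops matching it as soon as the workload is gone.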