topic Autoscaling in AWS version 3 (Gateway load balancer integration) - Decouple the Lambda scripts for autoscaling when not using the template in VM-Series in the Public Cloud

Autoscaling in AWS version 3 (Gateway load balancer integration) - Decouple the Lambda scripts for autoscaling when not using the template

TonyCleveleys — Wed, 16 Jun 2021 16:32:01 GMT

Hi everyone,

We are looking to deploy the virtual firewalls in AWS in an autoscaling group and plan to build the AWS infrastructure (GLB, subnets, routing tables etc using terraform).

The lambda scripts with the Cloud formation template are extensive (3500 lines of code) to monitor for firewalls being added/removed as part of a scaling event and update Panorama etc.

Is the only way to deploy to use the Cloud formation template or can we decouple the lambda/python scripts (init.py, sched1.py and sched2.py) and plumb it in to our environment that's been built with terraform?

It looks like a lot of work to build the scripts from scratch as they do a lot of work. Has anyone solved this issue or done something similar?

Would really appreciate any advice anyone may have.

Thanks in advance!

Re: Autoscaling in AWS version 3 (Gateway load balancer integration) - Decouple the Lambda scripts for autoscaling when not using the template

jmeurer — Thu, 17 Jun 2021 17:53:32 GMT

We have an update coming to the ASG scripting in the next week or two that greatly simplifies the scripting. Now with that said, there are few functions performed by the scripts, and here are some ways around them.

1. AWS had a limitation with Launch Templates that limited the instance to one interface. A large portion of the code adds the second interface after boot. That limitation no longer exists but you a forced to run mgmt and data plane in the same subnet. If you properly configure your security groups, this is not a risk as you just need 0/0 pointing to a NatGw and RFC 1918 pointing at the TGW in that subnet.

2. The scripting also handles delicensing and removal from Panorama. We have a licensing plugin that can handle those tasks for you. https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall/use-panorama-based-software-firewall-license-management

Re: Autoscaling in AWS version 3 (Gateway load balancer integration) - Decouple the Lambda scripts for autoscaling when not using the template

TonyCleveleys — Sun, 20 Jun 2021 20:32:57 GMT

That is really helpful, thanks for such a quick reply. Much appreciated

Re: Autoscaling in AWS version 3 (Gateway load balancer integration) - Decouple the Lambda scripts for autoscaling when not using the template

jmeurer — Tue, 22 Jun 2021 17:24:11 GMT

Circling back to this. I recently posted the simplified autoscaling template that I mentioned.

https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/cft_simplifiedASG_with_warm_pools

Re: Autoscaling in AWS version 3 (Gateway load balancer integration) - Decouple the Lambda scripts for autoscaling when not using the template

FranklinV — Sat, 26 Jun 2021 17:38:22 GMT

Tony, I am working on a similar project. I am curious why not use the vm-series plugin (instead of terraform) to deploy the security dmz?

Re: Autoscaling in AWS version 3 (Gateway load balancer integration) - Decouple the Lambda scripts for autoscaling when not using the template

TonyCleveleys — Wed, 30 Jun 2021 20:17:46 GMT

We can use terraform for the supporting infrastructure but it’s the ASG that’s the challenge and all the associated lambda scripts. Needs to plumb in to the cloud formation infrastructure to work properly

Re: Autoscaling in AWS version 3 (Gateway load balancer integration) - Decouple the Lambda scripts for autoscaling when not using the template

TonyCleveleys — Wed, 30 Jun 2021 20:19:21 GMT

This is brilliant, thank you. Really helpful. We are trying version 3.0 first which all seems to work but never registers as a managed firewall in panorama. Will do some more digging. Thanks for your help. Keep up the good work!