VM-Series for AWS Auto Scaling

Scaling security with AWS workloads

 This week, we delivered a set of scripts and templates to solve the challenge of scaling security in conjunction with workloads in AWS. The new feature set for the VM-Series on AWS natively integrates with AWS Auto Scaling and Elastic Load Balancing (ELB), allowing the VM-Series to scale dynamically yet independently of your fluctuating AWS workloads. Auto Scaling the VM-Series on AWS leverages two load balancers, effectively creating a load balancer sandwich that enables your VM-Series firewalls to scale independently of your AWS workloads based on metrics.

Dynamic scaling of VM-Series on AWS

Using native AWS services and standard VM-Series (PAN-OS) automation features, you can now scale the VM-Series on AWS dynamically, as your protected workload demands fluctuate. Here’s a bit more detail on the solution components and how they are used. 

• AWS CloudFormation Template is used to deploy the entire solution from an AWS CloudFormation template. This creates a simple-to-deploy, all-inclusive Auto Scaling the VM-Series on AWS solution.
• AWS Lambda is used for several predefined services including: add network interfaces (ENIs) on newly deployed VM-Series instances, monitor VM-Series traffic metrics, and communicate with Amazon CloudWatch (via SNS).
• AWS S3 is used to store the VM-Series bootstrap configuration and the Lambda scripts. S3 storage can also be used to store other types of files, such as other AWS CloudFormation Templates, used for additional automation.
• Amazon CloudWatch monitors the AWS workloads, collecting relevant statistics that can be used in conjunction with the VM-Series metrics to initiate the deployment or removal of a VM-Series firewall.
• Bootstrapping (VM-Series/PAN-OS) allows you to create a fully configured VM-Series firewall instance. Each bootstrapped firewall can include firewall configuration, security policies, content updates and inclusion in a Panorama™ network security management device group.
• PAN-OS^® (VM-Series/PAN-OS) API pulls user-defined metrics from the VM-Series firewall and uses Lambda to send them to CloudWatch.
• Panorama can optionally be used to centrally manage the entire solution.

How it works

The AWS CloudFormation Template deploys an initial VM-Series firewall Auto Scaling Group using a bootstrapped image stored in AWS S3. PAN-OS bootstrapping can also automatically attach the VM-Series firewall to Panorama if it has been deployed.

As traffic hitting your web server (or workload) increases, CloudWatch monitors the traffic, initiating alarms based on user-defined metrics and ultimately the addition of a new web server. As the web server traffic increases, so too does the VM-Series traffic, which is where Lambda comes in to play. Lambda collects VM-Series metrics via the XML API and feeds them to CloudWatch as custom metrics, triggering a VM-Series scale-out event using the bootstraped VM-Series firewall image. As traffic to the web server winds down, a scale-in event is triggered based on defined CloudWatch metrics and the VM-Series is removed.

Production-ready scripts and templates

The Auto Scaling the VM-Series on AWS feature set is production ready, meaning if you use the scripts and templates as they are designed, and if you run into a challenge, you can contact the support team for assistance. To learn more about the innovative way in which we solved the scaling challenge, watch the Auto Scaling the VM-Series on AWS Lightboard and demo here.

If you’re already using the VM-Series and want to try it out, you can find all the necessary resources here. Note that Auto Scaling the VM-Series on AWS uses AWS Marketplace Bundle 1 or Bundle 2, in either an annual or an hourly subscription.