VM-Series and AWS Gateway Load Balancer Integration Overview

L3 Networker

Inserting virtual appliances in public cloud environments just got a great deal easier, thanks to Amazon Web Services (AWS) recently announcing the general availability of the integration between VM-Series virtual firewalls and the new AWS Gateway Load Balancer (GWLB). It's an exciting development because this integration gives customers much higher security scaling and throughput while removing the complexity of inserting virtual appliances in the traffic path. As many of our customers will be delighted to learn, GWLB makes it easy to deploy, scale, and manage third-party virtual appliances on AWS.


Integration resolves significant scaling and deployment challenges

When it comes to deploying VM-Series firewalls in AWS, customers typically leverage an AWS Transit Gateway deployment. Like most customers, you probably connect the spoke VPCs that hold your application workloads to the AWS Transit Gateway, and then deploy the VM-Series firewalls in dedicated security VPCs that connect to the same AWS Transit Gateway.

But without these GWLB capabilities, customers face challenges that slow deployment and get in the way of performance and consistent security. In particular, two challenges need to be addressed to attain optimal speed, performance, and ongoing threat protection. Here are some of the tradeoffs associated with a design without Gateway Load Balancer:

Challenge # 1 - Scale and Throughput Performance

Until now, you had two connectivity options to route your outbound and east-west traffic through the VM-Series firewalls in your transit gateway environment:

  1. You could deploy VM-Series with encrypted tunnels using AWS Transit Gateway VPN attachments (see Figure 1). 
  2. You could deploy VM-Series in active-passive HA mode using AWS Transit Gateway VPC attachments.

The first option provides scale by using equal-cost multi-path routing (ECMP) across multiple VPN attachments, but each VPN attachment is limited to 1.25 Gbps of throughput. The second option uses VPC attachments that provide up to 50 Gbps of throughput but do not scale beyond a single active VM-Series firewall (per AWS Availability Zone).

[Figure 1 image: withoutnew.png]

Figure 1: Current transit gateway deployment models with VM-Series may force customers to make tradeoffs between visibility, scalability, and performance.

 

Challenge # 2 - Visibility and Centralized Firewall Management

A similar tradeoff exists for inbound traffic protection. Like most customers, you likely use a "sandwich" architecture that forces all your inbound application traffic to flow through an inbound security VPC. This inbound security VPC hosts an auto-scaling firewall stack for threat prevention (see Figure 1). While this architecture enables you to manage firewalls and security policies centrally, it also requires the firewalls to apply source network address translation (SNAT) to the traffic to maintain flow symmetry, which hides the original source address from your applications.

The integration of VM-Series virtual firewalls with the GWLB alleviates the above tradeoff concerns.

This new integration, shown in Figure 2, enables you to use native AWS networking constructs, such as VPC attachments, to scale your VM-Series firewalls dynamically to match your inbound, outbound, and east-west traffic demands.

[Figure 2 image: withnew.png]

Figure 2: AWS Gateway Load Balancer simplifies VM-Series virtual firewall insertion at higher scale and throughput for inbound, outbound, and east-west traffic protection.

 

The VM-Series firewall integration with GWLB offers the following benefits:

  • Simplified connectivity: Easily insert an auto-scaling VM-Series firewall stack in the outbound, east-west, and inbound traffic paths of your applications. VM-Series and the GWLB use the GENEVE encapsulation to keep your traffic packet headers and payload intact, providing complete visibility of the source’s identity to your applications – In other words, no more SNAT. 
  • Performance at scale: Scale your traffic across multiple VM-Series firewalls at higher throughput by using AWS native networking constructs and AWS Transit Gateway VPC attachments. You no longer need encrypted tunnels for east-west and outbound traffic inspection – In other words, no IPsec tunnel overhead.
  • Cost-Effective: Reduce the number of firewalls needed to protect your AWS environment and consolidate your overall network security posture with centralized security management.
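The "no more SNAT" point above rests on GWLB handing the firewall the original packet inside a GENEVE envelope. The following is an added example, not code from this post or from Palo Alto Networks: it decodes a GENEVE packet the way an appliance behind GWLB receives it (the UDP payload on port 6081), reads the original inner IPv4 source and destination, and hands the packet back under the unchanged GENEVE header so the load balancer can correlate the flow. The GENEVE layout follows RFC 8926; the option class 0x0108 and the type names (VPC endpoint ID, attachment ID, flow cookie) are taken from AWS's GWLB documentation and should be treated as an assumption to verify against your own captures. The sample packet, its addresses and its option values are constructed here for illustration.

```python
"""Decode and re-encapsulate a GENEVE packet as seen by an appliance behind AWS GWLB."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

GENEVE_UDP_PORT = 6081      # GWLB sends GENEVE to the appliance on this UDP port
ETHERTYPE_IPV4 = 0x0800     # GENEVE protocol type for an inner IPv4 packet

# GWLB-specific TLVs. Class/type values per AWS GWLB docs (assumption: verify in captures).
GWLB_OPTION_CLASS = 0x0108
GWLB_OPTION_NAMES = {1: "vpc_endpoint_id", 2: "attachment_id", 3: "flow_cookie"}


@dataclass
class GeneveOption:
    opt_class: int
    opt_type: int
    data: bytes          # multiple of 4 bytes, per RFC 8926


@dataclass
class GenevePacket:
    vni: int
    protocol: int
    options: List[GeneveOption]
    payload: bytes       # the inner packet, untouched by GWLB


def parse_geneve(buf: bytes) -> GenevePacket:
    """Parse the 8-byte base header, the variable-length options and the payload."""
    if len(buf) < 8:
        raise ValueError("truncated GENEVE header")
    b0, _flags, proto, vni_raw = struct.unpack("!BBHI", buf[:8])
    if b0 >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_end = 8 + (b0 & 0x3F) * 4          # Opt Len is in 4-byte words
    if len(buf) < opt_end:
        raise ValueError("options run past end of packet")
    options, off = [], 8
    while off < opt_end:
        oclass, otype, olen = struct.unpack("!HBB", buf[off:off + 4])
        data_len = (olen & 0x1F) * 4        # low 5 bits of the length byte
        data = buf[off + 4:off + 4 + data_len]
        if len(data) != data_len or off + 4 + data_len > opt_end:
            raise ValueError("malformed GENEVE option")
        options.append(GeneveOption(oclass, otype, data))
        off += 4 + data_len
    return GenevePacket(vni_raw >> 8, proto, options, buf[opt_end:])


def encode_geneve(pkt: GenevePacket) -> bytes:
    """Rebuild the packet byte-for-byte; the appliance must return it this way."""
    opts = b"".join(struct.pack("!HBB", o.opt_class, o.opt_type, len(o.data) // 4) + o.data
                    for o in pkt.options)
    return struct.pack("!BBHI", len(opts) // 4, 0, pkt.protocol, pkt.vni << 8) + opts + pkt.payload


def gwlb_metadata(pkt: GenevePacket) -> Dict[str, int]:
    """Extract the GWLB TLVs (endpoint, attachment, flow cookie) as integers."""
    return {GWLB_OPTION_NAMES[o.opt_type]: int.from_bytes(o.data, "big")
            for o in pkt.options
            if o.opt_class == GWLB_OPTION_CLASS and o.opt_type in GWLB_OPTION_NAMES}


def inner_ipv4_addresses(pkt: GenevePacket) -> Tuple[str, str]:
    """The original source/destination: no SNAT has happened in front of the firewall."""
    hdr = pkt.payload
    if pkt.protocol != ETHERTYPE_IPV4 or len(hdr) < 20 or hdr[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    src, dst = struct.unpack("!4s4s", hdr[12:20])
    return str(IPv4Address(src)), str(IPv4Address(dst))


def inspect(raw: bytes, blocked_sources: set) -> Optional[bytes]:
    """Policy keyed on the real client IP; allowed packets go back to GWLB unchanged."""
    pkt = parse_geneve(raw)
    src, _dst = inner_ipv4_addresses(pkt)
    if src in blocked_sources:
        return None                          # drop: GWLB never sees a reply for this packet
    return encode_geneve(pkt)                # forward: same VNI, options and inner packet


def _ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _build_inner_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed inner IPv4/TCP packet with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:] + payload


# Constructed sample: what the appliance would read from UDP/6081 (option values are placeholders).
SAMPLE_OPTIONS = [
    GeneveOption(GWLB_OPTION_CLASS, 1, bytes.fromhex("0000000000abcdef")),  # VPC endpoint ID
    GeneveOption(GWLB_OPTION_CLASS, 2, bytes.fromhex("0000000000123456")),  # attachment ID
    GeneveOption(GWLB_OPTION_CLASS, 3, bytes.fromhex("deadbeef")),          # flow cookie
]
SAMPLE_GENEVE = encode_geneve(GenevePacket(
    vni=0, protocol=ETHERTYPE_IPV4, options=SAMPLE_OPTIONS,
    payload=_build_inner_ipv4("203.0.113.10", "10.20.0.5", b"tcp-segment-placeholder")))

if __name__ == "__main__":
    parsed = parse_geneve(SAMPLE_GENEVE)
    print("inner src/dst:", inner_ipv4_addresses(parsed))
    print("gwlb metadata:", {k: hex(v) for k, v in gwlb_metadata(parsed).items()})
    print("returned unchanged:", inspect(SAMPLE_GENEVE, {"198.51.100.1"}) == SAMPLE_GENEVE)
```

The practical check this illustrates: a firewall inserted through GWLB must listen for GENEVE on UDP 6081, apply policy to the inner headers, and send accepted packets back with the GENEVE base header and options exactly as received; rewriting or dropping the options breaks the load balancer's flow correlation. A separate health check on the appliance is still required for GWLB to consider the target healthy.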

Get the GWLB Integration Details

To learn more about the benefits of this integration, take a look at these helpful resources:

  • Watch the overview video for an understanding of what you'll gain from the integration.
  • See the in-depth demo video highlighting VM-Series with Gateway Load Balancer deployment using CloudFormation templates.

And to begin realizing these benefits in your AWS environment today, you can start a trial of VM-Series on AWS from the AWS Marketplace. And don't forget to check our Palo Alto Networks GitHub repository for the latest VM-Series resources, which will help you deploy this new solution and save your organization time and effort.

Comments
L0 Member

Great solution!!!

What version of PANOS will this work on?

L3 Networker

Hi, 

VM-Series firewall deployment with a GWLB requires:
  • PAN-OS 10.0.2 or later
  • VM-Series plugin 2.0.2 or later
  • Panorama 10.0.2 or later if you are using Panorama to manage your firewalls.

Here is a documentation link for reference.

Thanks
