Cloud NGFW for AWS (SCM Try and Buy): Deployment Guide with Terraform


Introduction:

 

Cloud NGFW for AWS is a fully managed, cloud-native firewall service delivered by Palo Alto Networks and natively integrated with Amazon Web Services. It combines the power of Palo Alto Networks’ industry-leading threat prevention technologies with the simplicity and scalability of an AWS-managed service.

 

Built on machine learning–powered security capabilities, Cloud NGFW protects your AWS Virtual Private Clouds (VPCs) from advanced threats, exploits, malware, command-and-control activity, and risky applications—without requiring you to manage the underlying firewall infrastructure.

 

Key Capabilities of Cloud NGFW for AWS

 

  • ML-Powered Threat Prevention: Leverages real-time machine learning to block zero-day attacks, malware, and command-and-control traffic.
  • App-ID & User-ID: Classifies applications and users accurately for precise policy enforcement.
  • URL Filtering: Blocks access to risky or malicious websites using PAN-DB, a continuously updated cloud database.
  • WildFire Analysis: Provides cloud-based malware analysis and automatic signature generation.
  • Fully Managed Service: Palo Alto Networks handles scaling, availability, health monitoring, and lifecycle operations.
  • Native AWS Integration: Works seamlessly with VPCs, Subnet Routing, Transit Gateway, and VPC Endpoints—eliminating complex network engineering.
  • Elastic & Scalable: Automatically scales to match your traffic needs.
  • Centralized Management: All policies, logs, and firewall resources are configured through Strata Cloud Manager (SCM), providing a single, unified management plane.

 

About the Deployment Guide

 

This guide explains how to configure and integrate Cloud NGFW for AWS using a combined deployment model.

 

In a combined deployment model:

 

  • Hub-and-spoke connectivity is used, with NGFW endpoints deployed across accounts.
  • The hub, typically a transit gateway, serves as the central point of connectivity between VPCs, securing east-west and outbound traffic.
  • Cross-account NGFW endpoints in the application VPCs handle inbound traffic security.

 

Using Cloud NGFW in this model ensures consistent, high-performance security across distributed AWS environments while reducing operational overhead.

 

Architecture Diagram

 
[Architecture diagram image]

Prerequisites

 

Before you begin, you must have the following:

 

  1. AWS Account: An AWS account with permissions to create VPCs, TGWs, EC2 instances, ALBs, and VPC Endpoints.
  2. Terraform CLI: Terraform installed on your local machine or on the EC2 instance you are running this from.
  3. EC2 Key Pair: An existing EC2 Key Pair in your AWS account. You must know its exact name (e.g., prod-dev-key).
  4. Palo Alto Networks Strata Cloud Manager: You must have access to Strata Cloud Manager to deploy and manage the Cloud NGFW for AWS service.

 

Deploy the Cloud NGFW via SCM (Try and Buy)

 

Before running the Terraform script, you must first deploy the firewall and create and push policies using Strata Cloud Manager.

 

Step 1: Access Cloud NGFW in SCM

 

  1. Log in to the Strata Cloud Manager (SCM) console.
  2. Navigate to Configurations → Cloud NGFWs.
  3. Click Get Started to open the Cloud NGFW onboarding workflow.


Step 2: Begin the Firewall Creation Process

 

  1. Click Create Cloud NGFW to launch the setup wizard.

 

Step 3: Create a Cloud NGFW Resource for AWS

 

  1. In the Create Cloud NGFW wizard, select Amazon Web Services as your cloud provider.
  2. Click Next to continue.
  3. Provide the required deployment details:
    • Firewall Name
    • AWS Region
    • Availability Zone IDs (choose one or more depending on your HA requirements)
    • Allowlisted AWS Account: Enter the AWS account ID where you want to deploy the Endpoints

After completing the configuration fields, click Create and Deploy to provision the firewall.


 

Step 4: Explore Firewall Details

 

After the deployment completes, you can click Check Firewall Details to check the Status.


The firewall deployment will take approximately 10 minutes. Once the status changes to Create Complete, click the Firewall ID to open the resource details.


Navigate to the Endpoint Management section and copy the VPC Endpoint Service Name. You’ll need this value when running the Terraform deployment.


 

Step 5: Configure a Baseline Policy

 

  • Once deployed, the Cloud NGFW resource automatically registers as a device in Strata Cloud Manager.
  • Navigate to Configuration → NGFW and Prisma Access.
  • In the Configuration Scope section, select All Firewalls.
  • Go to Security Services → Security Policy.
  • Click Add Rule to create a new security policy.


  • Start by creating an Allow-All rule. You can later refine and modify the rule set based on your specific use case and security requirements.


Click Save once the rule configuration is complete.

 

  • In the top-right corner, click Push Config to send the configuration to the firewall resource.
  • In the Admin Scope section, select All Admins.
  • Enter a brief description for the change.
  • Select the firewall resources you want to push the configuration to.

Click Push to complete the configuration deployment.


Your Cloud NGFW resource is now ready for Terraform to deploy endpoints.

 

Part 2: Deploy Infrastructure with Terraform

 

This section walks you through deploying the Cloud NGFW demo environment using Terraform. Before proceeding, ensure you have downloaded all required Terraform files (main.tf, variables.tf, terraform.tfvars, and the modules/ directory).

 

Step 1: Clone the Repository

 

Start by cloning the project repository to your local machine:

 

git clone https://github.com/PaloAltoNetworks/CloudNGFW-Combined-Model-Try-and-Buy.git

Step 2: Configure Your Terraform Environment

 

Verify that your project directory matches the expected structure:

 

├── main.tf
├── tgw.tf
├── providers.tf
├── variables.tf
├── README.md
├── terraform.tfvars
└── modules/
    ├── vpc-app/
    │   ├── main.tf
    │   ├── outputs.tf
    │   └── variables.tf
    └── vpc-security/
        ├── main.tf
        ├── outputs.tf
        └── variables.tf

 

Open terraform.tfvars and update the following values:

 

EC2 Key Pair Name

 

Replace with your existing AWS EC2 key pair:

 

instance_key_name = "prod-xxxx-key"
 
Cloud NGFW Service Name

 

Use the VPC Endpoint Service Name copied from Strata Cloud Manager (SCM) earlier:

 

gwlb_service_name = "com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxx"
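The following is an added example, not the repository's own module code, of how the gwlb_service_name value from terraform.tfvars is consumed inside an application VPC: a Gateway Load Balancer endpoint that points at the Cloud NGFW service, plus the Internet Gateway edge route that pushes inbound ALB traffic through it. Resource names such as aws_vpc.app, aws_subnet.ngfw, aws_subnet.alb, aws_route_table.alb and aws_internet_gateway.app are assumed placeholders.

```hcl
# Added example, not the repository's own module code: how gwlb_service_name is
# consumed. aws_vpc.app, aws_subnet.ngfw, aws_subnet.alb, aws_route_table.alb and
# aws_internet_gateway.app are assumed placeholder names for the application VPC.

variable "gwlb_service_name" {
  description = "Cloud NGFW VPC Endpoint Service Name copied from Endpoint Management in SCM"
  type        = string
  validation {
    condition     = can(regex("^com\\.amazonaws\\.vpce\\.[a-z0-9-]+\\.vpce-svc-[0-9a-f]+$", var.gwlb_service_name))
    error_message = "Expected the form com.amazonaws.vpce.<region>.vpce-svc-<id>."
  }
}

# Cross-account Cloud NGFW endpoint in the application VPC; the account this
# provider deploys into must be the one allowlisted in SCM.
resource "aws_vpc_endpoint" "ngfw" {
  vpc_id            = aws_vpc.app.id
  service_name      = var.gwlb_service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [aws_subnet.ngfw.id]
}

# Ingress: an edge route table on the Internet Gateway sends traffic for the ALB
# subnet into the endpoint before it reaches the ALB.
resource "aws_route_table" "igw_edge" {
  vpc_id = aws_vpc.app.id
}

resource "aws_route" "igw_to_ngfw" {
  route_table_id         = aws_route_table.igw_edge.id
  destination_cidr_block = aws_subnet.alb.cidr_block
  vpc_endpoint_id        = aws_vpc_endpoint.ngfw.id
}

resource "aws_route_table_association" "igw_edge" {
  gateway_id     = aws_internet_gateway.app.id
  route_table_id = aws_route_table.igw_edge.id
}

# Return path: the ALB subnet's default route also points at the endpoint, so
# both directions of every inbound session are inspected.
resource "aws_route" "alb_to_ngfw" {
  route_table_id         = aws_route_table.alb.id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = aws_vpc_endpoint.ngfw.id
}
```

The endpoint subnet's own route table still needs a 0.0.0.0/0 route to the Internet Gateway so inspected traffic can leave the VPC; if the validation fails, recheck the value copied from Endpoint Management in SCM.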
 

Step 3: Deploy the Network Infrastructure

 

From the root of the Terraform project directory, run the commands below.

 
Initialize Terraform

 

terraform init
 
Review the Deployment Plan

 

terraform plan
 
Deploy the Infrastructure

 

terraform apply

 

Type yes when prompted to begin deployment.

 

 

What Terraform Will Create

 

Terraform will automatically provision the full demo environment, including:

 

  • Three VPCs

    • 1 Security VPC

    • 2 Application VPCs

  • AWS Transit Gateway

  • Gateway Load Balancer Endpoints (Cloud NGFW)

  • Application Load Balancer (ALB)

  • Test EC2 instances

  • Routing for both north-south and east-west traffic flows
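As an added example, not the repository's tgw.tf, this is the Transit Gateway hub-and-spoke routing that the combined model relies on to force every VPC-to-VPC and outbound flow through the Security VPC. aws_vpc.security, aws_subnet.security_tgw and aws_ec2_transit_gateway_vpc_attachment.spoke (one attachment per application VPC, created elsewhere) are assumed placeholder names.

```hcl
# Added example, not the repository's tgw.tf: the hub-and-spoke routing that forces every VPC-to-VPC
# and outbound flow through the Security VPC. aws_vpc.security, aws_subnet.security_tgw and
# aws_ec2_transit_gateway_vpc_attachment.spoke (one attachment per application VPC) are assumed names.

# No default association or propagation: spokes never learn a direct path to each other.
resource "aws_ec2_transit_gateway" "hub" {
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

# Appliance mode pins both directions of a flow to one AZ so the firewall sees a symmetric session.
resource "aws_ec2_transit_gateway_vpc_attachment" "security" {
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  vpc_id                 = aws_vpc.security.id
  subnet_ids             = aws_subnet.security_tgw[*].id
  appliance_mode_support = "enable"
}

# Spoke table: a single default route to the Security VPC attachment.
resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route" "spoke_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.security.id
}

resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}

# Security table: learns each spoke CIDR by propagation so inspected traffic can return.
resource "aws_ec2_transit_gateway_route_table" "security" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "security" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.security.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.security.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "spokes" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.security.id
}
```

Inside the Security VPC the TGW attachment subnets still need routes sending 0.0.0.0/0 and the spoke CIDRs to the GWLB endpoint, and the endpoint subnet needs the spoke CIDRs routed back to the TGW and 0.0.0.0/0 to the NAT Gateway; that in-VPC routing is not shown here.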

 
Deployment Output

 

After the deployment completes, Terraform will output two ALB DNS names that you can use for testing application traffic through Cloud NGFW.

 

Testing and Validation

 

Test 1: Ingress Traffic (Internet → ALB → EC2)

 

  1. Copy the app_vpc_1_alb_dns value from the Terraform output.
  2. Paste this DNS name into your web browser.
  3. Expected Result: You should see a "Hello from ip-10-1-x-x... in application-vpc-1" message.
  4. Verification: In SCM → Log Viewer, verify you see logs for this traffic.
  5. Validated Flow: Internet → IGW → GWLB Endpoint (NGFW) → ALB → EC2

 

Test 2: Outbound Traffic (EC2 → Internet)

 

  1. Use AWS SSM Session Manager or a bastion host to access an EC2 instance in a private subnet of an App VPC.
  2. Run a command to test internet access, for example: curl -v http://www.google.com
  3. Expected Result: You should receive a successful HTTP 200 OK response.
  4. Verification: In SCM → Log Viewer, verify you see logs for this outbound traffic.
  5. Validated Flow: EC2 Private Subnet → TGW → Security VPC → GWLB Endpoint (NGFW) → NAT Gateway → Internet

 

Test 3: East-West Traffic (VPC-to-VPC)

 

  1. SSH to an EC2 instance in App VPC 1 (e.g., 10.1.x.x).
  2. Ping the private IP address of an EC2 instance in App VPC 2 (e.g., 10.2.x.x).
  3. Expected Result: You should receive a successful ICMP reply.
  4. Verification: In SCM → Log Viewer, verify you see logs for this VPC-to-VPC traffic.
  5. Validated Flow: App VPC 1 → TGW → Security VPC → GWLB Endpoint (NGFW) → TGW → App VPC 2

 
