AWS and Palo Alto Networks are excited to announce the integration of Palo Alto Networks Cloud NGFW with AWS PrivateLink – resource VPC endpoint. With this integration, Cloud NGFW can securely access multiple private resources in your accounts, simplifying your operations and enhancing your security management across hybrid cloud environments.
Cloud NGFW for AWS is a cloud-native Next-Generation Firewall managed by Palo Alto Networks. It provides advanced threat protection, scalability, and seamless integration within AWS environments. Its built-in scalability, resilience, and life-cycle management offload operational responsibility from customers to Palo Alto Networks, providing a zero-maintenance experience. Moreover, Cloud NGFW offers a guaranteed SLA of 99.99% availability, ensuring your cloud applications remain secure and highly available. Cloud NGFW natively integrates with AWS workflows and streamlines policy management and security operations using Palo Alto Networks Panorama and Strata Cloud Manager.
This new capability offered in AWS PrivateLink and VPC Lattice allows private, scalable access to critical resources across AWS accounts and organizations while maintaining strict security boundaries. Before this, connecting to resources like databases and analytics clusters required either public exposure of these resources or complex configurations with workarounds, often limiting access. With the new capability, you can selectively provide access to these resources to other AWS accounts and AWS organizations to ensure streamlined network connectivity to these resources.
A Cloud NGFW resource provides NGFW capabilities for your VPC traffic. Under the hood, a Cloud NGFW resource is a Gateway Load Balancer-based VPC endpoint service. To use a Cloud NGFW resource, you create a dedicated subnet in your VPC for each desired AWS Availability Zone. You then create NGFW endpoints (also known as Gateway Load Balancer endpoints) on your subnets and update the VPC route tables to send traffic through these endpoints.
Your hybrid cloud network generally encompasses your VPCs on AWS connected to the on-premises environment via VPN or AWS Direct Connect. Until now, Cloud NGFW could not directly access private resources in your hybrid cloud environment. These include your AWS PaaS resources such as S3 buckets, on-premises DNS servers, Syslog servers, and the Palo Alto Networks User-ID agents. With this integration, customers like you can create a Resource Gateway and specify the private resources that Cloud NGFW can access. Once configured, Cloud NGFW can securely access these resources in your environment using a resource VPC endpoint (powered by AWS PrivateLink).
The new capability uses AWS Resource Access Manager (RAM), AWS PrivateLink, VPC Lattice, and the VPC connectivity to your on-premises networks to enable Cloud NGFW to securely access essential resources in your hybrid cloud network.
Cloud NGFW integration with resource VPC endpoint offers the following benefits:
"AWS is committed to empowering customers with secure, scalable solutions that simplify cloud operations," said Yousef Ourabi, Director of Application Networking at AWS. "Through our partnership with Palo Alto Networks, the integration of AWS PrivateLink – resource endpoints with Cloud NGFW provides customers with private, seamless access to critical resources across VPCs and accounts. This solution enhances security and reduces complexity, helping organizations innovate and grow confidently in the cloud."
"The integration of AWS PrivateLink resource endpoints with Palo Alto Networks Cloud NGFW marks a significant step forward in simplifying cloud security operations," said Rich Campagna, SVP of Product Management at Palo Alto Networks. "This collaboration empowers our customers to enable Cloud NGFW access with seamless, secure connectivity to their resources while leveraging industry-leading threat prevention and traffic control. Together with AWS, we are committed to delivering innovative solutions that enable organizations to scale securely and focus on driving their business forward."
The integrated solution will be available next year. This collaboration underscores both organizations' commitment to providing cloud-native, customer-centric solutions that empower businesses with best-in-class security and connectivity tools that are easy to deploy and manage.
Ready to take your cloud security to the next level? Consider attending AWS re:Invent session AIM271-S | Securing applications with AWS and Palo Alto Networks. In this session, you will hear how our customers address the challenges faced in cloud environments with Palo Alto Networks firewalls. To learn more about Cloud NGFW, visit the documentation and FAQ pages. To get hands-on experience, subscribe via the AWS Marketplace page. As always, your feedback drives our feature roadmap and product development. Please contact us through your Palo Alto Networks support team if you have additional feedback or Cloud NGFW feature requests.