Protecting Kubernetes and IaaS Workloads in AWS

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L5 Sessionator

Protecting Kubernetes and IaaS Workloads in AWSProtecting Kubernetes and IaaS Workloads in AWS

Protecting Kubernetes and IaaS Workloads in AWS

In addition to securing traditional IaaS workloads, Palo Alto Networks is excited to offer protection for your Elastic Kubernetes Workloads in AWS using the Palo Alto Networks Virtual firewall.


VM-Series in AWS

In AWS, customers leverage the VM-Series as an ingress security gateway for traditional IaaS workloads. In addition to the native security functionality offered by AWS, the VM-Series augments native cloud security by delivering first-class application visibility, control, and threat prevention. VM-Series support for Kubernetes further strengthens our capabilities in cloud security and will help customers accelerate their journey to the cloud with consistent and comprehensive protection across EKS workloads. 


Protecting your IaaS and Kubernetes Workloads in AWS

Load balancers in a hub-and-spoke architecture.Load balancers in a hub-and-spoke architecture.



Panorama Plugin for Amazon EKS

To provide VM-Series support for EKS Clusters in AWS, the Panorama orchestrator is leveraged. The Panorama plugin for Amazon EKS secures inbound traffic to Kubernetes clusters and provides outbound monitoring for traffic exiting the cluster. Outbound traffic can return through the VMSeries firewall, but firewall rules applied to outbound traffic must have a default allow all policy to permit Kubernetes orchestration traffic to function.
  • The minimum Panorama software version is 9.0.3.
  • You must deploy your VM-Series firewall (or firewall set) in the same VPC as your EKS cluster. You can create up to 16 clusters in the same VPC and secure them with the same firewall or firewall set.


The plugin uses the Kubernetes Python SDK to retrieve information related to services deployed in your cluster. The plugin queries for services that are labeled panw-tg-port and are assigned a valid port value. The plugin uses the port to create an inbound NAT rule on the VM-Series firewall. When traffic hits the firewall on that specified port, Panorama applies the inbound NAT rule for that port and routes the packet to its destination.


Automated Deployment

For both the AWS Auto Scale and AWS EKS architecture, the cloud formation templates automate the deployment. For the autoscaling template, Lambda configures the static information needed to automatically route traffic. For Kubernetes deployments, the Panorama plugin for EKS configures the static route in the VM-Series firewall set to route traffic to the desired destination.  NAT rules are added to perform address translation on inbound packets, ensuring that the initial traffic, as well as the return traffic, passes through the firewall. This deployment model provides a seamless cloud-centric approach to using the VM-Series to secure IaaS and EKS workloads in the cloud. 


You can download the AWS Auto Scale and EKS templates on GitHub using the following links:

We encourage you to read more about this integration by reviewing the solutions brief: 

Secure AWS Servers and Kubernetes with the VM-Series.

You may also find more information about AWS on the LIVEcommunity VM-Series on AWS resource page.
  • 325 Subscriptions
Register or Sign-in