- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
This blog written by Nidhi Pandey and Vijay Arumugam Kannan.
We are excited to announce that Palo Alto Networks Managed Cloud NGFW and customer managed VM-Series firewall now integrates with AWS Cloud WAN
First, some context: Over the years, Palo Alto Networks customers have used VM-Series Next-Generation Virtual Firewalls (aka virtual form-factor of firewalls) to protect their VPC traffic. These virtual firewalls provide best-in-class security with Layer 7 application controls, real-time signatures and URL categories updates, and ML-powered threat prevention. Customers enjoyed the convenience of using Palo Alto Networks VM-series software on AWS Cloud by purchasing licenses and deploying the firewalls from the AWS Marketplace. Customers decide what instance types are best suited for their environment and how best to manage upgrades, scale-out, and failover.
These customers have always asked us whether we can make our best-in-class security as easy to consume as other AWS-native services. They were looking for a cloud-native experience for network security and wanted to avoid managing the security infrastructure and integrating it deeply with the AWS ecosystem. We listened and launched Cloud NGFW for AWS back in March 2022. Cloud NGFW for AWS is a Next-Generation Firewall resource (aka cloud-native form factor) on the AWS platform managed by Palo Alto Networks. Cloud NGFW resources come with built-in scalability, resilience and life-cycle management. They also offer zero-maintenance by transferring the operational responsibility from customers to Palo Alto Networks. Cloud NGFW natively integrates with your AWS workflows and streamlines policy management and security operations with Panorama, Cortex Data Lake, and more. These firewalls can now protect your AWS Cloud WAN traffic using the centralized deployment architectures
AWS Cloud WAN is a managed wide-area networking (WAN) service from AWS, that you can use to build, manage, and monitor a unified global network that connects resources running across your cloud and on-premises environments. It provides a central dashboard from which you can connect on-premises branch offices, data centers, and Amazon Virtual Private Clouds (VPCs) across regions in the AWS global network via varied connectivity mechanisms and share routes.
Traditionally customers like you would have to peer transit gateway with each other, to connect VPCs in different regions and support inter-region traffic flow. This peering and connectivity mechanism tends to become complex as you add more regions. With AWS Cloud WAN, you now have a global centralized service to provide the peering and connectivity. It also simplifies the routing.
You can map these VPCs to segments in the core network. These segments are connected using attachments like VPC attachment or Transit gateway route table attachments. The built-in segmentation helps you to maintain network isolation across AWS and on-prem environments. Each segment creates a dedicated routing domain. You can create multiple network segments within your global network. Cloud WAN restricted AWS resources to communicate within the segment.
.
In nutshell, Cloud WAN is the interconnection of your VPCs and on-prem networks. Lets now dive deep on how to secure traffic interconnected with cloud WAN using Palo Alto Networks Firewalls. In this blog, we use Cloud NGFW in the examples that follow. Similar deployment architectures hold good with VM-Series deployed behind Gateway Load Balancer (GWLB) and GWLB endpoints.
Though Cloud WAN is a global construct, we recommend deploying Cloud NGFW in every AWS region it spans, to maintain security posture with low latency, and optimized costs. You can deploy Cloud NGFW in a centralized security VPC in every region. The security VPC can be directly connected to the cloud WAN security segment via attachment. The routing associated with the attachments and segments define how the traffic gets routed towards the Cloud NGFW resource for threat prevention. You can redirect traffic arriving from cloud attachments to security VPC, before forwarding to the destination.
Cloud NGFW deployed within a region can now protect and secure:
Consider the deployment architecture in the figure below where an on-prem environment connected with cloud WAN service over the hybrid segment. The two regions are also peered using VPC attachment with Cloud WAN in their respective segments.
In this deployment architecture the security VPC in region 1 hosts the Cloud NGFW. The VPCs in two regions are paired with Cloud WAN in different segments. Let us consider two traffic flow examples:
1) Traffic is originating from on-prem towards the workload hosted in prod segment in region1:
2) Traffic is originating from the prod segment in region-2 to the prod segment in region-1:
Please refer here to learn more about securing Cloud WAN traffic between Amazon VPC with next-generation firewalls such as Cloud NGFW and VM-Series and understanding the details on how to build for both single-Region and multi-Region networks, and how to configure the route tables for each.
In the deployment architecture below, we have the VPCs in the region connected to the Cloud WAN segment via attachments. Any outbound traffic towards the internet is inspected by the cloud NGFW within the security segment before being forwarded towards the destination on the internet.
Please refer here to learn more about the centralized security aspects in Cloud WAN and securing egress traffic to the internet.
What’s more, by integrating Cloud NGFW with Cloud WAN, you can now protect your global networks’ traffic with these significant operational benefits:
This feature is now available in all VM-Series and Cloud NGFW supported AWS regions to help you realize these benefits in your AWS environment. You can also look at this brief demo video. To learn more, sign up for a 30-day free trial and visit the documentation and FAQ pages. As always, your feedback drives our feature roadmap and product development. Please contact us through your Palo Alto Networks support team if you have additional feedback or Cloud NGFW feature requests.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
5 Likes | |
4 Likes | |
3 Likes | |
3 Likes | |
2 Likes |
User | Likes Count |
---|---|
12 | |
4 | |
4 | |
3 | |
2 |