Streamlining AWS Security: VM-Series Enhancements for Deployment Flexibility, Visibility and Troubleshooting



This blog was written by Nidhi Pandey and Chintan Udeshi

 

Introduction  

 

Based on input from customers, we have recently added many enhancements for customers running VM-Series on AWS. This blog post highlights the recent advancements for Palo Alto Networks Software Firewalls on AWS.

In the last couple of months, we have added the following features for VM-Series on AWS:

  • Deployment Flexibility
    • Simplified Onboarding with CloudFormation Template
  • Visibility
    • AWS Shared VPC Monitoring
  • Troubleshooting
    • Publish ENA performance metrics to CloudWatch


Simplified Onboarding with CloudFormation Template

 

The simplified onboarding flow streamlines the deployment and initial configuration of VM-Series firewalls in AWS using a CloudFormation template (CFT). It supports east-west deployment (with Transit Gateway), centralized egress, and distributed inbound deployment of the VM-Series firewall. Customers can now deploy VM-Series firewalls in a centralized architecture using the CFT available from AWS. This allows you to deploy the reference architecture in just a few steps while getting a best-in-class public cloud network security solution, powered by the latest threat research, that protects your workloads against zero-day and known threats with application (layer 7) visibility.


Other architectures including single arm centralized egress will be supported in the near future.

 

Benefit

  • This feature streamlines the deployment and initial configuration of VM-Series firewalls within the AWS environment.
  • Customers can set up security in just a few steps, with options for high availability or a single firewall. Firewalls launch with preconfigured policies and support deployment across Availability Zones.
  • Support deployment of reference architectures using AWS CloudFormation templates in just a few steps for easy deployment
  • Integrations with Gateway Load Balancer, AWS Auto Scaling, and Transit VPC to protect traffic across many types of dynamic and large scale deployments.

To learn more, please refer to Simplified Onboarding on AWS

 

Visit our orchestration hub to learn about Infrastructure as code offerings. 


AWS Shared VPC Monitoring 



AWS Shared VPC monitoring centralizes network control in an owner account, allowing participant accounts to share subnets. This simplifies administration, enhances security via centralized policies, and reduces costs by avoiding inter-VPC data transfer charges. Enhanced monitoring with multiple credentials per VPC ID provides granular traffic tracking from participant accounts, improving security and performance.

 

We have introduced monitoring support for subnets that are shared with multiple accounts. You can now configure multiple monitoring definitions with the same VPC ID and different AWS credentials. This enables you to track IPs from multiple accounts within the shared VPC, enhancing security and network management.
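As an added illustration (not VM-Series code or configuration syntax), the following Python models the rule this feature relies on: several monitoring definitions may share one VPC ID as long as each uses a different credential, and the IP inventory for the shared VPC is the union of what each account's credential can see. The definition names, credential names, account IDs, ENI records and the `vpc-0abc1234` VPC ID are all constructed; the example assumes, as is the case for AWS shared VPCs, that a credential from one account only returns the network interfaces that account owns.

```python
"""Added example: multiple monitoring definitions for one shared VPC.

Constructed data throughout; illustrates why one credential per
participant account is needed to see every IP in a shared VPC.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MonitoringDefinition:
    name: str         # hypothetical definition name
    vpc_id: str       # the shared VPC being monitored
    credential: str   # hypothetical AWS credential / role used for this definition


# Three definitions, same VPC ID, three different credentials (constructed)
DEFINITIONS = [
    MonitoringDefinition("owner-view", "vpc-0abc1234", "owner-acct-role"),
    MonitoringDefinition("participant-a", "vpc-0abc1234", "participant-a-role"),
    MonitoringDefinition("participant-b", "vpc-0abc1234", "participant-b-role"),
]

# Constructed describe-network-interfaces style results, one list per credential.
# Each account only sees the ENIs it owns, so any single list is a partial picture.
ENI_VIEW_BY_CREDENTIAL = {
    "owner-acct-role": [
        {"PrivateIpAddress": "10.0.1.10", "OwnerId": "111111111111",
         "VpcId": "vpc-0abc1234", "TagSet": {"app": "shared-proxy"}},
    ],
    "participant-a-role": [
        {"PrivateIpAddress": "10.0.1.25", "OwnerId": "222222222222",
         "VpcId": "vpc-0abc1234", "TagSet": {"app": "web"}},
    ],
    "participant-b-role": [
        {"PrivateIpAddress": "10.0.2.40", "OwnerId": "333333333333",
         "VpcId": "vpc-0abc1234", "TagSet": {"app": "db"}},
        # Same account, different (unshared) VPC: must be ignored by the filter below
        {"PrivateIpAddress": "172.16.5.7", "OwnerId": "333333333333",
         "VpcId": "vpc-0fff9999", "TagSet": {"app": "batch"}},
    ],
}


def duplicate_definitions(defs):
    """Return names of definitions that repeat an existing (VPC ID, credential) pair.

    Reusing a VPC ID is allowed; reusing it with the same credential adds nothing
    and is reported as a duplicate.
    """
    seen, dupes = set(), []
    for d in defs:
        key = (d.vpc_id, d.credential)
        if key in seen:
            dupes.append(d.name)
        seen.add(key)
    return dupes


def collect_ip_inventory(defs, eni_view):
    """Merge the per-credential ENI views into one private-IP inventory for the VPC."""
    inventory = {}
    for d in defs:
        for eni in eni_view.get(d.credential, []):
            if eni["VpcId"] != d.vpc_id:
                continue  # only the VPC named in the definition is in scope
            inventory[eni["PrivateIpAddress"]] = {
                "account": eni["OwnerId"],
                "tags": dict(eni["TagSet"]),
                "definition": d.name,
            }
    return inventory


if __name__ == "__main__":
    print("duplicates:", duplicate_definitions(DEFINITIONS))
    for ip, info in sorted(collect_ip_inventory(DEFINITIONS, ENI_VIEW_BY_CREDENTIAL).items()):
        print(ip, info["account"], info["tags"])
```

Running the block shows three IPs across three accounts; restricting it to the owner's definition alone yields only the owner's ENI, which is the gap the multiple-credential feature closes.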

 

Benefit 

 

This advancement provides multiple benefits.

  • Security and Compliance: Centralized IP traffic visibility strengthens security, ensures compliance with policies and regulations, and contributes to a robust operational environment.
  • Improved Network Management and Optimization: Empowers administrators to monitor and analyze IP activities across accounts, optimizes network performance, and streamlines troubleshooting.
  • Streamlined Operations and Efficiency: Consolidating IP tracking reduces complexity, enhances efficiency in cloud infrastructure management, and simplifies operations.

To learn more, please refer to AWS Shared VPC Monitoring

 

Publish AWS Elastic Network Adapter (ENA) Performance Metrics to CloudWatch 

 

ENA performance metrics provide vital visibility for troubleshooting, informed instance sizing, proactive scaling, and application benchmarking to assess utilization.

 

Monitoring network performance metrics is crucial for detecting instances exceeding traffic limits, providing real-time insights into potential network impact and degradation, and supporting operational management and automated scaling.

 

Capability 

To make it easy for you to monitor performance and quickly troubleshoot issues, we've enhanced our capabilities to publish ENA performance metrics to CloudWatch. These network performance metrics from the ENA driver, available for publication to AWS CloudWatch, include:

  • Bandwidth capability (inbound and outbound)
  • Packet-per-second (PPS) performance
  • Connections tracked
  • Link-local service access
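The four metric families above correspond to the allowance counters the ENA driver exposes on Linux (`bw_in_allowance_exceeded`, `bw_out_allowance_exceeded`, `pps_allowance_exceeded`, `conntrack_allowance_exceeded`, `linklocal_allowance_exceeded`, as listed by `ethtool -S`). The following Python is an added example, not the VM-Series implementation: it parses two constructed `ethtool -S` snapshots, turns the cumulative counters into per-interval increments, flags which allowances were exceeded, and shapes the result the way CloudWatch's `PutMetricData` API expects. The instance ID, interface name and namespace are placeholders; the actual upload call is shown in a comment so the block runs offline.

```python
"""Added example: ENA allowance counters -> CloudWatch metric data.

The two samples below are constructed `ethtool -S` snapshots taken some
seconds apart. Not VM-Series code.
"""
import re
from datetime import datetime, timezone

# ENA driver counters and the metric family each one belongs to
ENA_ALLOWANCE_COUNTERS = {
    "bw_in_allowance_exceeded": "bandwidth-inbound",
    "bw_out_allowance_exceeded": "bandwidth-outbound",
    "pps_allowance_exceeded": "packets-per-second",
    "conntrack_allowance_exceeded": "connections-tracked",
    "linklocal_allowance_exceeded": "link-local",
}

SAMPLE_T0 = """NIC statistics:
     tx_timeout: 0
     bw_in_allowance_exceeded: 120
     bw_out_allowance_exceeded: 0
     pps_allowance_exceeded: 3
     conntrack_allowance_exceeded: 0
     linklocal_allowance_exceeded: 0
"""

SAMPLE_T1 = """NIC statistics:
     tx_timeout: 0
     bw_in_allowance_exceeded: 150
     bw_out_allowance_exceeded: 0
     pps_allowance_exceeded: 3
     conntrack_allowance_exceeded: 7
     linklocal_allowance_exceeded: 0
"""

_STAT_LINE = re.compile(r"^\s*([a-z_]+):\s*(\d+)\s*$")


def parse_ethtool_stats(text):
    """Parse `ethtool -S` output into {counter_name: int}; header lines are skipped."""
    stats = {}
    for line in text.splitlines():
        m = _STAT_LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def allowance_deltas(before, after):
    """Counters are cumulative; report the increase within the interval.

    If a counter went backwards (driver reload), the new value is the delta.
    """
    deltas = {}
    for name in ENA_ALLOWANCE_COUNTERS:
        if name not in after:
            continue
        delta = after[name] - before.get(name, 0)
        deltas[name] = delta if delta >= 0 else after[name]
    return deltas


def exceeded_families(deltas):
    """Metric families whose allowance was exceeded at least once in the interval."""
    return sorted({ENA_ALLOWANCE_COUNTERS[n] for n, d in deltas.items() if d > 0})


def build_metric_data(deltas, instance_id, interface, timestamp=None):
    """Build the list accepted by CloudWatch put_metric_data(MetricData=...)."""
    timestamp = timestamp or datetime.now(timezone.utc)
    return [
        {
            "MetricName": name,
            "Dimensions": [
                {"Name": "InstanceId", "Value": instance_id},
                {"Name": "Interface", "Value": interface},
            ],
            "Timestamp": timestamp,
            "Value": float(delta),
            "Unit": "Count",
        }
        for name, delta in deltas.items()
    ]


def summarize(before_text, after_text):
    """Convenience wrapper: which allowance families were exceeded between two snapshots."""
    return exceeded_families(allowance_deltas(parse_ethtool_stats(before_text),
                                              parse_ethtool_stats(after_text)))


if __name__ == "__main__":
    deltas = allowance_deltas(parse_ethtool_stats(SAMPLE_T0), parse_ethtool_stats(SAMPLE_T1))
    print("exceeded:", exceeded_families(deltas))
    data = build_metric_data(deltas, "i-PLACEHOLDER", "eth1")  # placeholder instance id
    # With credentials in place this is the real upload (boto3, not run here):
    # boto3.client("cloudwatch").put_metric_data(Namespace="Example/ENA", MetricData=data)
    print(len(data), "metrics prepared")
```

On the constructed snapshots the inbound bandwidth and connection-tracking allowances were exceeded during the interval, which is exactly the condition a CloudWatch alarm on these metrics would surface before users notice drops.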


Benefit 

 

Publishing Elastic Network Adapter (ENA) driver network performance metrics to AWS CloudWatch provides several key benefits:

  • Enhanced Visibility: Gain deeper insights into instance performance for faster troubleshooting.
  • Instance Sizing: Facilitates the selection of appropriately sized instances for various workloads.
  • Proactive Scaling: Enables proactive planning for scaling events.
  • Application Benchmarking: Allows for benchmarking applications to optimize instance performance.
  • Real-time Monitoring: Offers real-time monitoring of network traffic to identify potential performance bottlenecks.

 

To learn more, please refer to the ENA metrics Documentation

 

 

Conclusion 

 

In summary, these recent enhancements to Palo Alto Networks VM-Series firewalls on AWS significantly improve deployment flexibility, visibility and troubleshooting. From publishing ENA performance metrics to CloudWatch for deeper insights and proactive scaling, to simplified onboarding with CloudFormation templates for streamlined deployments, and enhanced AWS Shared VPC monitoring for granular traffic visibility, these features empower organizations to optimize their cloud security infrastructure. Additionally, the new Decryption Port Mirror capability offers comprehensive traffic visibility, addressing critical needs for integrating third-party security controls and analyzing all network traffic, including encrypted streams. Together, these advancements provide robust, efficient, and secure network protection for dynamic cloud environments on AWS.

 

Please visit our product page at these links:

Live community page

Software Firewall Product Page

VM Series Deployment Guide for AWS

 
