
Autoscaling in AWS version 3 (Gateway load balancer integration) - Decouple the Lambda scripts for autoscaling when not using the template


L1 Bithead

Hi everyone,

 

We are looking to deploy the virtual firewalls in AWS in an autoscaling group and plan to build the AWS infrastructure (GLB, subnets, routing tables, etc.) using Terraform.

 

The Lambda scripts in the CloudFormation template are extensive (3500 lines of code); they monitor for firewalls being added/removed as part of a scaling event, update Panorama, etc.

 

Is the only way to deploy to use the CloudFormation template, or can we decouple the Lambda/Python scripts (init.py, sched1.py and sched2.py) and plumb them into our environment that's been built with Terraform?

 

It looks like a lot of work to build the scripts from scratch as they do a lot of work. Has anyone solved this issue or done something similar? 

 

Would really appreciate any advice anyone may have.

 

Thanks in advance!


L2 Linker

We have an update coming to the ASG scripting in the next week or two that greatly simplifies the scripting. Now, with that said, there are a few functions performed by the scripts, and here are some ways around them.

 

1. AWS had a limitation with Launch Templates that limited the instance to one interface. A large portion of the code adds the second interface after boot. That limitation no longer exists, but you are forced to run mgmt and data plane in the same subnet. If you properly configure your security groups, this is not a risk, as you just need 0/0 pointing to a NatGw and RFC 1918 pointing at the TGW in that subnet.

2. The scripting also handles delicensing and removal from Panorama.  We have a licensing plugin that can handle those tasks for you.  https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall...
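As an added example (not code from the thread, and not from the PaloAltoNetworks/AWS-GWLB-VMSeries repository), here is what the single-subnet layout in point 1 looks like in Terraform: one firewall subnet whose route table sends 0/0 to the NAT gateway and RFC 1918 to the TGW, a management security group that admits only an admin CIDR, a dataplane security group that admits only GENEVE and the health check from the GWLB subnets, and a launch template that declares both ENIs so nothing has to attach a second interface after boot. Every variable name, CIDR, the instance type and the health-check port are assumptions, not values from the post.

```hcl
# Added example: the single-subnet layout from point 1, in Terraform. Not code from
# the thread or from PaloAltoNetworks/AWS-GWLB-VMSeries; every variable, CIDR and
# port below is an assumption to replace with real values.

variable "vpc_id"             { type = string }
variable "fw_subnet_id"       { type = string }       # the one subnet both ENIs share
variable "nat_gateway_id"     { type = string }
variable "transit_gateway_id" { type = string }
variable "vmseries_ami_id"    { type = string }
variable "admin_cidr"         { type = string }       # assumed: where admins reach mgmt from
variable "gwlb_subnet_cidrs"  { type = list(string) } # assumed: where GENEVE/health checks come from

# Routing for the shared subnet: 0/0 to the NAT gateway (licensing, updates,
# Panorama outside the VPC), RFC 1918 back to the Transit Gateway.
resource "aws_route_table" "fw" {
  vpc_id = var.vpc_id
}

resource "aws_route" "default_to_nat" {
  route_table_id         = aws_route_table.fw.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = var.nat_gateway_id
}

resource "aws_route" "rfc1918_to_tgw" {
  for_each               = toset(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
  route_table_id         = aws_route_table.fw.id
  destination_cidr_block = each.value
  transit_gateway_id     = var.transit_gateway_id
}

resource "aws_route_table_association" "fw" {
  subnet_id      = var.fw_subnet_id
  route_table_id = aws_route_table.fw.id
}

# Mgmt ENI: HTTPS only from the admin range. The firewall opens its Panorama
# session outbound (TCP 3978), so no inbound rule is needed for Panorama.
resource "aws_security_group" "mgmt" {
  name   = "vmseries-mgmt"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Dataplane ENI: only GENEVE and the target-group health check, only from the
# GWLB subnets. Sharing a subnet with mgmt grants nothing: the SG decides.
resource "aws_security_group" "data" {
  name   = "vmseries-data"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 6081 # GENEVE
    to_port     = 6081
    protocol    = "udp"
    cidr_blocks = var.gwlb_subnet_cidrs
  }
  ingress {
    from_port   = 80 # assumed health-check port
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = var.gwlb_subnet_cidrs
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Both ENIs are declared up front, so no post-boot Lambda attaches a second one.
# An ASG using this template (vpc_zone_identifier = [var.fw_subnet_id]) creates
# every interface in the subnet it picks, hence mgmt and data in one subnet.
resource "aws_launch_template" "vmseries" {
  name_prefix   = "vmseries-"
  image_id      = var.vmseries_ami_id
  instance_type = "m5.xlarge" # assumed

  network_interfaces {
    device_index          = 0 # VM-Series management
    security_groups       = [aws_security_group.mgmt.id]
    delete_on_termination = true
  }
  network_interfaces {
    device_index          = 1 # VM-Series dataplane
    security_groups       = [aws_security_group.data.id]
    delete_on_termination = true
  }
}
```

Two things are deliberately left out. Registering the dataplane ENI with the GWLB target group is not shown: an ASG's target_group_arns registers the instance's primary interface, which here is the mgmt ENI at device index 0, so the data ENI has to be registered another way or the management interface swapped at bootstrap, and the thread does not settle which. The egress blocks are explicit because Terraform's aws_security_group removes AWS's default allow-all egress once it manages the group; leaving them out would silently cut the firewall off from Panorama and licensing.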

 

 

That is really helpful, thanks for such a quick reply. Much appreciated 

L2 Linker

Circling back to this.  I recently posted the simplified autoscaling template that I mentioned.  

https://github.com/PaloAltoNetworks/AWS-GWLB-VMSeries/tree/main/cft_simplifiedASG_with_warm_pools

 

Tony, I am working on a similar project. I am curious why not use the vm-series plugin (instead of terraform) to deploy the security dmz?

We can use Terraform for the supporting infrastructure, but it's the ASG that's the challenge, and all the associated Lambda scripts. It needs to plumb into the CloudFormation infrastructure to work properly.

This is brilliant, thank you. Really helpful. We are trying version 3.0 first, which all seems to work but never registers as a managed firewall in Panorama. Will do some more digging. Thanks for your help. Keep up the good work!

  • 7349 Views
  • 6 replies
  • 0 Likes