Securing the Public Cloud: AWS Deployment Scenarios

Ed Caswell, Consulting Engineer, Palo Alto Networks

stackArmor Security MicroSummit - Next Generation Firewalls for AWS

ELB Interoperability

©2014, Palo Alto Networks. Confidential and Proprietary.

[Diagram: Region 1 with AZ1 and AZ2, an External ELB in front, an Internal ELB behind it, and a Web farm in each AZ]

Native AWS and PAN-OS/VM-Series Services Used

AWS Services:
- CloudFormation Template: automates full use case deployments
- S3: AWS service where bootstrapping files are stored
- CloudWatch: consumes metrics and makes intelligent scale in/out decisions
- Lambda: code as a service; pushes custom metrics to CloudWatch via XML API
- Auto Scale Groups (ASG): the firewalls are members of an ASG that scales in/out based on custom metrics

PAN-OS/VM-Series Services:
- PAN-OS Bootstrapping: automates creation of a fully configured firewall
- PAN-OS API: enables delivery of custom metrics to CloudWatch
- Panorama: optional but highly recommended to simplify VM-Series management

Auto Scaling the VM-Series on AWS

[Diagram: Region 1 with AZ1 and AZ2, an External ELB, an Internal ELB, a Web ASG and two firewall auto scaling groups, ASG1 and ASG2]

1. CFT deploys base topology
2. Initial firewalls are bootstrapped from S3; bootstrapping adds VM-Series firewalls to Panorama
3. Standard metrics sent to CloudWatch
4. Alarm triggers ASG scale out
5. Lambda function collects PAN-OS metrics via API
6. Custom metrics sent to CloudWatch
7. Alarm triggers FW ASG scale events; bootstrapping continues to add FWs to Panorama, and a Lambda function removes FWs from Panorama
8. Lambda function monitors for ELB VIP changes
9. Lambda function deploys new ASG with NAT rule for new VIP

[Diagram: Internal ELB VIP 1 through VIP 4, each paired with its own firewall ASG (ASG1 through ASG4), behind the External ELB]
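The metric-collection step above (a Lambda function polls the firewalls over the PAN-OS XML API, pushes a custom metric to CloudWatch, and an alarm drives the firewall ASG) is shown below as an added, self-contained Python example; it is not code from the deck or from Palo Alto Networks. The XML replies are constructed samples, the element names num-active and num-max, the metric name panSessionUtilization, the namespace VMseries, the dimension names and the 80%/20% thresholds are all assumptions, and the boto3 put_metric_data call is left out so the example runs offline. The point it adds to the slide is the failure mode: a firewall whose API call fails must be skipped, not reported as 0% load, or the alarm will scale the group in while it is actually busy.

```python
import xml.etree.ElementTree as ET
from collections import deque

# Constructed sample of a PAN-OS XML API reply to `show session info`.
# The element names (num-active, num-max, cps) are assumptions for this example.
SAMPLE_OK = """<response status="success">
  <result>
    <num-active>7800</num-active>
    <num-max>10000</num-max>
    <cps>120</cps>
  </result>
</response>"""

# Constructed sample of an API error reply (e.g. bad API key).
SAMPLE_ERR = """<response status="error"><msg><line>Invalid credentials.</line></msg></response>"""


class PanApiError(Exception):
    """Raised when the firewall API did not return a usable result."""


def parse_session_utilization(xml_text: str) -> float:
    """Return active-session utilization in percent from a `show session info` reply.

    A non-success status raises instead of returning 0, so a failed poll is never
    published to CloudWatch as an idle firewall.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise PanApiError(root.findtext(".//line") or "unknown API error")
    active = int(root.findtext("./result/num-active"))
    maximum = int(root.findtext("./result/num-max"))
    if maximum <= 0:
        raise PanApiError("num-max must be positive")
    return round(100.0 * active / maximum, 2)


def build_metric_datum(instance_id: str, asg_name: str, value: float) -> dict:
    """Shape one MetricData entry in the form CloudWatch put_metric_data accepts.

    Metric name, namespace and dimension names are assumptions for this example.
    """
    return {
        "MetricName": "panSessionUtilization",
        "Dimensions": [
            {"Name": "AutoScalingGroupName", "Value": asg_name},
            {"Name": "InstanceId", "Value": instance_id},
        ],
        "Value": value,
        "Unit": "Percent",
    }


def collect_metrics(replies: dict, asg_name: str):
    """Turn {instance_id: xml_reply} into a put_metric_data payload.

    Firewalls whose reply is an error or malformed are skipped and reported
    separately so the operator can alert on them.
    """
    data, failed = [], []
    for instance_id, xml_text in replies.items():
        try:
            value = parse_session_utilization(xml_text)
            data.append(build_metric_datum(instance_id, asg_name, value))
        except (PanApiError, ET.ParseError, TypeError, ValueError) as exc:
            failed.append((instance_id, str(exc)))
    return {"Namespace": "VMseries", "MetricData": data}, failed


def asg_average(payload: dict):
    """Average the metric across the firewalls that actually reported."""
    values = [d["Value"] for d in payload["MetricData"]]
    return sum(values) / len(values) if values else None


class ScaleAlarm:
    """Mimic a CloudWatch alarm with evaluation periods.

    Scale out only after `periods` consecutive datapoints above `high`, scale in
    only after `periods` consecutive datapoints below `low`; a single spike or
    dip therefore does not flap the firewall ASG.
    """

    def __init__(self, high: float = 80.0, low: float = 20.0, periods: int = 3):
        self.high, self.low, self.periods = high, low, periods
        self.window = deque(maxlen=periods)

    def observe(self, value: float) -> str:
        self.window.append(value)
        if len(self.window) < self.periods:
            return "insufficient-data"
        if all(v > self.high for v in self.window):
            return "scale-out"
        if all(v < self.low for v in self.window):
            return "scale-in"
        return "ok"


if __name__ == "__main__":
    payload, failed = collect_metrics({"i-fw1": SAMPLE_OK, "i-fw2": SAMPLE_ERR}, "fw-asg-1")
    print("publish:", payload)
    print("failed polls:", failed)
    alarm = ScaleAlarm()
    for sample in (asg_average(payload), 85.0, 90.0):
        print("alarm state:", alarm.observe(sample))
```

In the real function the payload goes to `cloudwatch.put_metric_data(**payload)` and the alarm is a CloudWatch alarm on the ASG-level average; the `failed` list is what a second, operational alarm should watch, since a firewall that stops answering its API is itself a finding.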

InterVPC

[Diagram: Securing one VPC. Data center firewalls DC-FW1 and DC-FW2 connect over IPSec VPN to a VPC hosting Web1-01 and Web1-02 in AZ1]

[Diagram: Securing one VPC, extended. DC-FW1 and DC-FW2 connect over IPSec VPN to a VPC in AZ1 hosting Web1-01, Web1-02, Web2-01 and Web2-02]

[Diagram: Securing lots of VPCs. DC-FW1 and DC-FW2 connect over IPSec VPNs to separate Marketing App, HR App, QA Environment and Dev Environment VPCs]

[Diagram: Services VPC model. A Services VPC and a Subscribing VPC, each with Subnet 1 and Subnet 2 spread across Availability Zone 1 and Availability Zone 2 within a Region; DC-FW1 and DC-FW2 connect to the Services VPC]

Services VPC + Hybrid + Internet Gateway

[Diagram: Services VPC with hybrid connectivity to DC-FW1 and DC-FW2 and an Internet Gateway]

Routing

- Default route learned via DHCP from IGW on E1/1
- Static route defined for enterprise network
- Redistribution profile shares static routes with BGP peers
- BGP routes propagated into local route table
- SNAT on gateway firewall ensures symmetric return

[Diagram: More scale, and LOTS more scale. DC-FW1 and DC-FW2 connect to AWS through a Direct Connect Location over Service Provider Links]