I’ve recently been working with a client on automatically spinning up entire environments in AWS, which means I’ve learned a fair bit about AWS along the way.

Without going into too much detail (as it’s the client’s work), we have been bootstrapping Palo Alto VM-Series firewalls. This lets you stand up a fully configured Palo Alto firewall from a CloudFormation template in AWS in a matter of minutes. That’s pretty cool.

Palo Alto are pretty helpful with this – they provide a decent sample template here: https://github.com/PaloAltoNetworks/aws

From this, you can amend the templates to fit your own environment. The method relies on having a full firewall configuration available to bootstrap from in an S3 bucket, which the instance reads at first boot. If that configuration is static, this is easy. If not, you’ll have to generate it elsewhere before running the CloudFormation template, so that the configuration you need is already in the bucket when the instance starts.

One of the challenges we faced was the per-instance limit on network interfaces (it depends on which EC2 instance type you choose). This means the Palo Alto example does not scale too well: once you have too many subnets, it becomes impossible to put a firewall interface in every subnet. To get around this, you can add routes in the route tables of those subnets pointing at the ENIs (Elastic Network Interfaces) of the firewall, with source/destination checking disabled on those ENIs so EC2 will deliver traffic that is not addressed to the interface itself. This means you can have multiple subnets behind one interface.
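To make the two points above concrete, here is an added CloudFormation fragment (written for this post, not taken from the PaloAltoNetworks/aws sample) that wires a VM-Series instance to bootstrap from an S3 bucket with a least-privilege IAM role, and adds a route that sends a subnet’s default traffic to the firewall’s trust-side ENI rather than placing an ENI in that subnet. All logical names, the parameters (bucket name, AMI, subnet and security group IDs, the route table of the protected subnet) and the m4.xlarge instance type are assumptions for illustration; replace them for your own environment.

```yaml
# Added example, not from the Palo Alto sample. Assumed/hypothetical: all
# logical names, parameter values and the instance type.
AWSTemplateFormatVersion: "2010-09-09"
Description: VM-Series bootstrap from S3 plus route-to-ENI (illustrative)

Parameters:
  BootstrapBucket:
    Type: String
    Description: Bucket holding config/init-cfg.txt and config/bootstrap.xml
  VmSeriesAmi:
    Type: AWS::EC2::Image::Id
  MgmtSubnetId:
    Type: AWS::EC2::Subnet::Id
  TrustSubnetId:
    Type: AWS::EC2::Subnet::Id
  FirewallSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
  ProtectedRouteTableId:
    Type: String
    Description: Route table of a subnet that has no firewall interface in it

Resources:
  # Least privilege: the firewall only needs to list and read its own
  # bootstrap bucket, nothing else in the account.
  BootstrapRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadBootstrapBucket
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [ s3:ListBucket ]
                Resource: !Sub "arn:aws:s3:::${BootstrapBucket}"
              - Effect: Allow
                Action: [ s3:GetObject ]
                Resource: !Sub "arn:aws:s3:::${BootstrapBucket}/*"

  BootstrapInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [ !Ref BootstrapRole ]

  # eth0 is the PAN-OS management interface; it reads the bootstrap bucket.
  MgmtEni:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref MgmtSubnetId
      GroupSet: [ !Ref FirewallSecurityGroupId ]

  # eth1 (ethernet1/1) faces the protected subnets. SourceDestCheck must be
  # off, otherwise EC2 drops packets not addressed to this interface and the
  # route below never delivers anything to the firewall.
  TrustEni:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref TrustSubnetId
      SourceDestCheck: false
      GroupSet: [ !Ref FirewallSecurityGroupId ]

  Firewall:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref VmSeriesAmi
      InstanceType: m4.xlarge
      IamInstanceProfile: !Ref BootstrapInstanceProfile
      NetworkInterfaces:
        - DeviceIndex: 0
          NetworkInterfaceId: !Ref MgmtEni
        - DeviceIndex: 1
          NetworkInterfaceId: !Ref TrustEni
      # PAN-OS reads this key from user data and pulls the bootstrap package.
      UserData:
        Fn::Base64: !Sub "vmseries-bootstrap-aws-s3bucket=${BootstrapBucket}"

  # One of these per protected subnet's route table; any number of subnets
  # can share TrustEni, so the per-instance ENI limit no longer applies.
  DefaultRouteViaFirewall:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref ProtectedRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      NetworkInterfaceId: !Ref TrustEni
```

Two things to check when adapting this: the bootstrap bucket needs the config/, content/, license/ and software/ folders present (empty is fine apart from config/), and it should not be publicly readable, since bootstrap.xml carries the full firewall configuration. Also keep the trust subnet’s own route table pointing at the local route only; if that table sent 0.0.0.0/0 back to TrustEni, traffic leaving the firewall on that interface would loop.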

Nick Shaw

I'm Nick, a knowledgeable and versatile security-focussed network specialist. I have years of experience delivering complex projects for large and small organisations alike. As a full-stack engineer, I look at the end-to-end requirements and come up with a solution to match, rather than focussing just on one aspect. When I'm not working, I have three main interests: my family, football (Barnsley FC) and motorsports.
