* [Blog](https://www2.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www2.paloaltonetworks.com/blog/corporate/)
* [Cloud Computing](https://www2.paloaltonetworks.com/blog/category/cloud-computing-2/)
* How Palo Alto Networks Sc...

# How Palo Alto Networks Scales Next-Gen Security on AWS

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2018%2F02%2Fpalo-alto-networks-scales-next-gen-security-aws%2F)  
[](https://twitter.com/share?text=How+Palo+Alto+Networks+Scales+Next-Gen+Security+on+AWS&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2018%2F02%2Fpalo-alto-networks-scales-next-gen-security-aws%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2018%2F02%2Fpalo-alto-networks-scales-next-gen-security-aws%2F&title=How+Palo+Alto+Networks+Scales+Next-Gen+Security+on+AWS&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/2018/02/palo-alto-networks-scales-next-gen-security-aws/&ts=markdown)  
\[\](mailto:?subject=How Palo Alto Networks Scales Next-Gen Security on AWS)  
Link copied  
By [Matt Keil](https://www.paloaltonetworks.com/blog/author/matt/?ts=markdown "Posts by Matt Keil")  
Feb 14, 2018  
4 minutes  
[Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown)  
[Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)  
[AWS](https://www.paloaltonetworks.com/blog/tag/aws/?ts=markdown)  
[VM-Series](https://www.paloaltonetworks.com/blog/tag/vm-series/?ts=markdown)

*One of three articles in a series about security for the three major public cloud environments: AWS, Azure and Google.*

In the public cloud, scalability challenges manifest themselves in two ways. The first is being able to accommodate dynamic traffic patterns, such as the spike following a new product launch or a holiday sales special. In these scenarios, both your workloads and your security solution need to scale seamlessly, yet independently. The second scalability challenge is being able to protect Amazon Web Services deployments with many, many VPCs or accounts while ensuring secure connectivity to corporate or web resources, or other VPCs, without incurring added cost and complexity.

To solve both of these scalability challenges, we have built a set of templates and scripts that utilize a range of AWS services and VM-Series features to automate secure, scalable deployments on AWS.

Auto Scaling the VM-Series on AWS 2.0

Utilizing native AWS services (e.g., Elastic Load Balancers, Lambda, CloudWatch) and VM-Series features (e.g., bootstrapping, XML API), our customers can deploy a fully integrated next-generation firewall solution that can scale dynamically with traffic patterns.

The solution deploys an AWS Application Load Balancer and an AWS Network Load Balancer as external and internal traffic distribution mechanisms, respectively, creating a "load balancer sandwich" that enables the VM-Series to scale dynamically, resulting in two significant operational benefits.

First, the on-demand nature of Auto Scaling for the VM-Series results in a more efficient use of security resources and lower associated costs. The second benefit is reduced administrative effort -- all VM-Series firewalls use the same predefined bootstrap configuration and can be centrally managed with complete visibility via Panorama network security management. Auto Scaling the VM-Series on AWS 2.0 uses a hub-and-spoke architecture to simplify deployment and can support either a single, large VPC or many smaller VPCs. Scaling decisions are made based on VM-Series metrics fed directly to AWS CloudWatch, eliminating a Lambda function. To help simplify customization solution, the AWS CloudFormation Template has been re-designed.

* Watch the new "Auto Scaling the VM-Series on AWS" Lightboard

* Check out the [Auto Scaling templates and scripts](https://live.paloaltonetworks.com/t5/Public-Cloud-Integration/ct-p/Cloud_Templates)

* Read the [Auto Scaling the VM-Series on AWS Tech Brief](https://www.paloaltonetworks.com/resources/datasheets/vm-series-on-aws-auto-scaling)

Transit VPC With the VM-Series on AWS

Here we leverage a combination of AWS services (e.g., AWS CloudFormation Templates, Virtual Private Gateway, Lambda, and CloudTrail) and VM-Series automation features (e.g., bootstrapping, XML API) to create a centralized, hub-and-spoke security and connectivity architecture.

When fully deployed, VM-Series firewalls are deployed in the hub, performing secure connectivity and threat prevention functions for the subscribing VPCs, or "spokes." Connectivity between VPC spokes to corporate locations or web resources will connect to and "transit" the hub VPC via an IPsec VPN and BGP while sharing VM-Series next-generation security services. Additional pairs of VM-Series firewalls are deployed automatically based on the defined ratio of VPC spokes per VM-Series firewall pair, either within an individual account or across multiple accounts. Using Panorama, security teams can deploy a range of security policies to protect your AWS deployment from threats. The Transit VPC with the VM-Series is a cost-effective, easy-to-manage alternative to backhauling traffic to a corporate firewall or deploying a VM-Series per VPC.

The Transit VPC with the VM-Series helps you reduce the cost of security while lowering administrative efforts by centralizing security in a shared services architecture that can support the varied application development group requirements. In some deployment scenarios, the Hub VPC may host additional services such as DNS and logging along with security and IPsec VPN connectivity.

* Watch the new Transit VPC with the VM-Series on AWS Lightboard
* Check out the [Transit VPC templates and scripts](https://live.paloaltonetworks.com/t5/Public-Cloud-Integration/ct-p/Cloud_Templates)
* Read the [Transit VPC With the VM-Series Tech Brief](https://www.paloaltonetworks.com/resources/datasheets/transit-vpc-with-vm-series)

These two solutions exemplify how next-generation security can be fully automated, enabling security teams to establish a strong security posture while allowing the users to operate at the speed of the cloud.

Check them out now on our [Public Cloud integration resource page](https://live.paloaltonetworks.com/t5/Public-Cloud-Integration/ct-p/Cloud_Templates).

*** ** * ** ***

## Related Blogs

### [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Securing Large Scale AWS Deployments with a Transit VPC](https://www2.paloaltonetworks.com/blog/2018/04/securing-large-scale-aws-deployments-transit-vpc/)

### [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Cloud NGFW](https://www.paloaltonetworks.com/blog/network-security/category/cloud-ngfw/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Cloud NGFW is Essential for AWS \& Azure Cloud Traffic Protection](https://www2.paloaltonetworks.com/blog/network-security/cloud-ngfw-is-essential-for-aws-azure-cloud-traffic-protection/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### See the Unseen in AWS Mirrored Traffic With VM-Series](https://www2.paloaltonetworks.com/blog/2021/03/aws-vpc-traffic-mirroring/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### A Shared Commitment Towards Cloud Security: Expanding Our Partnership with Google Cloud](https://www2.paloaltonetworks.com/blog/2018/12/shared-commitment-towards-cloud-security-expanding-partnership-google-cloud/)

### [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Microsoft Ignite: Showcasing Our Cloud Offerings and the Depth of Our Microsoft Partnership](https://www2.paloaltonetworks.com/blog/2018/09/microsoft-ignite-showcasing-cloud-offerings-depth-microsoft-partnership/)

### [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Events](https://www.paloaltonetworks.com/blog/category/events/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Visit Us at VMworld 2018 USA](https://www2.paloaltonetworks.com/blog/2018/08/visit-us-vmworld-2018-usa/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language