© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Next-Generation Firewall Services: VPC Integration
Warby Warburton, Technical Marketing Engineering Manager, Palo Alto Networks
July 13, 2016
About Palo Alto Networks
CORPORATE HIGHLIGHTS
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications and preventing cyber threats
• Able to address all enterprise cybersecurity needs
• Exceptional ability to support global customers
• Experienced team of 3,500+ employees
• Q3 FY16: $345.8M revenue
[Chart: Revenues ($MM) by fiscal year, FY09 to FY15: $13, $49, $119, $255, $396, $598, $928]
[Chart: Enterprise customers, Jul-11 to Jul-15: 4,700, 9,000, 13,500, 19,000, 26,000]
Securing one VPC
[Diagram: data-center firewalls DC-FW1 and DC-FW2 connect over an IPsec VPN to a VPC running Web1-01 and Web1-02 in AZ1]
Securing one VPC
[Diagram: the same VPC grown to two subnets across two availability zones (Web1-01, Web1-02, Web2-01, Web2-02), with IPsec VPNs from DC-FW1 and DC-FW2]
Securing lots of VPCs
[Diagram: DC-FW1 and DC-FW2 terminating separate IPsec VPNs to a Marketing App VPC, an HR App VPC, a QA Environment VPC and a Dev Environment VPC]
Central security enforcement
• Amazon VPCs (Virtual Private Clouds) can be created quickly for project-specific infrastructure
• Many departments have one or more VPCs dedicated to their needs
• But granting each of those VPCs access to and from the corporate network creates a security challenge
• It is difficult to define and maintain one centrally managed policy across many disparate VPCs, each with its own VPN into the data center
• The services VPC architecture puts a firewall pair in one VPC that all the other VPCs connect through, creating a single point of policy enforcement and management
Bandwidth optimization
• Another advantage of the services VPC architecture is the optimization of bandwidth
• Many VPCs have a hybrid cloud connection to the private data center
• This connection is used not only for accessing and managing the application but also for server-initiated sessions, such as software updates
• Many hybrid designs require server software update traffic to first traverse the corporate network connection and then cross the Internet to the Microsoft or Linux distribution update servers
• This creates additional load on the connection back to corporate (and hairpins Internet traffic through it)
• A better solution is to let the servers securely use the Internet connection that is already present in each AWS Region, with the gateway firewall in the services VPC inspecting and controlling that traffic
[Diagram: Services VPC inside a Region, with Subnet 1 in Availability Zone 1 and Subnet 2 in Availability Zone 2]
[Diagram: Subscribing VPC inside the same Region, also with Subnet 1 in Availability Zone 1 and Subnet 2 in Availability Zone 2]
[Diagram: Services VPC with IPsec tunnels back to DC-FW1 and DC-FW2]
Services VPC + Hybrid + Internet Gateway
[Diagram: Services VPC firewalls connected to DC-FW1 and DC-FW2 over the hybrid link and to the Internet through the region's Internet gateway]
Routing
• Default route learned via DHCP on E1/1 (ethernet1/1, the Internet-facing interface of the VM-Series in the services VPC)
• Static route defined for the enterprise network, pointing at the IPsec tunnels to DC-FW1 and DC-FW2
• Redistribution profile shares the static routes with the BGP peers (the subscribing VPCs' virtual private gateways)
• BGP routes learned from those peers are propagated into the local route table, so each subscribing VPC's prefixes are reachable through its tunnel
• Source NAT (SNAT) on the gateway firewall ensures symmetric return: Internet-bound flows leave with the firewall's own address, so the reply comes back to the firewall that holds the session and not to its peer
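The route and NAT behaviour described on the Routing slide, as an added simulation in Python (this is not PAN-OS configuration and not Palo Alto or AWS code; the interface names, peer names and every address are made up for the example, and the redistribution profile is modelled as a plain set of route sources):

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    source: str  # "dhcp", "static" or "bgp"


class VirtualRouter:
    """Routing table of one firewall virtual router (simulation only)."""

    def __init__(self, name):
        self.name = name
        self.routes = []
        self.redistribute = set()  # route sources the redistribution profile exports to BGP

    def add(self, prefix, next_hop, interface, source):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, interface, source))

    def lookup(self, dst):
        """Longest-prefix match: a BGP-learned /16 beats the DHCP-learned 0.0.0.0/0."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def bgp_advertisements(self):
        """Prefixes announced to BGP peers: only routes whose source is in the profile."""
        return sorted(str(r.prefix) for r in self.routes if r.source in self.redistribute)

    def learn_bgp(self, peer, prefixes, tunnel_if):
        """Install prefixes received from a BGP peer (a subscribing VPC's VGW)."""
        for p in prefixes:
            self.add(p, peer, tunnel_if, "bgp")


class GatewayFirewall:
    """Gateway firewall with stateful source NAT on its Internet-facing interface."""

    def __init__(self, vr, public_ip, internet_if="ethernet1/1"):
        self.vr, self.public_ip, self.internet_if = vr, public_ip, internet_if
        self.sessions = {}  # (public_ip, nat_port) -> (original_src, original_sport)
        self.next_port = 40000

    def forward(self, src, sport, dst, dport):
        """Route a packet; Internet-bound flows leave with this firewall's own address."""
        route = self.vr.lookup(dst)
        if route is None:
            return None
        if route.interface == self.internet_if:
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.sessions[(self.public_ip, nat_port)] = (src, sport)
            return (self.public_ip, nat_port, dst, dport, route.interface)
        return (src, sport, dst, dport, route.interface)

    def reply(self, src, sport, dst, dport):
        """Reverse-translate a reply from the Internet; drop it if no session is held here."""
        orig = self.sessions.get((dst, dport))
        if orig is None:
            return None
        return (src, sport, orig[0], orig[1])


def build_services_vr():
    """Constructed scenario with made-up addresses (not a real deployment)."""
    vr = VirtualRouter("default")
    vr.add("0.0.0.0/0", "10.10.0.1", "ethernet1/1", "dhcp")  # default route from DHCP on E1/1
    vr.add("10.0.0.0/8", "DC-FW1", "tunnel.1", "static")     # enterprise network behind the DC tunnel
    vr.redistribute = {"static"}                              # redistribution profile: static -> BGP
    # Subscribing VPCs peer over IPsec tunnels to their virtual private gateways
    vr.learn_bgp("vgw-marketing", ["172.16.0.0/16"], "tunnel.11")
    vr.learn_bgp("vgw-hr", ["172.17.0.0/16"], "tunnel.12")
    return vr


def demo():
    vr = build_services_vr()
    fw1 = GatewayFirewall(vr, "198.51.100.10")
    fw2 = GatewayFirewall(vr, "198.51.100.20")
    # A marketing server fetches updates: the flow leaves fw1 via ethernet1/1 with SNAT
    out = fw1.forward("172.16.1.10", 5000, "203.0.113.7", 443)
    # The reply is addressed to fw1's public IP, so fw1 can reverse the translation;
    # had it landed on fw2, there would be no session to match and it would be dropped
    return {"advertised": vr.bgp_advertisements(), "out": out,
            "reply_fw1": fw1.reply("203.0.113.7", 443, out[0], out[1]),
            "reply_fw2": fw2.reply("203.0.113.7", 443, out[0], out[1])}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The SNAT step matters twice in AWS: the Internet gateway only forwards packets whose source address maps to a public IP it knows about, so a packet still carrying a subscribing VPC's private source would never get out at all; and with two firewalls, translating to each firewall's own address is what pins the reply to the firewall that holds the session state.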
More scale
Options for even more scale
• Dealing with potential virtual private gateway subnet collisions in larger-scale deployments: with lots of VPCs in a single region, the link-local tunnel inside address ranges assigned to different VPN connections can repeat, and two tunnels that share inside addresses cannot terminate on the same routing instance
• There are several options for dealing with this:
• Terminate the duplicate IPsec tunnels on virtual routers in front of the VM-Series (routers with VRF support)
• Without VRF support on those routers, use multiple virtual routers instead, one per colliding set of tunnels
• Or continue to terminate on the firewalls and add a new VM-Series pair for the extra tunnels
• Or use physical firewalls in an AWS Direct Connect location
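One way to work out how many routing instances (virtual routers) the colliding tunnels need, as an added Python example (not a Palo Alto or AWS tool; the connection names and inside CIDRs are constructed, and the record layout is a simplification of the per-tunnel inside addresses listed in the customer gateway configuration AWS provides for each VPN connection):

```python
import ipaddress

# Constructed sample (not real AWS output): one record per VPN connection from a
# subscribing VPC's virtual private gateway, holding the link-local inside /30
# assigned to each of its two tunnels. Two connections that reuse the same /30
# cannot share one virtual router, because the tunnel interface addresses overlap.
VPN_CONNECTIONS = {
    "vpn-marketing": ("169.254.10.0/30", "169.254.10.4/30"),
    "vpn-hr":        ("169.254.10.0/30", "169.254.11.8/30"),
    "vpn-qa":        ("169.254.12.0/30", "169.254.10.4/30"),
    "vpn-dev":       ("169.254.13.0/30", "169.254.13.4/30"),
    "vpn-finance":   ("169.254.10.0/30", "169.254.12.0/30"),
}


def conflicts(connections):
    """Map each connection to the set of connections whose inside CIDRs overlap it."""
    graph = {name: set() for name in connections}
    names = list(connections)
    for i, a in enumerate(names):
        nets_a = [ipaddress.ip_network(c) for c in connections[a]]
        for b in names[i + 1:]:
            nets_b = [ipaddress.ip_network(c) for c in connections[b]]
            if any(x.overlaps(y) for x in nets_a for y in nets_b):
                graph[a].add(b)
                graph[b].add(a)
    return graph


def assign_virtual_routers(connections):
    """Greedy graph colouring where each colour is one virtual router.

    Connections are placed most-conflicting first so the heavily colliding ones
    are spread out early. The result is always a valid placement (no two
    conflicting connections share a virtual router); it is not guaranteed to use
    the minimum number, but for a few dozen tunnels it is close enough to plan with.
    """
    graph = conflicts(connections)
    order = sorted(graph, key=lambda n: (-len(graph[n]), n))
    placement = {}
    for name in order:
        used = {placement[n] for n in graph[name] if n in placement}
        vr = 1
        while vr in used:
            vr += 1
        placement[name] = vr
    return placement


def virtual_routers_needed(connections):
    """Number of virtual routers the greedy placement uses."""
    return max(assign_virtual_routers(connections).values(), default=0)


def check_placement(connections, placement):
    """Independent check: no conflicting pair may share a virtual router."""
    graph = conflicts(connections)
    return all(placement[a] != placement[b] for a in graph for b in graph[a])


if __name__ == "__main__":
    placement = assign_virtual_routers(VPN_CONNECTIONS)
    for name, vr in sorted(placement.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{name:16} -> virtual router {vr}")
    print("virtual routers needed:", virtual_routers_needed(VPN_CONNECTIONS))
    print("placement valid:", check_placement(VPN_CONNECTIONS, placement))
```

In the constructed sample, vpn-marketing, vpn-hr and vpn-finance all reuse 169.254.10.0/30, so no placement can do better than three virtual routers; the same conflict graph tells you whether the "terminate on routers in front of the VM-Series" option needs VRF support (more than one colour) or whether a single router will do.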
LOTS more scale
[Diagram: physical firewalls in an AWS Direct Connect location, reached from the VPCs over service-provider links]
[Chart: scale versus cost, plotting the scaling options: multiple open source routers; open source routers with VRF support; commercial routers with VRF support; multiple firewall pairs; physical firewalls in a Direct Connect rack]
Learn More at
Booth 201
Thank you