
Page 1: Next-Generation Firewall Services VPC Integration

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Warby Warburton, Technical Marketing Engineering Manager, Palo Alto Networks

July 13, 2016

Page 2: About Palo Alto Networks

CORPORATE HIGHLIGHTS

• Founded in 2005; first customer shipment in 2007

• Safely enabling applications and preventing cyber threats

• Able to address all enterprise cybersecurity needs

• Exceptional ability to support global customers

• Experienced team of 3,500+ employees

• Q3 FY16: $345.8M revenue

Revenues ($MM): FY09 $13; FY10 $49; FY11 $119; FY12 $255; FY13 $396; FY14 $598; FY15 $928

Enterprise customers: Jul-11 4,700; Jul-12 9,000; Jul-13 13,500; Jul-14 19,000; Jul-15 26,000

Page 3: Securing one VPC

[Diagram: a single VPC (AZ1, hosts Web1-01 and Web1-02) connected to the data-center firewalls DC-FW1 and DC-FW2 over an IPSec VPN]

Page 4: Securing one VPC

[Diagram: one VPC spanning two availability zones (labelled AZ1 b and AZ1 c) with hosts Web1-01, Web1-02, Web2-01 and Web2-02, connected to DC-FW1 and DC-FW2 over IPSec VPNs]

Page 5: Securing lots of VPCs

[Diagram: DC-FW1 and DC-FW2 with separate VPN connections to several VPCs: Marketing App, HR App, QA Environment, Dev Environment]

Page 6: Central security enforcement

• Amazon Virtual Private Cloud VPCs can be created quickly for project-specific infrastructures

• Many departments have one or more VPCs dedicated to their needs

• But granting access to/from a corporate network creates a security challenge

• It is more difficult to create a centrally managed policy for securing disparate VPCs

• The services VPC architecture creates a single point of policy enforcement and management

Page 7: Bandwidth optimization

• Another advantage of the services VPC architecture is the optimization of bandwidth

• Many VPCs will have a hybrid cloud connection to the private data center

• This connection can be used not only for accessing and managing the application but also for server-initiated sessions like updating software

• Many hybrid designs require server software update traffic to first traverse the corporate network connection and then cross the Internet to Microsoft/Linux update servers

• This creates additional load on the connection back to corporate

• A better solution is to securely allow the servers to leverage the Internet connection that is already present in each AWS Region

Page 8: Services VPC and Subscribing VPC

[Diagram: within a Region, a Services VPC and a Subscribing VPC, each with Subnet 1 and Subnet 2 spread across Availability Zone 1 and Availability Zone 2]

Page 9: Services VPC

[Diagram: within a Region, the Services VPC with Subnet 1 and Subnet 2 spread across Availability Zone 1 and Availability Zone 2]

Page 10: Services VPC + Hybrid + Internet Gateway

[Diagram: the services VPC with a hybrid connection back to DC-FW1 and DC-FW2 and an Internet gateway in the Region]

Page 11: Routing

[Diagram: the services VPC gateway firewalls with tunnels to DC-FW1 and DC-FW2, annotated with the routing callouts below]

Default route learned via DHCP on E1/1

Static route defined for enterprise network

Redistribution profile shares static routes with BGP peers

BGP routes propagated into local route table

SNAT on gateway firewall ensures symmetric return
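A model of the routing design on this slide, written here as an added example (it is not code from the deck or from Palo Alto Networks): a longest-prefix route table holding the DHCP-learned default and the static enterprise route, a redistribution profile that hands only static routes to BGP peers, the propagated routes on the subscribing side, and SNAT pinning return traffic to the firewall that forwarded it. All prefixes, interface names and firewall addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # egress interface, tunnel or peer, e.g. "E1/1", "tunnel.1", "vgw"
    source: str    # how the route was learned: "dhcp", "static", "bgp" or "connected"

class RouteTable:
    def __init__(self):
        self.routes = []
    def add(self, prefix, next_hop, source):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, source))
    def lookup(self, dst):
        """Longest-prefix match; None when nothing (not even a default) matches."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)
    def redistribute(self, sources=("static",)):
        """Redistribution profile: only the listed sources go to BGP peers, so the DHCP default stays local."""
        return [r for r in self.routes if r.source in sources]

def build_gateway_firewall():
    """Services VPC gateway firewall route table (constructed prefixes)."""
    rt = RouteTable()
    rt.add("0.0.0.0/0", "E1/1", "dhcp")         # default route learned via DHCP on E1/1
    rt.add("10.0.0.0/8", "tunnel.1", "static")  # static route for the enterprise network
    return rt

def build_subscribing_vpc(advertised):
    """Subscribing VPC route table after the BGP routes are propagated into it."""
    rt = RouteTable()
    rt.add("172.16.0.0/16", "local", "connected")  # constructed subscribing VPC CIDR
    for r in advertised:
        rt.add(str(r.prefix), "vgw", "bgp")        # next hop: the virtual private gateway
    return rt

# Constructed E1/1 addresses of the two gateway firewalls, one per Availability Zone.
GATEWAY_FIREWALLS = {"FW-AZ1": "198.51.100.1", "FW-AZ2": "198.51.100.2"}

def snat(fw_name, src, dst):
    """SNAT on the gateway firewall: the original src is replaced by that firewall's E1/1 address."""
    return GATEWAY_FIREWALLS[fw_name], dst

def return_firewall(reply_dst):
    """A reply to the SNAT address can only land on its owner (symmetric return);
    a reply to an un-translated private source has no unique owner among the pair."""
    owners = [name for name, ip in GATEWAY_FIREWALLS.items() if ip == reply_dst]
    return owners[0] if len(owners) == 1 else None
```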

Page 12: More scale

[Diagram: additional subscribing VPCs attached to the services VPC, which connects back to DC-FW1 and DC-FW2]

Page 13: Options for even more scale

• Dealing with potential virtual private gateway subnet collisions for larger-scale deployments

• Lots of VPCs in a single region

• There are several options for dealing with this:

• Terminate the duplicate IPsec tunnels on virtual routers in front of the VM-Series

• Without VRF support, could use multiple virtual routers

• Or continue to terminate on the firewalls and use a new VM-Series pair

• Or use physical firewalls in an AWS Direct Connect location

Page 14: LOTS more scale

[Diagram: DC-FW1 and DC-FW2 connected through a Direct Connect Location over Service Provider Links]

Page 15: Scale vs. cost of the scaling options

[Chart with axes Scale and Cost, plotting: open source routers with VRF support; commercial routers with VRF support; multiple firewall pairs; physical firewalls in direct connection rack; multiple open source routers]

Page 16: Learn More at Booth 201

Page 17: Thank you