In this session, Warby Warburton, senior product manager at Palo Alto Networks, facilitates a discussion and demonstration of how to fully automate the creation of a Transit VPC with the VM-Series that enables application developers and spoke VPC owners to add and remove applications, as needed, without being slowed by corporate security processes or change control requirements. This session is brought to you by AWS Partner, Palo Alto Networks.

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Warby Warburton
Sr. Product Manager
Palo Alto Networks
TRANSIT VPC WITH THE VM-SERIES
ON AWS

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ABOUT PALO ALTO NETWORKS
• Safely enable applications and prevent
cyber threats
• Address cloud security challenges with
inline, API and server-based solutions
• 48,000 customers; 5,000+ employees
• Gartner Enterprise Firewall Magic Quadrant
Leader 5 years running

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Characteristics
• Business critical applications are rarely
“stand alone”
• Often communicate with:
• Other applications, data sources,
resources
• Within the same VPC, different
VPC/account
• In the corporate data center, or on
the web
Security Options
• Backhaul all traffic through corporate
firewall
• Costly, bandwidth intensive
• Inefficient
• Not very “cloud centric”
• Deploy a firewall in every VPC
• Can be costly
• Large scale deployments become
hard to manage
SECURING LARGE SCALE AWS DEPLOYMENTS

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
TRANSIT VPC WITH THE VM-SERIES ON AWS
• Hub and spoke architecture
• Hub acts as the gateway for
entire AWS deployment
• Each spoke will “transit” the hub
to communicate with other
apps, VPCs, accounts
• Benefits:
• Centralizes resource connectivity
• Enforces consistent security
• Reduces costs and complexity

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
OVERLAY NETWORK DETAILS

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
TRANSIT VPC + HYBRID + INTERNET
GATEWAY

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
HIGH AVAILABILITY
Default route mapped to E1/1
Enterprise network routes learned dynamically
Redistribution profile shares routes with BGP peers
BGP routes propagated into local route table
SNAT on gateway firewall ensure symmetric return

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SCALING OUT

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
MORE SCALE

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VARIATION: DEDICATED SPOKE FOR SHARED
SERVICES• Deploy a shared services
VPC as a spoke
• DNS, logging, other
commonly used services
are centralized to eliminate
redundancies
• Shared services remain
behind the Hub
VPN
WAN
AWS Direct
Connect
Transit VPC
Shared
Services

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
HARDWARE BASED SOLUTION
DirectConnect
Location
Service Provider
Links

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
HARDWARE + VIRTUALIZED FIREWALL
SOLUTION

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automation
Not just automated deployment – continuous automation

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AUTO ATTACHMENT OF NEW VPCS
Region
Transit VPC
Subnet 1
Availability Zone 2
Availability Zone 1
Subnet 2
VPC tag =
“subscribing VPC”

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AUTOMATION + SCALE

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
TRANSIT VPC: COST EFFECTIVLY PROTECTING APPS
AND DATA
• AWS enables you to scale your environment in an
automated manner
• The Transit VPC with the VM-Series reduces security and
connectivity management challenges associated with
scale
• Security teams can build a centralized security architecture that
becomes part of the application development fabric,
• Development teams can scale as needed knowing apps and data
are transparently protecting from threats and data exfiltration

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
RESOURCES TO ACCELERATE AWS
DEPLOYMENTS
https://live.paloaltonetworks.com/cloudtemplate

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Please complete the session
survey in the summit mobile app.

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.