
PALO ALTO NETWORKS: VM-Series for Amazon Web Services Specsheet

VM-Series for Amazon Web Services

Palo Alto Networks VM-Series firewalls give your organization the flexibility to maintain next-generation security services across your Virtual Private Cloud (VPC) instances within Amazon Web Services (AWS).

Key Security Features:
Identify and control applications traversing your AWS VPC.
Protect against known and unknown threats.
Centrally manage configuration, policy and logging across all your firewalls, on premises and in AWS, with Panorama.
Three flexible licensing options: traditional bring-your-own-license; hourly usage-based pricing for workload bursts of a few days or months; and annual usage-based pricing for longer-term workloads.

[Figure: an AWS Region containing a VPC with Availability Zone 1 and Availability Zone 2; App1 and App2 instances in Subnets 1 through 4, with a VM-Series firewall in front of each zone's subnets.]

Amazon Web Services (AWS) offers a broad set of global compute, application, storage and deployment services that enable you to quickly and efficiently address your changing data center computing needs. Securing your AWS deployment introduces a range of challenges, including a lack of application visibility, inconsistent security functionality, and difficulty keeping pace with the rate of change commonly found in cloud computing environments.

In order to effectively secure your AWS environment, your security solution should address the following requirements:
Identify and control applications within the cloud, based on the application's identity, not the port it may use.
Stop malware from gaining access to, and moving laterally (east-west) within, the cloud.
Determine who should be allowed to use the applications, and grant access based on user needs and credentials.
Simplify management and minimize the security policy lag as virtual workloads are added, removed or changed.

The VM-Series for AWS addresses these key requirements with the same next-generation firewall and advanced threat prevention features that are available in our physical form factor appliances, allowing you to protect your AWS deployments from a wide range of known and unknown threats.

Applying next-generation security to virtualized environments
The VM-Series for AWS natively analyzes all traffic in a single pass to determine the application identity, the content within, and the user identity. These are then used as integral components of your security policy, resulting in an improved security posture and a reduction in incident response time.


Isolate mission-critical applications and data using Zero Trust principles
Security best practices dictate that your mission-critical applications and data should be isolated in secure segments using Zero Trust (never trust, always verify) principles at each segmentation point. The VM-Series can be deployed in your AWS environment, allowing you to protect east-west traffic between VMs at both the subnet and the application level.

Block lateral movement of cyber threats
Today's cyber threats will commonly compromise an individual workstation or user, and then move across the network looking for a target. Within your virtual network, cyber threats will move laterally from VM to VM, in an east-west manner, placing your mission-critical applications and data at risk. Exerting application-level control using Zero Trust principles between VMs reduces the threat footprint while applying policies to block both known and unknown threats.

Streamline policy deployment
A rich set of APIs can be used to integrate with external orchestration and management tools that collect information about workload changes; that information can then be used to dynamically drive policy updates via Dynamic Address Groups and VM Monitoring.

RESTful APIs: A flexible, REST-based API allows you to integrate with third-party or custom cloud orchestration solutions. This enables the VM-Series to be deployed and configured in lockstep with virtualized workloads.

Virtual Machine Monitoring: Security policies must be able to monitor and keep up with changes in virtualization environments, including VM attributes and the addition or removal of VMs. Virtual Machine Monitoring (VM Monitoring) automatically polls your virtualization environments for virtual machine inventory and changes, collecting this data in the form of tags that can then be used in Dynamic Address Groups to keep policies up to date.


Centrally manage virtualized and physical form factor firewalls
Panorama network security management enables you to manage your VM-Series deployments, along with your physical security appliances, thereby ensuring policy consistency and cohesiveness. Rich, centralized logging and reporting capabilities provide visibility into virtualized applications, users and content.

VM-SERIES FOR AWS USE CASE: PERIMETER GATEWAY
Establishing a VPC is not significantly different from building out a new physical data center, complete with a new perimeter firewall. In this use case, the VM-Series can be deployed as your gateway firewall, securing your deployment in AWS. As new EC2 workloads are added or change, VM Monitoring and Dynamic Address Groups will enable your security policies to keep pace with any respective EC2 changes.

VM-SERIES FOR AWS USE CASE: HYBRID CLOUD
Your VPC is an extension of your corporate computing environment, enabling you to scale rapidly while minimizing capital and operational expenses. In this use case, the VM-Series supports the exact same features that are supported in our physical form factor appliances, including standards-based site-to-site IPsec VPN. The VM-Series can be configured to establish an IPsec VPN connection, with access control policies that are based on the application, the respective content, and the user identity. In effect, you are able to extend the same security policies that control your corporate network to your VPC.


Dynamic Address Groups: As your virtual machines are added, removed or change, building security policies based on static data, such as IP address, delivers limited value. Dynamic Address Groups allow you to create policies using tags [from VM Monitoring] as an identifier for virtual machines instead of a static object definition. Multiple tags representing virtual machine attributes, such as IP address and operating system, can be resolved within a Dynamic Address Group, allowing you to easily apply policies to virtual machines as they are created or travel across the network.
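The VM Monitoring and Dynamic Address Groups passages above describe a mechanism rather than an API, so here is an added, self-contained model of it (illustrative code written for this page, not PAN-OS or Palo Alto Networks code): a constructed inventory of tagged workloads, tag match expressions resolved into address groups, and a policy rule that refers only to group names, so a newly tagged instance is covered on the next poll without the rule changing. The tag names, group names and the "and"/"or" expression grammar are assumptions for the illustration.

```python
# Illustrative model of VM Monitoring feeding Dynamic Address Groups.
# Constructed for this page; it is not PAN-OS code or its API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: frozenset  # tags a VM Monitoring poll would collect (assumed names)


# Constructed sample inventory standing in for what VM Monitoring polls from the VPC
INVENTORY = [
    Workload("web-1", "10.0.1.10", frozenset({"Role.web", "Env.prod"})),
    Workload("web-2", "10.0.1.11", frozenset({"Role.web", "Env.prod"})),
    Workload("db-1", "10.0.2.20", frozenset({"Role.db", "Env.prod"})),
    Workload("db-dev", "10.0.3.30", frozenset({"Role.db", "Env.dev"})),
]


def resolve_group(match: str, inventory) -> set:
    """Resolve a match expression such as 'A and B or C' to the IPs whose tags
    satisfy it. 'and' binds tighter than 'or'; these two operators are the only
    ones this model supports (assumed grammar, not the product's)."""
    ips = set()
    for clause in match.split(" or "):
        needed = {t.strip() for t in clause.split(" and ")}
        ips |= {w.ip for w in inventory if needed <= w.tags}
    return ips


# Dynamic Address Groups keyed by name: the rule refers to these, never to static IPs
GROUPS = {
    "prod-web": "Role.web and Env.prod",
    "prod-db": "Role.db and Env.prod",
}

# One allow rule expressed in terms of groups and an application name
RULE = {"src": "prod-web", "dst": "prod-db", "apps": {"mysql"}}


def is_allowed(src_ip: str, dst_ip: str, app: str, inventory=INVENTORY) -> bool:
    """Evaluate RULE against groups resolved from the current inventory."""
    src = resolve_group(GROUPS[RULE["src"]], inventory)
    dst = resolve_group(GROUPS[RULE["dst"]], inventory)
    return src_ip in src and dst_ip in dst and app in RULE["apps"]


def add_workload(inventory, name: str, ip: str, tags) -> list:
    """Simulate a new EC2 instance appearing in the next VM Monitoring poll."""
    return inventory + [Workload(name, ip, frozenset(tags))]
```

Removing a workload from the inventory drops it from every group on the next resolution in the same way, which is the policy-lag reduction the text refers to.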

[Image 1: VM-Series for AWS use cases. Panels: VPC Gateway; Hybrid cloud (IPsec VPN); VPC-to-VPC Security; GlobalProtect remote access; Dev and Test VPCs, each with App1/App2 workloads behind VM-Series firewalls.]


VM-SERIES FOR AWS USE CASE: VPC-TO-VPC SECURITY
Recent high-profile threats have shown that cybercriminals are adept at hiding in plain sight once they bypass the perimeter controls, and then moving at will across the network. A VPC provides an isolation and security boundary for your workloads in AWS. Connecting VPCs with different trust levels using VM-Series firewalls provides granular control over the applications and users accessing resources between them. It also allows for encrypting traffic between VPCs in different regions while traversing the open Internet.

VM-SERIES FOR AWS USE CASE: GLOBALPROTECT FOR REMOTE ACCESS VPN
Securing mobile users from threats and risky applications is often a complex mix of procuring and setting up the security and IT infrastructure, ensuring uptime requirements in multiple locations around the globe, all while staying on budget. The AWS computing infrastructure, combined with the VM-Series and GlobalProtect mobile security service, helps you solve these challenges with a secure remote access VPN that extends your security policies to all of your remote users, regardless of their location. As a GlobalProtect Gateway, the VM-Series instances can be deployed to scale up or down, based on demand, while keeping costs low with utility-style pricing by the hour or an annual subscription.

DEPLOYMENT FLEXIBILITY
AWS provides you with a true elastic computing model, allowing you to scale up or down your computing resources worldwide. To fully support the elastic computing model, the VM-Series can be licensed on an hourly or annual payment structure, or as a traditional, bring-your-own-license model.

Usage-based licensing: This licensing model allows you to purchase the VM-Series and select Subscriptions and Premium Support as a bundle directly through your AWS Management console on either an hourly or annual payment structure.
Bundle 1 contents: VM-300 firewall, Threat Prevention subscription (inclusive of IPS, AV, Malware prevention) and Premium support.
Bundle 2 contents: VM-300 firewall, Threat Prevention (inclusive of IPS, AV, Malware prevention), WildFire threat intelligence service, URL Filtering, GlobalProtect subscriptions and Premium support.

Bring-your-own-license: Any one of the VM-Series models, along with the associated Subscriptions and Support, is purchased via normal Palo Alto Networks channels and then deployed through your AWS Management console.

SUMMARY
The VM-Series for AWS allows you to protect your VPC using our next-generation firewall and advanced threat prevention services. Traffic flowing into, and across, your AWS deployment is identified and secured based on the application identity, and inspected for known and unknown cyber threats. Native VM-Series automation features help to ensure that your security policies can keep pace with any contextual virtual machine changes in your VPC, while Panorama allows you to centrally manage your entire Palo Alto Networks deployment of physical and virtualized appliances.

PERFORMANCE AND CAPACITIES (1)

                                     | VM-1000-HV | VM-300   | VM-200   | VM-100
Firewall throughput (App-ID enabled) | 1 Gbps     | 1 Gbps   | 1 Gbps   | 1 Gbps
Threat prevention throughput         | 600 Mbps   | 600 Mbps | 600 Mbps | 600 Mbps
IPsec VPN throughput                 | 250 Mbps   | 250 Mbps | 250 Mbps | 250 Mbps
Max sessions                         | 250,000    | 100,000  | 100,000  | 50,000
New sessions per second              | 8,000      | 8,000    | 8,000    | 8,000

(1) Performance and capacities are measured under ideal testing conditions using PAN-OS 7.0 and 4 CPU cores.

SYSTEM REQUIREMENTS

AWS Instances                            | c3.xlarge, c3.2xlarge, c3.4xlarge, c3.8xlarge, m3.xlarge, m3.2xlarge
Network interfaces (dataplane/management) | 3/1: c3.xlarge, c3.2xlarge, m3.xlarge, m3.2xlarge, c4.xlarge, c4.2xlarge, c4.4xlarge
                                         | 7/1: c3.4xlarge, c3.8xlarge
Virtual CPU cores                        | 2, 4 or 8
Memory (Minimum)                         | 4 GB
Disk drive capacity (Min/Max)            | 40 GB/2 TB (EBS Optimized required)


VM-SERIES LICENSING OPTIONS

                     | BYOL            | USAGE BASED BUNDLE 1 | USAGE BASED BUNDLE 2
VM-Series Firewall   |                 |                      |
  VM-100             | Included        | --                   | --
  VM-200             | Included        | --                   | --
  VM-300             | Included        | Included             | Included
  VM-1000-HV         | Included        | --                   | --
Subscriptions        |                 |                      |
  Threat Prevention  | Included        | Included             | Included
  WildFire           | Included        | --                   | Included
  URL Filtering      | Included        | --                   | Included
  GlobalProtect      | Included        | --                   | Included
Premium support      | Included        | Included             | Included
Standard support     | Included        | --                   | --
Payment structure    | Annual renewals | Hourly or Annually   | Hourly or Annually

4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

Copyright 2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks,
the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of
Palo Alto Networks, Inc. All specifications are subject to change without notice.
Palo Alto Networks assumes no responsibility for any inaccuracies in this document
or for any obligation to update information in this document. Palo Alto Networks
reserves the right to change, modify, transfer, or otherwise revise this publication
without notice. PAN_SS_VMSAWS_052815
