
How to Deploy Palo Alto VM-Series with AWS Landing Zone Accelerator

Centralized firewall architecture using Palo Alto VM-Series, Transit Gateway, and GWLB in a multi-account AWS Landing Zone

Advanced ⏱ 45 min

Prerequisites

  • AWS Landing Zone Accelerator deployed with Control Tower
  • Familiarity with Transit Gateway and VPC networking
  • Palo Alto Panorama license for centralized management
  • AWS Marketplace subscription for VM-Series AMI
  • Terraform 1.5+ installed

I worked with a financial services company running 47 AWS accounts with no centralized firewall. Each account had its own security configuration, different rulesets, and inconsistent logging. A compliance audit forced the issue — we needed one security perimeter across the entire org. Here’s how we deployed Palo Alto VM-Series with the Landing Zone Accelerator.

Understand the Architecture

This is a hub-and-spoke model. A dedicated Security VPC contains the VM-Series firewalls behind a Gateway Load Balancer (GWLB). Application VPCs connect via Transit Gateway, and all traffic — north-south and east-west — routes through the security VPC for inspection.

[Figure: VM-Series centralized design with TGW hub-and-spoke]

Component | Purpose | Where
--- | --- | ---
VM-Series | Next-gen firewall with IPS, threat prevention, SSL inspection | Security VPC
Gateway Load Balancer | Distributes traffic across firewall instances via GENEVE | Security VPC
GWLB Endpoint | Entry point for traffic entering the security VPC | Security VPC
Transit Gateway | Routes traffic from spoke VPCs to security VPC | Network Account
Panorama | Centralized policy management across all instances | Security VPC

Deploy the Transit Gateway

resource "aws_ec2_transit_gateway" "main" {
  description                     = "Central TGW for multi-account security"
  # Auto-association and propagation only apply to attachments that do not
  # opt out. Spoke attachments must opt out so they land in the "security"
  # route table below rather than in the default table.
  default_route_table_association = "enable"
  default_route_table_propagation = "enable"
  amazon_side_asn                 = 64512

  tags = { Name = "org-transit-gateway" }
}

# Route table for spoke attachments: everything they send goes to the security VPC.
resource "aws_ec2_transit_gateway_route_table" "security" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id

  tags = { Name = "tgw-rt-spokes-to-security" }
}

resource "aws_ec2_transit_gateway_route" "to_security" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.security.id
  # aws_ec2_transit_gateway_vpc_attachment.security is the security VPC's TGW
  # attachment, defined together with the security VPC resources.
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.security.id
}

All spoke VPC route tables point 0.0.0.0/0 and 10.0.0.0/8 at the TGW. The TGW then forwards everything to the security VPC attachment.
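The TGW routing described above needs two route tables, not one: a table for the spoke attachments whose only route points at the security attachment, and a separate table for the security attachment that learns the spoke CIDRs by propagation so inspected traffic can be returned. The Terraform below is an added example, not the guide's own code. It reuses the guide's `aws_ec2_transit_gateway.main` and `aws_ec2_transit_gateway_route_table.security`, and assumes a spoke VPC `aws_vpc.app_a` with attachment subnets `aws_subnet.app_a_tgw`, plus attachment subnets `aws_subnet.security_tgw` in the security VPC; those three names are placeholders.

```hcl
# Spoke VPC attachment (aws_vpc.app_a and aws_subnet.app_a_tgw are assumed
# names). Opting out of the default table makes the explicit association
# below the only one, so the spoke can reach nothing except via the
# security VPC.
resource "aws_ec2_transit_gateway_vpc_attachment" "app_a" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  vpc_id             = aws_vpc.app_a.id
  subnet_ids         = aws_subnet.app_a_tgw[*].id

  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

  tags = { Name = "tgw-att-app-a" }
}

# Spoke side: associate with the guide's route table that carries the
# 0.0.0.0/0 route to the security attachment.
resource "aws_ec2_transit_gateway_route_table_association" "app_a" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.app_a.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.security.id
}

# Security VPC attachment (aws_subnet.security_tgw is an assumed name).
# Appliance mode pins both directions of a flow to one AZ, which stateful
# inspection behind the GWLB requires.
resource "aws_ec2_transit_gateway_vpc_attachment" "security" {
  transit_gateway_id     = aws_ec2_transit_gateway.main.id
  vpc_id                 = aws_vpc.security.id
  subnet_ids             = aws_subnet.security_tgw[*].id
  appliance_mode_support = "enable"

  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false

  tags = { Name = "tgw-att-security" }
}

# Security side: its own table, populated by propagation with every spoke
# CIDR. If the security attachment shared the spoke table, its 0.0.0.0/0
# route would point inspected traffic straight back at the security VPC.
resource "aws_ec2_transit_gateway_route_table" "from_security" {
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  tags               = { Name = "tgw-rt-from-security" }
}

resource "aws_ec2_transit_gateway_route_table_association" "security" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.security.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.from_security.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "app_a" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.app_a.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.from_security.id
}
```

Each additional spoke gets a copy of the `app_a` attachment, association and propagation; the security side never needs editing. A quick check after `terraform apply` is that the spoke table shows exactly one route (0.0.0.0/0 to the security attachment) and the security table shows one propagated route per spoke CIDR.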

Deploy VM-Series Behind GWLB

resource "aws_instance" "palo_alto" {
  ami                     = data.aws_ami.palo_alto.id
  instance_type           = "m5.xlarge"
  iam_instance_profile    = aws_iam_instance_profile.vm_series.name
  disable_api_termination = true

  # Every instance needs a primary interface at device_index 0. On VM-Series
  # that is the management interface; the dataplane (GENEVE) interface is index 1.
  network_interface {
    network_interface_id = aws_network_interface.vm_series_mgmt.id
    device_index         = 0
  }

  network_interface {
    network_interface_id = aws_network_interface.vm_series_data.id
    device_index         = 1
  }

  # Bootstrap parameters the VM-Series reads at first boot to register with
  # Panorama. The provider base64-encodes user_data itself; wrapping the value
  # in base64encode() double-encodes it (user_data_base64 exists for that case).
  user_data = templatefile("${path.module}/user_data.txt", {
    panorama_ip = var.panorama_ip
    auth_key    = var.panorama_auth_key
  })

  tags = { Name = "palo-alto-vm-series-1" }
}

# Dataplane interface. source_dest_check must be off: with it on, the ENI
# drops forwarded packets that are not addressed to the firewall itself.
resource "aws_network_interface" "vm_series_data" {
  subnet_id         = aws_subnet.firewall_data_az1.id        # firewall data subnet
  security_groups   = [aws_security_group.vm_series_data.id] # allows GENEVE 6081 from the GWLB subnets
  source_dest_check = false

  tags = { Name = "palo-alto-vm-series-1-data" }
}

# A Gateway Load Balancer has no scheme, so there is no internal/internet-facing setting.
resource "aws_lb" "gwlb" {
  name               = "security-gwlb"
  load_balancer_type = "gateway"
  subnets            = [aws_subnet.gwlb_az1.id, aws_subnet.gwlb_az2.id]

  tags = { Name = "security-gwlb" }
}

# Targets are registered by the dataplane ENI's IP so GENEVE traffic and health
# checks reach the dataplane interface, not the instance's primary (management) ENI.
resource "aws_lb_target_group" "vm_series" {
  name        = "vm-series-targets"
  port        = 6081
  protocol    = "GENEVE"
  vpc_id      = aws_vpc.security.id
  target_type = "ip"

  # The firewall only answers this on the dataplane interface if its interface
  # management profile permits the checked protocol.
  health_check {
    interval = 10
    port     = "22"
    protocol = "TCP"
  }
}

resource "aws_lb_target_group_attachment" "vm_series_1" {
  target_group_arn = aws_lb_target_group.vm_series.arn
  target_id        = aws_network_interface.vm_series_data.private_ip
}

# Without a listener the GWLB forwards nothing to the target group.
resource "aws_lb_listener" "gwlb" {
  load_balancer_arn = aws_lb.gwlb.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vm_series.arn
  }
}

Key Point: Set source_dest_check = false on every VM-Series dataplane network interface. Without it, the ENI drops forwarded packets whose source or destination is not the instance itself, which is exactly the traffic a firewall exists to handle.

Configure Route Tables for Inspection

The critical piece — make sure traffic actually flows through the firewall:

# Spoke VPC: send all traffic to TGW
resource "aws_route_table" "app_vpc" {
  vpc_id = aws_vpc.application.id

  route {
    destination_cidr_block = "0.0.0.0/0"
    transit_gateway_id     = aws_ec2_transit_gateway.main.id
  }

  # East-west (RFC 1918) traffic also goes to the TGW; only the VPC's own CIDR
  # stays on the implicit local route.
  route {
    destination_cidr_block = "10.0.0.0/8"
    transit_gateway_id     = aws_ec2_transit_gateway.main.id
  }
}

# A route table inspects nothing until it is associated with the application
# subnets (aws_subnet.application is the spoke's application subnet).
resource "aws_route_table_association" "app_vpc" {
  subnet_id      = aws_subnet.application.id
  route_table_id = aws_route_table.app_vpc.id
}
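The spoke side is only half of the routing. Inside the security VPC, three subnet tiers need distinct route tables so that every packet from a spoke enters the GWLB endpoint first and internet replies re-enter it on the way back. The Terraform below is an added example (not the guide's code) for one AZ; production repeats it per AZ. It reuses the guide's `aws_lb.gwlb`, `aws_vpc.security` and `aws_ec2_transit_gateway.main`, and assumes subnets `aws_subnet.gwlbe_az1`, `aws_subnet.security_tgw_az1` and `aws_subnet.nat_az1`, a NAT gateway `aws_nat_gateway.az1` and an internet gateway `aws_internet_gateway.security`; those names are placeholders.

```hcl
# GWLB endpoint service plus the endpoint the security VPC routes through.
resource "aws_vpc_endpoint_service" "gwlb" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.gwlb.arn]
}

resource "aws_vpc_endpoint" "gwlbe_az1" {
  vpc_id            = aws_vpc.security.id
  service_name      = aws_vpc_endpoint_service.gwlb.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [aws_subnet.gwlbe_az1.id] # assumed endpoint subnet
}

# 1. TGW attachment subnet: everything arriving from the spokes goes into the
#    GWLB endpoint, so the firewall sees it before any other hop.
resource "aws_route_table" "tgw_attach_az1" {
  vpc_id = aws_vpc.security.id

  route {
    destination_cidr_block = "0.0.0.0/0"
    vpc_endpoint_id        = aws_vpc_endpoint.gwlbe_az1.id
  }
}

resource "aws_route_table_association" "tgw_attach_az1" {
  subnet_id      = aws_subnet.security_tgw_az1.id # assumed attachment subnet
  route_table_id = aws_route_table.tgw_attach_az1.id
}

# 2. GWLB endpoint subnet: traffic the firewall has passed leaves toward the
#    NAT gateway (internet) or back to the TGW (east-west).
resource "aws_route_table" "gwlbe_az1" {
  vpc_id = aws_vpc.security.id

  route {
    destination_cidr_block = "0.0.0.0/0"
    nat_gateway_id         = aws_nat_gateway.az1.id # assumed NAT gateway
  }

  route {
    destination_cidr_block = "10.0.0.0/8"
    transit_gateway_id     = aws_ec2_transit_gateway.main.id
  }
}

resource "aws_route_table_association" "gwlbe_az1" {
  subnet_id      = aws_subnet.gwlbe_az1.id
  route_table_id = aws_route_table.gwlbe_az1.id
}

# 3. NAT (public) subnet: internet replies for spoke addresses go back through
#    the GWLB endpoint, not straight to the TGW, so the firewall matches them
#    against its session table instead of being bypassed on the return leg.
resource "aws_route_table" "nat_az1" {
  vpc_id = aws_vpc.security.id

  route {
    destination_cidr_block = "0.0.0.0/0"
    gateway_id             = aws_internet_gateway.security.id # assumed IGW
  }

  route {
    destination_cidr_block = "10.0.0.0/8"
    vpc_endpoint_id        = aws_vpc_endpoint.gwlbe_az1.id
  }
}

resource "aws_route_table_association" "nat_az1" {
  subnet_id      = aws_subnet.nat_az1.id # assumed public subnet
  route_table_id = aws_route_table.nat_az1.id
}
```

The route in tier 3 is the one most often forgotten: with it missing, outbound connections are inspected but their replies skip the firewall, which looks fine in a connectivity test and only shows up as asymmetric sessions in the firewall logs.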

Trace the Traffic Flow

Egress (north-south): EC2 in spoke VPC → TGW → GWLB endpoint in security VPC → GWLB → VM-Series inspects → NAT Gateway → Internet. Return traffic follows the same path via connection tracking.

East-west (VPC-to-VPC): VPC-A instance → TGW → GWLB endpoint → VM-Series applies inter-VPC policies → TGW → VPC-B. This catches lateral movement that would otherwise be invisible.

Connect Panorama for Centralized Management

Each VM-Series registers with Panorama at boot via the user_data bootstrap. Panorama pushes security policies, threat feeds (Unit42), and log forwarding rules. When you update a policy in Panorama, every registered instance syncs within seconds.

Configure Panorama to push a default-deny policy with application-specific allow rules, forward logs to CloudWatch and S3, and schedule nightly config backups. This gives your security team a single console instead of managing dozens of individual firewalls.
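The registration step above depends on what the bootstrap file hands the firewall. The block below is an added example of such a file written inline as a Terraform local, not the guide's own user_data.txt. The key=value lines follow the VM-Series bootstrap parameter format (panorama-server, vm-auth-key, tplname, dgname, plugin-op-commands); check them against the bootstrap reference for the PAN-OS version being deployed. The template stack and device group names are placeholders, and `var.panorama_ip` and `var.panorama_auth_key` are the guide's variables.

```hcl
locals {
  # Rendered into aws_instance.palo_alto's user_data in place of templatefile().
  # The GWLB plugin command turns on GENEVE inspection for the dataplane interface.
  vm_series_user_data = <<-EOT
    type=dhcp-client
    hostname=palo-alto-vm-series-1
    panorama-server=${var.panorama_ip}
    vm-auth-key=${var.panorama_auth_key}
    tplname=aws-security-vpc-stack
    dgname=aws-security-vpc
    plugin-op-commands=aws-gwlb-inspect:enable
  EOT
}
```

Because instance user data is readable from the instance metadata service, the vm-auth-key should be a short-lived key generated on Panorama for the rollout, or the firewall should instead be pointed at a bootstrap S3 bucket that its instance profile can read, which keeps the key out of the instance's user data entirely.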

Key Takeaway

Centralizing Palo Alto VM-Series in a security VPC with GWLB and Transit Gateway gives you one security perimeter across your entire AWS estate. Start with a pilot — validate both egress and east-west flows through the firewall before scaling to production. The investment in route table planning pays for itself the first time a compliance audit asks how inter-account traffic is inspected.

Questions? Connect with me on LinkedIn.