I’ve recently been working with a client on magically spinning up entire environments in AWS. This means I’ve learned a fair bit about AWS on the way!
Without going into too much detail (as it’s the client’s work), we have been bootstrapping Palo Alto firewalls. This lets you stand up a fully configured Palo Alto firewall from a CloudFormation template in AWS in a matter of minutes. That’s pretty cool.
Palo Alto are pretty helpful with this – they provide a decent sample here: https://github.com/PaloAltoNetworks/aws
From this, you can amend the templates to fit your own environment. This method does rely on having a full configuration for the firewall available in an S3 bucket to bootstrap from (the firewall reads init-cfg.txt and bootstrap.xml from the bucket’s config/ folder, and the instance’s IAM role needs read access to that bucket). Treat that bucket as sensitive: it holds the complete firewall configuration, so it should never be public, and the instance role should have read-only access scoped to just that bucket. If the configuration is static, then easy. If not, you’ll have to do some magic elsewhere, before calling the CloudFormation template, to make sure the config you need is in the bucket.
One of the challenges we faced was the per-instance network interface limit (it depends on which EC2 instance type you choose). This means the Palo Alto example does not scale well: with too many subnets it becomes impossible to put a Palo interface in every subnet. To get around this, you can add routes in the subnets’ route tables pointing at the ENIs (Elastic Network Interfaces) of the Palo, so that multiple subnets sit behind one interface. Two things have to be true for this to work: source/destination checking must be disabled on that ENI (otherwise EC2 drops any packet that is not addressed to the ENI’s own IP), and the firewall’s virtual router needs a route back to each of those subnets via the trust subnet’s gateway, or return traffic never finds its way home.
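As an added example (not from the original post and not Palo Alto’s sample), here is a cut-down CloudFormation template that ties the two points above together: a least-privilege instance role that can only read the bootstrap bucket, and one trust-side ENI with source/destination checking disabled that several application subnets default-route through. The parameter and resource names, the m5.xlarge instance type and the route targets are all assumptions; the untrust interface and its Elastic IP are left out to keep the example focused on the shared trust ENI.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - one VM-Series trust ENI shared by several subnets

Parameters:
  VmSeriesAmi:
    Type: AWS::EC2::Image::Id           # VM-Series AMI for your region (assumption)
  MgmtSubnetId:
    Type: AWS::EC2::Subnet::Id          # management subnet; must be able to reach S3
  TrustSubnetId:
    Type: AWS::EC2::Subnet::Id          # subnet that holds the shared trust ENI
  MgmtSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
  TrustSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
  AppSubnetARouteTableId:
    Type: String                        # route tables of subnets with no firewall ENI
  AppSubnetBRouteTableId:
    Type: String
  BootstrapBucket:
    Type: String                        # bucket with config/, content/, license/, software/

Resources:
  # Least privilege: the instance can read the bootstrap bucket and nothing else.
  BootstrapRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-bootstrap-bucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub 'arn:aws:s3:::${BootstrapBucket}'
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub 'arn:aws:s3:::${BootstrapBucket}/*'
  BootstrapProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref BootstrapRole]

  # Device index 0 is the VM-Series management interface.
  MgmtEni:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref MgmtSubnetId
      GroupSet: [!Ref MgmtSecurityGroupId]

  # Device index 1 becomes ethernet1/1. SourceDestCheck must be off, or EC2
  # drops every packet that is not addressed to this ENI's own IP address.
  TrustEni:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref TrustSubnetId
      GroupSet: [!Ref TrustSecurityGroupId]
      SourceDestCheck: false

  Firewall:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref VmSeriesAmi
      InstanceType: m5.xlarge           # assumption; this is what fixes the ENI limit
      IamInstanceProfile: !Ref BootstrapProfile
      NetworkInterfaces:
        - NetworkInterfaceId: !Ref MgmtEni
          DeviceIndex: '0'
        - NetworkInterfaceId: !Ref TrustEni
          DeviceIndex: '1'
      UserData:
        Fn::Base64: !Sub 'vmseries-bootstrap-aws-s3bucket=${BootstrapBucket}'

  # Subnets with no firewall interface of their own default-route to the shared ENI.
  AppSubnetADefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref AppSubnetARouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      NetworkInterfaceId: !Ref TrustEni
  AppSubnetBDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref AppSubnetBRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      NetworkInterfaceId: !Ref TrustEni
```

Because the template creates an IAM role, deploy it with `aws cloudformation deploy --template-file <file> --stack-name <name> --capabilities CAPABILITY_IAM` plus your parameter overrides. Two things the template cannot do for you: bootstrapping runs over the management interface, so the management subnet needs a path to S3 (an internet gateway, NAT, or an S3 gateway endpoint), and the bootstrap.xml in the bucket must carry static routes for the application subnets via the trust subnet’s gateway address, otherwise the firewall will receive their traffic but have no route to send replies back.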