# How VM-Series Integrates with AWS Gateway Load Balancer

By [Vijay Arumugam Kannan](https://www.paloaltonetworks.com/blog/author/vijay-arumugam-kannan/?ts=markdown "Posts by Vijay Arumugam Kannan"), Nov 10, 2020

We've just [announced](https://www.paloaltonetworks.com/blog/2020/11/netsec-aws-gateway-load-balancer-integration/) the general availability of the [VM-Series virtual firewall](https://www.paloaltonetworks.com/network-security/vm-series-virtual-next-generation-firewall) integration with the new [AWS Gateway Load Balancer](https://aws.amazon.com/blogs/aws/introducing-aws-gateway-load-balancer-easy-deployment-scalability-and-high-availability-for-partner-appliances/) (GWLB). And by doing so, we're introducing security scaling while maintaining throughput performance and bypassing many of the complexities traditionally associated with inserting virtual appliances in public cloud environments.

First, some context: Palo Alto Networks VM-Series virtual Next-Generation firewalls augment native Amazon Web Services (AWS) network security capabilities with next-generation threat protection. VM-Series virtual firewalls help prevent exploits, malware, previously unknown threats, and data exfiltration to keep your apps and data in AWS safe.

When it comes to deploying VM-Series firewalls in AWS, customers typically leverage an AWS Transit Gateway deployment. Like most customers, you probably connect the spoke VPCs with application workloads to the AWS Transit Gateway, and then deploy the VM-Series firewalls in dedicated security VPCs and connect to the same AWS Transit Gateway.

**Tradeoff Problem #1: Scale and Throughput Performance**

Until now, you had two connectivity options to route your outbound and east-west traffic through the VM-Series firewalls in your transit gateway environment:

1. You could deploy VM-Series with encrypted tunnels using AWS Transit Gateway VPN attachments (see Figure 1).
2. You could deploy VM-Series in active-passive HA mode using AWS Transit Gateway VPC attachments.

The first option provides scale using equal-cost multi-path routing (ECMP) and multiple VPN attachments, but each VPN attachment offers a limited [throughput of 1.25 Gbps](https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html#bandwidth-quota).
The second option uses VPC attachments that provide up to [50 Gbps of throughput](https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-integrate-third-party-firewall-appliances-into-an-aws-environment/) but do not scale beyond a single active VM-Series firewall (per AWS Availability Zone).

**Tradeoff Problem #2: Visibility and Centralized Firewall Management**

A similar tradeoff exists for inbound traffic protection. Like most customers, you likely use a "sandwich" architecture that forces all your inbound application traffic to flow through an inbound security VPC. This inbound security VPC hosts an auto-scaling firewall stack for threat prevention (see Figure 1). While this architecture enables you to centrally manage firewalls and security policies, it also requires the firewalls to apply source address translation (SNAT) on the traffic to maintain flow symmetry, thereby obfuscating the source's identity to your applications.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/11/image2.png)

Figure 1. Current transit gateway deployment models with VM-Series may force customers to make tradeoffs between visibility, scalability, and performance.

**AWS Gateway Load Balancer Changes the Game**

With the launch of GWLB, you can now simplify your VM-Series firewall insertion and realize next-generation threat prevention at scale in your AWS environment. This new AWS managed service allows you to deploy a stack of VM-Series firewalls and operate in a horizontally scalable and fault-tolerant manner.

[The integration of VM-Series virtual firewalls with the GWLB](https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/vm-series-integration-with-gateway-load-balancer) alleviates the above tradeoff concerns.
This new integration enables you to use native AWS networking constructs -- such as VPC attachments -- to scale your VM-Series firewalls dynamically to match your inbound, outbound, and east-west traffic demands.

Figure 2 illustrates how using the GWLB integration with VM-Series simplifies your AWS Transit Gateway environments. You can continue to use a centralized security VPC as you did previously. But now, you can leverage the GWLB to scale and load-balance traffic across the stack of VM-Series firewalls in your centralized security VPC. You can then expose the GWLB with the stack of firewalls as a VPC endpoint service for traffic inspection and threat prevention.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/11/image2-1.png)

Figure 2. AWS Gateway Load Balancer simplifies VM-Series virtual firewall insertion at a higher scale and throughput performance for inbound, outbound, and east-west traffic protection.

To protect the inbound traffic, create GWLB endpoints (GWLBE1 and GWLBE2 in Figure 2) in your spoke VPCs. Next, you'll add route rules in the spoke VPC's Internet gateway and subnet route tables to route all inbound traffic to the VPC via the endpoints and through the firewalls.

Similarly, to protect your outbound and east-west traffic, you can create a GWLB endpoint (GWLBE3 in Figure 2) in the centralized firewall VPC -- then use route rules in your VPCs and transit gateways to redirect traffic to your security VPC for inspection.

**Three ways the integration pays off**

The VM-Series firewall integration with GWLB offers the following benefits:

* **Simplified connectivity -** Easily insert an auto-scaling VM-Series firewall stack in the outbound, east-west, and inbound traffic paths of your applications. VM-Series and the GWLB use the GENEVE encapsulation to keep your traffic packet headers and payload intact, providing complete visibility of the source's identity to your applications. In other words, no more SNAT.
* **Performance at scale -** Scale your traffic across multiple VM-Series firewalls at higher throughput by using AWS native networking constructs and AWS Transit Gateway VPC attachments. You no longer need encrypted tunnels for east-west and outbound traffic inspection. In other words, no IPsec tunnel overhead.
* **Cost Effective -** Reduce the number of firewalls needed to protect your AWS environment and consolidate your overall network security posture with centralized security management.

To begin realizing these benefits in your AWS environment today, you can start a trial of VM-Series on AWS from the [AWS Marketplace](https://aws.amazon.com/marketplace/pp/B083LH64T3). You may also find more information on how VM-Series adds an additional layer of protection to AWS environments on the [Live Community AWS resource page](https://live.paloaltonetworks.com/t5/aws/ct-p/AWS). And don't forget to check our [Palo Alto Networks GitHub repository](https://github.com/PaloAltoNetworks) for the latest assets to help you deploy and manage VM-Series firewalls in cloud environments.
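The inbound routing step above only protects a subnet if both the Internet gateway (edge) route table and the subnet's own route table point at a GWLB endpoint. The following added example (not from the original post or from Palo Alto Networks) audits route tables for paths that skip the endpoint. The data is constructed in the shape of `aws ec2 describe-route-tables` output, all IDs and CIDRs are made up, and it assumes GWLB endpoint routes appear with a `GatewayId` beginning with `vpce-`.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-route-tables` output for one
# spoke VPC. Every ID and CIDR is made up; "vpce-" targets stand in for GWLBE1
# (assumption: GWLB endpoint routes are reported under GatewayId).
LOCAL = {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-edge",            # edge table attached to the IGW
     "Associations": [{"GatewayId": "igw-0example"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "10.1.1.0/24",
                        "GatewayId": "vpce-0gwlbe1"}]},
    {"RouteTableId": "rtb-app-a",           # replies leave via the endpoint
     "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "vpce-0gwlbe1"}]},
    {"RouteTableId": "rtb-app-b",           # default route skips the firewall
     "Associations": [{"SubnetId": "subnet-app-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-0example"}]},
]
APP_SUBNETS = {"subnet-app-a": "10.1.1.0/24", "subnet-app-b": "10.1.2.0/24"}


def best_target(routes, cidr):
    """Longest-prefix match: target of the most specific route covering cidr."""
    net = ipaddress.ip_network(cidr)
    covering = []
    for route in routes:
        dest = route.get("DestinationCidrBlock")  # IPv6/prefix-list routes skipped
        if dest and net.subnet_of(ipaddress.ip_network(dest)):
            covering.append((ipaddress.ip_network(dest).prefixlen, route))
    if not covering:
        return None
    return max(covering, key=lambda item: item[0])[1].get("GatewayId")


def find_bypasses(route_tables, app_subnets):
    """Return (subnet, direction, target) for each path that avoids a GWLBE."""
    edge_routes = [r for t in route_tables for r in t["Routes"]
                   if any(a.get("GatewayId", "").startswith("igw-")
                          for a in t.get("Associations", []))]
    by_subnet = {a["SubnetId"]: t for t in route_tables
                 for a in t.get("Associations", []) if "SubnetId" in a}
    findings = []
    for subnet, cidr in sorted(app_subnets.items()):
        inbound = best_target(edge_routes, cidr)
        table = by_subnet.get(subnet)  # main-table subnets are not resolved here
        outbound = best_target(table["Routes"], "0.0.0.0/0") if table else None
        for direction, target in (("inbound", inbound), ("outbound", outbound)):
            if not (target or "").startswith("vpce-"):
                findings.append((subnet, direction, target))
    return findings


if __name__ == "__main__":
    for finding in find_bypasses(ROUTE_TABLES, APP_SUBNETS):
        print("bypass:", finding)
```

A subnet with no explicit route table association is reported with a target of `None`, which marks it for manual review rather than treating it as inspected.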
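The "Simplified connectivity" point rests on GENEVE carrying the original packet unmodified, so the client address survives to the firewall and the application. As an added illustration (not code from the original post), this parser follows the generic RFC 8926 header layout and reads the inner IPv4 addresses; the sample packet, its addresses and its option (class `0xFFF0`, experimental range) are constructed, and no AWS-specific option format is assumed.

```python
import ipaddress
import struct

GENEVE_UDP_PORT = 6081    # IANA-assigned UDP port for GENEVE (RFC 8926)
ETHERTYPE_IPV4 = 0x0800


def parse_geneve(payload):
    """Split a GENEVE UDP payload into VNI, options and the inner packet."""
    if len(payload) < 8:
        raise ValueError("truncated GENEVE header")
    first, _flags, proto = struct.unpack("!BBH", payload[:4])
    if first >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    end = 8 + (first & 0x3F) * 4           # Opt Len counts 4-byte words
    if len(payload) < end:
        raise ValueError("options run past end of payload")
    options, pos = [], 8
    while pos < end:
        opt_class, opt_type, length = struct.unpack("!HBB", payload[pos:pos + 4])
        data_end = pos + 4 + (length & 0x1F) * 4
        if data_end > end:
            raise ValueError("option overruns declared option length")
        options.append((opt_class, opt_type, payload[pos + 4:data_end]))
        pos = data_end
    return {"vni": int.from_bytes(payload[4:7], "big"), "protocol": proto,
            "options": options, "inner": payload[end:]}


def inner_ipv4_addrs(inner):
    """Source and destination of the encapsulated IPv4 packet."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return (str(ipaddress.IPv4Address(inner[12:16])),
            str(ipaddress.IPv4Address(inner[16:20])))


def build_sample():
    """Constructed packet: client 203.0.113.7 -> workload 10.1.1.20."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                        ipaddress.IPv4Address("203.0.113.7").packed,
                        ipaddress.IPv4Address("10.1.1.20").packed)
    option = struct.pack("!HBB", 0xFFF0, 1, 2) + bytes(8)   # made-up option
    header = struct.pack("!BBH", len(option) // 4, 0, ETHERTYPE_IPV4) + bytes(4)
    return header + option + inner


if __name__ == "__main__":
    packet = parse_geneve(build_sample())
    print("options:", packet["options"])
    print("inner src/dst:", inner_ipv4_addrs(packet["inner"]))
```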