Skip to main content

Deploying Cloud NGFW using Terraform


This is a multi-section tutorial, with dependencies between each section. Please perform each section in order, per the links on the left-hand sidebar.


The objective of this multi-section tutorial is to deploy Cloud NGFW into AWS with Terraform. The sections are divided as follows:

  1. This introduction
  2. Prepare AWS infrastructure
  3. Subscribe to and prepare Cloud NGFW
  4. Create a Cloud NFGW rulestack and rules
  5. Commit the Cloud NFGW rulestack and rules
  6. Create Cloud NFGW resources
  7. Create routing to insert Cloud NGFW into the infrastructure
  8. Testing, log inspection and review

The entire source code for this tutorial can be found on GitHub.


There are many ways to architect Cloud NGFW into your AWS infrastructure. This tutorial uses one of the reference architecture designs from Palo Alto Networks, described in the "Protect Traffic between TWO subnets in a VPC" section and shown in Figure 6. Using this design pattern, you will deploy Cloud NGFW into a single VPC in a single availability zone, and protect traffic between two hosts deployed into two separate DMZ subnets. The endpoints used to steer traffic into Cloud NGFW Will be service-managed. network diagram of the AWS VPC

This tutorial follows the convention of splitting up Terraform code into separate files, namely:

  • - definition and configuration of Terraform providers to be used
  • - declaration of variables which will be used
  • terraform.tfvars - when required, defines values for variables
  • - definition and creation of resources (for example, AWS infrastructure, Cloud NGFW rules, etc)
  • - declaration of values to be presented back after Terraform finishes executing

The content in this tutorial builds on the introduction published in Palo Alto Networks' Developer Blog.


This tutorial/guide assumes:

  • a working installation of Terraform
  • working connectivity to AWS
  • credentials for an AWS user capable of performing operations with your AWS account such as creating, listing, updating and deleting resources such as VPCs, subnets, route tables and routes, IAM roles

Important - Work in a Lab Environment First

With all of the tutorials and guides presented on this website, please ensure that you attempt the tasks in a lab or a similar safe and non-production environment first. In public cloud scenarios, this should be a non-production cloud account which contains no production assets or data. Confirm the tasks behave as expected and perform the operations you require, before using them in production or other live environments.