Auto Scale Solution for FTDv on AWS

Cisco provides CloudFormation Templates and scripts for deploying an auto-scaling group of FTDv firewalls using several AWS services, including Lambda, auto scaling groups, Elastic Load Balancing (ELB), Amazon S3 Buckets, SNS, and CloudWatch. FTDv Auto Scale in AWS is a complete serverless implementation (i.e. no helper VMs involved in the automation of this feature) that adds horizontal auto scaling capability to FTDv instances in the AWS environment.

The FTDv Auto Scale solution is a CloudFormation template-based deployment that provides:

• Completely automated FTDv instance registration and de-registration with the FMC
• NAT policy, Access Policy, and Routes automatically applied to scaled-out FTDv instances
• Support for Load Balancers and multi-availability zones.

Auto Scale Use Case

The Use Case for this FTDv AWS Auto Scale Solution is shown in Figure, Because the AWS Load Balancer allows only Inbound-initiated connections, only externally generated traffic is allowed to pass inside via the Cisco FTDv firewall.

The Internet-facing Load Balancer will have a DNS name, and 0 to 4 ports can be kept open. Of those ports, 0 to 2 can be unsecured ports such as HTTP/80, and 0 to 2 can be secured ports such as HTTPS/443.

Note: Secured ports need an SSL/TLS certificate, as described SSL Server Certificate, on page 7 in the Prerequisites.

The Internet-facing load balancer can be a Network Load Balancer or an Application Load Balancer. All of the AWS requirements and conditions hold true for either case. As indicated in the Use Case diagram, the right side of the dotted line is deployed via the FTDv templates. The left side is completely user-defined.

Note: Application-initiated outbound traffic will not go through the FTDv.

FTDv Auto Scaling for AWS

• NGFWv6.6.0 : Code | README | Deployment/Configuration Guide
• NGFWv6.7.0 : Code | README | Deployment/Configuration Guide

Auto Scale Solution for FTDv on Azure

FTDv Auto Scale for Azure is a complete serverless implementation which makes use of serverless infrastructure provided by Azure (Logic App, Azure Functions, Load Balancers, Security Groups, Virtual Machine Scale Set, etc.).

Some of the key features of the FTDv Auto Scale for Azure implementation include:

• Completely automated FTDv instance registration and deregistration with the FMC.

• NAT policy, Access policy, and Routes automatically applied to scaled-out FTDv instances.

• Support for standard Load Balancers.

• Supports FTDv deployment om multi-availability zones.

• Support for enabling and disabling the Auto Scale feature.

• Azure Resource Manager (ARM) template-based deployment.

• Works only with FMC; the Firepower Device Manager is not supported

• Support to deploy the FTDv with PAYG or BYOL licensing mode. PAYG is applicable only for FTDv software version 6.5 and onwards

• Cisco provides an Auto Scale for Azure deployment package to facilitate the deployment.

Auto Scale Use Case (Azure)

The FTDv Auto Scale for Azure is an automated horizontal scaling solution that positions an FTDv scale set sandwiched between an Azure Internal load balancer (ILB) and an Azure External load balancer (ELB).

• The ELB distributes traffic from the Internet to FTDv instances in the scale set; the firewall then forwards traffic to application.
• The ILB distributes outbound Internet traffic from an application to FTDv instances in the scale set; the firewall then forwards traffic to Internet.
• A network packet will never pass through both (internal & external) load balancers in a single connection.
• The number of FTDv instances in the scale set will be scaled and configured automatically based on load conditions.

FTDv Auto Scaling for Azure

• NGFWv6.6.0 : Code | README | Deployment/Configuration Guide
• NGFWv6.7.0 : Code | README | Deployment/Configuration Guide

Deployment Templates

• Azure NGFWv Deployment Template for NGFWv6.6.0: README | NFWv/FTDv | FMCv
• Azure NGFWv Deployment Template for NGFWv6.7.0: README | NFWv/FTDv | FMCv