Deploy on AWS into a new VPC

or deploy into your existing VPC
(see guide for pre-requisites)

The security and analytics environment is built automatically by AWS CloudFormation templates that you can customize to meet your specific requirements. You can choose to create a new virtual private cloud (VPC) for the deployment, or use your existing AWS infrastructure.

For detailed information about the architecture and step-by-step instructions, see the deployment guide.


This Quick Start builds an enterprise-class security and analytics environment on the Amazon Web Services (AWS) Cloud, using the Palo Alto Networks VM-Series next-generation firewall, Splunk Enterprise, and the Palo Alto Networks App for Splunk, along with complementary services from AWS.

These technologies help protect your workloads from cyberattacks and provide visibility, analytics, and reporting across cloud, on-premises, and hybrid environments.

The Palo Alto Networks VM-Series next-generation firewall complements AWS security groups and web application firewalls by classifying and controlling application traffic on AWS based on the application identity, and then applying threat prevention policies to block known and unknown cyberthreats. Splunk Enterprise provides security visibility by capturing and analyzing logs from the Palo Alto firewall using the Palo Alto Networks App for Splunk.

  • What you'll build

    The Quick Start architecture includes the following:
    • A VPC spanning multiple Availability Zones, with three public and two private subnets in each zone.* 
    • Network address translation (NAT) gateways that allow the servers in the private subnets to connect to the internet.*
    • VM-Series firewall instances in an Auto Scaling group with three network interfaces: untrust, trust, and management. 
    • Security groups for each instance or function to restrict access to only necessary protocols and ports.
    • An Amazon Simple Storage Service (Amazon S3) bucket that contains the firewall bootstrap files.
    • In the private subnets, an Auto Scaling group for the web servers, spanning multiple Availability Zones.
    • In the public subnets, Splunk indexers, search heads, syslog-ng servers, license server, indexer cluster master, and search head deployer.
    • External and internal load balancers for the web servers, and three load balancers for the Splunk instances.

    * The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks.

    For details, see the Quick Start deployment guide.
    Request AWS credits for this deployment
  • Deployment details

    You can build your security and analytics environment on AWS in 30-45 minutes, by following these steps:

    1. Sign up for an AWS account, if you don't already have one, at
    2. Get the binaries required for launch, and place them in an S3 bucket.
    3. Subscribe to the Amazon Machine Image (AMI) for Splunk Enterprise in AWS Marketplace.
    4. Get a license for the Palo Alto Networks VM-Series firewall. We recommend that you use the pay-as-you-go (PAYG) option.
    5. Launch the Quick Start into a new VPC, if you want to build a new AWS infrastructure.
      Launch the Quick Start into an existing VPC, if you already have your AWS environment set up.
    6. Test the integration and confirm that you can access the VM-Series firewall.
    7. (Optional) Customize the bootstrap.xml file.

    The Quick Start includes parameters that you can customize. For example, you can configure your network or customize firewall and Splunk Enterprise settings. 

    For complete details, see the Quick Start deployment guide.

    Request AWS credits for this deployment
  • Cost and licenses

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start. 

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. See the pricing pages for each AWS service you will be using for cost estimates.

    The Palo Alto Networks VM-Series next-generation firewall deployed in this Quick Start requires a license. You can obtain a license through AWS Marketplace (recommended) or use the bring-your-own-license (BYOL) option.

    • Pay as you go (PAYG): This option deploys VM-Series Bundle 2 directly from AWS Marketplace. This bundle includes a VM-300 firewall license and annual subscriptions for Threat Prevention, WildFire, URL Filtering, GlobalProtect, and Premium Support (written and spoken English only).
    • BYOL: This option allows you to work with Palo Alto Networks sales or channel partners to generate an authorization code (license) that includes a VM-100, VM-300, VM-500 or VM-700 firewall license, along with the associated subscriptions and support. You must register your BYOL authorization code on the Palo Alto Networks support portal before you launch the Quick Start.

    This Quick Start also requires a subscription to the Splunk Enterprise AMI, which is available from AWS Marketplace. The AMI offers a 60-day trial license that provides limited access to Splunk Enterprise features. To fully utilize the environment created by this Quick Start, you will need to obtain a Splunk Enterprise license by contacting


    Request AWS credits for this deployment