AWS CloudNGFW Blueprints for PoCs

This repository contains the blueprints and modules required for deploying a Proof-of-Concept architecture with AWS CloudNGFW.

Before deploying any blueprint, you will need:

  • A working AWS account
  • The access key and secret key credentials for your AWS account. These are required only if you deploy from your own system.
  • IAM permissions for:
    • Subscribing to the CloudNGFW service on the AWS Marketplace.
    • AWS CloudShell, if you do not have the Access key and Secret key credentials for your AWS account.
    • Deploying the resources below:
      • VPCs
      • Subnets
      • EC2 instances
      • VPC Routes
      • Route tables
      • Route table associations
      • Internet Gateways
      • Network Interfaces
      • SSH Key-Pairs
      • Elastic IPs
      • Security Groups
      • CloudWatch Log Groups
  • Your vendor account integrated with CloudNGFW. More details on this are in the next section.

Note: You may need further IAM permissions for resources specific to each blueprint. Those will be covered in their respective blueprints.

On the system from which you intend to deploy, you will need:

  • Terraform. This code-base requires a minimum version of v1.0.
  • git, to clone this repo onto your system.

Before running the blueprints:

  • Create a Log Group called PaloAltoCloudNGFW in AWS CloudWatch.
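The following pre-flight script is an added example (not part of the blueprint repository) that checks the software and preparation steps above: Terraform at v1.0 or newer, git present, usable AWS credentials, and the PaloAltoCloudNGFW Log Group, which it creates if missing. It assumes the AWS CLI and Terraform are on PATH and that credentials are already configured (an access/secret key pair, or AWS CloudShell).

```shell
#!/bin/sh
# Added pre-flight check for the prerequisites above; not part of the blueprint
# repository. Assumes the AWS CLI and Terraform are on PATH and that AWS
# credentials are configured (an access/secret key pair, or AWS CloudShell).
set -e

MIN_TF_MAJOR=1                  # this code-base needs Terraform v1.0 or newer
MIN_TF_MINOR=0
LOG_GROUP="PaloAltoCloudNGFW"   # CloudWatch Log Group the blueprints expect

# Takes the first line of `terraform version` (e.g. "Terraform v1.5.7") as an
# argument, so the check runs without Terraform installed. Returns 0 if >= v1.0.
tf_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Terraform v\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then return 1; fi
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt "$MIN_TF_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$MIN_TF_MAJOR" ] && [ "$minor" -ge "$MIN_TF_MINOR" ]; then return 0; fi
    return 1
}

# Creates the Log Group only if it is missing. describe-log-groups does a
# prefix search, so the JMESPath filter pins the exact name.
ensure_log_group() {
    existing=$(aws logs describe-log-groups --log-group-name-prefix "$LOG_GROUP" \
        --query "logGroups[?logGroupName=='$LOG_GROUP'].logGroupName" --output text)
    if [ "$existing" = "$LOG_GROUP" ]; then
        echo "Log group $LOG_GROUP already exists"
    else
        aws logs create-log-group --log-group-name "$LOG_GROUP"
        echo "Created log group $LOG_GROUP"
    fi
}

preflight() {
    command -v git >/dev/null || { echo "git is required to clone this repo" >&2; return 1; }
    command -v terraform >/dev/null || { echo "terraform is required" >&2; return 1; }
    tf_line=$(terraform version | head -n 1)
    tf_version_ok "$tf_line" || { echo "need Terraform >= v$MIN_TF_MAJOR.$MIN_TF_MINOR, found: $tf_line" >&2; return 1; }
    aws sts get-caller-identity >/dev/null || { echo "no usable AWS credentials" >&2; return 1; }
    ensure_log_group
}

# Live checks run only with --run, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it as `sh preflight.sh --run` from the account and region you intend to deploy into.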

CloudNGFW Resources

Subscribing and Onboarding the vendor account to AWS CloudNGFW

Subscribing to AWS CloudNGFW

Creating a Rulestack and Security Profiles

AWS CloudNGFW Rulestacks

Creating the AWS Cloud NGFW resource
Copyright © 2023 Palo Alto Networks, Inc. All rights reserved.