I was at AWS re:Inforce this week and got to listen in on the overview of AWS' new VPC Traffic Monitor service. Prior to this, organizations only had VPC Flow Logs as a mechanism to see what was entering or leaving their EC2 instances. With the addition of VPC Traffic Monitor they can now copy each packet (ingress, egress, or both) to an additional instance, where traditional packet capture tools can add value. Traditional firewalls are trying to keep themselves relevant and are using this new service to keep the spotlight on them. This service does have a downside: all of your EC2 instances might need to be resized to account for the increased outbound, copied traffic, making AWS happy for the extra $$$.
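To make the mechanism and its cost concrete, here is an added example (not AWS code and not from the original post) that models how a mirror filter decides which packets get copied and how many extra bytes the source instance then has to send. It assumes the filter semantics I am used to: rules are per direction, evaluated in ascending rule-number order, first match wins (accept = copy, reject = skip), a packet matching no rule is not copied, and each copied packet gains a fixed encapsulation overhead (VXLAN_OVERHEAD, assumed 50 bytes). The packets and rules are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: each mirrored packet is wrapped in outer Ethernet/IP/UDP/VXLAN
# headers before it leaves the source instance (50 bytes in this model).
VXLAN_OVERHEAD = 50


@dataclass(frozen=True)
class Packet:
    direction: str   # "ingress" or "egress" relative to the mirrored interface
    proto: int       # IANA protocol number: 6 = TCP, 17 = UDP
    src: str
    dst: str
    dport: int
    length: int      # bytes on the wire before mirroring


@dataclass(frozen=True)
class Rule:
    number: int
    direction: str
    action: str                    # "accept" (copy) or "reject" (do not copy)
    src_cidr: str = "0.0.0.0/0"
    dst_cidr: str = "0.0.0.0/0"
    proto: Optional[int] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and ip_address(p.src) in ip_network(self.src_cidr)
                and ip_address(p.dst) in ip_network(self.dst_cidr)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def is_mirrored(p: Packet, rules) -> bool:
    """First matching rule (lowest number) decides; no match means no copy."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.action == "accept"
    return False


def mirror_overhead(packets, rules):
    """Return (copied_packets, original_egress_bytes, extra_egress_bytes).

    extra_egress_bytes is what the instance must additionally send to the
    mirror target; it is what drives the resizing the post warns about.
    """
    copied, original_egress, extra = 0, 0, 0
    for p in packets:
        if p.direction == "egress":
            original_egress += p.length
        if is_mirrored(p, rules):
            copied += 1
            extra += p.length + VXLAN_OVERHEAD
    return copied, original_egress, extra


# Constructed sample filter: drop internal HTTP health checks from the copy,
# copy everything else inbound, copy only TCP outbound.
SAMPLE_RULES = [
    Rule(10, "ingress", "reject", src_cidr="10.0.0.0/8", dport=80),
    Rule(100, "ingress", "accept"),
    Rule(200, "egress", "accept", proto=6),
]

# Constructed sample traffic seen on one instance's interface (10.0.1.20).
SAMPLE_PACKETS = [
    Packet("ingress", 6, "203.0.113.5", "10.0.1.20", 443, 1500),  # copied
    Packet("ingress", 6, "10.0.0.7", "10.0.1.20", 80, 200),       # health check, rejected
    Packet("egress", 6, "10.0.1.20", "203.0.113.5", 443, 900),    # copied
    Packet("egress", 17, "10.0.1.20", "10.0.0.2", 53, 80),        # UDP, no egress rule matches
]

if __name__ == "__main__":
    copied, orig, extra = mirror_overhead(SAMPLE_PACKETS, SAMPLE_RULES)
    print(f"copied={copied} original_egress={orig}B extra_egress={extra}B")
```

On the constructed sample, two of four packets are copied, and the instance's outbound traffic grows by 2500 bytes on top of the 980 bytes it was already sending, which is the kind of ratio to check before deciding whether a mirror filter with broad accept rules will push an instance past its network allowance.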

Traditional firewall vendors, such as Palo Alto, jumped on this feature with an announcement that they can ingest the mirrored traffic into their AWS VM-based firewalls and apply the threat alerting, detection and "response" capabilities that security architects are so used to. What jumped out at me is that prior to Traffic Monitor they had no real play in the cloud: they are totally reliant on being in the path of traffic. Their announcement really only provides visibility; a firewall that only receives a copy of the packets has no way to "respond". The total cost, which includes upsizing all of your EC2 instances plus the additional Palo Alto licensing, is going to be much greater than the value this would provide.

Firewalls have always used network constructs (VLANs, zones, subnets) as the means to enable enforcement, but in the cloud firewalls are relegated to the edge at best. Palo Alto's announcement just accentuated the firewall's inability to function in the cloud. Would anyone really buy a firewall just for visibility? I bet there are cheaper, more scalable ways. Using the host for both visibility and enforcement is truly the only way to control traffic in the cloud.