https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/configuration-vm-series-on-azure-cloud/m-p/518361#M1714 <P>hard to say without knowing your environment, but what I've done in the past is to make the "spokes" separate vnets. Palo's in their own vnet with peering all the spoke vnets with this one, and using a LB sandwich on each side.&nbsp;</P> Wed, 19 Oct 2022 13:42:05 GMT ccscott 2022-10-19T13:42:05Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/configuration-vm-series-on-azure-cloud/m-p/516879#M1683 <P>Hello</P> <P>&nbsp;</P> <P>I'm deploying my first Palo Alto on Azure (I already deployed physical appliance) but I'm blocked.&nbsp;</P> <P>&nbsp;</P> <P>I would like to deploy this type of design. The global network defined is 10.200.0.0/16 who are splitted in serverals sub-networks. I have one Untrust zone for Internet access and several zone for networks where we host our servers for IT needs, projects needs.. On Azure configuration during the VM deployment, the setup request to configure Untrust zone, Trust zone and Management zone. So I understand how to configure Untrust and Management zone and define the subnet attached for these zones, but for Trust zone, in my case, I don't see how to configure it.... I have no a dedicated Trust zone with a subnet dedicated..</P> <P>&nbsp;</P> <P>Sorry if my question is stupid..</P> <P>&nbsp;</P> <P>Jerome</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jeromecarrier_1-1664963571129.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/44411i12D6362C37455502/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jeromecarrier_1-1664963571129.png" alt="jeromecarrier_1-1664963571129.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 05 Oct 2022 09:58:10 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/configuration-vm-series-on-azure-cloud/m-p/516879#M1683 jeromecarrier 2022-10-05T09:58:10Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/configuration-vm-series-on-azure-cloud/m-p/517215#M1691 <P>Hello</P> <P>&nbsp;</P> <P>No answer ? I would like to know in Azure how configure differents networks for each type of server (dmz, Web server,&nbsp; infra servers...).. Is-it better to create one vnet with several subnets inside the vnet? Or create one vnet per type of server (dmz, infra, Web servers) and create vnet peering ? And in both cases, can I create zone in Palo Alto for each type or it's not possible ? And how to configure for trafic goes via Palo Alto to Internet or to allow specific trafic between différents zone/vnet?</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>BR</P> Sun, 09 Oct 2022 16:02:06 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/configuration-vm-series-on-azure-cloud/m-p/517215#M1691 jeromecarrier 2022-10-09T16:02:06Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/configuration-vm-series-on-azure-cloud/m-p/517481#M1694 <P>Have a look at the Reference Architecture guide as well as the Deployment Guide for Azure, I think it will help you work through this scenario as well as understand the best practices for setting up in Azure.</P> <P>&nbsp;</P> <P><A href="https://www.paloaltonetworks.com/resources/reference-architectures/azure" target="_blank">https://www.paloaltonetworks.com/resources/reference-architectures/azure</A></P> Tue, 11 Oct 2022 16:32:30 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/configuration-vm-series-on-azure-cloud/m-p/517481#M1694 sthornton 2022-10-11T16:32:30Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/configuration-vm-series-on-azure-cloud/m-p/517501#M1695 <P>It depends on your ultimate goal. Personally I usually deploy multiple vnets and that way the traffic between them can be forced through the vm series firewall, even if it it intrazone. Or you could still do it this way and have multiple interfaces zones. Putting all subnets within one vnet is the thing I would not do in this case.&nbsp;</P> Tue, 11 Oct 2022 18:30:44 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/configuration-vm-series-on-azure-cloud/m-p/517501#M1695 ccscott 2022-10-11T18:30:44Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/configuration-vm-series-on-azure-cloud/m-p/517866#M1699 <P>Hello</P> <P>&nbsp;</P> <P>Thank you. I configured my architecture based on hub/spoke topology. I have à central zone (hub) where is deployed my FW. And I deployed spoke for each other "zone" such as DMZ or Project for project servers. From these zones, they will use corporate services such as AD, DNS, DHCP,... Is-it better to create a spoke name INFRA where AD,DNS,DHCP will be deployed? Or these servers are mutualized for all spokes and it's better to create a dedicated subnet under HUB ?</P> <P>&nbsp;</P> <P>Regards</P> Thu, 13 Oct 2022 21:02:24 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/configuration-vm-series-on-azure-cloud/m-p/517866#M1699 jeromecarrier 2022-10-13T21:02:24Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/configuration-vm-series-on-azure-cloud/m-p/518361#M1714 <P>hard to say without knowing your environment, but what I've done in the past is to make the "spokes" separate vnets. Palo's in their own vnet with peering all the spoke vnets with this one, and using a LB sandwich on each side.&nbsp;</P> Wed, 19 Oct 2022 13:42:05 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/configuration-vm-series-on-azure-cloud/m-p/518361#M1714 ccscott 2022-10-19T13:42:05Z