topic Re: Multiple Static Route(s) for PA-VM in Azure in VM-Series in the Public Cloud

Multiple Static Route(s) for PA-VM in Azure

FreddyCalderon — Mon, 18 Sep 2023 02:49:05 GMT

Hello all!

I have successfully deployed a PA VM-300 in our Azure environment and I am a bit confused when it comes to setting up the virtual router for the networks. I've seen a few YouTube videos where people configure one VR with two or more static routes and others with multiple VRs, for example. Untrusted-vr & trust-vr. I have listed a few screenshots of what I have configured but I am still unsure.

PA MGMT (eth 0 in Azure) IP: 172.27.192.0 /23

PA Untrusted Eth1 (eth 1 in Azure) IP: 172.27.194.0 /23

PA Trusted Eth 2 (eth 2 in Azure) IP: 172.27.196.0 /23

For those who have successfully done a PA VM in Azure before, could you kindly share your experience and configuration, please?

Thanks!

Re: Multiple Static Route(s) for PA-VM in Azure

aleksandar.astardzhiev — Mon, 18 Sep 2023 13:43:42 GMT

Hi @FreddyCalderon ,

The separate VRs are required depending if you are using internal and external LBs.

Azure LB is using same IP 168.63.129.16 to source LB healt probes. I am guessin the videos you have looked they are deploying redundant pair of standalone firewalls. Where using internal LB traffic is routed over the firewalls. If you need inbound traffic you will to deploy extenal LB as well.

So if you use single VR your probes will fail (because the FW will not know to which interface it should send the response). For that reason you configure two VRs and put static route for 168.63.129.16 pointing to the respectful interface.

There is no other real reason to create separate VRs. If you don't use LBs you don't need separate VRs.

Re: Multiple Static Route(s) for PA-VM in Azure

FreddyCalderon — Mon, 09 Oct 2023 21:14:22 GMT

Hi Aleksandar,

Thank you for much for your explanation. Makes sense now. I appreciate your input.