The VM-Series in Azure can be launched in multiple ways. This article covers launching the VM-Series in Azure using the Azure CLI. If you do not have the Azure CLI installed, you can use Azure Cloud Shell online at the following URL:
https://docs.microsoft.com/en-us/azure/cloud-shell/overview
1. Set Azure CLI to ARM Mode
user@Azure:~$ azure config mode arm
2. Create a Resource Group
user@Azure:~$ az group create --name jpazpan1 --location centralus
3. Create a Virtual Network
user@Azure:~$ azure network vnet create --resource-group jpazpan1 --location centralus --name jpazpan1vnet --address-prefixes 10.0.0.0/16
4. Create 3 Subnets in the virtual network. The Subnets are for the Mgmt, Untrust and Trust interfaces.
user@Azure:~$ azure network vnet subnet create --resource-group jpazpan1 --vnet-name jpazpan1vnet --name mgmt --address-prefix 10.0.0.0/24
user@Azure:~$ azure network vnet subnet create --resource-group jpazpan1 --vnet-name jpazpan1vnet --name untrust --address-prefix 10.0.1.0/24
user@Azure:~$ azure network vnet subnet create --resource-group jpazpan1 --vnet-name jpazpan1vnet --name trust --address-prefix 10.0.2.0/24
5. Create a Public IP Address. This will be used for the Management Interface of the VM-Series.
user@Azure:~$ az network public-ip create --name mgmtpip --resource-group jpazpan1 --location centralus --dns-name jpmgmtdns --allocation-method Dynamic --zone 2
Note the --zone flag. A Public IP address used on a VM-Series in an Azure Availability Zone must have the exact same number of zones assigned to it as the VM-Series instance, which is created with --zone 2 in step 11.
6. Create and Configure Multiple Network Interfaces
user@Azure:~$ azure network nic create --resource-group jpazpan1 --location centralus --name mgmtnic1 --subnet-vnet-name jpazpan1vnet --subnet-name mgmt
user@Azure:~$ azure network nic create --resource-group jpazpan1 --location centralus --name untrustnic1 --subnet-vnet-name jpazpan1vnet --subnet-name untrust
user@Azure:~$ azure network nic create --resource-group jpazpan1 --location centralus --name trustnic1 --subnet-vnet-name jpazpan1vnet --subnet-name trust
7. Create Network Security Groups
user@Azure:~$ azure network nsg create --resource-group jpazpan1 --location centralus --name jpmgmtnsg
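8. Create a Network Security Group Rule. This will be used for inbound management access. Replace x.x.x.x/x with the specific source range that is allowed to reach the management interface on ports 22 and 443.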
user@Azure:~$ az network nsg rule create -g jpazpan1 --nsg-name jpmgmtnsg -n mgmtaccess --priority 110 --source-address-prefixes x.x.x.x/x --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 22 443 --access Allow --protocol Tcp --description "Allow from specific IP address ranges on 22 and 443."
9. Add Network Security Group to MGMT NIC
user@Azure:~$ az network nic update -g jpazpan1 -n mgmtnic1 --network-security-group jpmgmtnsg
10. Attach Public IP to MGMT NIC
user@Azure:~$ az network nic ip-config update -g jpazpan1 --nic-name mgmtnic1 -n default-ip-config --public-ip-address mgmtpip
Note: At this time the VM-Series only supports a mgmt interface with public IP allocation when using availability zones.
11. Create VM-Series and Assign NICs During Deployment
user@Azure:~$ az vm create --resource-group jpazpan1 --name jpvmfw1 --location centralus --nics mgmtnic1 untrustnic1 trustnic1 --size Standard_D3_V2 --image paloaltonetworks:vmseries1:bundle2:8.1.0 --plan-name bundle2 --plan-product vmseries1 --plan-publisher paloaltonetworks --admin-username username --generate-ssh-keys --zone 2
For your SSH key you will see the following output.
SSH key files '/home/username/.ssh/id_rsa' and '/home/username/.ssh/id_rsa.pub' have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage, back up your keys to a safe location.
When the launch is successful you will see the following output:
{
  "fqdns": "",
  "id": "/subscriptions/xxxxxxxx-4d77-4bb7-b1a6-yyyyy82#####/resourceGroups/jpazpan1/providers/Microsoft.Compute/virtualMachines/jpvmfw1",
  "location": "centralus",
  "macAddress": "00-0D-3A-92-DE-DC,00-0D-3A-93-38-C1,00-0D-3A-93-3C-22",
  "powerState": "VM running",
  "privateIpAddress": "10.0.0.4,10.0.1.4,10.0.2.4",
  "publicIpAddress": "x.x.x.x",
  "resourceGroup": "jpazpan1",
  "zones": "2"
}
If you have any issues installing the Azure CLI or using your SSH key, please see the Microsoft Azure documentation, as the Azure CLI is not supported by Palo Alto Networks Support.
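
A pre-flight check for the source range in step 8, added here as an example (it is not part of the original article or of Palo Alto Networks tooling). It refuses the unfilled x.x.x.x/x placeholder, wildcards and overly broad ranges before printing the rule command. The function names, the /24 MIN_PREFIX threshold and the 203.0.113.10/32 sample address are assumptions.

```sh
# Added example: validate the step 8 source range before creating the rule.
# MIN_PREFIX (the broadest mask accepted) is an assumed local policy value.
# Usage: mgmt_rule_cmd 203.0.113.10/32   (constructed documentation address)
MIN_PREFIX=${MIN_PREFIX:-24}

# Return 0 only when $1 is a filled-in IPv4 CIDR of /MIN_PREFIX or narrower.
valid_mgmt_source() {
  vms_src=$1
  case "$vms_src" in
    */*) ;;          # must carry an explicit mask
    *) return 1 ;;   # rejects '', '*' and service tags such as Internet
  esac
  vms_ip=${vms_src%/*}
  vms_len=${vms_src#*/}
  case "$vms_ip" in ''|*[!0-9.]*|*.) return 1 ;; esac   # catches x.x.x.x
  case "$vms_len" in ''|*[!0-9]*|???*) return 1 ;; esac
  vms_ifs=$IFS; IFS=.
  set -- $vms_ip     # split into octets (safe: digits and dots only)
  IFS=$vms_ifs
  [ "$#" -eq 4 ] || return 1
  for vms_o in "$@"; do
    case "$vms_o" in ''|????*) return 1 ;; esac
    [ "$vms_o" -le 255 ] || return 1
  done
  # 0.0.0.0/0 and other broad ranges fail here
  [ "$vms_len" -ge "$MIN_PREFIX" ] && [ "$vms_len" -le 32 ]
}

# Print (never run) the step 8 command once the source range passes the check.
mgmt_rule_cmd() {
  if ! valid_mgmt_source "$1"; then
    echo "refusing management source '$1'" >&2
    return 1
  fi
  printf '%s\n' "az network nsg rule create -g jpazpan1 --nsg-name jpmgmtnsg \
-n mgmtaccess --priority 110 --source-address-prefixes $1 \
--source-port-ranges '*' --destination-address-prefixes '*' \
--destination-port-ranges 22 443 --access Allow --protocol Tcp \
--description \"Allow from specific IP address ranges on 22 and 443.\""
}
```

Review the printed command, then paste it into the shell to create the rule.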