I am trying to deploy a front end load balancer, 2 x VM-300 azure firewall in the middle and a back end load balancer.
I am having trouble with configuring the UDR (routing) to allow access from the Azure subnets out to the internet and vice versa.
The internal load balancer is doing HA load balancing for the firewalls and in the firewall logs I can see traffic on the for the various subnet traffic.
I have static routes in place on the azure VM-300 firewall directing traffic from RFC1918 back to the internal load balancer address and this is working.
But im not sure if I need a static default route on the palo altos to direct traffic to the front end load balancer or to the internet directly.
Or how does the routing work for Internet to our internal networks (DMZ specifically) if we are going via a public load balancer. Do i need an Application gateway in azure? as this will only load balance for HTTP or HTTPS
Any help is greatly appreciated.
Solved! Go to Solution.
I have an ARM template that will create this entire environment for you. It can be used as a great learning tool since it includes the UDRs and other pieces necessary to make traffic flow work, in addition to the firewall policy that you'll need as a starting point.
This will eventually be moved to the corporate github, but in the meantime feel free to use. It might help answer your questions and allow you to see the pieces working together.
awesome!! many thanks for this, im going to give this a go and report back how i get on.
hopefully i can take the lessons learned from this and move it to my live environment.
thanks again for this.
We are in Azure Government and the standard load balancer SKU is not available as of yet so we only have the basic load balancer at our disposal at this time (looks like an July-Aug 2018 ETA for standard lb to be avaiable in Azure Gov) - what are our options if we only have the basic load balancer? Our desire is also to have to have a pair of VM-300 in an availabilty set in a load balancer sandwhich and be able to load balance ALL traffic from multipe vnets to go through the firewalls.
I have same issue and have same design in Azure Government.
Other than the basic LB issue, how did you solve the avaiablity set? Are you able to deploy the VM-300s on an availabilty set. I heard that there is no availability set on Azure Government. Standard Avset ARM template is failing run on Azure Government.
We also have a problem with the availability sets - there's no options to add the Palo Altos to an availability set. So we have 2 problems: the availability set and the load balancer sku.
I've opened a case with MS support about the availability set in Gov and there reply was "
"I did test the deployment in both environments using the same Marketplace image and was unfortunately unable to complete the Palo Alto deployment using Availability Sets. This limitation is on the Image itself and not the environment."
We are also working with Palo Alto directly to get answers/options for us.
The ARM templates also does not work 100% for us, it can create some of the structure but it's not fully successful so we are building the infrastrucutre manually - which is not bad but just running into issues with Gov limitations.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!