Palo Alto Active/Passive HA on Azure with IPsec VPN tunnel



L0 Member



I am deploying Active/Passive Palo Alto HA VMs on Azure with an external and internal load balancer topology (picture below). I know that the NAT is done by the public load balancer, so there is no need for a public IP address on the VMs' interfaces for this purpose, but I need to set up IPsec VPN connections between my PA-VMs and other sites. How would I configure the IPsec VPN tunnels: should I put the public IP of the load balancer as the peer IP, or the private IP of the VMs, or should I literally configure my PA-VMs with a public IP on the external interfaces?


I am really blocked on this point; if anyone could help, I would be really grateful.


Thank you in advance




L2 Linker



You can use the private IP address on the firewall itself, but make sure you use the local identifier and remote identifier options on both sides of the tunnel to make this work. (Imagine if your side's IP were a dynamic IP: how would you configure it? The same way.)





If you don't want to use a dynamic configuration, which is by far the easiest, I would recommend that you set up a public IP directly on the PAs and not go through the load balancer. While it will work, it'll take a bit of tweaking to ensure that the load balancer isn't causing any issues, since it'll be considered a long-running session.



Did you manage to get this problem resolved? I am going through a similar project at the moment and would appreciate any feedback that you may have.



L1 Bithead

@louey11 Did you find the solution, as it is a very old thread? If yes, can you please share any suggestions or documentation for using this setup of having an external load balancer in front of PA VMs which are in Active/Passive mode? I am still looking for a solution on this. Any help would be appreciated @BPry.
