I am deploying an Active/Passive Palo Alto HA VM's on Azure with an external and internal loadbalancer topology (picture below), I know that the NAT is done by the public Loadbalancer so no need for public IP address on the VM's interfaces so need for public IP on interfaces for this purpose, but i need to set a VPN IPsec connections between my PA-VM's and other sites, so how would I configure the VPN IPsec tunnels, should I put the Public IP of the loadBalancer on the peer IP or the private IP of the VM's or should I literally configure my PA-VM's with Public IP on external interfaces.
I am really blocked with this point, if anyone could help i will be really grateful.
Thank you in advance
You can use the private ip address on the firewall itself but make sure you use local identifier and remote identifier option on both sides of the tunnel to make this work. (imagine if your side ip is dynamic ip then how do you configure, the same way)
If you don't want to use a dynamic configuration, which is by far the easiest, I would recommend that you setup a public IP directly on the PAs and not go through the load balancer. While it will work, it'll take a bit of tweaking to ensure that the load balancer isn't causing any issues since it'll be considered a long running session.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!