I'm going through the process of moving a vm-series gateway into an availability zone in Azure. Unfortunately there is no simple way to do it. I tried to build a zone capable replacement directly from the Marketplace, but kept getting errors. The way i have done it (under guidance from MS support) may not be the best way, but it worked. - You'll want to clone the disk from your existing VM. Before that, you will need to deactivate the Palo Alto license associated with the VM as the new VM will have a different serial. You can activate the license against the new VM later. To clone the existing VM's disk, navigate to the disk itself in Azure portal. There is an option to 'create snapshot'. You may need to stop the machine first before creating a snapshot. Once the snapshot is done, browse to it in the portal. You then have the option to create a disk from the snapshot. That process will allow you to select an availability zone for the new disk to reside in. - You may wish to reuse the network interfaces from your original VM. These can be disconnected from that VM once it is stopped. They can later be re-attached to a new VM - MS talked me through using a bash script within Azure to create a new VM and connect it to the cloned disk. From the bash prompt, make sure you are in the desired subscription first. The script was: az vm create \ --resource-group existing-rg \ --name myfirewall-AZ2 \ --size Standard_DS3_v2 \ --os-type Linux \ --attach-os-disk myfirewall_OsDisk_1 \ --plan-name byol \ --plan-publisher paloaltonetworks \ --plan-product vmseries1 \ --zone 2 \ --location myazureregion \ --nics myfirewall-eth0 Note that the NIC was detached from the original VM. I expect you can add all 3 of the NICs here. I added the other 2 once the machine was built. The machine started successfully and had the config of the original machine. I then had to re-apply the licenses/subscriptions.
... View more