About jmeurer

We usually design away from a zone-based architecture and leverage the Azure Load Balancer with a 1 arm design to achieve fault tolerance and scale.  It does move you to a subnet based policy design which is just as secure given Azure inherent capabilities to prevent spoofing.  Please refer to our reference architecture for more details. https://www.paloaltonetworks.com/resources/reference-architectures/azure ... View more

That template stack is TAC supported.  Please open a case with Support to investigate further.  That error on its own does not provide enough information to diagnose.  A few questions to consider.   Are there any other errors earlier in the CFT?  Does your account have permissions to create Lambda Functions? Have the zip files been uploaded to your S3 bucket and did you overwrite the default bucket in the template creation? ... View more

The load balancer is typically not an option for VPN termination b/c there is no persistence as the port moves through phases of negotiation.  I typically recommend that you terminate the VPN on the Azure VGW and use our reference architecture method of routing through the firewalls from the gateway subnet.  More information can be found here. https://www.paloaltonetworks.com/resources/reference-architectures/azure   ... View more

You would typically do one or the other.  HA is use cases where you are routing through firewalls or firewalls in a pool behind a load balancer in an application hosting scenario.  There are also multi-VPC designs using a TGW.  Please have a look at the Reference Architecture for some additional information. https://www.paloaltonetworks.com/resources/reference-architectures/aws ... View more

In our reference architecture and companion deployment guide, we do not typically recommend terminating the VPNs on the Virtual Appliance running in Azure.  This is b/c you will need to use SNAT to enforce return path routing through the proper firewall to prevent asymmetric routing as we cannot extend BGP from the firewalls to the Azure Route Table.  Instead, you may consider terminating the VPN on the Azure VPN Gateway and use our backhaul routing design to force all traffic to and from the Gateway subnet through the firewall utilizing UDRs and the Load Balancer. https://www.paloaltonetworks.com/resources/reference-architectures/azure ... View more

Please switch the deployment guide and reference architecture here.  https://www.paloaltonetworks.com/resources/reference-architectures/aws     ... View more

at this point, it might be good to get a TAC case open.  I have not tried Transit VPC with 9.1.   I would be curious, if you add a static route in the vpc pointing to the vgw, does the traffic flow? ... View more

Do you have an existing 0/0 static in the VPC route table?  We will not override that route. ... View more

There is an additional step necessary to export the 0/0 route.  Please have a look at this article.   https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CltUCAS ... View more

The design on page 12 of that guide utilizes a separate set of firewalls in the spoke VPC that are dedicated to the inbound traffic for only that spoke VPC.  This design is different than bringing inbound traffic in through the Transit VPC.  In either scenario, the EIP/FQDN is assigned to the public-facing load balancer, it is not released if a link is down.  The design you are looking for is not in that guide.  It would be best communicated through your Systems Engineer. ... View more

There is nothing public-facing that directly lines up.  This is more of a blending of a couple of designs.  It would be beneficial to engage with your account team to have a more tailored conversation to your specific needs. ... View more

We would typically recommend a different set of firewalls for inbound traffic outside of the Transit Firewalls.  They would then either sit in the VPC with the application or connected to the VPCs via a peering link.  This is to alleviate the fact that Transit VPC firewalls are active/passive in terms of routing load and an inbound design is active/active resulting in a possible overloaded firewall.   Knowing that this is not always feasible.  You can use a public-facing ALB/NLB in front of the firewalls and then SNAT to address that has been distributed via BGP to the spokes.  This would either be one of the Ethernet addresses or a loopback.  Do not SNAT to the tunnel address as they are not fault-tolerant on a tunnel failure. ... View more