About jmeurer

The VR limit per license type can be viewed here. https://www.paloaltonetworks.com/products/product-selection.html#   The limit on a VM-300 is 10 VRs.  With that said, you generally shouldn't need more than two.  You should route all internal traffic through the same interface with the HA Port LB.  If you try to Zone Policy that traffic, you will need SNAT.  Azure maintains persistence on a 1-arm routing mode only.  We touch on this in the East-West component of the reference architecture. https://www.paloaltonetworks.com/resources/reference-architectures/azure   ... View more

We usually design away from a zone-based architecture and leverage the Azure Load Balancer with a 1 arm design to achieve fault tolerance and scale.  It does move you to a subnet based policy design which is just as secure given Azure inherent capabilities to prevent spoofing.  Please refer to our reference architecture for more details. https://www.paloaltonetworks.com/resources/reference-architectures/azure ... View more

That template stack is TAC supported.  Please open a case with Support to investigate further.  That error on its own does not provide enough information to diagnose.  A few questions to consider.   Are there any other errors earlier in the CFT?  Does your account have permissions to create Lambda Functions? Have the zip files been uploaded to your S3 bucket and did you overwrite the default bucket in the template creation? ... View more

The load balancer is typically not an option for VPN termination b/c there is no persistence as the port moves through phases of negotiation.  I typically recommend that you terminate the VPN on the Azure VGW and use our reference architecture method of routing through the firewalls from the gateway subnet.  More information can be found here. https://www.paloaltonetworks.com/resources/reference-architectures/azure   ... View more

You would typically do one or the other.  HA is use cases where you are routing through firewalls or firewalls in a pool behind a load balancer in an application hosting scenario.  There are also multi-VPC designs using a TGW.  Please have a look at the Reference Architecture for some additional information. https://www.paloaltonetworks.com/resources/reference-architectures/aws ... View more

In our reference architecture and companion deployment guide, we do not typically recommend terminating the VPNs on the Virtual Appliance running in Azure.  This is b/c you will need to use SNAT to enforce return path routing through the proper firewall to prevent asymmetric routing as we cannot extend BGP from the firewalls to the Azure Route Table.  Instead, you may consider terminating the VPN on the Azure VPN Gateway and use our backhaul routing design to force all traffic to and from the Gateway subnet through the firewall utilizing UDRs and the Load Balancer. https://www.paloaltonetworks.com/resources/reference-architectures/azure ... View more

Please switch the deployment guide and reference architecture here.  https://www.paloaltonetworks.com/resources/reference-architectures/aws     ... View more

The design on page 12 of that guide utilizes a separate set of firewalls in the spoke VPC that are dedicated to the inbound traffic for only that spoke VPC.  This design is different than bringing inbound traffic in through the Transit VPC.  In either scenario, the EIP/FQDN is assigned to the public-facing load balancer, it is not released if a link is down.  The design you are looking for is not in that guide.  It would be best communicated through your Systems Engineer. ... View more

There is nothing public-facing that directly lines up.  This is more of a blending of a couple of designs.  It would be beneficial to engage with your account team to have a more tailored conversation to your specific needs. ... View more

We would typically recommend a different set of firewalls for inbound traffic outside of the Transit Firewalls.  They would then either sit in the VPC with the application or connected to the VPCs via a peering link.  This is to alleviate the fact that Transit VPC firewalls are active/passive in terms of routing load and an inbound design is active/active resulting in a possible overloaded firewall.   Knowing that this is not always feasible.  You can use a public-facing ALB/NLB in front of the firewalls and then SNAT to address that has been distributed via BGP to the spokes.  This would either be one of the Ethernet addresses or a loopback.  Do not SNAT to the tunnel address as they are not fault-tolerant on a tunnel failure. ... View more

Satish, In reviewing this and your other post which seems to be somewhat related, I would encourage you to engage your Palo Alto Networks SE.  We have resources that can assist with straightening this out.  Your external ALB should have a listener on the proper app port such as 443 and the target group mapping is port 15000 which the firewall is listening on.  The NAT rule on the firewall will then have original source port of 15000 and a destination NAT of the internal ALB listener. ... View more

Are you using FQDN DNAT objects for NLB and ALB?  ALB IP addresses change more frequently which is why I mention the static configuration of the DNS servers.  Feel free to post your Route Table from the firewall for review.     ... View more

Watch your routes on the firewall.  The ALB fires its health probes cross zone.  If you are using DHCP on your interfaces, ensure that only your Untrust interface is configured to import the Default route.  You will then want to put a static route for any internal subnets that are not directly connected to your Trust interface subnet pointing to the first IP of your trust subnet.   Additionally, change your management interface a static DNS server set to the second IP address of the VPC CIDR.  We had an issue in older versions of 8.1 where we were not importing the DHCP assigned DNS server. ... View more

I would double check that the IAM role is properly configured and assigned to the firewall.  Additionally, ssh into the firewall and run the following commands for additional information regarding what may have failed.   show   system   bootstrap   status debug logview component vm_install_media ... View more

Assuming your SNAT/DNAT rules are correct, routes in the firewall send the traffic through proper interface to get to the internal site, Azure route tables and NSGs all correct, I believe you are at the point of reaching out to you Account SE and Support for further eyes on console diagnostics. ... View more

Are you seeing the Health probe traffic?  Azure's LB does not easily report pool member status, you have to go to Metrics.  The easiest way to determine if the Health Probes are working is to ensure you see the traffic in the FW Monitor/Session Browser and ensure it is completing.   ... View more