04-10-2021 01:14 AM
Hi all
I understand PA HA deployment has been supported since PAN-OS 9.0, so a firewall pair can be deployed in an availability set so that they are in different hardware clusters in Azure. But may I know whether anyone has tried to form HA across different availability zones in the same Azure region? Is it supported or not?
Best regards
Alex Tsang
06-23-2021 05:50 PM
I'm going through the process of moving a VM-Series gateway into an availability zone in Azure. Unfortunately there is no simple way to do it. I tried to build a zone-capable replacement directly from the Marketplace, but kept getting errors.
The way I have done it (under guidance from MS support) may not be the best way, but it worked.
- You'll want to clone the disk from your existing VM. Before that, you will need to deactivate the Palo Alto license associated with the VM as the new VM will have a different serial. You can activate the license against the new VM later.
To clone the existing VM's disk, navigate to the disk itself in Azure portal. There is an option to 'create snapshot'. You may need to stop the machine first before creating a snapshot. Once the snapshot is done, browse to it in the portal. You then have the option to create a disk from the snapshot. That process will allow you to select an availability zone for the new disk to reside in.
- You may wish to reuse the network interfaces from your original VM. These can be disconnected from that VM once it is stopped. They can later be re-attached to a new VM.
- MS talked me through using a bash script within Azure to create a new VM and connect it to the cloned disk. From the bash prompt, make sure you are in the desired subscription first. The script was:

```bash
az vm create \
  --resource-group existing-rg \
  --name myfirewall-AZ2 \
  --size Standard_DS3_v2 \
  --os-type Linux \
  --attach-os-disk myfirewall_OsDisk_1 \
  --plan-name byol \
  --plan-publisher paloaltonetworks \
  --plan-product vmseries1 \
  --zone 2 \
  --location myazureregion \
  --nics myfirewall-eth0
```

Note that the NIC was detached from the original VM. I expect you can add all 3 of the NICs here. I added the other 2 once the machine was built.
The machine started successfully and had the config of the original machine. I then had to re-apply the licenses/subscriptions.
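
The portal snapshot and clone steps from the post above can also be done from the Azure CLI. The script below is an added example, not part of the original post or Microsoft's guidance; the function name, the snapshot name suffix and all resource names are assumptions, and it checks that the new disk really landed in the requested zone before you build a VM on it.

```shell
#!/usr/bin/env bash
# Added example: CLI form of the portal snapshot/clone steps. Names are placeholders.
set -eu

# Usage: clone_os_disk_to_zone <resource-group> <vm-name> <zone> <new-disk-name>
# Prints the zone of the new disk on success.
clone_os_disk_to_zone() {
  local rg="$1" vm="$2" zone="$3" new_disk="$4"
  local snap="${vm}-prezone-snap"   # constructed snapshot name
  local os_disk_id actual_zone

  case "$zone" in
    1|2|3) ;;
    *) echo "zone must be 1, 2 or 3 (got '$zone')" >&2; return 2 ;;
  esac

  # Stop and deallocate first, as the post suggests, so the disk is not changing.
  az vm deallocate --resource-group "$rg" --name "$vm" --output none

  # Resolve the managed OS disk currently attached to the VM.
  os_disk_id="$(az vm show --resource-group "$rg" --name "$vm" \
    --query 'storageProfile.osDisk.managedDisk.id' --output tsv)"
  [ -n "$os_disk_id" ] || { echo "no managed OS disk on $vm" >&2; return 1; }

  # Snapshot the disk, then create the zonal copy from the snapshot.
  az snapshot create --resource-group "$rg" --name "$snap" \
    --source "$os_disk_id" --output none
  az disk create --resource-group "$rg" --name "$new_disk" \
    --source "$snap" --zone "$zone" --output none

  # Verify placement before building the replacement VM on this disk.
  actual_zone="$(az disk show --resource-group "$rg" --name "$new_disk" \
    --query 'zones[0]' --output tsv)"
  if [ "$actual_zone" != "$zone" ]; then
    echo "disk $new_disk is in zone '$actual_zone', expected $zone" >&2
    return 1
  fi
  echo "$actual_zone"
}

# Run only when called with the four arguments.
if [ "$#" -eq 4 ]; then
  clone_os_disk_to_zone "$@"
fi
```

The new disk name is what you would pass to `--attach-os-disk` in the `az vm create` command from the post.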
09-06-2022 06:17 AM
Hello @raji_toor ,
Very interesting that you were able to deploy using a load balancer. Can you please share some document showing how we can point traffic from the load balancer to both firewalls in different zones?
The firewall deployment does not give a zone option to deploy.
09-07-2022 12:15 AM
Hi JimMcGrady,
Can you please help me find the installation guide for Palo Alto firewalls with Azure Availability Zones?
I tried to find it but had no luck.
Thanks in advance.
04-18-2023 02:28 PM
Anything more recent for deploying into an existing setup? It's frustrating that at this point you can't specify an availability zone via the marketplace deployment.