Deploy PA firewall HA in different availability zone in Azure


Hi all

I understand PA HA deployment has been supported since PAN-OS 9.0, so the firewall pair can be deployed in an availability set, meaning they sit in different hardware clusters in Azure. But may I know whether anyone has tried to form the HA pair across different availability zones in the same Azure region? Is it supported or not?

Best regards

Alex Tsang

18 replies

I'm going through the process of moving a vm-series gateway into an availability zone in Azure.  Unfortunately there is no simple way to do it. I tried to build a zone capable replacement directly from the Marketplace, but kept getting errors.

The way I have done it (under guidance from MS support) may not be the best way, but it worked.

 

- You'll want to clone the disk from your existing VM. Before that, you will need to deactivate the Palo Alto license associated with the VM as the new VM will have a different serial. You can activate the license against the new VM later.

To clone the existing VM's disk, navigate to the disk itself in Azure portal. There is an option to 'create snapshot'. You may need to stop the machine first before creating a snapshot.  Once the snapshot is done, browse to it in the portal.  You then have the option to create a disk from the snapshot.  That process will allow you to select an availability zone for the new disk to reside in.

 

- You may wish to reuse the network interfaces from your original VM. These can be disconnected from that VM once it is stopped. They can later be re-attached to a new VM.

 

- MS talked me through using a bash script within Azure to create a new VM and connect it to the cloned disk.  From the bash prompt, make sure you are in the desired subscription first. The script was:

# Create the zonal VM on the cloned OS disk, keeping the Marketplace plan
az vm create \
  --resource-group existing-rg \
  --name myfirewall-AZ2 \
  --size Standard_DS3_v2 \
  --os-type Linux \
  --attach-os-disk myfirewall_OsDisk_1 \
  --plan-name byol \
  --plan-publisher paloaltonetworks \
  --plan-product vmseries1 \
  --zone 2 \
  --location myazureregion \
  --nics myfirewall-eth0

Note that the NIC was detached from the original VM. I expect you can add all 3 of the NICs here.  I added the other 2 once the machine was built.

 

The machine started successfully and had the config of the original machine. I then had to re-apply the licenses/subscriptions.
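As an added example (not code from this thread, from Microsoft or from Palo Alto Networks), here are the steps above collected into one az CLI script: deallocate the source firewall, snapshot its OS disk, create a managed disk from the snapshot in the target zone, then build the new VM on that disk with the Marketplace plan. Resource names are the constructed placeholders used in the post. DRY_RUN defaults to 1, so the script prints the az commands instead of running them, which lets the plan be reviewed before anything is changed. The pre-flight check with `az vm list-skus` is an addition the thread does not mention: it confirms the VM size is offered in the requested zone, since otherwise `az vm create --zone` fails only at the last step. The OS disk resource id is looked up live; in dry-run mode a labelled placeholder stands in for it.

```shell
#!/bin/sh
# Added example: rebuild a VM-Series firewall into an Azure availability zone.
# Names are constructed placeholders; the NIC must already be detached from
# SRC_VM (the thread reuses the original firewall's interfaces).

RG="${RG:-existing-rg}"
SRC_VM="${SRC_VM:-myfirewall}"
NEW_VM="${NEW_VM:-myfirewall-AZ2}"
ZONE="${ZONE:-2}"
LOCATION="${LOCATION:-myazureregion}"
SIZE="${SIZE:-Standard_DS3_v2}"
NIC="${NIC:-myfirewall-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or just print it in dry-run mode.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Pre-flight check: $1 is the zone list that
# 'az vm list-skus -l LOCATION --size SIZE --query "[0].locationInfo[0].zones" -o tsv'
# prints (tab separated, e.g. "1<TAB>2<TAB>3"); $2 is the requested zone.
zone_supported() {
  zones="$1"; want="$2"
  for z in $zones; do
    [ "$z" = "$want" ] && return 0
  done
  return 1
}

# Name helpers keep the snapshot and the zonal disk traceable to the source VM.
snapshot_name() { printf '%s-osdisk-snap\n' "$1"; }
zonal_disk_name() { printf '%s_OsDisk_zone%s\n' "$1" "$2"; }

# Step 1: stop the source firewall so the OS disk is consistent.
# (Deactivate the PAN-OS license on it first; the new VM gets a new serial.)
deallocate_source() {
  run az vm deallocate --resource-group "$RG" --name "$SRC_VM"
}

# Step 2: snapshot the OS disk; $1 is the disk's resource id.
snapshot_os_disk() {
  run az snapshot create --resource-group "$RG" \
    --name "$(snapshot_name "$SRC_VM")" --source "$1"
}

# Step 3: create a managed disk from the snapshot in the target zone.
create_zonal_disk() {
  run az disk create --resource-group "$RG" \
    --name "$(zonal_disk_name "$NEW_VM" "$ZONE")" \
    --source "$(snapshot_name "$SRC_VM")" --zone "$ZONE"
}

# Step 4: build the new VM in that zone on the cloned disk, keeping the
# Marketplace plan so the BYOL billing metadata survives the rebuild.
create_zonal_vm() {
  run az vm create --resource-group "$RG" --name "$NEW_VM" \
    --size "$SIZE" --os-type Linux \
    --attach-os-disk "$(zonal_disk_name "$NEW_VM" "$ZONE")" \
    --plan-name byol --plan-publisher paloaltonetworks --plan-product vmseries1 \
    --zone "$ZONE" --location "$LOCATION" --nics "$NIC"
}

migrate() {
  if [ "$DRY_RUN" = "1" ]; then
    os_disk_id="<os-disk-resource-id>"   # placeholder; resolved live below
  else
    zones="$(az vm list-skus --location "$LOCATION" --size "$SIZE" \
      --query '[0].locationInfo[0].zones' -o tsv)"
    zone_supported "$zones" "$ZONE" || {
      echo "size $SIZE is not offered in zone $ZONE of $LOCATION" >&2; exit 1; }
    os_disk_id="$(az vm show --resource-group "$RG" --name "$SRC_VM" \
      --query storageProfile.osDisk.managedDisk.id -o tsv)"
  fi
  deallocate_source
  snapshot_os_disk "$os_disk_id"
  create_zonal_disk
  create_zonal_vm
}

migrate
```

Run it once with the default DRY_RUN=1 to see the four az commands it would issue, then `DRY_RUN=0 ./migrate.sh` after selecting the right subscription. Licensing is deliberately left manual: the script only reminds you to deactivate the license before the snapshot, and the new VM still needs its licenses and subscriptions re-applied afterwards, as the post describes.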

Hello @raji_toor,

Very interesting that you were able to deploy using a load balancer. Can you please share a document on how to point traffic from the load balancer to both firewalls in different zones? The firewall deployment does not give an option to choose a zone when deploying.

Hi JimMcGrady,

Can you please help me find the installation guide for Palo Alto firewalls with Azure Availability Zones?

I tried to find it but had no luck.

Thanks in advance.

Anything more recent for deploying into an existing setup?  It's frustrating that at this point you can't specify an availability zone via the marketplace deployment.  
