Deploy PA firewall HA in different availability zone in Azure

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Deploy PA firewall HA in different availability zone in Azure

L1 Bithead

Hi all

 

Understand PA HA deployment supported since PAN-OS 9.0, so firewall pair can be deployed in the availability set so they are in different hardware cluster in Azure. But may I know anyone tried to form the HA in different availability zone in the same Azure region? Support or not?

 

Best regards

 

Alex Tsang 

18 REPLIES 18

L4 Transporter

We recommend deploying firewalls in separate AZs or at least put them into an Availability Set in Azure.  HA mode is supported as well but not typically recommended.  The load balancer method is recommended.  You can see both setups in our reference architecture guide.  https://www.paloaltonetworks.com/resources/guides/azure-architecture-guide

L4 Transporter

From what i can see, the issue is that the VM-series firewall available from Azure Marketplace does not facilitate choosing an Availability Zone. And once the firewall is created, there is no reasonable way to move it into an AZ.

I would also like to know how to install it as the only method of deployment in Azure I know of is through marketplace..

Or is there some kind of ovf file provided which we can use for installation.

L3 Networker

Good morning @raji_toor and @JimMcGrady 

 

The Azure Marketplace offering has limited features and you can't deploy two firewalls over the marketplace in a single Ressource Group.

 

That why we are using Terraform templates or ARM templates. Below are the link to the ARM Templates with the examples how to use it.

 

ARM Templates: https://github.com/wwce/azure-arm

Terraform provider: https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/azurerm/latest

 

How to setup HA in Azure: https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-...

 

i hope i could help you.

 

Regards,

Torsten

"With unity we can do great things"

@tostern Thanks. But PA needs to better their documentation regarding Azure deployments. While the Github mentions 3 models (Shared, Scaled and Dedicated). There is little explanation for each them and also there is no mention of them in the design guide. I understand and have tested implementation of both options with HA/without HA(load balancer) options. From what I understand the template I will use is shared model here and Transit VNet model (Common Firewall Option). 

And I had got it working in HA without ARM template for those who are not comfortable using it. Install in dedicated resource group and then move the resources to another resource group where you want both firewalls to be.

 

And interestingly we get the pricing for a 2vCPU deployment but azure VM does not support more than 2 NICS, if i try to deploy with arm template a VM with 2 vCPU.

Great to hear the recommended architecture.

What's the reason you say HA is not recommended?

And why do you recommend load balancer over floating IP?

@US_SOC_Analyst  because of 3-4 minutes downtime when doing failover, with failover its alomost instant..no session persistence with either.

Also have to maintain a servie principal which has to be renewed every 2 years

Thank you for your response.

>No session persistence with either.

Does this mean if we have HA configured firewall, the session is not shared between the HA pair?

That sounds pretty weird, then what's that HA configuration for?

Sessions are synced but if you failover from active to passive it takes 3-4 mins for other firewall to become active and the network remains down all this time. After this much time session persistence is pointless. Its a limitation of Azure that HA can't work the way it would on physical network.  

L3 Networker

Hi @US_SOC_Analyst,

 

you can find the the reference architecture here.

PANW does not recommend native HA in because of the long failover time as @raji_toor already described. With LB sandwich you have better resilience.

 

Regards,

Torsten 

"With unity we can do great things"

@raji_toor @tostern 

Thank you for the clarification.

Then, is HA recommended when we use a load balancer for failover?

 

@US_SOC_Analyst no you do not need to use HA for LB option. LB will itself divert all traffic to the other PA when one becomes unavailable.

@raji_toor Thank you. Sorry I was mixed up. Yeah, the LB will divert the traffic and a new session will be created anyway when the traffic is sent to a different firewall.

  • 17219 Views
  • 18 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!