Deploy PA firewall HA in different availability zone in Azure

alextsa · ‎04-10-2021

Hi all

Understand PA HA deployment supported since PAN-OS 9.0, so firewall pair can be deployed in the availability set so they are in different hardware cluster in Azure. But may I know anyone tried to form the HA in different availability zone in the same Azure region? Support or not?

Best regards

Alex Tsang

ssyed · ‎04-12-2021

We recommend deploying firewalls in separate AZs or at least put them into an Availability Set in Azure. HA mode is supported as well but not typically recommended. The load balancer method is recommended. You can see both setups in our reference architecture guide. https://www.paloaltonetworks.com/resources/guides/azure-architecture-guide

JimMcGrady · ‎06-21-2021

From what i can see, the issue is that the VM-series firewall available from Azure Marketplace does not facilitate choosing an Availability Zone. And once the firewall is created, there is no reasonable way to move it into an AZ.

raji_toor · ‎06-21-2021

I would also like to know how to install it as the only method of deployment in Azure I know of is through marketplace..

Or is there some kind of ovf file provided which we can use for installation.

tostern · ‎06-21-2021

Good morning @raji_toor and @JimMcGrady

The Azure Marketplace offering has limited features and you can't deploy two firewalls over the marketplace in a single Ressource Group.

That why we are using Terraform templates or ARM templates. Below are the link to the ARM Templates with the examples how to use it.

ARM Templates: https://github.com/wwce/azure-arm

Terraform provider: https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/azurerm/latest

How to setup HA in Azure: https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-...

i hope i could help you.

Regards,

Torsten

"With unity we can do great things"

raji_toor · ‎06-22-2021

@tostern Thanks. But PA needs to better their documentation regarding Azure deployments. While the Github mentions 3 models (Shared, Scaled and Dedicated). There is little explanation for each them and also there is no mention of them in the design guide. I understand and have tested implementation of both options with HA/without HA(load balancer) options. From what I understand the template I will use is shared model here and Transit VNet model (Common Firewall Option).

And I had got it working in HA without ARM template for those who are not comfortable using it. Install in dedicated resource group and then move the resources to another resource group where you want both firewalls to be.

raji_toor · ‎06-22-2021

And interestingly we get the pricing for a 2vCPU deployment but azure VM does not support more than 2 NICS, if i try to deploy with arm template a VM with 2 vCPU.

US_SOC_Analyst · ‎06-22-2021

Great to hear the recommended architecture.

What's the reason you say HA is not recommended?

And why do you recommend load balancer over floating IP?

raji_toor · ‎06-22-2021

@US_SOC_Analyst because of 3-4 minutes downtime when doing failover, with failover its alomost instant..no session persistence with either.

Also have to maintain a servie principal which has to be renewed every 2 years

US_SOC_Analyst · ‎06-22-2021

Thank you for your response.

>No session persistence with either.

Does this mean if we have HA configured firewall, the session is not shared between the HA pair?

That sounds pretty weird, then what's that HA configuration for?

Network Security

Cloud Security

Security Operations

Deploy PA firewall HA in different availability zone in Azure

Deploy PA firewall HA in different availability zone in Azure

Show your appreciation!