DHCP is the way to go. It eases automated deployments and prevents any possible misconfiguration. If you statically assign and it does not match what was assigned on Azure side, the traffic will not flow.
There are 2 options here when you want to service multiple ips on a load balancer:
1) add additional ips to the firewall interface from within the azure portal AND you will have to switch to static on the firewall and manually add the first + additional ips that you want to service (they'll match the ips on the azure portal). dhcp only picks up the first address from the azure side in my experience (this may have changed so please double check).
#1 isn't the best option for ease of management
2) on the load balancer, enable floating ip on the rule and you will see the ip requested by the user come through to the firewall (even when having multiple front-side ips on the load balancer). you can then create corresponding nat and security rules based on that. using this method you can stay with dhcp on the firewall and do not need to add additional virtual ips from the azure portal side, nor on the firewall itself.
#2 is the better way to go.
Would you configure this on Panorama and push to device using templae or just have DHCP configure on local PAN side.
* Can you push routes/interface(dhcp mode) to both devices at once
* If UDR messes up you cannot modify interface/route settings
The UDR is at the subnet level, so all firewalls put into those subnets would behave the same from the routing perspective if they have the same policy and virtual router configuration. I would bootstrap to get the interfaces up and in dhcp mode for both untrust and trust, and possibly the virtual router setup. Then let Panorama push down the policy and other information when the vm registers itself.
The way bootstrapping works within Azure, you could have multiple bootstrapping configuration options available behind different shares on the same disk.
The network interfaces I would add to the bootstrap.xml file. The VR configuration I would let Panorama push, along with the interface management piece if any load balancers are in play, and the larger security policy, etc..
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!