There are 2 options here when you want to service multiple ips on a load balancer:
1) add additional ips to the firewall interface from within the azure portal AND you will have to switch to static on the firewall and manually add the first + additional ips that you want to service (they'll match the ips on the azure portal). dhcp only picks up the first address from the azure side in my experience (this may have changed so please double check).
#1 isn't the best option for ease of management
2) on the load balancer, enable floating ip on the rule and you will see the ip requested by the user come through to the firewall (even when having multiple front-side ips on the load balancer). you can then create corresponding nat and security rules based on that. using this method you can stay with dhcp on the firewall and do not need to add additional virtual ips from the azure portal side, nor on the firewall itself.
#2 is the better way to go.
The UDR is at the subnet level, so all firewalls put into those subnets would behave the same from the routing perspective if they have the same policy and virtual router configuration. I would bootstrap to get the interfaces up and in dhcp mode for both untrust and trust, and possibly the virtual router setup. Then let Panorama push down the policy and other information when the vm registers itself.
The way bootstrapping works within Azure, you could have multiple bootstrapping configuration options available behind different shares on the same disk.
Referring to the solution- "#2 is the better way to go." Can we still go with this solution with below scenario.
Scenario- Active/Active Palo-alto Firewalls without Panorama managed and without HA between firewalls. The firewalls will be independent behind External and Internal Load Balancers.
Can we use floating IP on External Load Balancer to reflect on both Active Firewalls.
Will the Load Balancers still maintain the 5 tuple Hash and send packets to correct firewall of same session.
Because there will be same floating IP on both the Firewalls, how will External LB maintain the hash.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!