VM-300 in Azure sizing and resiliency

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

VM-300 in Azure sizing and resiliency

L1 Bithead

Hi All, im trying to spec up a resilient HA solution for the VM-300 series PAYG bundle 1 option within azure, and just need the following clarified:-

- if i were to purchase the VM-300 option 1 bundle (https://azuremarketplace.microsoft.com/en-us/marketplace/apps/paloaltonetworks.vmseries-ngfw?tab=Pla...) does this mean i also need to purchase virtual machines for them to run on within azure, or does the bundle include VMs to run on

-if i need to purchase VMs should i go for the linux standard VM builds, or memory optimised, or CPU optimised

 

- regarding HA and resiliency, will i need to purchase 2 x VM-300 firewalls with option 1 bundle in order to provide HA i.e. in the event one VM-300 fails or needs restarting i need a way to ensure traffic keeps flowing, im getting confused as it appears there is some option for Availability sets within Azure that perform some similar function? or is it that i would have to purchase 2 VM-300s and place them in this availability set to achieve this.

 

I think i've gone a bit documentation blind, and just need a bit of a steer.

 

many thanks

 

Taib.

5 REPLIES 5

L2 Linker

The VMs are part of the budle so no need to buy additional VMs

 

Just note that we do not support PAN-OS stateful HA in Azure. You can deploy firewalls behind a load balancer and that will give you resiliency.

 

Availiability sets are more for when you want to account for planned and unplanned outages. Such as patching of the system, power failure etc. 

 

I deally you will have your VMs in an avaialbility set and behind a load balancer.

Hi Niyengar, thanks for the update, thats great news that the VMs are included in the bundle, but i was confused as to why Palo Alto gave sizing info for virtual machines, or is that for virtual firewalls that are not bought as part of an azure subscription.

Does Azure then choose the size of the virtual machine when we purchase the VM-300 and bundle option?

 

Regarding the HA query, i did see that there was no HA for PAN-OS on azure, so how would i achieve resiliency to ensure that if one firewall fails (or needs rebooting) that i can continue to have security enforced through the palo alto firewalls, are you saying that there is no clustering or active/standby setup for palo altos in azure?

 

I am going to be using a load balancer that sits in front of the firewalls, but need to ensure resiliency in the event of failure of one of the firewalls.

 

many thanks for your assistance, really appreciate it

 

Taib.

There simply is no HA however resiliency can be achieved by Loadbalancing across 2 independant Active Active firewalls when they are apart of an availability set. This is not the same as traditional HA however it does have resiliency. However there are complexities putting load balancing in front of firewalls such as NAT'ing.

1. If you are using PAN-OS 8.1 you can leverage our enhanced bootstrapping for Azure. This makes bootstrapping easy

2. If you have multiple firewalls in a backend pool of a loadbalancer your health probe will ensure that traffic is only sent to the active firewall

3. Applications today are written to re-establish connectivity at the event of a connection lost for long lived sessions

4. Even with HA in the cloud all platforms will typically have a 1-1.5 minute delay during failover and during that time sessions need to be restablished by the application either way. 

 

So i am not against stateful HA but stateful HA is a legacy way of thinking that comes from the physical architecture thought process and not the cloud thought process. 

 

Your availability set will ensure availability with the use of Update Domains and Fault Domains. That firewalls in the backend pool will need to go into an availability set for to help with infrastructure and natural disaster faults. 

Multiple firewalls in the backend pool and health probes will ensure availability due to any "software" issues. 

To add to my post last night [PDT] here is a link to information regarding High Availability in AWS and Azure

 

High Availability Considerations on AWS and Azure

https://live.paloaltonetworks.com/t5/AWS-Azure-Articles/High-Availability-Considerations-on-AWS-and-...

 

 

  • 4162 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!