Hi all, I'm trying to spec up a resilient HA solution for the VM-300 series PAYG bundle 1 option within Azure, and just need the following clarified:
- If I were to purchase the VM-300 option 1 bundle (https://azuremarketplace.microsoft.com/en-us/marketplace/apps/paloaltonetworks.vmseries-ngfw?tab=Pla...), does this mean I also need to purchase virtual machines for them to run on within Azure, or does the bundle include VMs to run on?
- If I need to purchase VMs, should I go for the Linux standard VM builds, memory optimised, or CPU optimised?
- Regarding HA and resiliency, will I need to purchase 2 x VM-300 firewalls with the option 1 bundle in order to provide HA? I.e., in the event one VM-300 fails or needs restarting, I need a way to ensure traffic keeps flowing. I'm getting confused, as it appears there is some option for availability sets within Azure that perform a similar function? Or is it that I would have to purchase 2 VM-300s and place them in this availability set to achieve this?
I think I've gone a bit documentation blind, and just need a bit of a steer.
The VMs are part of the bundle, so no need to buy additional VMs.
Just note that we do not support PAN-OS stateful HA in Azure. You can deploy firewalls behind a load balancer and that will give you resiliency.
Availability sets are more for when you want to account for planned and unplanned outages, such as patching of the system, power failure, etc.
Ideally you will have your VMs in an availability set and behind a load balancer.
Hi Niyengar, thanks for the update. That's great news that the VMs are included in the bundle, but I was confused as to why Palo Alto gave sizing info for virtual machines, or is that for virtual firewalls that are not bought as part of an Azure subscription?
Does Azure then choose the size of the virtual machine when we purchase the VM-300 and bundle option?
Regarding the HA query, I did see that there was no HA for PAN-OS on Azure, so how would I achieve resiliency to ensure that if one firewall fails (or needs rebooting) I can continue to have security enforced through the Palo Alto firewalls? Are you saying that there is no clustering or active/standby setup for Palo Altos in Azure?
I am going to be using a load balancer that sits in front of the firewalls, but need to ensure resiliency in the event of failure of one of the firewalls.
Many thanks for your assistance, really appreciate it.
There simply is no HA; however, resiliency can be achieved by load balancing across 2 independent active/active firewalls when they are part of an availability set. This is not the same as traditional HA, however it does have resiliency. However, there are complexities putting load balancing in front of firewalls, such as NAT'ing.
1. If you are using PAN-OS 8.1 you can leverage our enhanced bootstrapping for Azure. This makes bootstrapping easy.
2. If you have multiple firewalls in a backend pool of a load balancer, your health probe will ensure that traffic is only sent to the active firewall.
3. Applications today are written to re-establish connectivity in the event of a lost connection for long-lived sessions.
4. Even with HA in the cloud, all platforms will typically have a 1-1.5 minute delay during failover, and during that time sessions need to be re-established by the application either way.
So I am not against stateful HA, but stateful HA is a legacy way of thinking that comes from the physical architecture thought process and not the cloud thought process.
Your availability set will ensure availability with the use of Update Domains and Fault Domains. The firewalls in the backend pool will need to go into an availability set to help with infrastructure and natural disaster faults.
Multiple firewalls in the backend pool and health probes will ensure availability due to any "software" issues.
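The design described in the replies above (two independent firewalls in an availability set, placed in a load balancer backend pool with a health probe) can be expressed as an Azure Bicep template. This is an added example written for this thread; it is not code from the thread, from Palo Alto Networks, or from the VM-Series marketplace offer. The resource names (`fw-avset`, `fw-ilb`, `fw-pool`, `fw-probe`), the API versions, the probe port, the internal-LB layout and the `untrustSubnetId` parameter are all assumptions for illustration; the firewall VM resources themselves are omitted and would reference the `availabilitySetId` output in their `availabilitySet` property.

```bicep
// Added example (not from the thread or Palo Alto): two firewall NICs in an
// availability set, behind an internal Standard Load Balancer with a TCP health
// probe and an HA-ports rule. All names and the probe port are assumptions.
param location string = resourceGroup().location
param untrustSubnetId string        // assumed: subnet shared by the LB frontend and firewall NICs
param probePort int = 443           // assumed: a TCP port the firewall answers on the probed interface
param firewallCount int = 2         // two independent active/active firewalls, as the thread describes

// Fault domains spread members across separate racks/power; update domains are
// never rebooted together during planned platform maintenance.
resource avset 'Microsoft.Compute/availabilitySets@2023-03-01' = {
  name: 'fw-avset'
  location: location
  sku: {
    name: 'Aligned'   // required when the VMs use managed disks
  }
  properties: {
    platformFaultDomainCount: 2
    platformUpdateDomainCount: 5
  }
}

resource lb 'Microsoft.Network/loadBalancers@2023-04-01' = {
  name: 'fw-ilb'
  location: location
  sku: {
    name: 'Standard'  // HA-ports rules require the Standard SKU
  }
  properties: {
    frontendIPConfigurations: [
      {
        name: 'fe'
        properties: {
          subnet: { id: untrustSubnetId }
          privateIPAllocationMethod: 'Dynamic'
        }
      }
    ]
    backendAddressPools: [
      { name: 'fw-pool' }
    ]
    // A firewall that stops answering the probe is removed from rotation after
    // numberOfProbes consecutive failures (about 10 s here), so flows keep going
    // through the surviving member without any PAN-OS HA configuration.
    probes: [
      {
        name: 'fw-probe'
        properties: {
          protocol: 'Tcp'
          port: probePort
          intervalInSeconds: 5
          numberOfProbes: 2
        }
      }
    ]
    loadBalancingRules: [
      {
        name: 'ha-ports'
        properties: {
          frontendIPConfiguration: {
            id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', 'fw-ilb', 'fe')
          }
          backendAddressPool: {
            id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', 'fw-ilb', 'fw-pool')
          }
          probe: {
            id: resourceId('Microsoft.Network/loadBalancers/probes', 'fw-ilb', 'fw-probe')
          }
          protocol: 'All'   // HA ports: forward every TCP/UDP port through the pool
          frontendPort: 0
          backendPort: 0
          enableFloatingIP: false
          loadDistribution: 'SourceIPProtocol' // pin a flow to one firewall; relevant to the NAT caveat above
        }
      }
    ]
  }
}

// One NIC per firewall, joined to the backend pool. IP forwarding must be enabled
// on firewall NICs so Azure delivers packets not addressed to the NIC's own IP.
resource fwNic 'Microsoft.Network/networkInterfaces@2023-04-01' = [for i in range(0, firewallCount): {
  name: 'fw${i}-untrust-nic'
  location: location
  properties: {
    enableIPForwarding: true
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: untrustSubnetId }
          privateIPAllocationMethod: 'Dynamic'
          loadBalancerBackendAddressPools: [
            { id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', lb.name, 'fw-pool') }
          ]
        }
      }
    ]
  }
}]

output availabilitySetId string = avset.id  // set as each firewall VM's availabilitySet.id
```

The probe port is the detail to get right: it must be a port the firewall actually answers on the probed interface, otherwise both members are marked down and the pool forwards nothing. `SourceIPProtocol` distribution keeps both directions of a flow on the same firewall, which is what makes the NAT arrangement mentioned in the reply workable with two independent (non-state-sharing) firewalls.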
To add to my post last night [PDT], here is a link to information regarding High Availability in AWS and Azure:
High Availability Considerations on AWS and Azure