Deploying Palo Alto on Azure in HA


With the world adopting a cloud-first strategy, it is no surprise to see vendors cloning their traditional on-premises solutions in the cloud. This article walks through the high-level process of building a platform on Microsoft Azure and deploying Palo Alto firewalls in high-availability mode.

What you need

  • Deployment guide from Palo Alto.
  • A trial subscription from Microsoft Azure, upgraded to "Pay-as-you-go". This won't cost anything until the free credit expires. We noticed that the subscription must be upgraded before you can create a Palo Alto firewall with a valid Bundle1 license.

Once you have a trial subscription (upgraded to Pay-as-you-go) on Microsoft Azure, go to the Marketplace and search for Palo Alto Networks. Below are the three license options available.

We selected the Bundle1 license while deploying the Palo Alto firewall VM from the Azure Marketplace. It takes 5-10 minutes for the VM to be created and loaded with the respective PAN-OS. Once the firewall is ready, you can log on to it from your web browser at its public DNS URL. The firewall should now have a valid serial number and the licenses applied.

[Image: firewall login]

To create the second firewall, you need to use a template from GitHub, as the Marketplace won't allow you to launch another firewall VM in an existing resource group. Even after the template is imported for the secondary firewall, certain variables such as the plan and resource group have to be updated. Once both firewall VMs are created, we need to create an additional network interface for the HA2 connection. As for IP addressing, the host VM needs IP addressing, and so does the tenant Palo Alto firewall. This is where the configuration approach for Palo Alto firewalls changes in cloud infrastructure. When configuring IP addresses on the Palo Alto firewalls, it is recommended to do it on the primary firewall only, because once HA is up and running, the passive/secondary firewall automatically gets a copy of the configuration from the active/primary firewall.

[Image: Virtual machines]

The HA1 connection can be configured on one more additional interface, but in our case the management interface has been used for it. Finally, the VM plugins on the firewalls are key for failover to work on Azure.
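The HA2 interface step described above, as an added example that is not from the original article: an Azure CLI script that attaches a private NIC for HA2 to each firewall VM. The resource group, VM, VNet and subnet names are assumed placeholders, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env bash
# Added example (not the author's script): attach a dedicated HA2 NIC to a
# firewall VM with the Azure CLI. Every resource name used here is an
# assumed placeholder; substitute the names from your own deployment.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands only, 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# add_ha2_nic RESOURCE_GROUP VM_NAME VNET SUBNET
add_ha2_nic() {
  if [ "$#" -ne 4 ]; then
    echo "usage: add_ha2_nic RESOURCE_GROUP VM_NAME VNET SUBNET" >&2
    return 2
  fi
  ha_rg=$1; ha_vm=$2; ha_vnet=$3; ha_subnet=$4
  ha_nic="${ha_vm}-ha2-nic"
  # Azure only attaches a NIC to a VM that is stopped (deallocated), and the
  # VM size must allow one more interface.
  run az vm deallocate --resource-group "$ha_rg" --name "$ha_vm" || return 1
  # No public IP is requested, so the HA2 link stays on private addressing
  # inside the dedicated subnet.
  run az network nic create --resource-group "$ha_rg" --name "$ha_nic" \
      --vnet-name "$ha_vnet" --subnet "$ha_subnet" || return 1
  run az vm nic add --resource-group "$ha_rg" --vm-name "$ha_vm" \
      --nics "$ha_nic" || return 1
  run az vm start --resource-group "$ha_rg" --name "$ha_vm" || return 1
}

# Constructed sample values for the HA pair (assumptions, not from the article).
add_ha2_nic rg-fw-ha fw-primary   vnet-fw subnet-ha2
add_ha2_nic rg-fw-ha fw-secondary vnet-fw subnet-ha2
```

Review the printed plan first, then rerun with `DRY_RUN=0` during a maintenance window, since each VM is deallocated while its interface is added.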



Jeegar Jani

Senior Presales & PS Consultant at Redington Gulf

4 years

Hiraman Sharma, have you experienced Azure making false API calls for failover even when the active fw is up and running, resulting in the floating IP getting attached to the passive fw and causing the traffic to drop as it is routed on the passive fw?
