Cloud NGFW for Azure Resiliency and Scalability

Cloud NGFW for Azure offers a flexible, automated firewall that scales on-demand with your VNet and Virtual WAN traffic, easily handling unpredictable throughput needs.
Where Can I Use This?
  • Cloud NGFW for Azure
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Portal account
  • Azure Marketplace subscription
Cloud NGFW for Azure is a regional service similar to other Azure zone-redundant services. This service is delivered on the Azure platform to protect your Azure Virtual Network (VNet), Virtual WAN (VWAN) Hub, Branch, VPN, and ExpressRoute traffic.
The Cloud NGFW resource provides next-generation firewall capabilities without requiring the management of underlying infrastructure. This resource has built-in resiliency, scalability, and life-cycle management. A Cloud NGFW resource is deployed either into a Hub VNet or a VWAN Hub and uses the underlying Azure VNet infrastructure to inspect the traffic. Under the hood, each Cloud NGFW resource includes a dedicated pair of Azure load balancers and a dedicated Virtual Machine Scale Set (VMSS) of Palo Alto Networks Security Processing VM instances. The Security Processing VM instances are the core components of the Palo Alto Networks Cloud NGFW for Azure, hosting the Palo Alto Networks software that performs the Next-Generation Firewall (NGFW) functions.

Built-in Scalability

The Cloud NGFW for Azure resource maintains its uptime based on its built-in elastic scalability model, which dynamically scales with your VNet and Virtual WAN traffic to meet unpredictable throughput demands.
Aggressive Scale-Out
The Cloud NGFW resource scales out by adding more Security Processing VM instances when the average of any single scaling dimension reaches a 40% threshold. This aggressive approach ensures the service can quickly handle sudden increases in traffic volume and maintain its uptime and performance.
Conservative Scale-In
The Cloud NGFW resource scales in by removing Security Processing VM instances only when the average of every scaling dimension has dropped to the 20% threshold. This conservative approach prevents the service from prematurely removing instances during minor lulls in traffic, which could cause performance issues if traffic suddenly increases again, and so ensures a stable and consistent level of performance.
The Cloud NGFW resource leverages its built-in high availability and scales with your traffic based on multiple dimensions and thresholds as stated below:
Dimension                      | Default Scale-Out Threshold (for 5 min)                    | Default Scale-In Threshold (for 8 hours)
CPU Utilization                | 40%                                                        | 20%
Session Utilization            | 40%                                                        | 20%
SSL Proxy Session Utilization  | 40%                                                        | 20%
Session Throughput (Kbps)      | 40% of the minimum capacity                                | 20% of the minimum capacity
Used SNAT Ports                | 40% of the available ports per Security Processing Node    | 20% of the available ports per Security Processing Node
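The asymmetry between the two rules (scale-out on any one dimension over 5 minutes, scale-in only when every dimension stays low for 8 hours, never below three instances) is easiest to see as a small decision model. The following Python is an added illustration written for this page, not Palo Alto Networks code; the sample readings and the 64,000 SNAT ports per node are constructed values, and the page does not specify how often metrics are sampled.

```python
from statistics import mean

# Scaling dimensions from the table above. Every sample holds each dimension as
# a fraction of its reference: CPU, session and SSL-proxy-session utilization are
# percent/100; throughput is a fraction of the minimum capacity; SNAT ports are a
# fraction of the ports available per Security Processing Node.
DIMENSIONS = ("cpu", "sessions", "ssl_proxy_sessions", "throughput", "snat_ports")
SCALE_OUT_THRESHOLD = 0.40   # ANY dimension, averaged over the 5-minute window
SCALE_IN_THRESHOLD = 0.20    # EVERY dimension, averaged over the 8-hour window
MIN_INSTANCES = 3            # the VMSS never drops below three instances


def sample(**util):
    """One metrics sample; dimensions not given default to 0.0."""
    return {d: float(util.get(d, 0.0)) for d in DIMENSIONS}


def snat_fraction(used_ports, available_ports_per_node):
    """Used SNAT ports relative to what one Security Processing Node has."""
    return used_ports / available_ports_per_node


def window_average(window):
    """Per-dimension mean over a list of samples."""
    return {d: mean(s[d] for s in window) for d in DIMENSIONS}


def scaling_decision(window_5min, window_8h, instances):
    """Return "scale_out", "scale_in" or "hold" (scale-out: ANY dimension's
    5-min average >= 40%; scale-in: EVERY dimension's 8-h average <= 20% and
    more than the minimum three instances currently running)."""
    if any(v >= SCALE_OUT_THRESHOLD for v in window_average(window_5min).values()):
        return "scale_out"
    if instances > MIN_INSTANCES and all(
        v <= SCALE_IN_THRESHOLD for v in window_average(window_8h).values()
    ):
        return "scale_in"
    return "hold"


# Constructed readings (not measured data): a quiet 8-hour window, plus a
# 5-minute burst where only SNAT port usage climbs (30,000 of 64,000 ports).
QUIET = [sample(cpu=0.15, sessions=0.10, throughput=0.12, snat_ports=0.18)] * 8
SNAT_SPIKE = [sample(cpu=0.15, snat_ports=snat_fraction(30_000, 64_000))] * 5

if __name__ == "__main__":
    print(scaling_decision(SNAT_SPIKE, QUIET + SNAT_SPIKE, 3))  # scale_out
    print(scaling_decision(QUIET[-5:], QUIET, 4))               # scale_in
    print(scaling_decision(QUIET[-5:], QUIET, 3))               # hold
```

Note that a single dimension such as SNAT port exhaustion triggers scale-out even while CPU is idle, whereas one elevated reading anywhere in the 8-hour window is enough to block scale-in.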

Built-in Resiliency

As discussed in the disaster recovery guide, Cloud NGFW for Azure has built-in resilience to recover from Security Processing VM failures and Azure Availability Zone failures. Cloud NGFW maintains its uptime based on this built-in resiliency model.
Resiliency against VM Failures
The Cloud NGFW resource ensures high availability by maintaining a minimum of three Security Processing VM instances running simultaneously in a dedicated Virtual Machine Scale Set (VMSS).
  • Failure Detection: The Azure Load Balancer(s) included in the Cloud NGFW resource use fine-grained health checks to detect faults in a Security Processing VM instance.
  • Automatic Recovery: Upon detection of a failure, Cloud NGFW immediately replaces the faulty instance with a new one. Since the recovery heuristic is built into the product and does not require any action from your end, Palo Alto Networks will not notify you about this event.
Resiliency across availability zones
The Cloud NGFW resource offers built-in resiliency across Azure availability zones within a region by using a dedicated Virtual Machine Scale Set (VMSS) that distributes Security Processing VMs across the availability zones of that region.
  • Limited Blast Radius: If an entire Availability Zone fails, only the VM-Series instances in that specific zone are affected.
  • Operation Continuity: The Cloud NGFW resource remains intact and continues to protect traffic using the Security Processing VMs located in the other operational availability zones.
  • Automatic Recovery: When the failed Availability Zone comes back online, the Cloud NGFW resource automatically detects the change and brings the instances in that zone back up. Since the recovery heuristic is built into the product and does not require any action from your end, Palo Alto Networks will not notify you about this event.
Resiliency across Azure Regions
As you deploy your applications across multiple Azure regions to service requests in an active-active manner, you also deploy the Palo Alto Networks Cloud NGFW resources, with built-in availability, resiliency, and life-cycle management, in each region to secure the application traffic.
  • Regional Failure: In the rare event of a complete Azure regional failure, both the application workloads and the Cloud NGFW resource in that region will be down. There is no traffic to secure in the region during this outage.
  • Multi-Region Continuity: Application workloads and the corresponding Cloud NGFW services in other, unaffected regions will continue to function and secure traffic.