Auto Scaling on Azure - Components and Planning Checklist
9.1 (EoL)
Learn about the components that the auto scaling templates deploy and identify what you need before you begin.
To deploy VM-Series firewalls in an auto scaling setup, where the firewalls scale with your application workloads and ensure high availability for your services, you need to understand the following concepts:
- Virtual Machine Scale Sets (VMSS)—A VMSS is a group of individual virtual machines (VMs) within the Microsoft Azure public cloud that administrators can configure and manage as a single unit. The firewall templates provided for auto scaling create and manage a group of identical, load-balanced VM-Series firewalls that are scaled up or down based on custom metrics the firewalls publish to Azure Application Insights. The scale-in and scale-out operations can be based on configurable thresholds.
- Azure Application Insights—The VM-Series firewall on Azure can publish custom PAN-OS metrics natively to Azure Application Insights, so you can monitor the firewalls directly from the Azure portal. These metrics let you assess performance and usage patterns, set alarms on them, and take action to automate events such as launching or terminating instances of the VM-Series firewalls. See Custom PAN-OS Metrics Published for Monitoring for a description of the available metrics.
- Panorama, Panorama plugin for Azure, and VM-Series plugin—Panorama is required for centralized management of the auto scaling VM-Series firewalls deployed in the VMSS. The Azure plugin on Panorama sets up communication between Panorama and the resources within your Azure subscription; it handles the interactions required to license, bootstrap, and configure the VM-Series firewalls using device groups and template stacks on Panorama, and it programs the Azure static routes and the Azure Application Insights instrumentation key on the firewalls in the VMSS. You also need to install the VM-Series plugin on Panorama if you are managing firewalls running PAN-OS 9.0.0 or later, because Panorama requires the VM-Series plugin to push the Azure Application Insights instrumentation key to managed firewalls. The VM-Series plugin was introduced in PAN-OS 9.0.0, so it is not relevant to earlier PAN-OS versions. This plugin enables publishing custom metrics to cloud monitoring services (such as Azure Application Insights), bootstrapping, configuring user credential provisioning information from public cloud environments, and seamless updates of cloud libraries or agents on PAN-OS.
- Azure Functions and Service Bus—Azure Service Bus enables message-based communication between the Azure plugin on Panorama and the Azure resources. The Azure Function is a publicly accessible webhook that publishes messages to the message queue. When you configure the Azure plugin to subscribe to that queue, it reads the messages to learn when a new application template is deployed (as long as it has the Panorama managed tag) and when a firewall is scaled in, so that it can contact the Palo Alto Networks licensing server and deactivate that firewall's license. The Panorama plugin and the Azure Function use a Shared Access Signature (SAS) token to authenticate to the Service Bus and to write messages to or read messages from the queue.
- Templates—To deploy the auto scaling VM-Series firewalls that secure your application server pool on Azure, four templates are available: the Inbound firewall template, the Hub firewall template, the Infrastructure template, and the sample app template.
- Infrastructure template—This template deploys the Azure Service Bus and messaging infrastructure that enables message-based communication between the Azure plugin on Panorama and the Azure resources. You can reuse this messaging infrastructure across multiple Azure subscriptions. Because this infrastructure does not have a 1:1 relationship with Panorama, you do not have to deploy the template multiple times.
- Inbound firewall template—This template deploys an Azure Application Gateway (L7 load balancer), a VMSS for the VM-Series firewalls, a new VNet with three subnets for the Trust, Untrust, and Management interfaces on the firewall, and an Application Insights instance. The VM-Series firewalls in this template secure inbound traffic from the Internet to your application.
- Hub firewall template—This template deploys a Standard internal load balancer, a VMSS for the VM-Series firewalls, a new VNet with three subnets for the Trust, Untrust, and Management interfaces on the firewall, and an Application Insights instance. The VM-Series firewalls that this template deploys secure outbound traffic (traffic originating from the application servers) and east-west traffic between the application tiers.
- App template—This template is provided as an example to help you try the VM-Series auto scaling solution on Azure. When deploying this application template, you can choose whether to secure inbound traffic only or both inbound and outbound traffic. The template deploys an internal load balancer (Standard) and a sample web application. If you opt to secure outbound traffic, it also creates User Defined Routes (UDRs) to forward outgoing traffic from the application server through the hub firewall VMSS. See Tags to learn about the labels that Panorama requires to identify the application traffic that it secures.
- Azure VNet Peering—Azure VNet peering enables you to connect virtual networks within the Azure public cloud. The traffic between virtual machines in peered virtual networks is routed directly through the Microsoft backbone infrastructure, instead of using a gateway or going over the public internet. In peered VNets, all subnets within the virtual network have routes with next hop type VNet peering for each address space within these networks. If your applications and the VM-Series firewall VMSS are in different VNets, VNet peering between the application and the Inbound and Hub firewall VMSS virtual networks is required to successfully route traffic between them.
- Azure Load Balancers—An internal load balancer and the Azure Application Gateway distribute traffic to the firewall VMSS or to the backend application server pool.
- Tags—The firewalls in the VMSS and the sample application carry tags that are used for identification. When you deploy the firewall templates (Inbound or Hub), the VMSS, the VNet, and the Azure Application Gateway (external load balancer) have a tag called PanoramaManaged=True. This tag enables the Azure plugin on Panorama to identify the resources and retrieve information such as the subnet CIDR and the details required to manage the static routes and deactivate the license on the firewalls. In addition to the PanoramaManaged=Yes tag, the internal load balancer that fronts the application requires two more tags: to secure inbound traffic, you must add the tag SpokeRG=<name of the inbound firewall RG>, and, if you have deployed the Hub firewall template and want to secure outbound traffic, HubRG=<name of hub firewall RG>.
- Sample firewall configuration—The sample configuration includes a virtual router with eth1/1 (Untrust) and eth1/2 (Trust) interfaces in a zone. You can use this configuration as a starting point so that Panorama can push the static routes that enable the firewalls to forward inbound/outbound traffic through the correct interface on the firewall.
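The tag requirements above are easy to get wrong in a brownfield deployment, where you add the tags by hand. The following pre-flight audit is an added example, not Palo Alto Networks code: it walks an inventory shaped like the `az resource list` JSON output (name, type, resourceGroup, tags) and reports every resource that lacks a tag the Azure plugin on Panorama relies on, and every SpokeRG/HubRG value that does not name a resource group present in the inventory. All resources below are constructed, and because the text quotes the PanoramaManaged value as both True and Yes, the check only verifies that the tag key is present.

```python
"""Pre-flight audit of the tags the Azure plugin on Panorama looks for.

Added example (not Palo Alto Networks code). Input records mirror the
`az resource list` JSON shape; every resource here is constructed.
"""
from typing import Dict, List

MANAGED_TAG = "PanoramaManaged"                 # key the plugin discovers resources by
ILB_TYPE = "Microsoft.Network/loadBalancers"    # the internal LB fronting the app
VMSS_TYPE = "Microsoft.Compute/virtualMachineScaleSets"

# Constructed inventory: inbound and hub firewall VMSS, the app's internal
# load balancer (missing HubRG), and an older ILB whose SpokeRG is a typo.
SAMPLE_RESOURCES: List[dict] = [
    {"name": "inbound-fw-vmss", "type": VMSS_TYPE, "resourceGroup": "inbound-fw-rg",
     "tags": {"PanoramaManaged": "Yes"}},
    {"name": "hub-fw-vmss", "type": VMSS_TYPE, "resourceGroup": "hub-fw-rg",
     "tags": {"PanoramaManaged": "Yes"}},
    {"name": "app-ilb", "type": ILB_TYPE, "resourceGroup": "app-rg",
     "tags": {"PanoramaManaged": "Yes", "SpokeRG": "inbound-fw-rg"}},
    {"name": "legacy-ilb", "type": ILB_TYPE, "resourceGroup": "legacy-rg",
     "tags": {"PanoramaManaged": "Yes", "SpokeRG": "typo-rg"}},
]


def required_tags(resource: dict, secure_outbound: bool) -> List[str]:
    """Tags a resource must carry for the plugin to manage it, per the checklist."""
    tags = [MANAGED_TAG]
    if resource["type"] == ILB_TYPE:
        tags.append("SpokeRG")           # names the inbound firewall resource group
        if secure_outbound:
            tags.append("HubRG")         # names the hub firewall resource group
    return tags


def audit_tags(resources: List[dict], secure_outbound: bool) -> Dict[str, List[str]]:
    """Return {resource name: [problems]} for every resource that fails the check."""
    known_rgs = {r["resourceGroup"] for r in resources}
    problems: Dict[str, List[str]] = {}
    for r in resources:
        tags = r.get("tags") or {}       # az returns null when a resource has no tags
        issues: List[str] = []
        for t in required_tags(r, secure_outbound):
            if t not in tags:
                issues.append(f"missing tag {t}")
            elif t in ("SpokeRG", "HubRG") and tags[t] not in known_rgs:
                issues.append(f"{t}={tags[t]} does not name a known resource group")
        if issues:
            problems[r["name"]] = issues
    return problems


if __name__ == "__main__":
    for name, issues in audit_tags(SAMPLE_RESOURCES, secure_outbound=True).items():
        print(f"{name}: {'; '.join(issues)}")
```

Run it against real output by replacing `SAMPLE_RESOURCES` with the parsed JSON from `az resource list`; an empty result means every VMSS and load balancer carries the tags the plugin needs before you configure the auto scaling definition.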
See Azure Auto Scaling Deployment Use Cases for greenfield and brownfield deployment scenarios.
Plan Your Deployment
Before you begin, use the following checklist to think
through your auto scaling deployment and collect the details required
to continue with Deploy Azure Auto Scaling Template.
- The Azure subscription and region in which you want to deploy the applications and the VM-Series firewalls. The firewalls and the applications must be deployed in the same region and within the same subscription. Cross-subscription deployments are not supported in the Azure Inbound firewall or Hub firewall template version 1.0.
- Panorama appliance running a PAN-OS version that supports auto scaling (see the Panorama plugin version information in the Compatibility Matrix).
- The Panorama appliance must either have a public IP address that is routable over the internet or another way to establish connectivity with the VM-Series firewalls. To complete the bootstrapping flow and ensure that the firewalls are licensed, the management interface on the Panorama appliance must be able to communicate with the management interface on the VM-Series. Additionally, the VM-Series firewall must be able to reach the Palo Alto Networks servers to retrieve its license.
- Plan the device groups and templates/template stacks on Panorama. On Panorama, you must assign firewalls to a template stack and a device group in order to push network configuration and policies. You must first add a template and assign it to a template stack, create a device group on Panorama, and then include the template stack name and the device group name in the configuration (init-cfg.txt) file. If you are deploying both the Hub firewall template and the Inbound firewall template, so that the auto scaling VM-Series firewalls protect inbound and outbound traffic to the applications in your Azure subscription, you must set up two sets of template stacks, templates, and device groups: one for managing the VM-Series firewall configuration for the Hub firewall VMSS and another for the Inbound firewall VMSS. There is a 1:1 relationship between an Azure subscription and an auto scaling definition on Panorama. If you have more than one VMSS in an Azure subscription, you must use a single Panorama appliance to manage both VMSS in that subscription. You must also add a virtual router to the template stack.
- Create a storage account on the Azure portal and set up the Azure Files service to contain the folder structure required to Bootstrap the VM-Series Firewall on Azure.
- Gather the information you need as inputs in the init-cfg.txt file. You must include the following:
- Panorama IP address—The IP address of the Panorama appliance that the firewalls must connect with for the license and configuration.
- VM auth key—The VM auth key allows Panorama to authenticate the newly bootstrapped VM-Series firewall. To manage the firewall using Panorama, you must include the IP address for Panorama and the VM auth key in the basic configuration file, as well as the license auth codes in the /license folder of the bootstrap package. The firewall can then provide its IP address, serial number, and the VM auth key in its initial connection request to Panorama, so that Panorama can verify the validity of the VM auth key and add the firewall as a managed device. If you provide a device group and template in the basic configuration file, Panorama assigns the firewall to that device group and template so that you can centrally configure and administer the firewall using Panorama.
- Auth codes, if using BYOL
- Device group name
- Template stack name
- (If you want to secure an application that you have already deployed) Collect the application details required to configure the Azure Application Gateway in the Inbound firewall template to steer the application traffic to the internal load balancer that fronts the application you want to secure. Refer to the Azure Application Gateway documentation for details on the frontend and backend server configuration. For an example configuration, see onboard an app. When you use the sample app template, the relevant tags are defined automatically and the plugin creates the static routes required to redirect traffic through the firewall before it is routed to the application server pool. In a brownfield deployment, or when you deploy your own application template, you must manually configure the public load balancer that fronts your application server pool to enable the inbound firewall VMSS to support multiple applications in the backend pool.
- The Azure plugin on Panorama needs an Active Directory application and a Service Principal to execute Azure APIs and access Azure resources. When you create the Active Directory application and Service Principal, make sure that the Service Principal has the permissions specified in VM-Series on Azure Service Principal Permissions, and save the following details from that process. This information is required as inputs to the Azure plugin on Panorama.
- Application ID
- Secret key (Copy this key; the secret key is no longer visible after you navigate away from the page)
- Tenant ID
- Subscription ID
- Download the templates and files that enable this auto scaling deployment from the GitHub repository.
- Record the Service Bus Key Name and Shared Access Signature. After you deploy the Infrastructure template, gather the Service Bus Key Name and Shared Access Signature details; you need them to configure the auto scaling definition.
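The checklist items on device groups, template stacks, the storage account and the init-cfg.txt inputs together describe one bootstrap package per VMSS. The following added example (not Palo Alto Networks code) builds that package on disk and audits it before you upload it to the Azure Files share: it creates the four bootstrap folders, writes config/init-cfg.txt from the inputs listed above, writes license/authcodes for BYOL, and refuses to produce a file that lacks the Panorama address, VM auth key, device group or template stack name. The folder and file names and the init-cfg.txt keys (type, hostname, panorama-server, vm-auth-key, dgname, tplname) are documented PAN-OS bootstrap parameters; every value below is a constructed placeholder.

```python
"""Build and check a VM-Series bootstrap package for Azure Files.

Added example, not Palo Alto Networks code. Folder names, file names and
init-cfg.txt keys are the documented PAN-OS bootstrap parameters; the
parameter values below are constructed placeholders. Each VMSS (Inbound,
Hub) gets its own package with its own dgname and tplname.
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Sequence, Tuple

REQUIRED_KEYS = ("type", "panorama-server", "vm-auth-key", "dgname", "tplname")
BOOTSTRAP_DIRS = ("config", "content", "license", "software")

# Constructed parameters for the Inbound firewall VMSS package.
INBOUND_PARAMS: Dict[str, str] = {
    "type": "dhcp-client",
    "hostname": "inbound-fw",
    "panorama-server": "203.0.113.10",          # placeholder Panorama address
    "vm-auth-key": "PLACEHOLDER-VM-AUTH-KEY",   # generated on Panorama
    "dgname": "azure-inbound-dg",               # device group for this VMSS
    "tplname": "azure-inbound-stack",           # template stack for this VMSS
}


def render_init_cfg(params: Dict[str, str]) -> str:
    """Serialize key=value lines, refusing to emit a file Panorama cannot act on."""
    missing = [k for k in REQUIRED_KEYS if not params.get(k)]
    if missing:
        raise ValueError(f"init-cfg.txt is missing required keys: {missing}")
    return "".join(f"{k}={v}\n" for k, v in params.items())


def parse_init_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and # comments are ignored."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed init-cfg.txt line: {line!r}")
        params[key.strip()] = value.strip()
    return params


def build_bootstrap_package(root, params: Dict[str, str],
                            authcodes: Sequence[str] = ()) -> List[str]:
    """Create the four folders, write config/init-cfg.txt and, for BYOL,
    license/authcodes. Returns the files written, relative to root."""
    root = Path(root)
    for d in BOOTSTRAP_DIRS:
        (root / d).mkdir(parents=True, exist_ok=True)
    (root / "config" / "init-cfg.txt").write_text(render_init_cfg(params))
    if authcodes:
        (root / "license" / "authcodes").write_text("\n".join(authcodes) + "\n")
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())


def check_bootstrap_package(root) -> List[str]:
    """Return the problems found; an empty list means the package passes."""
    root = Path(root)
    problems = [f"missing folder {d}/" for d in BOOTSTRAP_DIRS if not (root / d).is_dir()]
    cfg = root / "config" / "init-cfg.txt"
    if not cfg.is_file():
        return problems + ["missing config/init-cfg.txt"]
    params = parse_init_cfg(cfg.read_text())
    problems += [f"init-cfg.txt: {k} not set" for k in REQUIRED_KEYS if not params.get(k)]
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Build the inbound package in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        files = build_bootstrap_package(tmp, INBOUND_PARAMS, authcodes=["PLACEHOLDER-AUTHCODE"])
        problems = check_bootstrap_package(tmp)
    return files, problems


if __name__ == "__main__":
    files, problems = demo()
    print("files:", files)
    print("problems:", problems or "none")
```

Point `build_bootstrap_package` at a local copy of the share, then upload the tree to the Azure Files share referenced by the VMSS; run `check_bootstrap_package` on the Hub package with its own dgname and tplname as well, since the two VMSS must not share a device group or template stack.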