: Auto Scaling on Azure - Components and Planning Checklist
Focus
Focus

Auto Scaling on Azure - Components and Planning Checklist

Table of Contents

Auto Scaling on Azure - Components and Planning Checklist

Learn about the components that the auto scaling templates deploy and identify what you need before you begin.
To deploy VM-Series firewalls in an auto scaling set up where the firewalls can scale with your application workloads and ensure high availability for your services, you need to understand the following concepts:
  • Virtual Machine Scale Sets (VMSS)
    — A VMSS is a group of individual virtual machines (VMs) within the Microsoft Azure public cloud that administrators can configure and manage as a single unit. The firewall templates provided for auto scaling, create and manage a group of identical, load balanced VM-Series firewalls that are scaled up or down based on custom metrics published by the firewalls to Azure Application Insights. The scaling-in and scaling out operation can be based on configurable thresholds.
  • Azure Application Insights
    —The VM-Series firewall on Azure can publish custom PAN-OS metrics natively to Azure Application Insights that you can use to monitor the firewalls directly from the Azure portal. These metrics allow you to assess performance and usage patterns that you can use to set alarms and take action to automate events such as launching or terminating instances of the VM-Series firewalls. See Custom PAN-OS Metrics Published for Monitoring for a description on the metrics that are available.
  • Panorama, Panorama plugin for Azure, and VM-Series plugin
    —Panorama is required to enable centralized management of the auto scaling VM-Series firewalls that are deployed in the VMSS. The Azure plugin on Panorama enables you to set up communication between Panorama and the resources within your Azure subscription. The plugin takes care of the interactions required to license, bootstrap and configure the VM-Series firewalls using device groups and template stacks on Panorama. It also programs the Azure static routes and the Azure Application Insights Instrumentation Key to the firewalls in the VMSS.
    You also need to install the VM-Series plugin on Panorama, if you are managing firewalls running PAN-OS 9.0.0 or later. Panorama requires the VM-Series plugin to push the Azure Application Insights instrumentation key to managed firewalls. On earlier versions of PAN-OS, the VM-Series plugin is not relevant as the VM-Series plugin was introduced in PAN-OS 9.0.0. This plugin enables publishing custom metrics to cloud monitoring services (such as Azure Application Insights), bootstrapping, configuring user credential provisioning information from public cloud environments, and seamless updates for cloud libraries or agents on PAN-OS.
  • Azure Functions and Service Bus
    —Azure Service Bus enables message-based communication between the Azure plugin on Panorama and the Azure resources. The Azure Function is a publicly accessible webhook that publishes messages to the message queue. When you configure the Azure plugin to subscribe to that queue, it can read messages to learn when a new application template is deployed (as long as it has the Panorama managed tag) and when a firewall was scaled in events so that it can contact the Palo Alto Networks licensing server and deactivate the license. The Panorama plugin and the Azure function use a Shared Access Signature (SAS) token to authenticate to the Service Bus and write or read messages from the queue.
  • Templates
    —For deploying the auto scaling VM-Series firewalls to secure your application server pool on Azure, four templates are available to you—Inbound firewall template, Hub firewall template, Infrastructure template, and the sample app template.
    • Infrastructure template
      —The template deploys the Azure Service Bus and messaging infrastructure to enable message-based communication between the Azure plugin on Panorama and the Azure resources.
      You can reuse this messaging infrastructure across multiple Azure subscriptions. Because this infrastructure does not have a 1:1 relationship with Panorama, you do not have to deploy the template multiple times.
      Inbound firewall template
      —The template deploys an Azure Application Gateway (L7 load balancer), VMSS for the VM-Series firewalls, new VNET with three subnets for the Trust, Untrust, and Management interfaces on the firewall, and an Application Insights instance. The VM-Series firewalls in this template enable you to secure inbound traffic from the Internet to your application.
    • Hub firewall template
      —The template deploys an Standard internal load balancer, VMSS for the VM-Series firewalls, new VNET with three subnets for the Trust, Untrust, and Management interfaces on the firewall, and an Application Insights instance. The VM-Series firewalls that this template deploys enable you to secure outbound traffic (traffic originating from the application servers), and east-west traffic between the application tiers.
    • App template
      —This template is provided as an example to help you try the VM-Series auto scaling solution on Azure. When deploying this application template, you can choose whether you want to secure inbound traffic only or secure both inbound and outbound traffic. The template deploys an internal load balancer (Standard) and a sample web application. If you opt to secure outbound traffic, it also creates User Defined Routes (UDRs) to forward outgoing traffic from the application server through the hub firewall VMSS. See Tags to learn about the labels that Panorama requires to identify the application traffic that it secures.
  • Azure VNet Peering
    —Azure VNet peering enables you to connect virtual networks within the Azure public cloud. The traffic between virtual machines in peered virtual networks is routed directly through the Microsoft backbone infrastructure, instead of using a gateway or going over the public internet. In peered VNets, all subnets within the virtual network have routes with next hop type VNet peering for each address space within these networks. If your applications and the VM-Series firewall VMSS are in different VNets, VNet peering between the application and the Inbound and Hub firewall VMSS virtual networks is required to successfully route traffic between them.
  • Azure Load Balancers
    —Internal load balancer and the Azure Application gateway to redistribute traffic to the firewall VMSS or to the backend application server pool.
  • Tags
    —The firewalls in the VMSS and the sample application have tags that are used for identification. When you deploy the firewall templates—Inbound or Hub—the VMSS, the VNet, and the Azure Application Gateway (external load balancer) have a tag called
    PanoramaManaged=True
    . This tag enables the Azure plugin on Panorama to identify the resources and retrieve information such as the subnet CIDR and the information required to manage the static routes and deactivate the license on the firewalls.
    In addition to the
    PanoramaManaged=Yes
    tag, the internal load balancer that fronts the application requires two more tags. To secure inbound traffic, you must add the tag
    SpokeRG=<name of the inbound firewall RG>
    ; and
    HubRG=<name of hub firewall RG>
    if you have deployed the Hub firewall template and want to secure outbound traffic.
  • Sample firewall configuration
    — The sample configuration includes a virtual router with eth1/1 (Untrust) and eth1/2 (Trust) interfaces in a zone. You can use this configuration as a starting point so that Panorama can push the static routes that enable the firewalls to forward inbound/outbound traffic through the correct interface on the firewall.
See Azure Auto Scaling Deployment Use Cases for greenfield and brownfield deployments scenarios.

Plan Your Deployment

Before you begin, use the following checklist to think through your auto scaling deployment and collect the details required to continue with Deploy Azure Auto Scaling Template.
  • The Azure subscription and region in which you want to deploy the applications and the VM-Series firewalls.
    The firewalls and the applications must be deployed in the same region and within the same subscription. Cross subscription deployments are not supported in the Azure Inbound firewall or Hub firewall template version 1.0.
  • Panorama appliance running a PAN-OS version that supports auto scaling (see the Panorama plugin version information in the Compatibility Matrix).
  • The Panorama must either have a public IP address to route over the internet or another way to establish connectivity with the VM-Series firewalls. To complete the bootstrapping flow and ensure that the firewalls are licensed, the management interface on the Panorama appliance must be able to communicate with the management interface on the VM-Series. Additionally, the VM-Series firewall must be able to access the Palo Alto Networks servers to retrieve the license successfully.
  • Plan the device groups and templates/template stack on Panorama.
    On Panorama, you must assign firewalls to a template stack and a device group in order to push network configuration and policies. You must first add a template and assign it to a template stack, create a device group on Panorama, and then include the template stack name and the device group name in the configuration (init-cfg.txt) file. If you are deploying the Hub firewall template and an Inbound firewall template to deploy auto scaling VM-Series firewalls that protect inbound and outbound traffic to the applications in your Azure subscription, you must set up a two sets of template stack, templates and device groups. One for managing the VM-Series firewall configuration for the Hub firewall VMSS and another for the Inbound firewall VMSS.
    There is a 1:1 relationship between an Azure subscription and an auto scaling definition on Panorama.
    If you have more than one VMSS in an Azure subscription, you must use a single Panorama appliance to manage both VMSS in the Azure subscription.
    For each firewall VMSS that you want to add to Panorama, you must provide the Resource Group name, Resource Group type - Hub or Inbound, device group name and template stack name with which to associate the firewalls so that Panorama can push the configuration. As a part of the auto scaling definition, you can specify whether you want Panorama to create and push the static routes required to forward inbound/outbound traffic through the firewall.
    You must also add a virtual router to the template stack.
  • Create a storage account on the Azure portal and set up the Azure Files service to contain the folder structure required to Bootstrap the VM-Series Firewall on Azure.
  • Gather the information you need as inputs in the init-cfg.txt file. You must include the following:
    • Panorama IP address—The IP address of the Panorama appliance that the firewalls must connect with for the license and configuration.
    • VM auth key—The VM auth key allows Panorama to authenticate the newly bootstrapped VM-Series firewall. So, to manage the firewall using Panorama, you must include the IP address for Panorama and the VM auth key in the basic configuration file as well as the license auth codes in the /license folder of the bootstrap package. The firewall can then provide the IP address, serial number, and the VM auth key in its initial connection request to Panorama so that Panorama can verify the validity of the VM auth key and add the firewall as a managed device. If you provide a device group and template in the basic configuration file, Panorama will assign the firewall to the appropriate device group and template so that you can centrally configure and administer the firewall using Panorama.
    • Auth codes, if using BYOL
    • Device group name
    • Template stack name
  • (If you want to secure an application that you have already deployed) Collect the application details required to configure the Azure Application Gateway in the Inbound firewall template to steer the application traffic to the internal load balancer that fronts the application which you want to secure. Refer to the Azure Application Gateway documentation for details on the frontend- and backend-server configuration. For an example configuration, see onboard an app.
    When you use the sample app template, the relevant tags are automatically defined and the plugin creates the static routes required to redirect traffic through the firewall before it is routed to the application server pool. In the case of a brownfield deployment or when you deploy your own application template, to enable the inbound firewall VMSS to support multiple applications in the backend pool, you must manually configure the public load balancer that fronts your application server pool.
  • The Azure plugin on Panorama needs an Active Directory application and a Service Principal to execute Azure APIs and access Azure resources. When you create the Active Directory application and Service Principal, make sure that the Service Principal has the permissions specified in VM-Series on Azure Service Principal Permissions, and save the following details from that process. This information is required as inputs to the Azure plugin on Panorama.
    • Application ID
    • Secret key (Copy this key; the secret key is no longer visible after you navigate away from the page)
    • Tenant ID
    • Subscription ID
  • Download the templates and files that enable this auto scaling deployment from the GitHub repository.
  • Record the Service Bus Key Name and Shared Access Signature.
    After you deploy the Infrastructure template, you must gather the Service Bus Key Name and Shared Access Signature details for configuring the auto scaling definition.

Recommended For You