Deploy the Auto Scaling VM-Series Firewalls to Secure Your Applications

1. Launch the Infrastructure template.
   This allows you to launch the Azure Service Bus and the Azure function. You need to get the SB name, SB credentials (shared access key)  for use later on the Panorama Azure plugin. You will also need the Function URL to deploy the firewall template (for inbound and hub).

2. Log in to the Panorama, and for every VMSS group of firewalls, create a device group, a template stack and one or more templates.
3. Set up your Service Principal on the Azure plugin on Panorama.
   The Service Principal is the service account that you created on the Azure portal. This account is attached to the Azure AD and has limited permissions to access and monitor the resources in your Azure subscription. For this auto scaling deployment, make sure that the Service Principal has Contributor rights, at a minimum.

   1. Select PanoramaPluginsAzureSetupService PrincipalAdd.

   2. Enter a Name and optionally a Description to identify the service account.
   3. Enter the Subscription ID for the Azure subscription you want to monitor. You must login to your Azure portal to get this subscription ID.
   4. Enter the Client Secret and re-enter it to confirm.
   5. Enter the Tenant ID. The tenant ID is the Directory ID you saved when you set up the Active Directory application.
   6. Click Validate to verify that the keys and IDs you entered are valid, and Panorama can communicate with the Azure subscription using the API.
4. Create your Azure auto scaling definition for the Azure subscription.
   You can add up to 10 Autoscaling Definitions and each definition can include up to 25 Virtual Machine Scale Sets (VMSS). The firewalls in a VMSS map to one device group and one template stack on Panorama.

   1. Select PanoramaPluginsAzureAutoscalingAdd.
   2. Enter a Name and Description for the auto scaling definition.
   3. Add the Service Bus Name—Enter the Service Bus Name that you defined when you launched the Infrastructure template from the GitHub repository. You must copy this name from the from the Azure portal and paste it here.
   4. Add the Shared Access Token and Service Bus Key Name— You need to get these from the Infrastructure template on the Azure portal.

   5. Select the Service Principal that enables Panorama to authenticate to your Azure subscription.
   6. Add the firewall Resource Group to Panorama.
      1. Enter a name to identify the Firewall Resource Group, and optionally a Description.
      2. Select the Resource Group Type: Hub—These firewalls secure outbound traffic and east-west traffic between the VMs in your Azure deployment. Inbound—These firewalls secure inbound traffic to the application VMs in your Azure deployment.
      3. Select the Device Group. and the Template Stack that you created for the firewalls deployed within the Resource Group above.
      4. Verify that Push static routes automatically to the template stack is enabled. This option is enabled by default, and it enables Panorama to push static routes to the firewalls that belong to the Inbound Firewall VMSS and the Hub Firewall VMSS. In the Inbound Firewall template, the static routes enable the firewalls to direct inbound traffic to the backend application server pool, route return traffic to the client, and route the health probe initiated by the Azure load balancer. In the Hub Firewall template, the static routes enable the firewalls to route the health probe initiated by the Azure load balancer and direct outbound traffic (that is traffic originating from the applications/services) to the internet.
5. Launch the Azure Inbound Firewall template.
   Whether you want to secure a greenfield deployment or a brownfield deployment, you need the Azure Inbound Firewall template to secure inbound traffic to an internet-facing application.
   1. Launch the Inbound Firewall template.
      For a description of the input parameters, see Inbound Firewall Template Parameters. And skip to onboard an app, if you do not want to secure outbound traffic (that is secure traffic originating from your application workloads within a Resource Group).
   2. To secure inbound application traffic, you must connect the application to the Inbound firewall VMSS.
      When you onboard your application, you need to do the following:

      • Configure the Application Gateway with the frontend and backend configuration to point to the internal load balancer that fronts the application server pool. Refer to the Azure Application Gateway documentation.
      • In the default BackendUDR, add a route with application subnet as the destination, and the next hop IP address as that of the internal load balancer that fronts the firewall VMSS.
      • Set up VNet peering between the application VNet and the Inbound firewall VMSS VNet, if they are in different VNets. When you use the sample application template included in the GitHub repository, VNet peering is set up for you.
      • Tag the internal load balancer that fronts the application with these name-value pairs.

        PanoramaManaged-yes

        InboundRG-<Name of the Inbound Firewall Resource Group>

        The Inbound template assigns a public IP address to VMSS PA-VM management interface. Make sure to configure the Network Security Group inbound source IP in the template.
6. Launch the Azure Hub Firewall template.
   You need to deploy this template, only if you want to secure traffic originating from your application workloads within a Resource Group.
   1. Launch the Hub autoscaling firewall template. For a description of the input parameters, see Hub Template Parameters.
   2. Connect the Hub firewall VMSS to the application VNet.
      Complete the following on the Azure portal:

      • Add a UDR in the route table and associate the application’s subnet to the route table. Refer to the Azure documentation.
      • On the Azure portal, add a default route (0.0.0.0/0) to forward all traffic to the internal load balancer that fronts the Hub firewall VMSS.
      • Tag the internal load balancer that fronts the application with these name-value pairs.

        HubRG-<Name of the Hub Firewall Resource Group>

        On Panorama, you must add a static route to enable the firewalls in the Hub VMSS to direct traffic back to the application workloads (as shown below in this step). Make sure to define the static route on the template stack that manages the configuration of the firewalls in the Hub VMSS.
   3. Verify that the auto-programmed routes are in the virtual router on Panorama.
      After you deploy the Hub template, a default route and a route for health checks to the managed firewalls is automatically added to the virtual router in the template stack for the VM-Series firewalls launched with the Hub template. And the Azure Application Insights instrumentation key is also automatically available. You need to verify that these routes and the are included so that the firewalls are properly configured and can send metrics for monitoring the autoscaling thresholds. the Synchronizing Config with Azure button. Follow the same procedure if you do not see routes populated for the Hub template stack as well.

      1. Log in to Panorama and select Network.
      2. Select the template stack associated with the Hub firewall VMSS in the Template drop-down.
      3. Select Virtual Router and select the virtual router.
      4. Select Static Routes and verify that you can see two routes.

      5. Select DeviceVM-Series and view the value for the Azure Instrumentation Key.

      If you do not see the static routes or the Azure Instrumentation Key, on PanoramaPluginsAzureAutoScaling, and click the Synchronizing Config with Azure link that corresponds to the autoscaling definition you want to update.
   4. Verify that you have a static route to direct return traffic from the internet back to the application.
      On Panorama, the virtual router associated with the template stack for the Hub firewall must have a static route to direct return traffic to the application workloads. This static route is automatically created when you tag the internal load balancer in the Application VNet with

      HubRG-<Name of the Hub Firewall Resource Group>

      Otherwise, you must add the static route as follows.

      1. Log in to Panorama and select Network.
      2. Select the template stack associated with the Hub firewall VMSS in the Template drop-down.
      3. Select Virtual Router and select the virtual router you are configuring.
      4. Select Static Routes and add a route with the destination IP address as the subnet for the application, set the outgoing interface as the trust interface on the firewall and the Next Hop IP address for the internal load balancer that fronts your application workloads in the application Resource Group.

      The Inbound template assigns a public IP address to VMSS PA-VM management interface. Make sure to configure the Network Security Group inbound source IP in the template.
7. To onboard an app, complete the following on the Inbound Firewall Resource Group.
   1. Access the Application Gateway.
   2. Add the Load balancer IP address for the sample application to the Application Gateway backend pool.

   3. Add a route to the defaultBackendUDR to direct traffic through the firewall to the application you want to secure.
      You need to add a route that specifies the address prefix of the internal load balancer IP address for the application gateway that was created when you launched the App template, and the next hop IP address should match the IP address of the load balancer that fronts the VM-Series firewall VMSS in the Inbound firewall resource group. This route allows the Application Gateway to send traffic to the Inbound firewall VMSS before routing it to the load balancer in the application resource group.

   If you have your own app and you want to configure it to secure traffic to it using the VM-Series firewalls that you deployed using the hub or the firewall template, you must do the following:

   • Set up VNET peering between the application VNet and the VNet in which your firewall VMSS are deployed.
     If you are securing inbound and outbound application traffic, on the Azure portal select the virtual network for the application and verify that VNet peering status is connected for the Hub and the Inbound firewall VNets.

   • Add the IP address of the internal Load Balancer that fronts the application to the Application gateway configuration in the inbound firewall Resource Group.
   • Add a route to the defaultBackend UDR table to direct traffic through the firewall. You need to add a route that specifies the IP address of the load balancer that fronts the application, and specify the IP address load balancer that fronts the firewall VMSS as the next hop. This route allows the Application Gateway to send traffic to the firewall VMSS before routing it to the load balancer in the application resource group.
   • Add the following tags to the internal load balancer that fronts your application workloads.
     • HubRG: Enter the name of the Hub firewall Resource Group
     • PanoramaManaged: yes
     • InboundRG: Enter the name of the Inbound firewall Resource Group

8. To onboard an app, complete the following on the Hub Firewall Resource Group.
   1. Access the Application Gateway.
   2. Add the Load balancer IP address for the sample application to the Application Gateway backend pool.

   3. Add a route to the defaultBackendUDR to direct traffic through the firewall to the application you want to secure.
      You need to add a route that specifies the address prefix of the internal load balancer IP address for the application gateway that was created when you launched the App template, and the next hop IP address should match the IP address of the load balancer that fronts the VM-Series firewall VMSS in the Inbound firewall resource group. This route allows the Application Gateway to send traffic to the Inbound firewall VMSS before routing it to the load balancer in the application resource group.

   If you have your own app and you want to configure it to secure traffic to it using the VM-Series firewalls that you deployed using the hub or the firewall template, you must do the following:

   • Set up VNET peering between the application VNet and the VNet in which your firewall VMSS are deployed.
     If you are securing inbound and outbound application traffic, on the Azure portal select the virtual network for the application and verify that VNet peering status is connected for the Hub and the Inbound firewall VNets.

   • Add the IP address of the internal Load Balancer that fronts the application to the Application gateway configuration in the inbound firewall Resource Group.
   • Add a route to the defaultBackend UDR table to direct traffic through the firewall. You need to add a route that specifies the IP address of the load balancer that fronts the application, and specify the IP address load balancer that fronts the firewall VMSS as the next hop. This route allows the Application Gateway to send traffic to the firewall VMSS before routing it to the load balancer in the application resource group.
   • Add the following tags to the internal load balancer that fronts your application workloads.
     • HubRG: Enter the name of the Hub firewall Resource Group
     • PanoramaManaged: yes
     • InboundRG: Enter the name of the Inbound firewall Resource Group

9. On Panorama, create Security policy rules.
   For securing inbound application traffic, you can specify the source zone and destination zones as any, and add the destination IP addresses as a dynamic address group object and reference it in the Security policy rule.