End-of-Life (EoL)
Support for HA for VM-Series on Azure
Configure the VM-Series firewall on Azure in a high availability
set up using the VM-Series plugin.
With the VM-Series Plugin, you can now
configure the VM-Series firewalls on Azure in an active/passive high availability
(HA) configuration. For an HA configuration, both HA peers
must belong to the same Azure Resource Group. You can deploy the first
instance of the firewall from the Azure Marketplace, and then use
your custom ARM template or the Palo Alto Networks sample GitHub template for deploying
the second instance of the firewall into the existing Resource Group.
You need a custom template or the Palo Alto Networks sample template because Azure does not support deploying the firewall into a Resource Group that is not empty.
To ensure uptime in an HA setup on Azure, you need two things: floating IP addresses that can move quickly from the active firewall to the passive firewall, so that the passive firewall can seamlessly secure traffic as soon as it becomes the active peer; and HA links, a control link (HA1) and a data link (HA2), to synchronize data and maintain state information between the HA peers.

To
support HA, you need to configure the interfaces on the VM-Series
firewalls on Azure as follows:
Interface | Active firewall peer | Passive firewall peer | Description |
---|---|---|---|
Trust | Secondary IP address | — | The trust interface of the active peer requires a secondary IP configuration that can float to the other peer on failover. This secondary IP configuration on the trust interface must be a private IP address with the netmask of the servers that it secures. On failover, the VM-Series plugin calls the Azure API to detach this secondary private IP address from the active peer and attach it to the passive peer. Attaching this IP address to the now active peer ensures that the firewall can receive traffic on the floating IP on the untrust interface and send it through to the floating IP on the trust interface and on to the workloads. |
Untrust | Secondary IP address | — | The untrust interface of the firewall requires a secondary IP configuration that includes a static private IP address with a netmask for the untrust subnet, and a public IP address for accessing the internet. Without this public IP address, you can access internal Azure resources through the untrust interface, but you will be unable to access anything over the internet. On failover, the VM-Series plugin calls the Azure API to detach the secondary IP configuration from the active peer and attach it to the passive peer before it transitions to the active state. Floating the secondary IP configuration in this way enables the now active firewall to continue processing inbound traffic that is destined to the workloads. |
HA2 | Add a NIC to the firewall from the Azure management console. | Add a NIC to the firewall from the Azure management console. | On the active and passive peers, add a dedicated HA2 link to enable session synchronization. The default interface for HA1 is the management interface, and you can opt to use the management interface instead of adding an additional interface to the firewall. To enable data flow over the HA2 link, you need to add an additional network interface on the Azure portal and configure the interface for HA2 on the firewall. |
- Deploy a VM-Series firewall. You can use the PAN-OS 9.0 Solution template on the Azure Marketplace to deploy the first instance of the firewall, or upgrade an existing VM-Series firewall instance to PAN-OS 9.0. To complete the inputs for deploying the second instance of the firewall, note the following details about the first instance: Azure subscription, name of the Resource Group, location of the Resource Group, name of the existing VNet, VNet CIDR, subnet names associated with each interface on the first instance of the firewall, subnet CIDRs, and the starting IP address for the management, trust, and untrust subnets.
- Set up the network interfaces for HA.
  - Add a secondary IP configuration to the untrust interface of the firewall.
  - Add a secondary IP configuration to the trust interface of the firewall. The secondary IP configuration for the trust interface requires a static private IP address only. This IP address moves from the active firewall to the passive firewall on failover so that traffic flows through from the untrust to the trust interface and on to the destination subnets that the firewall secures.
  - Attach a network interface for the HA2 communication between the firewall HA peers.
- Configure the interfaces on the firewall. Complete these steps on the active HA peer before you deploy and set up the passive HA peer.
  - Log in to the firewall web interface.
  - Configure ethernet 1/1 as the untrust interface and ethernet 1/2 as the trust interface. Select Network > Interfaces to configure them.
  - Configure ethernet 1/3 as the HA interface. To set up the HA2 link, select the interface and set Interface Type to HA. Set link speed and duplex to auto.
  - Configure the VM-Series plugin to authenticate to the Azure Resource Group in which you have deployed the firewall. Select Device > VM-Series to enable programmatic access between the firewall plugin and the Azure resources.
  - Enable HA. Select Device > Setup > HA.
  - Enter the Peer HA1 IP address as the private IP address of the passive peer.
  - Edit the Data Link (HA2) to use Port ethernet 1/3, and add the IP address of this peer and the Gateway IP address for the subnet.
  - Commit the changes.
- Deploy the VM-Series firewall HA peer. For the HA peer, you can use either a custom template or the sample GitHub template that allows you to deploy the second instance of the firewall within the same Azure Resource Group. Make sure to deploy this HA peer within the same subscription, Resource Group, VNet, and subnet configuration as the first firewall instance you deployed.
- Set up the network interfaces for the passive peer and enable HA. Modify the IP addresses as appropriate for this passive HA peer. You do not have to configure the VM-Series plugin to authenticate to the Azure Resource Group, because that configuration is synchronized across the HA peers after you enable HA.
- After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.
  - Access the Dashboard on both firewalls and view the High Availability widget.
  - On the active firewall, click the Sync to peer link.
  - Confirm that the firewalls are paired and synced.
  - On the passive peer, verify that the VM-Series plugin configuration is now synced. Select Device > VM-Series and validate that you can view the Azure HA configuration that you omitted on the passive peer.
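To make the interface requirements above concrete, the following added example (not Palo Alto Networks code) encodes them as a pre-deployment check on a two-peer plan and lists the Azure operations that a failover of the secondary IP configurations entails; the plan layout, firewall names and addresses are assumptions.

```python
# Constructed model of the floating-IP failover described above. Added example, not
# Palo Alto Networks code: plan layout, names and addresses are assumed. Each NIC is
# a list of IP configurations: the first is the primary, later ones are secondary.
def ipc(name, priv, pub=None):
    return {"name": name, "private_ip": priv, "public_ip": pub}

def sample_plan():
    """Two VM-Series peers in one Resource Group (constructed addresses)."""
    active = {"name": "fw-a", "rg": "rg-ha", "nics": {
        "mgmt": [ipc("ipconfig-mgmt", "10.0.0.4", "pip-mgmt-a")],
        "untrust": [ipc("ipconfig-untrust", "10.0.1.4"),
                    ipc("ipconfig-untrust-float", "10.0.1.100", "pip-float")],
        "trust": [ipc("ipconfig-trust", "10.0.2.4"), ipc("ipconfig-trust-float", "10.0.2.100")],
        "ha2": [ipc("ipconfig-ha2", "10.0.3.4")]}}
    passive = {"name": "fw-b", "rg": "rg-ha", "nics": {
        "mgmt": [ipc("ipconfig-mgmt", "10.0.0.5", "pip-mgmt-b")],
        "untrust": [ipc("ipconfig-untrust", "10.0.1.5")],
        "trust": [ipc("ipconfig-trust", "10.0.2.5")],
        "ha2": [ipc("ipconfig-ha2", "10.0.3.5")]}}
    return active, passive

def validate_ha_plan(active, passive):
    """Return violations of the interface requirements (an empty list means the plan is OK)."""
    problems = []
    if active["rg"] != passive["rg"]:
        problems.append("HA peers must belong to the same Azure Resource Group")
    for role, needs_public in (("untrust", True), ("trust", False)):
        secondaries = active["nics"].get(role, [])[1:]   # everything after the primary
        if not secondaries:
            problems.append(f"active {role} interface needs a secondary IP configuration")
            continue
        has_public = any(c["public_ip"] for c in secondaries)
        if needs_public and not has_public:
            problems.append("untrust secondary IP configuration needs a public IP address")
        if has_public and not needs_public:
            problems.append("trust secondary IP configuration must be a private IP address only")
    for fw in (active, passive):
        if "ha2" not in fw["nics"]:
            problems.append(f"{fw['name']} needs an additional NIC for the HA2 link")
    return problems

def failover_operations(active, passive):
    """Azure API calls the plugin makes so the secondary configurations follow the new active peer."""
    ops = []
    for role in ("untrust", "trust"):
        for cfg in active["nics"][role][1:]:
            ops.append(f"detach {cfg['name']} ({cfg['private_ip']}) from {active['name']} {role} NIC")
            ops.append(f"attach {cfg['name']} ({cfg['private_ip']}) to {passive['name']} {role} NIC")
    ops.append(f"{passive['name']} transitions to active")   # only after the IPs have moved
    return ops
```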