Set up Active/Passive HA on Azure

Set up the VM-Series firewall on Azure in a high availability set up using the VM-Series plugin.
You can configure a pair of VM-Series firewalls on Azure in an active/passive high availability (HA) configuration. For HA on Azure, you must deploy both firewall HA peers within the same Azure Resource Group and you must install the same version of the VM-Series Plugin on both HA peers.
  • Set up Active/Passive HA on Azure (North-South & East-West Traffic)—If you have an internet-facing application deployed on your Azure infrastructure, and you need to secure north-south traffic, you require a floating IP address to secure traffic on failover. This floating IP address, which enables external connectivity, is always attached to the active peer. On failover, the process of detaching the IP address and reattaching it to the now active peer can take a few minutes.
  • Set up Active/Passive HA on Azure (East-West Traffic Only)—If your application access and security requirements are contained within the Azure infrastructure and you need to secure east-west traffic only, you do not need a floating IP address. Instead, the HA implementation automatically reconfigures the UDRs in the Azure routing tables to provide a faster failover time.
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
To enable HA on the VM-Series firewall on Azure, you must create an Azure Active Directory application and Service Principal that includes the permissions listed in the table below.
Azure HA Type: Secondary IP Move HA
Permissions:
  • "Microsoft.Authorization/*/read"
  • "Microsoft.Compute/virtualMachines/read"
  • "Microsoft.Network/networkInterfaces/*"
  • "Microsoft.Network/networkSecurityGroups/*"
  • "Microsoft.Network/virtualNetworks/join/action"
  • "Microsoft.Network/virtualNetworks/subnets/join/action"
  The following permissions are required only if you have assigned a public IP address to any of your data interfaces. A Standard SKU interface is recommended.
  • "Microsoft.Network/publicIPAddresses/join/action"
  • "Microsoft.Network/publicIPAddresses/read"
  • "Microsoft.Network/publicIPAddresses/write"
Role Scope:
  • Virtual network in which the VMs are deployed
  • Two VM-Series firewalls
  • NICs of both VM-Series firewalls
  • Network Security Group
  • Public IP addresses of the VM-Series firewalls

Azure HA Type: UDR HA
Permissions:
  • "Microsoft.Authorization/*/read"
  • "Microsoft.Compute/virtualMachines/read"
  • "Microsoft.Network/routeTables/*"
  • "Microsoft.Network/networkInterfaces/*"
Role Scope:
  • Two VM-Series firewalls
  • NICs of both VM-Series firewalls
  • Route tables associated with UDR

Azure HA Type: Secondary IP Move and UDR
Permissions:
  • "Microsoft.Authorization/*/read"
  • "Microsoft.Compute/virtualMachines/read"
  • "Microsoft.Network/networkInterfaces/*"
  • "Microsoft.Network/networkSecurityGroups/*"
  • "Microsoft.Network/routeTables/*"
  • "Microsoft.Network/virtualNetworks/join/action"
  • "Microsoft.Network/virtualNetworks/subnets/join/action"
  The following permissions are required only if you have assigned a public IP address to any of your data interfaces. A Standard SKU interface is recommended.
  • "Microsoft.Network/publicIPAddresses/join/action"
  • "Microsoft.Network/publicIPAddresses/read"
  • "Microsoft.Network/publicIPAddresses/write"
Role Scope:
  • Virtual network in which the VMs are deployed
  • Two VM-Series firewalls
  • NICs of both VM-Series firewalls
  • Network Security Group
  • Public IP addresses of the VM-Series firewalls
  • Route tables associated with UDR
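As an added example (not code from this page or from Palo Alto Networks), the script below turns the permission table into a least-privilege custom Azure role, scoped to the resource group that holds both HA peers, and optionally creates that role and a Service Principal with the Azure CLI; the CLI output then supplies the Client ID, Tenant ID and Secret Key that the next section asks you to collect. The subscription ID, resource group, role name and Service Principal name are placeholders.

```shell
#!/bin/sh
# Added example (not from the page): build a least-privilege custom role for
# the VM-Series HA plugin from the permission table, then create the role and
# a Service Principal with the Azure CLI. Names and IDs are placeholders.

# Emit the custom role definition as JSON, scoped to the resource group that
# holds both HA peers. Args: <secondary-ip|udr|both> <subscription-id> <rg> [public-ip yes|no]
ha_role_definition() {
  ha_type=$1; sub=$2; rg=$3; pip=${4:-no}
  # Common to all three HA types
  actions='"Microsoft.Authorization/*/read","Microsoft.Compute/virtualMachines/read","Microsoft.Network/networkInterfaces/*"'
  nsg_vnet='"Microsoft.Network/networkSecurityGroups/*","Microsoft.Network/virtualNetworks/join/action","Microsoft.Network/virtualNetworks/subnets/join/action"'
  udr='"Microsoft.Network/routeTables/*"'
  case "$ha_type" in
    secondary-ip) actions="$actions,$nsg_vnet" ;;
    udr)          actions="$actions,$udr" ;;
    both)         actions="$actions,$nsg_vnet,$udr" ;;
    *) echo "unknown HA type: $ha_type" >&2; return 1 ;;
  esac
  # Public IP permissions only when a data interface carries a public IP;
  # UDR-only HA never moves public IPs, so it never needs them.
  if [ "$pip" = yes ] && [ "$ha_type" != udr ]; then
    actions="$actions,\"Microsoft.Network/publicIPAddresses/join/action\",\"Microsoft.Network/publicIPAddresses/read\",\"Microsoft.Network/publicIPAddresses/write\""
  fi
  printf '{"Name":"VM-Series HA (%s)","IsCustom":true,"Actions":[%s],"NotActions":[],"AssignableScopes":["/subscriptions/%s/resourceGroups/%s"]}\n' \
    "$ha_type" "$actions" "$sub" "$rg"
}

# Create the role and a Service Principal bound to it at resource-group scope
# (requires an authenticated az session). The command output contains appId
# (Client ID), tenant (Tenant ID) and password (Secret Key).
create_ha_identity() {
  ha_role_definition "$1" "$2" "$3" "${4:-no}" > ha-role.json || return 1
  az role definition create --role-definition ha-role.json >/dev/null
  az ad sp create-for-rbac --name "vmseries-ha-sp" \
    --role "VM-Series HA ($1)" \
    --scopes "/subscriptions/$2/resourceGroups/$3"
}

# Usage: sh ha-role.sh --apply <secondary-ip|udr|both> <subscription-id> <rg> [yes|no]
if [ "${1:-}" = "--apply" ]; then
  shift
  create_ha_identity "$@"
fi
```

Review the generated ha-role.json before applying it: the role should contain nothing beyond the rows of the table for the HA type you run.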

Set up Active/Passive HA on Azure (North-South & East-West Traffic)

If you want to secure north-south traffic to your applications in your Azure infrastructure, use this workflow with floating IP addresses that can quickly move from one peer to the other. Because you cannot move the IP address associated with the primary interface of the firewall on Azure, you need to assign a secondary IP address that can function as a floating IP address. When the active firewall goes down, the floating IP address moves from the active to the passive firewall so that the passive firewall can seamlessly secure traffic as soon as it becomes the active peer. In addition to the floating IP address, the HA peers also need HA links—a control link (HA1) and a data link (HA2)—to synchronize data and maintain state information.

Set up the Firewalls for Enabling HA

Gather the following details for configuring HA on the VM-Series firewalls on Azure.
  • Set up the Active Directory application and a Service Principal to enable programmatic API access.
    • For the firewall to interact with the Azure APIs, you need to create an Azure Active Directory Service Principal. This Service Principal has the permissions required to authenticate to Azure AD and access the resources within your subscription. To complete this set up, you must have permissions to register an application with your Azure AD tenant and to assign the application to a role in your subscription. If you don't have the necessary permissions, ask your Azure AD or subscription administrator to create a Service Principal. See the table above for the required permissions. Copy the following details for use later in this workflow:
      • Client ID—The Application ID associated with the Active Directory application (On the Azure portal, click Home > Azure Active Directory > App registrations, select your application and copy the ID).
      • Tenant ID—The Directory ID associated with the Active Directory (On the Azure portal, click Home > Azure Active Directory > Properties > Directory ID, select the application and copy the ID).
      • Azure Subscription ID—The Azure subscription in which you have deployed the firewalls. You must log in to your Azure portal to get this subscription ID.
      • Resource Group Name—The name of the resource group in which you have deployed the firewalls that you want to configure as HA peers. Both firewalls must be in the same resource group.
      • Secret Key—The authentication key associated with the Active Directory application (On the Azure portal, click Home > Azure Active Directory > Certificates & secrets and copy the Value under Client secrets. If you do not have a Secret Key, create one first, then copy the value). To log in as the application, you must provide both the key value and the Application ID.
  • Know where to get the templates you need to deploy the VM-Series firewalls within the same Azure Resource Group.
    For an HA configuration, both HA peers must belong to the same Azure Resource Group. If you deploy the first instance of the firewall from the Azure Marketplace, you must use your custom ARM template to deploy the second instance of the firewall into the existing Resource Group. You need a custom template or the Palo Alto Networks sample template because Azure does not support deploying the firewall into a Resource Group that is not empty.
    Copy the deployment information for the first firewall instance. For example:
  • Match the VM Name of the VM-Series firewall, as shown in the screenshot above, with the Hostname on the firewall web interface. You must add the same name on Device > Setup > Management, because the hostname of the firewall is used to trigger failover.
  • Plan the network interface configuration on the VM-Series firewalls on Azure.
    To set up HA, you must deploy both HA peers within the same Azure Resource Group and both firewalls must have the same number of network interfaces. A minimum of four network interfaces is required on each HA peer:
    • Management interface (eth0)—Private and public IP address associated with the primary interface. The public IP address enables access to the firewall web interface and SSH access.
      You can use the private IP address of the management interface as the HA1 peer IP address for the control link communication between the active/passive HA peers. If you want a dedicated HA1 interface, you must attach an additional network interface on each firewall, which means that you need five interfaces on each firewall.
    • Untrust interface (eth1/1)—Primary private IP address with /32 netmask, and secondary IP configuration with both a private IP address (any netmask) and a public IP address.
      On failover, when the passive peer transitions to the active state, the public IP address associated with the secondary IP configuration is detached from the previously active peer and attached to the now active HA peer.
    • Trust interface (eth1/2)—Primary and secondary private IP addresses. On failover, when the passive peer transitions to the active state, the secondary private IP address is detached from the previously active peer and is attached to the now active HA peer.
    • HA2 (eth1/3)—Primary private IP address. The HA2 interface is the data link that the HA peers use for synchronizing sessions, forwarding tables, IPSec security associations and ARP tables.
    Interface: Trust
    Active firewall peer: Secondary IP address
    Passive firewall peer: (none)
    Description: The trust interface of the active peer requires a secondary IP configuration that can float to the other peer on failover. This secondary IP configuration on the trust interface must be a private IP address with the netmask of the servers that it secures. On failover, the VM-Series plugin calls the Azure API to detach this secondary private IP address from the active peer and attach it to the passive peer. Attaching this IP address to the now active peer ensures that the firewall can receive traffic on the floating IP on the untrust interface and send it through to the floating IP on the trust interface and on to the workloads.

    Interface: Untrust
    Active firewall peer: Secondary IP address
    Passive firewall peer: (none)
    Description: The untrust interface of the firewall requires a secondary IP configuration that includes a static private IP address with a netmask for the untrust subnet, and a public IP address for accessing the back-end servers or workloads over the internet. On failover, the VM-Series plugin calls the Azure API to detach the secondary IP configuration from the active peer and attach it to the passive peer before it transitions to the active state. This process of floating the secondary IP configuration enables the now active firewall to continue processing inbound traffic that is destined to the workloads.

    Interface: HA2
    Active firewall peer: Add a NIC to the firewall from the Azure management console.
    Passive firewall peer: Add a NIC to the firewall from the Azure management console.
    Description: On the active and passive peers, add a dedicated HA2 link to enable session synchronization.
    The default interface for HA1 is the management interface, and you can opt to use the management interface instead of adding an additional interface to the firewall. For enabling data flow over the HA2 link, you need to add an additional network interface on the Azure portal and configure the interface for HA2 on the firewall.

Configure Active/Passive HA on the VM-Series Firewall on Azure

In this workflow, you deploy the first instance of the VM-Series firewall using the VM-Series firewall solution template in the Azure marketplace, and the second instance of the firewall using the sample GitHub template.
The authentication key (client secret) associated with the Active Directory application required for setting up the VM-Series firewall in an HA configuration is encrypted with VM-Series plugin version 1.0.4 on the firewall and on Panorama. Because the key is encrypted in VM-Series plugin version 1.0.4, you must install the same version of the plugin on Panorama and the managed VM-Series firewalls in order to centrally manage the firewalls from Panorama.
  1. Deploy the VM-Series firewall using a solution template and set up the network interfaces for HA.
    1. Add a secondary IP configuration to the untrust interface of the firewall.
      You must attach the secondary IP configuration—with a private IP address (any netmask) and a public IP address—to the firewall that will be designated as the active peer. The secondary IP configuration always stays with the active HA peer, and moves from one peer to the other when a failover occurs.
      In this workflow, this firewall will be designated as the active peer. The active HA peer has a lower numerical value for device priority that you configure as a part of the HA configuration on the firewall, and this value indicates a preference for which firewall assumes the role of the active peer.
    2. Add a secondary IP configuration to the trust interface of the firewall.
      The secondary IP configuration for the trust interface requires a static private IP address only. This IP address moves from the active firewall to the passive firewall on failover so that traffic flows through from the untrust to the trust interface and to the destination subnets that the firewall secures.
    3. Attach a network interface for the HA2 communication between the firewall HA peers.
      1. Add a subnet within the virtual network.
      2. Create and attach a network interface to the firewall.
    4. Set up your route table on Azure.
      Your next hop should point to the floating IP address as shown here:
  2. Configure the interface