Orchestrate a VM-Series Firewall Deployment in Azure
Learn how to orchestrate a VM-Series firewall deployment in Azure.
You can create a maximum of ten orchestrated deployments. Additionally, each orchestrated deployment supports up to 100 applications.
Azure China and Azure Government are not supported.
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
- Create a service principal. Onboard the credentials of the service principal you created to give the Panorama plugin permission to make the API calls needed to orchestrate your deployment.
- Select Setup > Service Principal > Add.
- Enter a Name and an optional Description to identify the service account.
- Enter the Subscription ID for the Azure subscription you want to monitor. You must log in to your Azure portal to get this subscription ID.
- Enter the Client ID. The client ID is the Application ID associated with your Azure Active Directory application.
- Enter the Client Secret and re-enter it to confirm.
- Enter the Tenant ID. The tenant ID is the Directory ID you saved when you set up the Active Directory application.
- Click Validate to verify that the keys and IDs you entered are valid and that Panorama can communicate with the Azure subscription using the API. Validation can take up to a minute; refresh the page to check your progress.
- When the service principal is valid, commit your changes. The commit ensures the service principal is available when you configure the deployment.
- Configure your Azure deployment.
- Select Deployments and Add a configuration.
- Supply a Name and an optional Description.
- Choose a service principal from the drop list. You must select a valid service principal to enable the Azure tab. If you don't see your service principal, return to Step 1 and ensure the service principal is valid and committed.
- On the Build > Azure tab, select a region. The drop list is dynamic: it lists all regions that have a Palo Alto Networks VM-Series Next Generation Firewall image.
- Existing VNET.
- Select No to create a new VNET. The plugin uses the VNET CIDR and Directory Domain to create a VNET for you.
- VNET CIDR—Enter your CIDR range. The prefix must be smaller than or equal to /22. For example, 192.168.0.0/22.
- Select Yes to indicate an existing VNET. If you select Yes, the plugin asks for the VNET Resource Group, the VNET Name, the Security CIDR, and the Directory Domain. The VNET Resource Group and VNET Name help the plugin locate your existing VNET. Anything the plugin deploys goes into a resource group that the plugin manages.
- VNET Resource Group—Choose from a list of all resource groups in your selected region.
- VNET Name—Choose from a list of VNETs in your chosen resource group.
- Security CIDR—Enter your CIDR range. The prefix must be smaller than or equal to /22. For example, 192.168.0.0/22.
- Configure the VM-Series firewall stacks for your deployment. You can deploy the Hub stack to protect outbound and East-West traffic, the Inbound stack to protect inbound traffic, or both stacks if all traffic flows need to be protected. Each inbound stack can secure up to 10 applications. The configuration parameters are the same for both stacks.
- Existing Device Group—The device group must be unique across both stacks and deployments; that is, you need a separate dedicated device group for each stack in each deployment. If you select No, the plugin creates a device group. If you select Yes, select an existing device group from the dropdown list.
- License Type—Select BYOL, Bundle 1, or Bundle 2.
- License Authcode—(BYOL only) Enter the authcode sent in your Welcome letter.
- VM Size—With BYOL, the drop list displays the VM sizes that correlate with the authcode you entered. With Bundle 1 or Bundle 2, choose any VM size.
- Min Firewalls—A value between 1 and 25 for a VMSS.
- Max Firewalls—A value between 1 and 25 for a VMSS.
- Select Build > Firewall > Basic to configure information common to both stacks. For Image Type, select Marketplace Image or Custom Image.
- Image—(Custom Image only) The dropdown list displays all images in your chosen resource group.
- Password—The administrator password for the firewall you create. The password must meet the character and length requirements (31 characters) of both the VM-Series firewall and Azure. Refer to "What are the password requirements when creating a VM?".
- Confirm Password—Re-enter your password.
- Primary Panorama IP—Specify the Panorama IP address the firewall uses to connect to Panorama when it boots up. Choose between the public and private IP address displayed in the dropdown list, or type in the Panorama IP address.
- Secondary Panorama IP—(Only if Panorama is in an HA setup.) Specify the secondary Panorama IP address the firewall can use to connect to Panorama when it boots up. Choose from the dropdown list or type in the correct IP address.
- Configure the Device Certificate PIN. Because these values are encrypted, you must enter and confirm each value.
- Device Certificate PIN ID—The device certificate ID.
- Confirm Device Certificate PIN ID
- Device Certificate PIN Value—The certificate PIN value.
- Confirm Device Certificate PIN Value
- Select Build > Firewall > Advanced to view optional default values. Check Advanced to edit the default values.
- Autoscaling Metric—Default is Data Plane CPU Util Percent.
- Scale In Threshold—Accept the default or define a scale in threshold.
- Scale Out Threshold—Accept the default or define a scale out threshold.
- Jumbo Frame—Disabled by default.
Click OK and commit your changes. Refresh the page until you can see the Deploy button, and click Deploy to launch the deployment. Once the deployment starts, information is written to the Deployments page. Deployment takes 15-20 minutes to complete.
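The form above is only checked by the plugin once you click Deploy, and a failed deployment costs 15-20 minutes. The following pre-deployment check is an added example (it is not part of the Panorama plugin or of Palo Alto Networks' code) that encodes the limits stated in the steps above so a form can be rejected early: VNET and Security CIDR must be a valid IPv4 network with a prefix no longer than /22 (the page's "smaller than or equal to /22" is read here as a prefix length of at most 22), Min and Max Firewalls must be between 1 and 25 with Min not above Max, BYOL needs an authcode, an existing device group may not be reused by another stack or deployment, an inbound stack carries at most ten applications, and the plugin allows at most ten deployments. The dict layout, field names, and the reading of the 31-character password requirement as a maximum are assumptions; the sample forms are constructed.

```python
import ipaddress

MAX_DEPLOYMENTS = 10             # ten orchestrated deployments per plugin
MAX_APPS_PER_INBOUND_STACK = 10  # ten applications per inbound stack
MAX_FIREWALLS_PER_VMSS = 25      # Min/Max Firewalls range is 1-25
MAX_PASSWORD_LENGTH = 31         # the 31-character requirement, read as a maximum (assumption)
MAX_PREFIX_LEN = 22              # "prefix smaller than or equal to /22", read as prefixlen <= 22
LICENSE_TYPES = ("BYOL", "Bundle 1", "Bundle 2")


def check_cidr(label, cidr, errors):
    """Append a message to errors unless cidr is a valid IPv4 network no longer than /22."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        errors.append(f"{label}: {cidr!r} is not a valid network ({exc})")
        return
    if net.version != 4:
        errors.append(f"{label}: IPv6 is not supported, got {cidr}")
    elif net.prefixlen > MAX_PREFIX_LEN:
        errors.append(f"{label}: prefix /{net.prefixlen} is longer than /{MAX_PREFIX_LEN}")


def check_stack(name, stack, errors):
    """Validate the per-stack fields; the parameters are the same for Hub and Inbound."""
    lo, hi = stack.get("min_firewalls"), stack.get("max_firewalls")
    for field, value in (("Min Firewalls", lo), ("Max Firewalls", hi)):
        if not isinstance(value, int) or not 1 <= value <= MAX_FIREWALLS_PER_VMSS:
            errors.append(f"{name}: {field} must be 1-{MAX_FIREWALLS_PER_VMSS}, got {value!r}")
    if isinstance(lo, int) and isinstance(hi, int) and lo > hi:
        errors.append(f"{name}: Min Firewalls {lo} exceeds Max Firewalls {hi}")
    if stack.get("license_type") not in LICENSE_TYPES:
        errors.append(f"{name}: License Type must be one of {LICENSE_TYPES}")
    if stack.get("license_type") == "BYOL" and not stack.get("authcode"):
        errors.append(f"{name}: BYOL requires a License Authcode")
    if name == "inbound" and len(stack.get("applications", ())) > MAX_APPS_PER_INBOUND_STACK:
        errors.append(f"{name}: more than {MAX_APPS_PER_INBOUND_STACK} applications")


def validate_deployment(dep, existing_device_groups=frozenset(), existing_deployments=0):
    """Return the list of problems found; an empty list means the form passes these checks.

    existing_device_groups: device groups already dedicated to other stacks/deployments.
    existing_deployments:   number of orchestrated deployments that already exist.
    """
    errors = []
    if existing_deployments >= MAX_DEPLOYMENTS:
        errors.append(f"deployment limit of {MAX_DEPLOYMENTS} reached")
    if dep.get("existing_vnet"):
        for field in ("vnet_resource_group", "vnet_name"):
            if not dep.get(field):
                errors.append(f"{field} is required when using an existing VNET")
        check_cidr("Security CIDR", dep.get("security_cidr", ""), errors)
    else:
        check_cidr("VNET CIDR", dep.get("vnet_cidr", ""), errors)
    if len(dep.get("password", "")) > MAX_PASSWORD_LENGTH:
        errors.append(f"password exceeds {MAX_PASSWORD_LENGTH} characters")
    if not dep.get("primary_panorama_ip"):
        errors.append("Primary Panorama IP is required")
    stacks = dep.get("stacks", {})
    if not stacks:
        errors.append("deploy at least one stack (hub, inbound, or both)")
    seen = set(existing_device_groups)
    for name, stack in stacks.items():
        check_stack(name, stack, errors)
        group = stack.get("device_group")  # None means the plugin creates one
        if group is not None:
            if group in seen:
                errors.append(f"{name}: device group {group!r} is already dedicated elsewhere")
            seen.add(group)
    return errors


# Constructed sample forms (no real tenant data; the authcode is a placeholder).
GOOD_FORM = {
    "existing_vnet": False, "vnet_cidr": "192.168.0.0/22",
    "password": "x" * 20, "primary_panorama_ip": "10.0.0.4",
    "stacks": {
        "hub": {"device_group": "dg-hub-1", "license_type": "BYOL",
                "authcode": "PLACEHOLDER-AUTHCODE", "min_firewalls": 2, "max_firewalls": 6},
        "inbound": {"device_group": "dg-inbound-1", "license_type": "Bundle 2",
                    "min_firewalls": 2, "max_firewalls": 4, "applications": ["web", "api"]},
    },
}
BAD_FORM = {
    "existing_vnet": True, "vnet_resource_group": "rg-shared", "vnet_name": "vnet-prod",
    "security_cidr": "192.168.1.0/24",      # prefix longer than /22
    "password": "x" * 40,                    # over the 31-character limit
    "primary_panorama_ip": "10.0.0.4",
    "stacks": {
        "hub": {"device_group": "dg-shared", "license_type": "BYOL", "authcode": "",  # no authcode
                "min_firewalls": 5, "max_firewalls": 3},                              # min > max
        "inbound": {"device_group": "dg-shared", "license_type": "Bundle 1",         # reused group
                    "min_firewalls": 1, "max_firewalls": 30},                         # max > 25
    },
}

if __name__ == "__main__":
    for label, form in (("good", GOOD_FORM), ("bad", BAD_FORM)):
        print(label, "->", validate_deployment(form) or "OK")
```

The check is deliberately conservative: a device group of `None` is allowed because the plugin creates one when you answer No to Existing Device Group, but any group you name must not already be dedicated to another stack, which is what `existing_device_groups` carries in from your other deployments.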
- Select Azure > Deployments to view deployment status.
- The Resource Group column displays resource groups the plugin has created.
- The firewall's management interface uses the Firewall Access IP to connect to Panorama. You must whitelist this address to ensure that the firewalls can connect to Panorama to get the needed configuration. If Panorama is deployed in a public cloud, make sure to add the Firewall Access IP to the Panorama security group. See Ports Used for Panorama to determine which ports you need to open to allow traffic.
- Open the link in the Deployment Status column for additional details for each stack.
- Hub-Stack—The Hub stack Public IP matches the Firewall Access IP in the deployment summary because the same NAT gateway serves both egress traffic from the deployment and the management traffic from the firewalls. All outbound and East-West traffic should be routed to the Egress Private IP for inspection. You can direct traffic to this address if you configured UDRs.
- Inbound-Stack—The Private IP is the address on the Azure internal load balancer that fronts the firewalls. You can direct traffic to this address if you are configuring UDRs.
- Follow the links to view deployment information and Application Insights on Azure.
- The Deployment details can show Success, Warning, and Failure messages.
- Configure inbound protection for backend TCP/UDP applications. The public load balancer that fronts the inbound firewall stack is the entry point for any backend UDP or TCP application. Add the following configuration to allow the plugin to manage the load balancer and firewall configuration needed to route traffic to your backend application.
- Select Azure > Deployments and select your deployment.
- Select the Protect tab and click Add.
- Supply the application Name and choose a Protocol. Enter the protection details:
- Frontend IP Type—Select one of New Public IP, Existing Frontend, or Existing Public IP. If you select Existing Frontend, the Frontend Name list shows all known front ends on the load balancer.
- Resource Group—(Existing Public IP only) From the dropdown list, select the resource group where your desired frontend IP address exists.
- IP Name—(Existing Public IP only) Used to map the IP address to a frontend on the load balancer, configure the load balancer, and create a NAT rule.
- Frontend Port—Add the frontend port that should be configured to receive traffic on the public load balancer.
- Backend IP—Add the IP address of your backend application.