The VM-Series & Azure Application Gateway template launches all the resources you need to deploy and secure your web workloads for Internet facing deployments on Microsoft Azure. This section provides details on how to deploy the template, configure the firewalls to route and secure traffic destined to the web servers, and extend the capabilities and resources that this template provides to accommodate your deployment needs.
Deploy the Template to Azure
Use the following instructions to deploy the template to Azure.
Deploy the template.
  1. Access the template from https://github.com/PaloAltoNetworks/azure-application gateway and click Deploy to Azure.
  2. Fill in the details for deploying the template. See VM-Series and Azure Application Gateway Template Parameters for a description and the default values, if any, for each parameter. At a minimum, you have to pick the Azure Subscription, Resource Group, Location, Storage Account Name, and a Username/password or SSH Key for the administrative account on the VM-Series firewalls.
  3. Click Purchase to accept the terms and conditions and deploy the resources. If you have validation errors, click to view the details and fix your errors.
  4. On the Azure portal, verify that you have successfully deployed the template resources, including the VM-Series firewalls. Select Dashboard > Resource Groups, select the resource group, and then select Overview to review all the resources that have been deployed. The deployment status should display Succeeded.
Note the Public IP address or the DNS name assigned to eth0-VM-Series0 and eth0-VM-Series1 to access the management interface of the VM-Series firewalls.
Log in to the firewalls. Using a secure connection (https) from your web browser, log in to the IP address for eth0-VM-Series0 or the DNS name for the firewall. Enter the username/password you defined in the parameters file. You will see a certificate warning; that is okay. Continue to the web page.
Configure the VM-Series firewall. You can either configure the firewall manually or import the Sample Configuration File provided in the GitHub repository and customize it for your security needs.
To configure the firewall manually, you must do the following at a minimum:
  1. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall (Network > Interfaces > Ethernet).
  2. Add a static route to the virtual router on the firewall (Network > Virtual Routers, select the router and click Static Routes). This static route specifies the firewall's untrust interface IP address as the next-hop address for any traffic destined for ethernet1/1.
  3. Create security policy rules (Policies > Security) to allow inbound and outbound traffic on the firewall.
  4. Add NAT policies (Policies > NAT). You must create destination NAT and source NAT rules on the firewall to send traffic to the web servers and back out to the client who initiated the request. The destination NAT rule is for all traffic that arrives on the firewall's untrust interface; it translates the destination IP address on the packet to that of the internal load balancer so that all traffic is directed to the internal load balancer and on to the backend web servers. The source NAT rule is for all traffic from the backend web servers destined to the untrust interface on the firewall; it translates the source address to the IP address of the trust interface on the firewall.
  5. Commit your changes.
To import the sample configuration file:
  1. Download and save the Sample Configuration File to your local client.
  2. Select Device > Setup > Operations, click Import named configuration snapshot, browse to the sample configuration file that you saved locally, and click OK.
  3. Click Load named configuration snapshot, select the Name of the sample configuration file you just imported, and click OK.
  4. Change the IP address of the address objects and the static route to match the IP addresses from the CIDR block you used.
  5. Click Commit to overwrite the running configuration with the sample configuration you just imported. When you commit, the hostname and the administrator user account that you specified when deploying the template are overwritten, so you must create a new admin user account and delete the pandemo admin account that is provided in the template.
  6. Create a new admin user account: select Device > Administrators and Add a new account.
  7. Modify the Hostname in the General Settings widget in Device > Setup > Management.
  8. Commit your changes, and log out.
  9. Log in to the firewall using the credentials you created, and delete the pandemo admin account.
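As an added example that is not part of the template repository or of this documentation: a small Python check for the "change the IP addresses to match your CIDR block" step of the import procedure. It runs against a constructed PAN-OS-style XML fragment (the element paths and the IP values are assumptions modelled on the template defaults; it is not the real appgw-sample.xml) and reports every address object or static-route next hop that does not match the Untrust and backend subnets you actually deployed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the PAN-OS configuration layout for the objects the
# sample file is described as containing. NOT the real appgw-sample.xml: element paths
# and addresses are assumptions based on the template defaults (Untrust 192.168.1.0/24,
# backend 192.168.4.0/24, static route to the application gateway subnet via 192.168.1.1).
SAMPLE_XML = """<config>
  <devices><entry name="localhost.localdomain">
    <network><virtual-router><entry name="default"><routing-table><ip><static-route>
      <entry name="to-appgw"><destination>192.168.3.0/24</destination>
        <nexthop><ip-address>192.168.1.1</ip-address></nexthop></entry>
    </static-route></ip></routing-table></entry></virtual-router></network>
    <vsys><entry name="vsys1"><address>
      <entry name="firewall-untrust-IP"><ip-netmask>192.168.1.4</ip-netmask></entry>
      <entry name="internal-load-balancer-IP"><ip-netmask>192.168.4.4</ip-netmask></entry>
    </address></entry></vsys>
  </entry></devices>
</config>"""


def check_config(xml_text, untrust_cidr, backend_cidr):
    """Return a list of mismatches between the configuration and the deployed subnets.

    An empty list means every value the import procedure tells you to adjust already
    matches the Untrust and backend CIDR blocks chosen when the template was deployed.
    """
    root = ET.fromstring(xml_text)
    untrust = ipaddress.ip_network(untrust_cidr)
    backend = ipaddress.ip_network(backend_cidr)
    # Azure reserves the first usable address of every subnet as its default gateway,
    # which is why the sample static route uses 192.168.1.1 for 192.168.1.0/24.
    expected_hop = untrust[1]
    problems = []

    addrs = {}
    for block in root.iter("address"):
        for entry in block.findall("entry"):
            addrs[entry.get("name")] = entry.findtext("ip-netmask")
    for name, net in (("firewall-untrust-IP", untrust), ("internal-load-balancer-IP", backend)):
        value = addrs.get(name)
        if value is None:
            problems.append(f"address object {name} is missing")
        elif ipaddress.ip_interface(value).ip not in net:
            problems.append(f"{name}={value} is outside {net}")

    for table in root.iter("static-route"):
        for entry in table.findall("entry"):
            hop = entry.findtext("nexthop/ip-address")
            if hop is None or ipaddress.ip_address(hop) != expected_hop:
                problems.append(f"static route {entry.get('name')} next hop {hop} should be {expected_hop}")
    return problems


if __name__ == "__main__":
    print(check_config(SAMPLE_XML, "192.168.1.0/24", "192.168.4.0/24") or "configuration matches")
```

Export the running configuration (Device > Setup > Operations) and pass that file in place of the constructed fragment to check a firewall you have already loaded the sample on.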
Log in and configure the other instance of the VM-Series firewall. See Configure the VM-Series firewall.
Verify that you have configured the firewalls properly. From your web browser, use http to access the IP address or DNS name for the app gateway. You should be able to view the default Apache 2 Ubuntu web page.
If you used the sample configuration file, log in to the firewall and view the Traffic logs generated on session start in Monitor > Logs > Traffic.
VM-Series and Azure Application Gateway Template Parameters
The following table lists the required and optional parameters and the default values, if any.
| Parameter | Description |
| --- | --- |
| Resource group | Create new or use existing (no default). |
| Subscription | The type of Azure subscription you will use to cover the cost of the resources deployed with the template. |
| Location | Select the Azure location to which you want to deploy the template (no default). |
| Network Security Group | |
| Network Security Group Name | The network security group limits the source IP addresses from which the VM-Series firewalls and web servers can be accessed. Default: nsg-mgmt |
| Network Security Group Inbound Src IP | The source IP addresses that can log in to the management port of the VMs deployed by the template. The default value 0.0.0.0/0 means you can log in to the firewall management port from any IP address. |
| Storage Account | |
| Storage Account Name | Create new or enter the name of an existing Storage Account (no default). The name must be globally unique. |
| Storage Account Type | Choose between standard and premium storage and your data replication needs for local redundancy, geo-redundancy, and read-access geo-redundancy. The default option is Locally Redundant Storage (LRS). The other options are Standard GRS, Premium LRS, and Standard RAGRS. |
| VNet | |
| Virtual Network | Create new or enter the name of an existing VNet. The default name for the VNet is vnet-FW. |
| Virtual Network Address Prefix | Default: 192.168.0.0/16 |
| Azure Application Gateway | |
| App Gateway Name | Default: myAppGw |
| App Gateway DNS Name | Enter a globally unique DNS name for the Azure Application Gateway. |
| App Gateway Subnet Name and Prefix | Default name is AppGWSubnet and the subnet prefix is 192.168.3.0/24. |
| Azure Load Balancer and Web Servers | |
| Internal Load Balancer Name | Default: myPrivateLB |
| Internal Load Balancer Subnet Name and Prefix | Default name is backendSubnet and the subnet prefix is 192.168.4.0/24. |
| Backend Vm Size | The default size is Standard tier D1 Azure VM. Use the drop-down in the template to view the other Azure VM options available for the backend web servers. |
| Firewalls | |
| Firewall Model | Choose from BYOL or PAYG (bundle 1 or bundle 2; each bundle includes the VM-300 and a set of subscriptions). |
| Firewall Vm Name and Size | The default name for the firewall is VM-Series, and the default size is Standard tier D3 Azure VM. Use the drop-down in the template to view the other Azure VM options available for the VM-Series firewalls. |
| Mgmt Subnet Name and Prefix | The management subnet for the VM-Series firewalls and the web servers deployed in this solution. Default name is Mgmt and the subnet prefix is 192.168.0.0/24. |
| Mgmt Public IP Address Name | Enter a hostname to access the management interface on each firewall. The names must be globally unique. |
| Trusted Subnet Name and Prefix | The subnet to which eth1/1 on the VM-Series firewall is connected; this subnet connects the VM-Series firewall to the Azure Application Gateway. The firewall receives web traffic destined to the web servers on eth1/1. Default name is Trust and the subnet prefix is 192.168.2.0/24. |
| Untrusted Subnet Name | The subnet to which eth1/2 on the VM-Series firewall is connected. The firewall receives return and outbound web traffic on this interface. Default name is Untrust and the subnet prefix is 192.168.1.0/24. The name must be globally unique. |
| Username | Enter the username for the administrative account on the VM-Series firewalls and the web servers. |
| Authentication Type | You must either enter a password for authentication or use an SSH public key (no default). |
Sample Configuration File
To help you get started, the GitHub repository contains a sample configuration file named appgw-sample.xml that includes the following rules/objects:
Address objects — Two address objects, firewall-untrust-IP and internal-load-balancer-IP, which you will need to modify to match the IP addresses in your setup.
Static route — The default virtual router on the firewall has a static route to 192.168.1.1, and this IP address is accurate if you use the default template values. If you have changed the Untrust subnet CIDR, you'll need to update the IP address to match your setup. All traffic coming from the backend web servers, destined for the application gateway, uses this IP address as the next hop for delivering packets to the untrust interface on the firewall.
NAT Policy Rule — The NAT policy rule enables destination NAT and source NAT. The destination NAT rule is for all traffic that arrives on the firewall's untrust interface (ethernet1/2), which is the firewall-untrust-IP address object. This rule translates the destination IP address on the packet to that of the internal load balancer so that all traffic is directed to the internal load balancer and thus to the backend web servers. The source NAT rule is for all traffic from the backend web server and destined to the untrust network interface on the firewall. This rule translates the source address to the IP address of the trust interface on the firewall (ethernet1/2).
Security Policy Rule — Two Security policy rules are defined in the sample configuration file. The first rule allows all inbound web-browsing traffic and generates a log at the start of a session on the firewall. The second rule blocks all other traffic and generates a log at the start and end of a session on the firewall. You can use these logs to monitor all traffic to the web servers in this deployment.
Administrative User Credentials — The sample configuration file includes a username and password for logging in to the firewall, which is set to pandemo/demopassword.
After you import the sample configuration, you must either change the password and set it to a strong, custom password or create a new administrator account and delete the pandemo account.
Adapt the Template
As your needs evolve, you can scope your capacity needs and extend the template for your deployment scenario. Here are some ways you can build on the starter template to meet your planned capacity needs:
Deploy additional VM-Series firewalls behind the Azure Application Gateway. You can manually install more VM-Series firewalls into the same Availability Set or launch a new Availability Set and manually deploy additional VM-Series firewalls.
Configure the VM-Series firewalls beyond the basic configuration provided in the sample configuration file in the GitHub repository.
Enable HTTPS load balancing (SSL offload) on the Azure Application Gateway. Refer to the Azure documentation for details.
Add or replace the sample web servers included with the template.

Related Documentation