Parameters in the Auto Scaling Templates for Azure

What are the inputs in each template in the auto scaling templates for the VM-Series on Azure?
This section describes the values you need to provide as input when you deploy the template resources that enable you to auto scale the VM-Series firewalls on Azure with your application workloads.

Infrastructure Template Parameters

Inputs for the infrastructure template are as follows:
  • Panorama Plugin Message Handler Name—The name of the Azure Function that will pass messages to the Panorama plugin for Azure. The Azure function URL will begin with this name.
  • Storage Account Type—Select the type you want to use.
  • Repo URL—The URL for the parent GitHub repository that hosts the templates. The location where Palo Alto Networks posts these templates is: https://github.com/PaloAltoNetworks/azure-autoscaling/tree/master/Version-1-0
  • Branch—Leave as is.
  • Service Bus Name—The name of the Service Bus to which Panorama subscribes for notifications from Azure. The value must be between 6 and 50 characters long. This name has to be globally unique, must start and end with a letter or number, and can contain letters, numbers, and hyphens only.

Inbound Firewall Template Parameters

The inputs for the Inbound Firewall template vary depending on whether you are starting from scratch and are using the template for a greenfield deployment or you have an existing VNet with an Azure Application Gateway and want to deploy the VM-Series firewalls along with the associated subnets and internal load balancer for the VMSS.
Inputs for the Inbound Firewall template for a greenfield deployment are as follows:
  • Resource Group Name and Location—Create a new Resource group and pick a location.
  • App GatewayDns Name—A name for the Azure Application Gateway.
  • Network Security Group Inbound Src IP: Used to restrict inbound access to the firewall management interface. Enter the value in CIDR format, for example: 199.16.5.122/32.
  • Fw Load Balancer IP: Enter an IP address from the Untrust subnet CIDR to assign to the Azure load balancer that fronts the firewall VMSS. The Azure Application Gateway will use this IP address to send traffic onward to the firewall. For example: 192.168.1.4
  • Deploy Into Existing Vnet—No
    A new VNet with all the components listed in the Inbound Firewall template is deployed for you. See Auto Scaling on Azure - Components and Planning Checklist.
  • virtualNetworkName—The name of the VNet in which you want to deploy the resources in this template.
  • virtualNetworkAddressPrefix—For example: 192.168.0.0/21
  • mgmtSubnetPrefix—For example: 192.168.0.0/24
  • untrustSubnetPrefix—For example: 192.168.1.0/24
  • trustSubnetPrefix—For example: 192.168.2.0/24
  • appGatewaySubnetPrefix: For example: 192.168.3.0/24
  • vmSeriesFirewallModel: BYOL or PAYG bundles
  • vmSeriesImageVersion: 8.1 or 9.0. See the Panorama plugin version information in the Compatibility Matrix.
    If you choose PAN-OS 9.0, you must install the VM-Series plugin on Panorama. See Auto Scaling on Azure - Components and Planning Checklist for details.
  • vmSeriesFirewallVmSize: Standard_D3_v2 (default). See VM instance types for minimum system requirements on the VM-Series firewall on Azure, and refer to Azure Virtual Machines for a list of instance types available for your region.
  • Username—Enter a username for logging in to the firewall web interface.
  • Authentication Type: password or SSH key
  • Bootstrap Storage Account—Enter the Name of the storage account.
  • Bootstrap Storage Account Access Key—Specify the storage account key.
  • bootstrapFileShare—The name of the fileshare that holds the bootstrap folder structure.
  • bootstrapSharedDir—This directory name is optional.
  • VM Scale Set Min Count—Enter a value between 1 and 3. Default is 1.
  • VM Scale Set Max Count—Enter a value between 1 and 3. Default is 1.
  • Auto Scale Metric—Active Sessions (default). To view all the supported metrics, see Custom PAN-OS Metrics Published for Monitoring.
  • scaleInThreshold—Enter the threshold for a scaling event. This input can be a number or a percentage based on the scaling metric you selected above.
  • scaleOutThreshold—Enter the threshold for a scaling event. This input can be a number or a percentage based on the scaling metric you selected above.
  • Panorama Plugin Message Handler URL: This is the name for the Azure Function that you entered in the infrastructure template. This URL allows the Service Bus queue and the Panorama plugin for Azure to send messages about your Azure resources. For example: https://test-asc-function-handler.azurewebsites.net/api/infra?code=IKDDx5U2HddsabcdE==
Inputs for the Inbound Firewall template for a brownfield deployment are as follows:
  • Resource Group Name and Location—Create a new Resource group and pick a location.
  • App GatewayDns Name—Leave the default value. In a brownfield deployment, this template assumes that you have already deployed the Application Gateway, so this value is not relevant.
  • Network Security Group Inbound Src IP: Used to restrict inbound access to the firewall management interface. Enter the value in CIDR format, for example: 199.16.5.122/32.
  • Fw Load Balancer IP: Enter an IP address from the Untrust subnet CIDR to assign to the Azure load balancer that fronts the firewall VMSS. The Azure Application Gateway will use this IP address to send traffic onward to the firewall. For example: 192.168.1.4
  • Deploy Into Existing Vnet—Yes
  • virtualNetworkName—The name of the existing VNet in which you want to deploy the firewall VMSS resources.
  • virtualNetworkAddressPrefix—For example: 192.168.0.0/21
  • mgmtSubnetPrefix—For example: 192.168.0.0/24
  • untrustSubnetPrefix—For example: 192.168.1.0/24
  • trustSubnetPrefix—For example: 192.168.2.0/24
  • appGatewaySubnetPrefix: Enter the subnet in which your Application Gateway is deployed. For example: 192.168.3.0/24
  • vmSeriesFirewallModel: BYOL or PAYG bundles
  • vmSeriesImageVersion: 8.1 or 9.0.
    If you choose PAN-OS 9.0, you must install the VM-Series plugin on Panorama. See Auto Scaling on Azure - Components and Planning Checklist for details.
  • vmSeriesFirewallVmSize: Standard_D3_v2 (default). See VM instance types for minimum system requirements on the VM-Series firewall on Azure, and refer to Azure Virtual Machines for a list of instance types available for your region.
  • Username—Enter a username for logging in to the firewall web interface.
  • Authentication Type: password or SSH key
  • Bootstrap Storage Account—Enter the Name of the storage account.
  • Bootstrap Storage Account Access Key—Specify the storage account key.
  • bootstrapFileShare—The name of the fileshare that holds the bootstrap folder structure.
  • bootstrapSharedDir—This directory name is optional.
  • VM Scale Set Min Count—Enter a value between 1 and 3. Default is 1.
  • VM Scale Set Max Count—Enter a value between 1 and 3. Default is 1.
  • Auto Scale Metric—Active Sessions (default). To view all the supported metrics, see Custom PAN-OS Metrics Published for Monitoring.
  • scaleInThreshold—Enter the threshold for a scaling event. This input can be a number or a percentage based on the scaling metric you selected above.
  • scaleOutThreshold—Enter the threshold for a scaling event. This input can be a number or a percentage based on the scaling metric you selected above.
  • Panorama Plugin Message Handler URL: This is the name for the Azure Function that you entered in the infrastructure template. This URL allows the Service Bus queue and the Panorama plugin for Azure to send messages about your Azure resources. For example: https://test-asc-function-handler.azurewebsites.net/api/infra?code=IKDDx5U2HddsabcdE==
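
A pre-deployment consistency check for the infrastructure and Inbound Firewall inputs listed above, as an added example that is not part of the original page or of the Palo Alto Networks templates. It goes slightly beyond the stated rules by also checking subnet overlap, Azure's reserved subnet addresses, and that the scale set minimum does not exceed the maximum. Assumptions: the dictionary keys serviceBusName, fwLoadBalancerIP, nsgInboundSrcIP, vmssMinCount and vmssMaxCount are hypothetical names for the page's display labels, and the sample values are constructed from the page's examples.

```python
import ipaddress
import re

# Service Bus Name rule from the page: 6-50 characters, letters, numbers and
# hyphens only, starting and ending with a letter or number.
SERVICE_BUS_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{4,48}[A-Za-z0-9]$")
SUBNET_KEYS = ("mgmtSubnetPrefix", "untrustSubnetPrefix",
               "trustSubnetPrefix", "appGatewaySubnetPrefix")

# Constructed sample built from the page's example values. The keys
# serviceBusName, fwLoadBalancerIP, nsgInboundSrcIP, vmssMinCount and
# vmssMaxCount are hypothetical names for the page's display labels.
SAMPLE = {
    "serviceBusName": "test-asc-servicebus",
    "virtualNetworkAddressPrefix": "192.168.0.0/21",
    "mgmtSubnetPrefix": "192.168.0.0/24", "untrustSubnetPrefix": "192.168.1.0/24",
    "trustSubnetPrefix": "192.168.2.0/24", "appGatewaySubnetPrefix": "192.168.3.0/24",
    "fwLoadBalancerIP": "192.168.1.4", "nsgInboundSrcIP": "199.16.5.122/32",
    "vmssMinCount": 1, "vmssMaxCount": 1,
}


def validate_inputs(p):
    """Return a list of problems in p; raises ValueError on malformed CIDR."""
    problems = []
    if not SERVICE_BUS_NAME.match(p["serviceBusName"]):
        problems.append("serviceBusName: violates length or character rules")
    vnet = ipaddress.ip_network(p["virtualNetworkAddressPrefix"])
    subnets = {k: ipaddress.ip_network(p[k]) for k in SUBNET_KEYS}
    for i, (key, net) in enumerate(subnets.items()):
        if not net.subnet_of(vnet):
            problems.append(f"{key}: {net} is outside VNet {vnet}")
        for other in SUBNET_KEYS[i + 1:]:
            if net.overlaps(subnets[other]):
                problems.append(f"{key} overlaps {other}")
    # Azure reserves the first four and the last address of every subnet.
    lb = ipaddress.ip_address(p["fwLoadBalancerIP"])
    untrust = subnets["untrustSubnetPrefix"]
    if lb not in untrust or lb in {*(untrust[i] for i in range(4)), untrust[-1]}:
        problems.append(f"fwLoadBalancerIP: {lb} is not usable in {untrust}")
    # The NSG source restricts management access; a /0 prefix defeats it.
    if ipaddress.ip_network(p["nsgInboundSrcIP"]).prefixlen == 0:
        problems.append("nsgInboundSrcIP: open to any source address")
    if not 1 <= p["vmssMinCount"] <= p["vmssMaxCount"] <= 3:
        problems.append("vmssMinCount/vmssMaxCount: need 1 <= min <= max <= 3")
    return problems

if __name__ == "__main__":
    print(validate_inputs(SAMPLE) or "all inputs consistent")
```

The same function can be run against the Hub template inputs by passing the Trust subnet in place of the Untrust subnet for the load balancer check.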

Hub Template Parameters

Inputs for the Hub firewall template that enables you to secure outbound traffic and east-west traffic between the application tiers are as follows:
  • virtualNetworkName—The name of the VNet in which you want to deploy the resources in this template.
  • virtualNetworkAddressPrefix—
  • mgmtSubnetPrefix—
  • untrustSubnetPrefix—
  • trustSubnetPrefix—
  • Load Balancer IP—Enter an IP address from the Trust subnet CIDR. The Load balancer will use this IP address to send traffic to the trust interface on the firewall.
  • Network Security Group Inbound Src IP: Used to restrict inbound access to the firewall management interface. Enter the value in CIDR format, for example: 199.16.5.122/32.
  • Bootstrap Storage Account—Enter the Name of the storage account.
  • Bootstrap Storage Account Access Key—Specify the storage account key.
  • bootstrapFileShare—The name of the fileshare that holds the bootstrap folder structure.
  • bootstrapSharedDir—This directory name is optional.
  • VM Scale Set Min Count—Enter a value between 1 and 3. Default is 1.
  • VM Scale Set Max Count—Enter a value between 1 and 3. Default is 1.
  • Auto Scale Metric—Active Sessions (default). To view all the supported metrics, see Custom PAN-OS Metrics Published for Monitoring.
  • scaleInThreshold—Enter the threshold for a scaling event. This input can be a number or a percentage based on the scaling metric you selected above.
  • scaleOutThreshold—Enter the threshold for a scaling event. This input can be a number or a percentage based on the scaling metric you selected above.
  • Panorama Plugin Message Handler URL: This is the name for the Azure Function that you entered in the infrastructure template. This URL allows the Service Bus queue and the Panorama plugin for Azure to send messages about your Azure resources. For example: https://test-asc-function-handler.azurewebsites.net/api/infra?code=IKDDx5U2HddsabcdE==

Application Template Parameters

The inputs for the App template are:
  • Connect to Hub: yes or no.
  • Hub Resource Group Name—Required only if yes. The name of the Resource Group that hosts the resources you deployed with the Hub Firewall template.
  • Hub VNET Name—Required only if yes. The name of the VNet that hosts the resources you deployed with the Hub Firewall template.
  • Hub Load Balancer IP—Required only if yes. This is the IP address that you had assigned to the load balancer when you launched the Hub Firewall template.
  • Application Load Balancer IP—Enter an IP address that belongs to the trust subnet. The application gateway that is in the Inbound Firewall Resource Group will use this IP address to send traffic to the firewall and then on to the application workloads.
  • Inbound Firewall Resource Group Name—
  • Inbound Firewall VNet Name—
  • virtualNetworkAddressPrefix—The CIDR of the VNet in which you want to deploy the resources in this template.
  • virtualNetworkName—The name of the VNet in which you want to deploy the resources in this template.
  • mgmtSubnetPrefix—
  • trustedSubnetPrefix—
  • backendSubnetPrefix—The subnet in which your application workloads are deployed.
  • username—To log in to the sample application server.
  • password—The password for the administrative user you entered above.
