Use Case: Deploy the VM-Series Firewall in Different Availability Zones in Azure

Use the Azure load balancer to deploy VM-Series in different availability zones in Azure.
Where Can I Use This?
  • Microsoft Azure
  • Microsoft Azure Stack
What Do I Need?
  • Azure® Marketplace
  • VM-Series License (PAYG or BYOL)
  • VM-Series plugin
  • Panorama
  • Panorama plugin for Azure
This page describes how to deploy the VM-Series firewall across different availability zones in Azure, so that your virtual network stays protected during an availability zone outage.
Deploy the VM-Series firewalls using the azureDeploy.json ARM template. You can edit this template to match your network architecture.
Deploy VM-Series in Different Availability Zones Architecture
This template deploys the following into a new or existing VNET with 4 subnets:
2 x VM-Series firewalls
  • 3 x Interfaces
    • management: <fw_name>-nic0
    • dataplane1: <fw_name>-nic1
    • dataplane2: <fw_name>-nic2
  • Managed Disks
    • BYOL/Bundle1/Bundle2 License
    • (Optional) Accelerated Networking
    • (Optional) Bootstrap Capable
    • (Optional) Public IPs for interfaces:
      • management: <fw_name>-nic0-pip
      • dataplane1: <fw_name>-nic1-pip
2 x Network Security Groups
  • management: <nsg_name>-mgmt
  • dataplane: <nsg_name>-data
1 x Standard SKU Public Load Balancer
  • Backend Pool: <fw1_name>-nic1 & <fw2_name>-nic1
1 x Standard SKU Internal Load Balancer with HA ports
  • Backend Pool: <fw1_name>-nic2 & <fw2_name>-nic2
By default, the template uses the deployment resource group as the location of the VNET. If the VNET is in a different resource group, the resource group must be specified at deployment time. When deploying a new VNET into a different resource group, the resource group must exist before deployment.
  1. Download the azureDeploy.json ARM template and save it on a local client.
  2. Log in to the Azure CLI:
    az login
  3. Create a resource group in Azure in which to deploy the VM-Series firewall.
  4. Edit the azureDeploy.parameters.json template to set the parameter values for your deployment.
  5. Deploy the template resources in the Azure cloud in either of two ways:
    1. Use the Deploy to Azure button for a custom deployment template.
    2. Deploy manually into the resource group that you created (the deployment needs both the template file and the parameter file):
      az deployment group create \
        --name <DeploymentName> \
        --resource-group <YourResourceGroupName> \
        --template-file <path-to-azureDeploy.json> \
        --parameters '@<path-to-template-parameter-azureDeploy.json>'
  6. Verify the VM-Series firewall deployment under Azure Resource groups, or using the Azure CLI:
    az deployment group show --resource-group <YourResourceGroupName> --name <DeploymentName>
  7. Configure the firewall as a VNet gateway to protect your Internet-facing deployment.
    1. Log in to the management interface IP address on the firewall.
    2. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall (Network > Interfaces > Ethernet).
    3. Add static routes to the virtual router on the firewall. To route traffic through the firewall in this example, you need three static routes (Network > Virtual Routers, select the router, and click Static Routes):
      1. Route all outbound traffic through the UnTrust zone (ethernet1/1) to the Azure router at 192.168.1.1.
      2. Route all inbound traffic destined for the web server subnet through the Trust zone (ethernet1/2) to the Azure router at 192.168.2.1.
      3. Route all inbound traffic destined for the database server subnet through the Trust zone (ethernet1/2) to the Azure router at 192.168.2.1.
    4. Create security policy rules (Policies > Security) to allow inbound and outbound traffic on the firewall. You also need security policy rules to allow the appropriate traffic from the web server subnet to the database server subnet and vice versa.
    5. Commit the changes on the firewall.
    6. Verify that the VM-Series firewall is securing traffic (Monitor > Logs > Traffic).
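The following Python check is an added example, not part of this page or of the ARM template; it confirms that what was deployed in steps 5 and 6 matches the architecture above: two firewalls in distinct availability zones, the nic0/nic1/nic2 naming, and the correct dataplane NIC of each firewall in each load balancer's backend pool. It assumes the JSON shapes of `az vm list` and `az network lb show` output, which are stood in for here by constructed sample data.

```python
import re
NIC_RE = re.compile(r"/networkInterfaces/([^/]+)")  # NIC name out of an Azure resource ID

def nic_name(resource_id):
    m = NIC_RE.search(resource_id)
    return m.group(1) if m else resource_id

def check_zone_separation(vms):
    """Two firewalls, each in a different availability zone, each with nic0..nic2."""
    problems = []
    if len(vms) != 2:
        problems.append(f"expected 2 VM-Series firewalls, found {len(vms)}")
    zones = [tuple(vm.get("zones") or []) for vm in vms]
    if any(not z for z in zones):
        problems.append("a firewall has no availability zone (regional VM)")
    elif len(set(zones)) != len(zones):
        problems.append(f"firewalls share an availability zone: {zones}")
    for vm in vms:
        nics = sorted(nic_name(n["id"]) for n in vm["networkProfile"]["networkInterfaces"])
        expected = [f"{vm['name']}-nic{i}" for i in range(3)]
        if nics != expected:
            problems.append(f"{vm['name']}: NICs {nics} != {expected}")
    return problems

def check_backend_pools(vms, public_lb, internal_lb):
    """Public LB must front dataplane1 (nic1), internal HA-ports LB dataplane2 (nic2)."""
    problems = []
    for lb, idx, label in ((public_lb, 1, "public"), (internal_lb, 2, "internal")):
        members = {nic_name(c["id"]) for pool in lb["backendAddressPools"]
                   for c in pool.get("backendIPConfigurations") or []}
        wanted = {f"{vm['name']}-nic{idx}" for vm in vms}
        if members != wanted:
            problems.append(f"{label} LB pool {sorted(members)} != {sorted(wanted)}")
    return problems

# Constructed sample data in the shape of 'az vm list' / 'az network lb show' JSON output
# (assumed field names; not captured from a real deployment).
RID = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/networkInterfaces/"

def sample_vm(name, zone):
    return {"name": name, "zones": [zone], "networkProfile": {"networkInterfaces": [
        {"id": f"{RID}{name}-nic{i}"} for i in range(3)]}}
def sample_lb(nics):
    return {"backendAddressPools": [{"backendIPConfigurations": [
        {"id": f"{RID}{n}/ipConfigurations/ipconfig1"} for n in nics]}]}

SAMPLE_VMS = [sample_vm("fw1", "1"), sample_vm("fw2", "2")]
SAMPLE_PUBLIC_LB = sample_lb(["fw1-nic1", "fw2-nic1"])
SAMPLE_INTERNAL_LB = sample_lb(["fw1-nic2", "fw2-nic2"])
```

Against a real deployment, feed the two functions the JSON returned by `az vm list -g <YourResourceGroupName>` and `az network lb show -g <YourResourceGroupName> -n <lb-name>` for each load balancer.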

Clean up Resources

  1. Delete the resource group (this removes every resource deployed into it):
    az group delete --name <YourResourceGroupName>
  2. Delete a single resource:
    az resource delete \
      --resource-group <YourResourceGroupName> \
      --name <ResourceName> \
      --resource-type <ResourceType>