Palo Alto VM-Series with active/passive HA support in Azure

With the latest release, PAN-OS 9.0, the VM-Series firewall gained the VM-Series plugin, a built-in plugin architecture for integrating with public clouds and private-cloud hypervisors. With the plugin you can now configure VM-Series firewalls for active/passive high availability (HA) in Azure. Below is a short summary of what is needed to set up HA in Azure.

Both firewalls must be deployed in the same Azure resource group. Bear in mind that if you deploy the first instance from the Azure Marketplace, you will need a custom ARM template for the second instance, because the Marketplace offer cannot be deployed into a resource group that is not empty.

You will also need floating IP addresses in Azure to keep services reachable across a failover. A floating IP is configured as a secondary IP configuration on the active firewall's interface; on failover the plugin uses the Azure API to move it from the active firewall to the passive one, so clients keep the same address. You will also need the HA links, a control link (HA1) and a data link (HA2), to synchronise configuration and session state between the peers so the passive firewall can take over traffic seamlessly as soon as it becomes the active peer.
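To make the floating-IP mechanism concrete, here is an added illustration (not code from the post or from Palo Alto Networks) that models what the plugin does on failover: the floating IP is a secondary IP configuration on the active firewall's NIC, and failover detaches it, together with any public IP bound to it, and re-attaches it to the passive peer's NIC. The NIC dictionaries follow the Azure networkInterface resource shape used in ARM templates (the same shape you would use in the custom template for the second instance) and the REST API, but nothing here calls Azure; the subscription, resource group, subnet and address values are constructed.

```python
"""Model of the floating-IP move the VM-Series plugin performs on failover.

Added illustration, not code from the post or from Palo Alto Networks.  Nothing
here calls Azure; the subscription, resource group, subnet and addresses are
constructed values.
"""
import copy

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"   # constructed
RG = "rg-vmseries-ha"                                   # constructed
RG_ID = f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{RG}"
UNTRUST_SUBNET = f"{RG_ID}/providers/Microsoft.Network/virtualNetworks/vnet-fw/subnets/untrust"
FLOATING_PIP = f"{RG_ID}/providers/Microsoft.Network/publicIPAddresses/pip-untrust-floating"


def make_nic(name, primary_ip, extra_configs=()):
    """A NIC in Azure resource shape.  IP forwarding must be on for a firewall NIC."""
    primary = {"name": "ipconfig-primary",
               "properties": {"primary": True,
                              "privateIPAllocationMethod": "Static",
                              "privateIPAddress": primary_ip,
                              "subnet": {"id": UNTRUST_SUBNET}}}
    return {"name": name,
            "properties": {"enableIPForwarding": True,
                           "ipConfigurations": [primary, *extra_configs]}}


# The floating IP: a *secondary* configuration with a public IP bound to it.
FLOATING = {"name": "ipconfig-floating",
            "properties": {"primary": False,
                           "privateIPAllocationMethod": "Static",
                           "privateIPAddress": "10.0.1.10",
                           "subnet": {"id": UNTRUST_SUBNET},
                           "publicIPAddress": {"id": FLOATING_PIP}}}


class FailoverError(Exception):
    """Raised for a move that would leave the HA pair in a broken state."""


def _configs(nic):
    return nic["properties"]["ipConfigurations"]


def floating_owner(nics, cfg_name="ipconfig-floating"):
    """Name of the NIC that currently carries the floating configuration, or None."""
    for n in nics:
        if any(c["name"] == cfg_name for c in _configs(n)):
            return n["name"]
    return None


def move_floating_ip(active_nic, passive_nic, cfg_name="ipconfig-floating"):
    """Return (active, passive) copies with the secondary configuration moved.

    Refuses moves that would break the firewalls: moving the primary
    configuration, moving a configuration that is missing or already present,
    or moving it to a NIC whose primary configuration is in another subnet.
    """
    active, passive = copy.deepcopy(active_nic), copy.deepcopy(passive_nic)
    match = [c for c in _configs(active) if c["name"] == cfg_name]
    if not match:
        raise FailoverError(f"{cfg_name} is not on {active['name']}")
    cfg = match[0]
    if cfg["properties"].get("primary"):
        raise FailoverError("refusing to move the primary IP configuration")
    if any(c["name"] == cfg_name for c in _configs(passive)):
        raise FailoverError(f"{cfg_name} is already on {passive['name']}")
    peer_subnet = next(c for c in _configs(passive)
                       if c["properties"].get("primary"))["properties"]["subnet"]["id"]
    if cfg["properties"]["subnet"]["id"].lower() != peer_subnet.lower():
        raise FailoverError("floating IP must stay in the subnet of the peer NIC")
    # Detach first: Azure rejects a static private IP that is still configured
    # on another NIC in the same subnet.
    _configs(active).remove(cfg)
    _configs(passive).append(cfg)
    return active, passive


def az_failover_commands(active_nic, passive_nic, cfg_name="ipconfig-floating"):
    """The equivalent Azure CLI steps, in the order a manual failover needs them."""
    cfg = next(c for c in _configs(active_nic) if c["name"] == cfg_name)
    p = cfg["properties"]
    cmds = [f"az network nic ip-config delete -g {RG} --nic-name {active_nic['name']} -n {cfg_name}",
            f"az network nic ip-config create -g {RG} --nic-name {passive_nic['name']} -n {cfg_name} "
            f"--subnet {p['subnet']['id']} --private-ip-address {p['privateIPAddress']}"]
    if "publicIPAddress" in p:
        cmds[1] += f" --public-ip-address {p['publicIPAddress']['id']}"
    return cmds


if __name__ == "__main__":
    fw1 = make_nic("fw1-untrust-nic", "10.0.1.4", [FLOATING])
    fw2 = make_nic("fw2-untrust-nic", "10.0.1.5")
    print("floating IP before failover:", floating_owner([fw1, fw2]))
    for c in az_failover_commands(fw1, fw2):
        print(" ", c)
    fw1, fw2 = move_floating_ip(fw1, fw2)
    print("floating IP after failover: ", floating_owner([fw1, fw2]))
```

The detach-before-attach order is the part worth remembering: a static private address cannot be on two NICs in the same subnet at once, so a manual failover (or a script that mimics the plugin) must delete the configuration from the old active peer before creating it on the new one.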

A few more prerequisites are needed for HA on the VM-Series firewalls in Azure. The firewalls interact with the Azure APIs to move the floating IPs, so you must create an Azure Active Directory service principal; to do that you need permission to register an application with your Azure AD tenant and to assign the application a role in your subscription. The service principal's tenant ID, client ID and client secret are what you enter in the plugin's HA settings. Scope the role assignment as narrowly as the plugin allows, ideally to the resource group that holds the two firewalls and without Owner rights, so that a compromised firewall cannot modify the rest of the subscription.
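Because the service principal's credentials live on the firewall, it pays to check what they can actually do. The following added example (not code from the post or from Palo Alto Networks) audits the JSON that `az role assignment list --assignee <appId> --all -o json` returns for the principal and flags anything broader than the firewalls' resource group: a role scoped at the subscription, a management group or the root, or a role (Owner, User Access Administrator) that lets a compromised firewall grant itself more. Contributor inside the resource group is reported as a warning only; a custom role limited to the network operations the plugin performs is tighter. The subscription ID, resource group names, the custom role name and the sample assignments are all constructed.

```python
"""Least-privilege check for the service principal the VM-Series plugin uses.

Added example, not code from the post or from Palo Alto Networks.  Input is the
JSON from `az role assignment list --assignee <appId> --all -o json`; the
subscription, resource groups and sample assignments below are constructed.
"""
import json
import re

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"   # constructed
FW_RG = "rg-vmseries-ha"                                # constructed

# Roles that allow changing permissions, not just resources.
ESCALATING_ROLES = {"owner", "user access administrator"}
# Broad built-in role; acceptable at resource-group scope but worth a warning.
BROAD_BUT_ACCEPTED = {"contributor"}

_SCOPE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)(?:/resourceGroups/(?P<rg>[^/]+))?", re.IGNORECASE)


def scope_level(scope):
    """Classify an RBAC scope: root, managementGroup, subscription, resourceGroup, resource."""
    if scope == "/":
        return "root"
    if "/providers/Microsoft.Management/managementGroups/" in scope:
        return "managementGroup"
    m = _SCOPE_RE.match(scope)
    if not m:
        return "unknown"
    if not m.group("rg"):
        return "subscription"
    rest = scope[m.end():]
    return "resourceGroup" if rest in ("", "/") else "resource"


def in_firewall_rg(scope, subscription=SUBSCRIPTION, rg=FW_RG):
    """True if the scope is the firewall resource group or something inside it."""
    m = _SCOPE_RE.match(scope)
    return bool(m and m.group("sub").lower() == subscription.lower()
                and (m.group("rg") or "").lower() == rg.lower())


def audit(assignments, subscription=SUBSCRIPTION, rg=FW_RG):
    """Return a list of (severity, message); empty means the principal is scoped tightly."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        level = scope_level(scope)
        if role.lower() in ESCALATING_ROLES:
            findings.append(("high", f"{role} at {scope}: can change permissions, not needed for HA"))
            continue
        if level in ("root", "managementGroup", "subscription", "unknown"):
            findings.append(("high", f"{role} at {scope}: scope is above the firewall resource group"))
            continue
        if not in_firewall_rg(scope, subscription, rg):
            findings.append(("high", f"{role} at {scope}: outside resource group {rg}"))
            continue
        if role.lower() in BROAD_BUT_ACCEPTED:
            findings.append(("warn", f"{role} in {rg}: consider a custom role with only "
                                     "the network write permissions the plugin needs"))
    return findings


# Constructed sample in the shape of `az role assignment list -o json`.
SAMPLE = json.loads(f"""
[
 {{"roleDefinitionName": "Contributor", "principalType": "ServicePrincipal",
   "scope": "/subscriptions/{SUBSCRIPTION}/resourceGroups/{FW_RG}"}},
 {{"roleDefinitionName": "Contributor", "principalType": "ServicePrincipal",
   "scope": "/subscriptions/{SUBSCRIPTION}"}},
 {{"roleDefinitionName": "Reader", "principalType": "ServicePrincipal",
   "scope": "/subscriptions/{SUBSCRIPTION}/resourceGroups/{FW_RG}"}},
 {{"roleDefinitionName": "Owner", "principalType": "ServicePrincipal",
   "scope": "/subscriptions/{SUBSCRIPTION}/resourceGroups/{FW_RG}"}},
 {{"roleDefinitionName": "VM-Series HA Operator", "principalType": "ServicePrincipal",
   "scope": "/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-shared-services"}}
]
""")

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE):
        print(f"[{sev}] {msg}")
```

Run it against the real output for your principal after setup and again after any role change; the goal is an empty result, or at most the Contributor warning while you are still building the custom role.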

Palo Alto - VM-Series (screenshot)

PAN-OS 9.0 screenshot of the VM-Series plugin selected under the Device tab; it shows the public cloud hosting the VM-Series firewall (Azure) and the plugin's available configuration settings (HA).

A feature like this is useful when you need to keep services available during maintenance, such as a software update of the VM-Series firewall: with HA configured you can patch and upgrade one peer at a time without downtime for your environment.

More information and setup guides can be found in the Palo Alto Networks documentation.

If you have any question, feel free to email me at jimmy.dao@xenit.se or comment down below.

Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.