I decided to take a bit of a deep dive into deploying Palo Alto firewalls in Azure. I would like to share my findings and some code to help get people started.

Deployment Type:

In Azure you have an architectural decision to make, and it depends largely on your familiarity with Azure services. Traditionally, a firewall is deployed using the cloud provider's load balancers in front of your preferred vendor's VM image. Palo Alto made this process easier by abstracting all of those underlying resources into one managed Azure resource called "Cloud NGFWs by Palo Alto Networks". Here is an overview of the two options:

  1. Deploy a resource called “Cloud NGFWs by Palo Alto Networks”.

The advantage of this model is that you don't have to manage the underlying Azure resources, the firewall version or scaling. It is all done for you. All you need to do is add a default route (0.0.0.0/0) on your workload subnets pointing at the internal private IP the resource gives you. You can also manage the firewalls with Panorama and the appropriate Azure plugin.

The disadvantage is the flip side of the same thing: you cannot control the underlying resources, the scaling or the license type. The license is purely pay as you go.

  2. Deploy the Palo Alto VM-Series and the necessary resources.

The advantage is that you control every aspect of the deployment: the load balancers, firewall versions, licensing and scaling. You can use BYOL licensing, which gives you the option of paying with firewall credits. This can potentially save money.

The disadvantage is that you have a lot more to manage, and you need existing Azure experience to do it well.
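Both options end the same way: the workload subnets need a user-defined route whose next hop is the firewall's private IP (the VIP the Cloud NGFW resource hands you in option 1, or the frontend IP of the internal load balancer in front of the VM-Series in option 2). The Terraform below is an added example written for this post, not code from either of the repos linked further down; the resource group, VNet and subnet names are placeholders, and it assumes the firewall already exists and its private IP is passed in as `var.firewall_private_ip`.

```hcl
# Added example: route a workload subnet's default route through the firewall.
# Assumptions (not from the post): placeholder names below, and the Cloud NGFW
# (or the internal LB in front of VM-Series) already exists; its private IP is
# supplied as var.firewall_private_ip.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "firewall_private_ip" {
  description = "Private IP of the Cloud NGFW, or the internal LB frontend for VM-Series"
  type        = string
}

# Existing spoke subnet that should egress through the firewall (assumed names).
data "azurerm_subnet" "workload" {
  name                 = "workload-subnet"
  virtual_network_name = "spoke-vnet"
  resource_group_name  = "rg-network"
}

resource "azurerm_route_table" "workload" {
  name                = "rt-workload-via-fw"
  location            = "eastus"
  resource_group_name = "rg-network"

  # Stop gateway-learned routes (ExpressRoute/VPN BGP) from being injected into
  # this subnet, where a more specific learned route could bypass the firewall.
  disable_bgp_route_propagation = true
}

# 0.0.0.0/0 -> firewall. "VirtualAppliance" is the next-hop type used for any
# NVA, which is what both the Cloud NGFW private IP and an ILB frontend are.
resource "azurerm_route" "default_via_fw" {
  name                   = "default-via-firewall"
  resource_group_name    = azurerm_route_table.workload.resource_group_name
  route_table_name       = azurerm_route_table.workload.name
  address_prefix         = "0.0.0.0/0"
  next_hop_type          = "VirtualAppliance"
  next_hop_in_ip_address = var.firewall_private_ip
}

# Nothing takes effect until the table is attached to the subnet.
resource "azurerm_subnet_route_table_association" "workload" {
  subnet_id      = data.azurerm_subnet.workload.id
  route_table_id = azurerm_route_table.workload.id
}
```

Two checks worth doing after `terraform apply`: run `az network nic show-effective-route-table --name <nic> --resource-group <rg>` on a VM in the subnet and confirm the 0.0.0.0/0 entry shows the firewall IP as next hop, and remember that a default route also drags VNet-to-VNet and Azure platform traffic through the firewall unless you add more specific routes or service endpoints for the flows you want to bypass it.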

The Code:

I created a repo for each option, one using Terraform and one using an Azure ARM template.

  • Terraform - This will create option 2 above

https://github.com/jcdoes/azure-palo-ngfw

  • Azure ARM template - This will create option 1 above.

https://github.com/jcdoes/palo-ngfw-azure-arm-template
