wahidsaleemi/azure3micmanaged
Azure - Palo Alto VMSeries Firewall into existing environment

This template was created to support the deployment of a 3 interface Palo Alto Networks firewall into an existing Microsoft Azure environment that has the following items already deployed:

  • Azure Virtual Network - with at least 3 subnets
  • Resource Group for Firewall (or created at time of deployment)

FEATURES

  • The firewall deploys into an existing environment with 3 interfaces: 1 MGMT (with Public IP) and 2 data plane.
  • The firewall software version can be chosen: 7.1 or 8.0 (Latest).
  • The deployment SKU can also be chosen during deployment. BYOL, Bundle1 or Bundle2 are the available options.
  • Static IP address assignment is used for all the firewall interfaces.

The following Storage Account types are supported for Managed Disks:

- Standard_LRS
- Premium_LRS
- StandardSSD_LRS

The following VM sizes are supported:

- Standard_D3
- Standard_D4
- Standard_D3_v2
- Standard_D4_v2
- Standard_A4
- Standard_DS3_v2
- Standard_DS4_v2

DEPLOYMENT

When deploying, specify the password in SecureString format (PowerShell only), or by using Key Vault (PowerShell and CLI).

PowerShell

  $secPassword = ConvertTo-SecureString -String "a-strong-password" -AsPlainText -Force
  New-AzureRmResourceGroupDeployment -ResourceGroupName rg-firewall -TemplateFile .\azuredeploy.json `
    -TemplateParameterFile .\azuredeploy.parameters.json -adminPassword $secPassword -Verbose

CLI

For CLI, the password must be stored as a secret in Azure Key Vault. See Azure Docs. Then deploy as normal:

  az group deployment create --name exampledeployment --resource-group rg-firewall \
  --template-file azuredeploy.json --parameters @azuredeploy.parameters.json
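
With Key Vault, azuredeploy.parameters.json references the secret instead of holding the password. The fragment below is an added example, not a file from this repository: the values in angle brackets are placeholders, the template's other parameters are omitted, and the vault must have enabledForTemplateDeployment set to true so that Resource Manager can read the secret during deployment.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id>/resourceGroups/<vault-resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"
        },
        "secretName": "<secret-name>"
      }
    }
  }
}
```

The password then never appears in the parameter file, the command line or shell history; only the identity running the deployment needs access to the vault.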

CHANGELOG

[2018-07-17]

  • Removed references to Storage Accounts in this README.md
  • Removed "-preview" from the schema URL and corrected it to point to Parameters schema.
  • Removed Storage Account from parameters and template file, and added managedDiskType parameter.
  • Removed apiVersion variable as it's only used once and some tools (VSCode) complain about the value.
  • Removed virtualNetworkAddressPrefix parameter. It is not used.
  • Removed Subnet variable, it is not used. Also, this template requires an existing VNET and Subnets.
  • Changed compute api version to 2018-06-01. Updated network api to 2017-10-01.
  • Removed the defaultValue of the VNET from 192.168.0.0/16, it is not used.
  • Removed SubnetPrefix parameters and nsgName parameters, not used.
  • Changed nicName variable from "eth" to "Nic" since a single NIC could have multiple IP configs (eth0, eth1)
  • Changed NIC names to be more descriptive instead of using numbers (0,1,2)
  • Changed publicIPAddressName to use variables in Resource section to avoid mistakes if users enter upper case characters (not allowed)
  • Changed OS disk size to 63 (from 60), to align with S6/P6 Managed Disk SKU.
  • Minor formatting and corrections to README.md (like 3 interfaces instead of 4)
  • Best Practice: Added tags to all resources.
  • Best Practice: Re-arranged key/value pairs in Resources section to align with Azure Docs (name, type, apiVersion, etc.) and for consistency.
  • Best Practice: Added an Availability Set, even with 1 VM, since you can't add this later and it is not billed anyway.
  • Best Practice: Added a Resource Lock to prevent accidental deletion of the firewall since this type of device is usually considered critical.

End