Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:vmseries:azure [2020/05/18 13:44] – created bstafford
+++ paloaltonetworks:vmseries:azure [2022/12/02 11:54] (current) – bstafford
@@ Line 1: / Line 1: @@
 ====== Azure ======
+===== Health Probes =====
+Azure Health Probes come from
+  * 168.63.129.16
 ===== Github Deployment =====
@@ Line 9: / Line 12: @@
 You can deploy Panorama on 4CPU/8GB RAM but it will be limited to Management Mode only. For Panorama mode, you need at least 8 CPU and 16 GB of RAM.
+In Azure for just managing 6 VM's, standard_D3_v2 should be sufficient if there is no logging happening. If you need Panorama in mixed mode, you must apply proper resource to the VM.
+HOWEVER, recent PAN-OS versions will complain every single time you log in to Panorama if you don't have 16 CPU and 32 GB of RAM. It will complain even if you have 8 CPU and 32 GB of RAM.
+Use ''D5_v2'' (or, as of Sep 2022, ''Standard_D16s_v3'' apparently) for the correct performance (16 CPU and 56 GB RAM). This will be ~£750 a month in Q4 2021. However Azure Reserved Instances is an Azure Accounting "thing" that can save end users month on machines that are permamently deployed.
+In June 2022, the reference archtiecture says to use Standard_D16s_v3.
+As of Sep 2022:
+  * D16_v3 is 16 CPU and 64 GB RAM and is about $675 per month to run (not including 'reserved instance')
+  * D5_v2 is 16CPU and 56 GB RAM and is about $1,025 per month to run (not including 'reserved instance')
 ===== Pay-As-You-Go =====
 As of 28th Feb 2018
@@ Line 37: / Line 51: @@
 In addition, the VM will have to use a storage account.I'm not sure if this is paid for separately.
-=Specifications=
+==== Specifications ====
   * Pay-As-You-Go VM-Series Bundle 2 = VM-300 + Premium Support + Threat Prevention + WildFire + URL Filtering + GlobalProtect
   * Pay-As-You-Go VM-Series Bundle 1 = VM-300 + Premium Support + Threat Prevention
@@ Line 50: / Line 64: @@
 The first time you buy the licences above, they come with a perpetual VM licence. This allows you to run the VM for ever. It also means that it is much cheaper to renew the licences as the renewal cost does not include the VM licence. The renewal cost only contains the support and feature licences.
+===== Load Balancer Health Probe =====
+Azure Health Probes target the firewall interface IP.
+The Azure LB health probe does not complete a 3 way handshake - just the SYN and the SYNACK. On tcp-80 this is identified as "incomplete". On tcp-22 this is identified as ssh. Palo Alto Networks suggest using tcp-22 as the CPU related issues seem to only occur when deploying in GCP.
+===== Deployment Notes =====
+For public load balancers, enable "Floating IP". For load balancers, "Floating IP" is not technically needed. All it gives you is that the firewalls will see the public IP that the remote resource is connecting to instead of the load balancer applying a DNAT. However, this can be very useful. It also makes it easier to scale when adding in new public IPs.
+REMEMBER. When adding a secondary IP to the front end load balancer, you must enable "Floating IP" before setting the backend pool and ports.
+Configure the firewall to update its domain based on the DHCP allocation.
+===== Azure IP Addresses =====
+Yes. Azure reserves 5 IP addresses within each subnet. These are x.x.x.0-x.x.x.3 and the last address of the subnet. x.x.x.1-x.x.x.3 is reserved in each subnet for Azure services.
+  * x.x.x.0: Network address
+  * x.x.x.1: Reserved by Azure for the default gateway
+  * x.x.x.2, x.x.x.3: Reserved by Azure to map the Azure DNS IPs to the VNet space
+  * x.x.x.255: Network broadcast address for subnets of size /25 and larger. This will be a different address in smaller subnets.