VM series WebApp sample - PaloAltoNetworks/azure GitHub Wiki
Overview
This sample template demonstrates the use of a Palo Alto Networks VM-Series virtualized firewall together with a standalone NAT VM in front of the untrust interface, plus a web server and a DB server, each on a separate network, with the associated User Defined Routes (UDRs) to manage traffic flow between them.
An admin account with an associated password (or SSH key) is created to facilitate management of the network elements. Subsequent configuration of the VM-Series firewall is required in order to establish connectivity for all hosts.
Parameters
The following configuration parameters are set in the azureDeploy.parameters.json file.
adminUsername
Required: yes
Example: jdoe
Description: Username for the administrative account on all of the hosts within this deployment topology.
"adminUsername": {
"value": "<UserName for all VMs in this template, cannot be admin or root>"
},
adminPassword
Required: yes, if not using an SSH key
Example: Th!5s4mpl3st1nx
Description: The supplied password must be between 6 and 72 characters long and must satisfy at least 3 of the following complexity requirements:
- Contains an uppercase character
- Contains a lowercase character
- Contains a numeric digit
- Contains a special character
"adminPassword": {
"value": "<Password for all VMs>"
},
sshKeyData
Required: yes, if using ssh public-key authentication
Example: see below
Description:
This parameter should be used in conjunction with the associated SSH key template(s). The GEN-SSH-PUB-KEY placeholder in the template is for testing with the Azure Travis CI system. If you are using SSH public key authentication for the VMs in this template, generate a key pair and insert the public key contents here.
Additional information can be found at the following location:
"sshKeyData": {
"value": "ssh-rsa examplezaC1yc2EAAAADAQABAAABAQCt0Tnp9jYk1zwLMn7XAgz5k4+2tag3aOA5YKkyxEDxhEjsGuZG/0jh+vln2pWG4pkyPyrS+zp4EtYUeKfe1NmBUN3JaifYKFPpcp8m4zk24NKop5e88Oh6KeWjhSX/r5D/kpR1EZawymqRO0Uk5k+v4KL5r0f3Q/05lFFTcobWdl7zXld1gmyNl/1O7dgRwhATHUxTYMuSIoExA6dMueXX7doWDG/NoxOyF5dzjUUoI4PX4eLIlwHKCqy48wLVdsEA18w9oix4OXldRFCZ7DB3nnuZZmrCWmuMedXjw5Eg6CjrWYPwYmWvnF67ojhqXN3IecuQ7meFrOMe/exampleRR jdoe@hostname"
},
userImageStorageAccountName
Required: yes
Example: jdoevmseries01
"userImageStorageAccountName": {
"value": "<your storage account name: new/existing>"
},
dnsNameForFwPublicIP
Required: yes
Example: jdoevmseries01-fw-ext
"dnsNameForFwPublicIP": {
"value": "<Globally unique lowercase name for VM-Series eth0 (MGMT)>"
},
dnsNameForNATPublicIP
Required: yes
Example: jdoevmseries01-nat-ext
"dnsNameForNATPublicIP": {
"value": "<Globally unique lowercase name for NAT VM>"
},
fwVmName
Required: yes
Example: panw-vfw-71x
Description: The name of the VM-Series firewall as shown in the Azure portal, visible in either the Resource Manager or Virtual Machines view.
"fwVmName": {
"value": "<Name of VM-Series in Azure portal>"
},
fwVmSize
Required: yes
Example: Standard_D3
Description: Azure VM size. Valid sizes for the VM-Series firewall are as follows:
- Standard_A1
- Standard_A2
- Standard_A3
- Standard_A4
- Standard_D1
- Standard_D2
- Standard_D3
- Standard_D4
"fwVmSize": {
"value": "Standard_D3"
},
fromGatewayLogin
Required: yes
Example: 192.0.2.1 or 192.0.2.0/24
Description: IPv4 address or CIDR prefix specifying the source addresses allowed to reach the management interface of the VM-Series firewall (applied in the default NSG).
Note(s):
If you do not want to restrict this access you may use a value of *; however, it is recommended that you restrict access to this interface to known management address ranges.
"fromGatewayLogin": {
"value": "<Your Source IP for Default NSG>"
},
IPAddressPrefix
Required: yes
Example: 192.168
Description: IPv4 prefix used to derive the address blocks of the sample topology.
Note(s):
The value below corresponds to the subnets allocated for the sample topology. You may keep this value or modify it at your discretion.
"IPAddressPrefix": {
"value": "192.168"
}
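As an added example, not part of the PaloAltoNetworks/azure repository, the following Python script checks the parameters object of a parameters file against the constraints listed on this page before deployment: the admin username restriction, the password complexity rule, the supported fwVmSize values, the lowercase DNS names, the fromGatewayLogin format (reporting * as open management access) and the IPAddressPrefix. The DNS label pattern and the two-octet prefix format are assumptions derived from the examples above, and the sample parameters at the bottom are constructed.

```python
import ipaddress
import re

# Constraints taken from the parameter descriptions on this wiki page.
ALLOWED_FW_SIZES = {"Standard_A1", "Standard_A2", "Standard_A3", "Standard_A4",
                    "Standard_D1", "Standard_D2", "Standard_D3", "Standard_D4"}
DNS_LABEL = re.compile(r"^[a-z][a-z0-9-]{0,61}[a-z0-9]$")  # lowercase DNS label (assumed format)

def password_ok(pw):
    """6-72 characters and at least 3 of: uppercase, lowercase, digit, special."""
    if not 6 <= len(pw) <= 72:
        return False
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3

def mgmt_source_ok(value):
    """fromGatewayLogin accepts an IPv4 host address, an IPv4 CIDR prefix, or '*'."""
    try:
        return value == "*" or ipaddress.IPv4Network(value, strict=False) is not None
    except ValueError:
        return False

def validate(parameters):
    """Check the 'parameters' object of azureDeploy.parameters.json; returns a list of findings."""
    v = {k: str(p.get("value", "")) for k, p in parameters.items()}
    findings = []
    if v.get("adminUsername", "").lower() in ("", "admin", "root"):
        findings.append("adminUsername is required and cannot be admin or root")
    if not v.get("sshKeyData") and not password_ok(v.get("adminPassword", "")):
        findings.append("adminPassword is required without sshKeyData and must meet the complexity rules")
    for key in ("dnsNameForFwPublicIP", "dnsNameForNATPublicIP"):
        if not DNS_LABEL.match(v.get(key, "")):
            findings.append(f"{key} must be a lowercase DNS name")
    if v.get("fwVmSize") not in ALLOWED_FW_SIZES:
        findings.append("fwVmSize is not one of the supported VM-Series sizes")
    src = v.get("fromGatewayLogin", "")
    if not mgmt_source_ok(src):
        findings.append("fromGatewayLogin must be an IPv4 address, a CIDR prefix or *")
    elif src == "*":
        findings.append("warning: fromGatewayLogin is *, so the NSG allows management access from any source")
    if not re.fullmatch(r"\d{1,3}\.\d{1,3}", v.get("IPAddressPrefix", "")):
        findings.append("IPAddressPrefix must be the first two octets only, e.g. 192.168")
    return findings

# Constructed sample parameters (not the repository's file): valid except for the open NSG source.
SAMPLE = {"adminUsername": {"value": "jdoe"}, "adminPassword": {"value": "Th!5s4mpl3st1nx"},
          "dnsNameForFwPublicIP": {"value": "jdoevmseries01-fw-ext"}, "fwVmSize": {"value": "Standard_D3"},
          "dnsNameForNATPublicIP": {"value": "jdoevmseries01-nat-ext"}, "fromGatewayLogin": {"value": "*"},
          "IPAddressPrefix": {"value": "192.168"}}

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE)) or "no findings")
```

Run it against the "parameters" object of your own file (for example `validate(json.load(open("azureDeploy.parameters.json"))["parameters"])`) before deploying; an empty list means every check passed.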