Deploy F5 and PaloAlto in Azure with this demo
This demo will build a new environment in Azure with a demo app, to show traffic protected via PaloAlto firewalls and F5 BIG-IP, both set up in HA failover using Azure Load Balancer.
Recently a customer came to me with these requirements.
- They want to use PaloAlto firewalls in a High Availability (HA) set up in Azure
- They want to use BIG-IP, also in HA
- They want the ability to have East-West traffic traverse their PaloAlto firewalls
- They do not want to be forced to Source NAT (SNAT) traffic to their application servers
I put this demo together to show how to meet this for them.
This demo will build out the architecture pictured below:
You can deploy the architecture above yourself by following the instructions on this demo.
There are a few important takeaways here:
- You can use a single internal Azure Load Balancer with 2x FrontEnd IP's and 2x BackEnd pools to achieve front-end and back-end loadbalancing for devices.
- Health checks here must be considered. You can see my VIP called "health check" to see why it's important to account for the health probes from Azure Load Balancers.
- This is not a PaloAlto support document, but it is possible to use an Internal Load Balancer and and External Load Balancer at the same time. You must use 2 Virtual Routers to achieve this.
Any questions, please leave a comment! Thanks!