Deploy F5 and PaloAlto in Azure with this demo

Summary

This demo will build a new environment in Azure with a demo app, to show traffic protected via PaloAlto firewalls and F5 BIG-IP, both set up in HA failover using Azure Load Balancer.


Background

Recently a customer came to me with these requirements.

  1. They want to use PaloAlto firewalls in a High Availability (HA) setup in Azure
  2. They want to use BIG-IP, also in HA
  3. They want the ability to have East-West traffic traverse their PaloAlto firewalls
  4. They do not want to be forced to Source NAT (SNAT) traffic to their application servers


I put this demo together to show how to meet these requirements for them.


Architecture

This demo will build out the architecture pictured below:

Demo

You can deploy the architecture above yourself by following the instructions on this demo.


Conclusion

There are a few important takeaways here:

  1. You can use a single internal Azure Load Balancer with 2x FrontEnd IPs and 2x BackEnd pools to achieve front-end and back-end load balancing for devices.
  2. Health checks must be considered here. See my VIP called "health check" for why it's important to account for the health probes from Azure Load Balancers.
  3. This is not a PaloAlto support document, but it is possible to use an Internal Load Balancer and an External Load Balancer at the same time. You must use 2 Virtual Routers to achieve this.


Any questions, please leave a comment! Thanks!

Published Feb 10, 2020
Version 1.0
