Deploys a security stack where PaloAlto firewalls are internet-facing, and F5 BIG-IP's perform application services in a second tier. Uses marketplace (PAYG) images so that license keys or eval keys are not required, but production or long-term use cases can edit the templates as desired to use BYOL licenses and license keys.

• Architecture
• Instructions to deploy
• High Availability
• Notes
• Advanced technical details for this demo
• Support

To deploy via the web interface, click the button below.

When the deployment is finished and you have waited about 10 mins for the PaloAlto VM's to complete their bootstrap process you can visit the URL of the application. Click on your Resource Group, then Deployments, then the Deployment you made, and it's Outputs. You should see a screen like below:

To deploy via Powershell, download the file Deploy_via_Powershell.ps1 and run a command similar to the following: .\Deploy_via_PS.ps1 -adminUsername azureuser -password MY-PASSWORD -dnsLabel SOME-UNIQUE-VALUE -resourceGroupName YOUR-RESOURCE-GROUP -region REGION

When the deployment is finished and you have waited about 10 mins for the PaloAlto VM's to complete their bootstrap process you can visit the URL of the application. You should see a screen like below:

This set of templates will automatically configure HA via Azure Load Balancers.

• The supported templates from F5 will configure HA via a Load Balancer, or via API. For this demo, I started with this supported template from F5 which configures HA via Load Balancer, and I made a few modifications to the VNET to allow for the PaloAlto VM's to be deployed.

• Do not use special/uppercase characters for your resource group name using the "deploy to Azure" button. Only lowercase and numbers.
• Restricted source address should be in the IP/CIDR Mask format.
• The Palo Alto VMs deployed requires a default Azure subscription to increase quotas for "Regional Cores" from 10 to at least 18.
• This set of templates will deploy F5 BIG-IP and PaloAlto VM-Series images from marketplace images. This means you will be charged on a PAYG basis.
• To build templates for PaloAlto VMs, I have started with a sample from PaloAlto's examples here and made some modifications to deploy 2 VMs with external and internal load balancers, as well as bootstrap the devices.
• To build templates for F5 VM's, I have started with the supported F5 template here but made some modifications to this template in order to build out a full demo environment.

• PaloAlto have a reference architecture guide for Azure published here.
• PaloAlto VM's can be bootstrapped by configuring the CustomData field in the ARM template, which contains the details of an Azure file share that contains special configuration files. The instructions for this from PaloAlto are here.
  • The major hurdle to this is the requirement of an existing Storage Account configured with a Files service (not a Blob service) that is required by PaloAlto VM's.
  • In order to access an Azure file server, you must use a Storage Account Key. You might prefer to pre-create a Storage Account with pre-defined configuration files for this task, but you would then be required to store a Storage Account Key in the code (or demo instructions) of your repo - a bad practice, even if the files are intended to be public facing.
  • To overcome the above problem, this demo creates a StorageAccount as part of this template, and then runs an azcopy command in an Azure container to copy the files required into the storage account. I followed this helpful guide to do this, and then had my container run multiple commands using syntax I learned here.
  • The above steps are not recommended for production deployments, but it facilitates a demo deployment with a single click to deploy.
• F5 devices can be bootstrapped using declarative API's from the F5 Automation Toolchain family. In this case, we declare a configuration via a JSON-formatted declaration that is hosted here.

This template has been developed for example and demonstration purposes. Please submit an issue via GitHub if you would like a feature added or have problems deploying this yourself.