Deploying CNGFW in Azure - VNet

This project will work us through deploying Palo Alto in Azure. We’ll be deploying this using the Hub and Spoke model and also managing policies via Panorama.

We’ll look at the VWan deployment in another project as this is another deployment model in Azure.

Pre-requisite

Certain things needs to be in place to enable you complete this project.

A Palo Alto Customer Support Account.
An Azure account
Some knowledge of Terraform
Intermediate knowledge of Azure, especially around networking
A GitHub account and some knowledge of GitHub Actions
Azure CLI

Some concepts

Hub and Spoke Architecture

Hub and Spoke Architecture is a design model often used in network systems, data management, logistics, and enterprise architecture. It’s structured around a central “hub” that connects to multiple “spokes” (peripheral systems, locations, or processes).

Advantages ✅	Disadvantages 🛑
Centralised control and management	Single point of failure at the hub
Simplifies security and monitoring	Potential bottlenecks
Easier maintenance and upgrades in the hub	Higher latency for inter-spoke communication (must go through hub)

Table 1: Some pros and cons of Hub and Spoke architecture. See What is a Hub-and-Spoke Network and xx blog for some more info on the subject.

What we will build?

CNGFW Hub & Spoke Architecture

Img 1: Final project architecture

Summary

At the end of this project we would have deployed the following

2 resource groups
3 virtual networks
2 virtual machines
1 Panorama server
1 Jumpbox virtual machine
3 Public IPs
2 Route tables

Deployment Phases

Setup CI/CD pipeline in Git/GitHub
Deploy the networking components
Deploy the management components
- Register the management component
Deploy CNGFW resource
Update networking components (network path)
Configure CNGFW for inbound/outbound flow
Wrap up and clear down resources

Setup CI/CD pipeline

ℹ️ Watch out for more updates coming soon