Palo Alto Networks Cloud NGFW Module for Azure
A Terraform module for deploying Palo Alto Networks Cloud Next-Generation Firewalls (Cloud NGFW) in Azure. This module supports flexible configurations, allowing the creation of Cloud NGFW resources based on different attachment types and management modes. Additionally, the module provides options to create public IP addresses or use existing ones.
Usage
This module is designed to work in several modes depending on which variables or flags are set. Most common usage scenarios are:
- management_mode = "panorama" & attachment_type ="vnet" - deploys Cloud NGFW attached to a Virtual Hub in a Virtual WAN environment, managed via Panorama (using panorama_base64_config). Supports creation or referencing of public IP addresses for connectivity.
cloudngfws = {
"cloudngfw" = {
name = "cloudngfw"
attachment_type = "vnet"
management_mode = "panorama"
virtual_network_key = "cloudngfw-vnet"
cloudngfw_config = {
panorama_base64_config = "" # TODO: Put panorama connection string
}
}
}
- management_mode = "panorama" & attachment_type ="vhub" - deploys Cloud NGFW attached to a Virtual Hub in a Virtual WAN environment, managed via Panorama (using panorama_base64_config). Supports creation or referencing of public IP addresses for connectivity.
cloudngfws = {
"cloudngfw" = {
name = "cloudngfw"
attachment_type = "vhub"
management_mode = "panorama"
virtual_wan_key = "virtual_wan"
virtual_hub_key = "virtual_hub"
palo_alto_virtual_appliance_name = "cloudngfw-vhub-nva"
cloudngfw_config = {
panorama_base64_config = "" # TODO: Put panorama connection string
}
}
}
- management_mode = "rulestack" & attachment_type ="vnet" - deploys Cloud NGFW attached to a Virtual Network (VNet) with a local rulestack for policy management. Requires VNet-related parameters such as trusted and untrusted subnets, along with the rulestack ID.
cloudngfws = {
"cloudngfw" = {
name = "cloudngfw"
attachment_type = "vnet"
management_mode = "rulestack"
virtual_network_key = "cloudngfw-vnet"
trusted_subnet_key = "trusted"
untrusted_subnet_key = "untrusted"
cloudngfw_config = {
rulestack_id = "" # TODO: Put rulestack ID
}
}
}
- management_mode = "rulestack" & attachment_type ="vhub" - deploys Cloud NGFW attached to a Virtual Hub in a Virtual WAN environment, managed through a local rulestack. Includes options to create or reference public IP addresses.
cloudngfws = {
"cloudngfw" = {
name = "cloudngfw"
attachment_type = "vhub"
management_mode = "panorama"
virtual_wan_key = "virtual_wan"
virtual_hub_key = "virtual_hub"
palo_alto_virtual_appliance_name = "cloudngfw-vhub-nva"
cloudngfw_config = {
rulestack_id = "" # TODO: Put rulestack ID
}
}
}
Reference
Requirements
terraform, version: >= 1.5, < 2.0azurerm, version: ~> 4.19
Providers
azurerm, version: ~> 4.19
Resources
palo_alto_next_generation_firewall_virtual_hub_local_rulestack(managed)palo_alto_next_generation_firewall_virtual_hub_panorama(managed)palo_alto_next_generation_firewall_virtual_network_local_rulestack(managed)palo_alto_next_generation_firewall_virtual_network_panorama(managed)palo_alto_virtual_network_appliance(managed)public_ip(managed)public_ip(data)
Required Inputs
| Name | Type | Description |
|---|---|---|
name | string | The name of the Azure Cloud Next-Generation Firewall by Palo Alto Networks. |
resource_group_name | string | The name of the Resource Group to use. |
region | string | The name of the Azure region to deploy the resources in. |
attachment_type | string | Defines how the cloudngfw (Cloud NGFW) is attached. |
management_mode | string | Defines how the cloudngfw is managed. |
cloudngfw_config | object | Map of objects describing Palo Alto Next Generation Firewalls (cloudngfw). |
Optional Inputs
| Name | Type | Description |
|---|---|---|
tags | map | The map of tags to assign to all created resources. |
virtual_network_id | string | The ID of the Azure Virtual Network (VNET) to be used for connecting to cloudngfw. |
untrusted_subnet_id | string | The ID of the subnet designated for untrusted resources within the virtual network. |
trusted_subnet_id | string | The ID of the subnet designated for trusted resources within the virtual network. |
virtual_hub_id | string | The ID of the Azure Virtual Hub used for connecting various network resources. |
Outputs
| Name | Description |
|---|---|
palo_alto_virtual_network_appliance_id | The identifier of the created Palo Alto Virtual Network Appliance. |
Required Inputs details
name
The name of the Azure Cloud Next-Generation Firewall by Palo Alto Networks.
Type: string
resource_group_name
The name of the Resource Group to use.
Type: string
region
The name of the Azure region to deploy the resources in.
Type: string
attachment_type
Defines how the cloudngfw (Cloud NGFW) is attached.
- When set to
vnet, the cloudngfw is used to filter traffic between trusted and untrusted subnets within a Virtual Network. - When set to
vwan, the cloudngfw is used to filter traffic within the Azure Virtual WAN.
Type: string
management_mode
Defines how the cloudngfw is managed.
- When set to
panorama, the cloudngfw policies are managed through Panorama. - When set to
rulestack, the cloudngfw policies are managed through Azure Rulestack.
Type: string
cloudngfw_config
Map of objects describing Palo Alto Next Generation Firewalls (cloudngfw).
List of available properties:
plan_id- (string, optional, defaults topanw-cngfw-payg) the former plan_idpanw-cloud-ngfw-paygis defined as stop sell, but has been set as the provider default to not break any existing resources that were originally provisioned with it. Users need to explicitly set theplan_idtopanw-cngfw-paygwhen creating new resources.marketplace_offer_id- (string, optional, defaults topan_swfw_cloud_ngfw) the marketplace offer ID, changing this forces a new resource to be created.panorama_base64_config- (string, optional) the Base64-encoded configuration for connecting to Panorama server. This field is required whenmanagement_modeis set topanorama.rulestack_id- (string, optional) the ID of the Local Rulestack used to configure this Firewall Resource. This field is required whenmanagement_modeis set torulestack.create_public_ip- (bool, optional, defaults totrue) controls if the Public IP resource is created or sourced. This field is ignored when the variablepublic_ip_idsis used.public_ip_name- (string, optional) the name of the Public IP resource. This field is required unless the variablepublic_ip_idsis used.public_ip_resource_group_name- (string, optional) the name of the Resource Group hosting the Public IP resource. This is used only for sourced resources.public_ip_ids- (map, optional) a map of IDs for public IP addresses. Each key represents a logical identifier and the value is the resource ID of the public IP.egress_nat_ip_ids- (map, optional) a map of IDs for egress NAT public IP addresses. Each key represents a logical identifier and the value is the resource ID of the public IP.trusted_address_ranges- (list, optional) a list of public IP address ranges that will be treated as internal traffic by Cloud NGFW in addition to RFC 1918 private subnets. Each list entry has to be in a CIDR format.destination_nats- (map, optional) defines one or more destination NAT configurations. Each object supports the following properties:destination_nat_name- (string, required) the name of the Destination NAT. Must be unique within this map.destination_nat_protocol- (string, required) the protocol for this Destination NAT. Possible values areTCPorUDP.frontend_public_ip_address_id- (string, optional) the ID referencing the public IP that receives the traffic. This is used only when the variablepublic_ip_idsis utilized.frontend_port- (number, required) the port on which traffic will be received. Must be in the range from 1 to 65535.backend_ip_address- (string, required) the IPv4 address to which traffic will be forwarded.backend_port- (number, required) the port number to which traffic will be sent. Must be in the range from 1 to 65535.
Type:
object({
plan_id = optional(string, "panw-cngfw-payg")
marketplace_offer_id = optional(string, "pan_swfw_cloud_ngfw")
panorama_base64_config = optional(string)
rulestack_id = optional(string)
create_public_ip = optional(bool, true)
public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
public_ip_ids = optional(map(string))
egress_nat_ip_ids = optional(map(string))
trusted_address_ranges = optional(list(string))
destination_nats = optional(map(object({
destination_nat_name = string
destination_nat_protocol = string
frontend_public_ip_address_id = optional(string)
frontend_port = number
backend_ip_address = string
backend_port = number
})), {})
})
Optional Inputs details
tags
The map of tags to assign to all created resources.
Type: map(string)
Default value: map[]
virtual_network_id
The ID of the Azure Virtual Network (VNET) to be used for connecting to cloudngfw.
This variable is required when attachment_type is set to "vnet".
Type: string
Default value: &{}
untrusted_subnet_id
The ID of the subnet designated for untrusted resources within the virtual network.
This variable is required when attachment_type is set to "vnet".
Type: string
Default value: &{}
trusted_subnet_id
The ID of the subnet designated for trusted resources within the virtual network.
This variable is required when attachment_type is set to "vnet".
Type: string
Default value: &{}
virtual_hub_id
The ID of the Azure Virtual Hub used for connecting various network resources.
This variable is required when attachment_type is set to "vwan".
Type: string
Default value: &{}