Palo Alto Networks VMSS Module for Azure
A terraform module for VMSS VM-Series firewalls in Azure.
NOTE \
Due to lack of proper method of running health probes against Pan-OS based VMs running in a Scale Set, the upgrade_mode property is hardcoded to Manual. For this mode to actually work the roll_instances_when_required provider feature has to be also configured and set to false. Unfortunately this cannot be set in the vmss module, it has to be specified in the root module.
Therefore, when using this module please add the following provider block to your code:
provider "azurerm" {
features {
virtual_machine_scale_set {
roll_instances_when_required = false
}
}
}
Usage
module "vmss" {
source = "PaloAltoNetworks/vmseries-modules/azurerm//modules/vmss"
location = "Australia Central"
name_prefix = "pan"
password = "your-password"
subnet_mgmt = azurerm_subnet.subnet_mgmt
subnet_private = azurerm_subnet.subnet_private
subnet_public = module.networks.subnet_public
bootstrap_storage_account = module.panorama.bootstrap_storage_account
bootstrap_share_name = "inboundsharename"
vhd_container = "vhd-storage-container-id"
lb_backend_pool_id = "private-backend-pool-id"
}
Reference
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.2, < 2.0 |
| azurerm | ~> 3.25 |
Providers
| Name | Version |
|---|---|
| azurerm | ~> 3.25 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| azurerm_linux_virtual_machine_scale_set.this | resource |
| azurerm_monitor_autoscale_setting.this | resource |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name | Name of the created scale set. | string | n/a | yes |
| location | Region to install VM-Series and dependencies. | string | n/a | yes |
| resource_group_name | Name of the existing resource group where to place the resources created. | string | n/a | yes |
| vm_size | Azure VM size (type) to be created. Consult the VM-Series Deployment Guide as only a few selected sizes are supported. | string | "Standard_D3_v2" | no |
| interfaces | List of the network interface specifications. NOTICE. The ORDER in which you specify the interfaces DOES MATTER. Interfaces will be attached to VM in the order you define here, therefore: The first should be the management interface, which does not participate in data filtering. The remaining ones are the dataplane interfaces. Options for an interface object: - name - (required|string) Interface name.- subnet_id - (required|string) Identifier of an existing subnet to create interface in.- create_pip - (optional|bool) If true, create a public IP for the interface- lb_backend_pool_ids - (optional|list(string)) A list of identifiers of an existing Load Balancer backend pools to associate interface with.- appgw_backend_pool_ids - (optional|list(String)) A list of identifier of the Application Gateway backend pools to associate interface with.- pip_domain_name_label - (optional|string) The Prefix which should be used for the Domain Name Label for each Virtual Machine Instance.Example: | list(any) | n/a | yes |
| username | Initial administrative username to use for VM-Series. | string | "panadmin" | no |
| password | Initial administrative password to use for VM-Series. | string | n/a | yes |
| ssh_keys | A list of initial administrative SSH public keys that allow key-pair authentication. If not defined the password variable must be specified.This is a list of strings, so each item should be the actual public key value. If you would like to load them from files instead, following method is available: | list(string) | [] | no |
| disable_password_authentication | If true, disables password-based authentication on VM-Series instances. | bool | true | no |
| encryption_at_host_enabled | See the provider documentation. | bool | null | no |
| overprovision | See the provider documentation. | bool | false | no |
| platform_fault_domain_count | See the provider documentation. | number | null | no |
| proximity_placement_group_id | See the provider documentation. | string | null | no |
| scale_in_policy | Which virtual machines are chosen for removal when a Virtual Machine Scale Set is scaled in. Either: - Default, which, baring the availability zone usage and fault domain usage, deletes VM with the highest-numbered instance id,- NewestVM, which, baring the availability zone usage, deletes VM with the newest creation time,- OldestVM, which, baring the availability zone usage, deletes VM with the oldest creation time. | string | null | no |
| scale_in_force_deletion | When set to true will force delete machines selected for removal by the scale_in_policy. | bool | false | no |
| single_placement_group | See the provider documentation. | bool | null | no |
| zone_balance | See the provider documentation. | bool | true | no |
| zones | The availability zones to use, for example ["1", "2", "3"]. If an empty list, no Availability Zones are used: []. | list(string) | | no |
| storage_account_type | Type of Managed Disk which should be created. Possible values are Standard_LRS, StandardSSD_LRS or Premium_LRS. The Premium_LRS works only for selected vm_size values, details in Azure docs. | string | "StandardSSD_LRS" | no |
| disk_encryption_set_id | The ID of the Disk Encryption Set which should be used to encrypt this Data Disk. | string | null | no |
| use_custom_image | If true, use custom_image_id and ignore the inputs username, password, img_version, img_publisher, img_offer, img_sku (all these are used only for published images, not custom ones). | bool | false | no |
| custom_image_id | Absolute ID of your own Custom Image to be used for creating new VM-Series. The Custom Image is expected to contain PAN-OS software. | string | null | no |
| enable_plan | Enable usage of the Offer/Plan on Azure Marketplace. Even plan sku "byol", which means "bring your own license", still requires accepting on the Marketplace (as of 2021). Can be set to false when using a custom image. | bool | true | no |
| img_publisher | The Azure Publisher identifier for a image which should be deployed. | string | "paloaltonetworks" | no |
| img_offer | The Azure Offer identifier corresponding to a published image. For img_version 9.1.1 or above, use "vmseries-flex"; for 9.1.0 or below use "vmseries1". | string | "vmseries-flex" | no |
| img_sku | VM-Series SKU - list available with az vm image list -o table --all --publisher paloaltonetworks | string | "byol" | no |
| img_version | VM-Series PAN-OS version - list available for a default img_offer with az vm image list -o table --publisher paloaltonetworks --offer vmseries-flex --all | string | n/a | yes |
| accelerated_networking | If true, enable Azure accelerated networking (SR-IOV) for all dataplane network interfaces. Requires PAN-OS 9.0 or higher. The PAN-OS management interface (nic0) is never accelerated, whether this variable is true or false. | bool | true | no |
| application_insights_id | An ID of Application Insights instance that should be used to provide metrics for autoscaling. Note, to avoid false positives this should be an instance dedicated to this VMSS. | string | null | no |
| autoscale_count_default | The minimum number of instances that should be present in the scale set when the autoscaling engine cannot read the metrics or is otherwise unable to compare the metrics to the thresholds. | number | 2 | no |
| autoscale_count_minimum | The minimum number of instances that should be present in the scale set. | number | 2 | no |
| autoscale_count_maximum | The maximum number of instances that should be present in the scale set. | number | 5 | no |
| autoscale_notification_emails | List of email addresses to notify about autoscaling events. | list(string) | [] | no |
| autoscale_webhooks_uris | Map where each key is an arbitrary identifier and each value is a webhook URI. The URIs receive autoscaling events. | map(string) | {} | no |
| autoscale_metrics | Map of objects, where each key is the metric name to be used for autoscaling. Each value of the map has the attributes scaleout_threshold and scalein_threshold, which cause the instance count to grow by 1 when metrics are greater or equal, or decrease by 1 when lower or equal, respectively.The thresholds are applied to results of metrics' aggregation over a time window. Example: | map(any) | {} | no |
| scaleout_statistic | Aggregation to use within each minute (the time grain) for metrics coming from different virtual machines. Possible values are Average, Min and Max. | string | "Max" | no |
| scaleout_time_aggregation | Specifies how the metric should be combined over the time scaleout_window_minutes. Possible values are Average, Count, Maximum, Minimum, Last and Total. | string | "Maximum" | no |
| scaleout_window_minutes | This is amount of time in minutes that autoscale engine will look back for metrics. For example, 10 minutes means that every time autoscale runs, it will query metrics for the past 10 minutes. This allows metrics to stabilize and avoids reacting to transient spikes. Must be between 5 and 720 minutes. | number | 10 | no |
| scaleout_cooldown_minutes | Azure only considers adding a VM after this number of minutes has passed since the last VM scaling action. It should be much higher than scaleout_window_minutes, to account both for the VM-Series spin-up time and for the subsequent metrics stabilization time. Must be between 1 and 10080 minutes. | number | 25 | no |
| scalein_statistic | Aggregation to use within each minute (the time grain) for metrics coming from different virtual machines. Possible values are Average, Min and Max. | string | "Max" | no |
| scalein_time_aggregation | Specifies how the metric should be combined over the time scalein_window_minutes. Possible values are Average, Count, Maximum, Minimum, Last and Total. | string | "Maximum" | no |
| scalein_window_minutes | This is amount of time in minutes that autoscale engine will look back for metrics. For example, 10 minutes means that every time autoscale runs, it will query metrics for the past 10 minutes. This allows metrics to stabilize and avoids reacting to transient spikes. Must be between 5 and 720 minutes. | number | 15 | no |
| scalein_cooldown_minutes | Azure only considers deleting a VM after this number of minutes has passed since the last VM scaling action. Should be higher or equal to scalein_window_minutes. Must be between 1 and 10080 minutes. | number | 2880 | no |
| tags | Map of tags to use for all the created resources. | map(string) | {} | no |
| bootstrap_options | Bootstrap options to pass to VM-Series instance. Proper syntax is a string of semicolon separated properties. Example: bootstrap_options = "type=dhcp-client;panorama-server=1.2.3.4" For more details on bootstrapping see documentation: https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/bootstrap-the-vm-series-firewall/create-the-init-cfgtxt-file/init-cfgtxt-file-components | string | "" | no |
| diagnostics_storage_uri | The storage account's blob endpoint to hold diagnostic files. | string | null | no |
Outputs
| Name | Description |
|---|---|
| scale_set_name | Name of the created scale set. |
Custom Metrics
Firewalls can publish custom metrics (for example panSessionUtilization) to Azure Application Insights to improve the autoscaling.
This however requires a manual initialization: copy the outputs metrics_instrumentation_key and paste it into your
PAN-OS webUI -> Device -> VM-Series -> Azure. This module automatically
completes solely the Step 1 of the official procedure.
If you manage the configuration from Panorama, this can be done in the same place, however the PAN-OS VM-Series plugin needs to be installed on both Panorama and VM-Series.
The metrics gathered within a single Azure Application Insights instance provided by the module, cannot be split to obtain back a result for solely a single firewall. Thus for example if three firewalls use the same Instrumentation Key and report their respective session utilizations as 90%, 20%, 10%, it is possible to see in Azure the average of 40%, the sum of 120%, the max of 90%, but it is not possible to know which of the firewalls reported the 90% utilization.