This commit is contained in:
parent
248f554aed
commit
7f4784c237
3 changed files with 97 additions and 7 deletions
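--- a/04-attachment.tf
+++ b/04-attachment.tf
@@ -0,0 +1,25 @@
+resource "stackit_server_network_interface_attach" "nic-attachment-lan1" {
+project_id = module.project.project_info.project_id
+server_id = stackit_server.paloalto_server.server_id
+network_interface_id = stackit_network_interface.lan1.network_interface_id
+depends_on = [ stackit_server_network_interface_attach.nic-attachment-lan1 ]
+}
+resource "stackit_server_network_interface_attach" "nic-attachment-lan2" {
+project_id = module.project.project_info.project_id
+server_id = stackit_server.paloalto_server.server_id
+network_interface_id = stackit_network_interface.lan2.network_interface_id
+depends_on = [ stackit_server_network_interface_attach.nic-attachment-lan1 ]
+}
+
+resource "stackit_server_network_interface_attach" "nic-attachment-lan1_2" {
+project_id = module.project.project_info.project_id
+server_id = stackit_server.paloalto_server_2.server_id
+network_interface_id = stackit_network_interface.lan1_2.network_interface_id
+depends_on = [ stackit_server_network_interface_attach.nic-attachment-lan2 ]
+}
+resource "stackit_server_network_interface_attach" "nic-attachment-lan2_2" {
+project_id = module.project.project_info.project_id
+server_id = stackit_server.paloalto_server_2.server_id
+network_interface_id = stackit_network_interface.lan2_2.network_interface_id
+depends_on = [ stackit_server_network_interface_attach.nic-attachment-lan1_2 ]
+}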
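Review bot: `nic-attachment-lan1` lists itself in its own `depends_on` (the `stackit_server_network_interface_attach.nic-attachment-lan1` reference inside that very resource), which Terraform rejects as a self-referential dependency cycle, so this file will not plan as written. The other three attachments form a chain (lan2 → lan1, lan1_2 → lan2, lan2_2 → lan1_2), which looks like a deliberate way of serialising the attach calls; if so, the first link should have no `depends_on` at all, e.g. replace that line with `# first attachment in the chain; the others serialise behind it via depends_on`. Separately, this file reads the project id as `module.project.project_info.project_id` while 05-security-group.tf uses `module.project.project_info["project_id"]`; both forms should resolve against a map, but one spelling should be used throughout so a later type change does not break only half the files.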
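--- a/05-security-group.tf
+++ b/05-security-group.tf
@@ -0,0 +1,33 @@
+resource "stackit_security_group" "paloalto" {
+project_id = module.project.project_info["project_id"]
+name = "test"
+labels = {
+"key" = "example"
+}
+}
+
+resource "stackit_security_group_rule" "icmp_ingress" {
+project_id = module.project.project_info["project_id"]
+security_group_id = stackit_security_group.paloalto.security_group_id
+direction = "ingress"
+icmp_parameters = {
+code = 0
+type = 8
+}
+protocol = {
+name = "icmp"
+}
+}
+resource "stackit_security_group_rule" "icmp_egress" {
+project_id = module.project.project_info["project_id"]
+security_group_id = stackit_security_group.paloalto.security_group_id
+direction = "egress"
+icmp_parameters = {
+code = 0
+type = 8
+}
+protocol = {
+name = "icmp"
+}
+}
+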
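Review bot: Neither `icmp_ingress` nor `icmp_egress` carries any source or destination restriction, so the scope of each rule is whatever the provider defaults to — presumably any address — which is worth pinning explicitly rather than inheriting, given the README on this page says this group is what sits in front of the port-security-enabled VIP interfaces. The egress rule is a copy of the ingress one (ICMP type 8, code 0, i.e. echo request in both directions); if the intent is to let the two firewalls ping each other that is fine, but a comment on each rule would spare the next reader the guess, e.g. `# echo request to/from the peer firewall; replies assumed to be handled statefully — confirm`. `name = "test"` and the `"key" = "example"` label read as placeholders carried over from a provider example; give the group a name that states its role before this is applied.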
46
README.md
46
README.md
|
|
@ -1,8 +1,40 @@
|
||||||
1. terraform files for deploying two paloAlto Firewalls in a HA Setup
|
# Palo Alto HA Setup with Terraform (Stackit Cloud)
|
||||||
- important thing is to enable port_security on the interfaces which will hold the vip
|
|
||||||
- the interface with the VIP must not be attached to a server!
|
This Terraform configuration sets up two **Palo Alto Firewalls** in a **High Availability (HA)** setup on the **Stackit Cloud IaaS** layer. It includes proper configuration for floating IPs (VIPs), port security, and network interface rules.
|
||||||
- also the internal VIP IP has to be added as allowed_address, otherwise the move of the floating IP will not work.
|
|
||||||
It is not possible to a CIDR here. The IP must be set with /32.
|
---
|
||||||
- if you enable port_security also a security rule must be added with the relevant rules.
|
|
||||||
- the interfaces are added to the same network on firewall 1 and 2 for HA.
|
## 🛠️ Key Concepts
|
||||||
|
|
||||||
|
### 🔁 High Availability (HA)
|
||||||
|
Two firewalls are deployed with identical network interfaces. A virtual IP (VIP) is configured for failover between the two units.
|
||||||
|
|
||||||
|
### 🧷 Port Security & VIPs
|
||||||
|
- `port_security` **must be enabled** on interfaces where the **VIP** is active.
|
||||||
|
- **Do not attach** the VIP IP to any server or instance!
|
||||||
|
- VIP must be added as an `allowed_address_pair` on **both firewalls'** relevant interfaces.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## ✅ Requirements
|
||||||
|
|
||||||
|
- Terraform ≥ 1.3.x
|
||||||
|
- Stackit Terraform Provider
|
||||||
|
- Palo Alto VM-Series Images (pre-imported into the Stackit project)
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## 🔐 VIP Configuration Rules
|
||||||
|
|
||||||
|
| Requirement | Value / Note |
|
||||||
|
|------------------------------------|----------------------------------------------------|
|
||||||
|
| Port Security Enabled | ✅ `true` on VIP interfaces |
|
||||||
|
| VIP Attachment | ❌ Do **not** attach VIP to any instance |
|
||||||
|
| Allowed Address Pair | ✅ Add VIP with `/32` notation |
|
||||||
|
| Allowed Address Format | `10.220.131.30/32` |
|
||||||
|
| Security Group for VIP Interface | ✅ Required if `port_security = true` |
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||