change readme

2025-05-13 10:16:36 +02:00 · 2025-05-13 10:16:36 +02:00 · 916e582c51
commit 916e582c51
parent 7f4784c237
1 changed files with 31 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -19,22 +19,44 @@ Two firewalls are deployed with identical network interfaces. A virtual IP (VIP)
 ## ✅ Requirements

 - Terraform ≥ 1.3.x
- Stackit Terraform Provider
+- [Stackit Terraform Provider](https://registry.terraform.io/providers/stackitcloud/stackit/latest)
 - Palo Alto VM-Series Images (pre-imported into the Stackit project)

 ---

-## 🔐 VIP Configuration Rules
+## 🔐 Configuration Rules

-| Requirement                        | Value / Note                                       |
-|------------------------------------|----------------------------------------------------|
-| Port Security Enabled              | ✅ `true` on VIP interfaces                        |
-| VIP Attachment                     | ❌ Do **not** attach VIP to any instance           |
-| Allowed Address Pair               | ✅ Add VIP with `/32` notation                     |
-| Allowed Address Format             | `10.220.131.30/32`                                 |
-| Security Group for VIP Interface   | ✅ Required if `port_security = true`              |
+| Rule                                              | Explanation |
+|---------------------------------------------------|-------------|
+| **Do NOT attach VIP IP to any VM**                | The VIP is managed by the HA sync between the firewalls. |
+| **VIP must be set with `/32`**                    | CIDR ranges are not supported for allowed addresses. |
+| **VIP must be defined as `allowed_address_pair`** | On both firewalls where it can be active. |
+| **Port security must be enabled**                 | On interfaces holding the VIP. |
+| **Security groups must allow traffic for VIP**    | If port security is enabled, define rules accordingly. |

 ---

+## 🚧 Limitations & Notes
+
+- **VIP must not be attached to any instance**  
+  The floating IP (VIP) is managed entirely by the Palo Alto HA configuration. Do **not** associate this IP statically with any compute instance via Terraform.
+
+- **Only /32 allowed in `allowed_addresses`**  
+  You **must** specify the VIP as a `/32` IP (e.g., `10.220.131.30/32`) — CIDR blocks (e.g., `/24`) are not supported and will be rejected or silently ignored.
+
+- **Routing issues if `allowed_addresses` are missing**  
+  If the VIP is not explicitly added to `allowed_addresses` on each port where it might be active, network traffic will fail silently due to missing neighbor/ARP entries.
+
+- **Security groups must explicitly allow VIP traffic**  
+  When using `port_security = true`, ensure that the correct **security group rules** allow inbound/outbound traffic for the VIP address. If omitted, traffic will be blocked.
+
+- **Interface networks must match on both firewalls**  
+  For a successful HA sync and failover, interfaces on both firewalls must be connected to the **same virtual networks** with matching roles (e.g., both `wan`, both `lan1`, etc.).
+
+- **No dynamic interface switching in Terraform**  
+  VIP failover happens on the firewall level. Terraform is **not** responsible for enabling/disabling interfaces — make sure the Palo Alto HA config is correctly set up within the OS.
+
+- **HA Sync and Preemption is not handled by Terraform**  
+  The logic for state sync, failover, and preemption priorities must be configured manually in the firewall GUI or CLI. This project only provisions the infrastructure.