# Palo Alto HA Setup with Terraform (Stackit Cloud) This Terraform configuration sets up a new project inside your organisation with an SNA as described in the .tf file. Then two **Palo Alto Firewalls** in a **High Availability (HA)** setup on the **Stackit Cloud IaaS** layer will be deployed. It includes proper configuration for floating IPs (VIPs), port security, and network interface rules. This is only example code, so please change for your needs ! --- ## ๐Ÿ› ๏ธ Key Concepts ### ๐Ÿ” High Availability (HA) Two firewalls are deployed with identical network interfaces. A virtual IP (VIP) is configured for failover between the two units. ### ๐Ÿงท Port Security & VIPs - `port_security` **must be enabled** on interfaces where the **VIP** is active. - **Do not attach** the VIP IP to any server or instance! - VIP must be added as an `allowed_address_pair` on **both firewalls'** relevant interfaces. --- ## โœ… Requirements - Terraform โ‰ฅ 1.3.x - [Stackit Terraform Provider](https://registry.terraform.io/providers/stackitcloud/stackit/latest) - Palo Alto VM-Series Images (pre-imported into the Stackit project) --- ## ๐Ÿ” Configuration Rules | Rule | Explanation | |---------------------------------------------------|-------------| | **Do NOT attach VIP IP to any VM** | The VIP is managed by the HA sync between the firewalls. | | **VIP must be set with `/32`** | CIDR ranges are not supported for allowed addresses. | | **VIP must be defined as `allowed_address_pair`** | On both firewalls where it can be active. | | **Port security must be enabled** | On interfaces holding the VIP. | | **Security groups must allow traffic for VIP** | If port security is enabled, define rules accordingly. | --- ## ๐Ÿšง Limitations & Notes - **VIP must not be attached to any instance** The floating IP (VIP) is managed entirely by the Palo Alto HA configuration. Do **not** associate this IP statically with any compute instance via Terraform. - **Only /32 allowed in `allowed_addresses`** You **must** specify the VIP as a `/32` IP (e.g., `10.220.131.30/32`) โ€” CIDR blocks (e.g., `/24`) are not supported and will be rejected or silently ignored. - **Routing issues if `allowed_addresses` are missing** If the VIP is not explicitly added to `allowed_addresses` on each port where it might be active, network traffic will fail silently due to missing neighbor/ARP entries. - **Security groups must explicitly allow VIP traffic** When using `port_security = true`, ensure that the correct **security group rules** allow inbound/outbound traffic for the VIP address. If omitted, traffic will be blocked. - **Interface networks must match on both firewalls** For a successful HA sync and failover, interfaces on both firewalls must be connected to the **same virtual networks** with matching roles (e.g., both `wan`, both `lan1`, etc.). - **No dynamic interface switching in Terraform** VIP failover happens on the firewall level. Terraform is **not** responsible for enabling/disabling interfaces โ€” make sure the Palo Alto HA config is correctly set up within the OS. - **HA Sync and Preemption is not handled by Terraform** The logic for state sync, failover, and preemption priorities must be configured manually in the firewall GUI or CLI. This project only provisions the infrastructure.