project changes 2025-05-12 12:09:04 +02:00
.gitignore changes 2025-05-09 13:57:02 +00:00
00-provider.tf changes 2025-05-09 13:57:02 +00:00
01-network.tf remove length 2025-08-19 15:39:23 +02:00
02-paloalto-image.tf fix project id 2025-05-12 11:27:56 +02:00
03-paloalto_appliance.tf fix project id 2025-05-12 11:27:56 +02:00
04-attachment.tf changes 2025-05-13 10:03:37 +02:00
05-security-group.tf changes 2025-05-13 10:03:37 +02:00
99-variables.tf changes 2025-05-12 12:09:04 +02:00
README.md changes due to updates on the iaas api 2025-08-05 08:20:16 +00:00

Palo Alto HA Setup with Terraform (STACKIT Cloud)

This Terraform configuration creates a new project inside your organisation together with an SNA (STACKIT Network Area) as described in the .tf files, then deploys two Palo Alto firewalls in a High Availability (HA) setup on the STACKIT Cloud IaaS layer. It includes the configuration needed for floating IPs (VIPs), port security, and network interface rules. This is example code only, so adapt it to your needs!


๐Ÿ› ๏ธ Key Concepts

๐Ÿ” High Availability (HA)

Two firewalls are deployed with identical network interfaces. A virtual IP (VIP) is configured per interface pair; on failover the VIP moves from the active unit to the passive one.

🧷 Port Security & VIPs

  • port_security must stay enabled on the interfaces where the VIP can become active.
  • Do not attach the VIP to any server or instance as a fixed interface address!
  • The VIP must be added as an allowed_address_pair (allowed_addresses) on the relevant interface of both firewalls, not just on the currently active one.

✅ Requirements


🚧 Limitations & Notes

  • VIP must not be attached to any instance
    The floating IP (VIP) is owned and moved entirely by the Palo Alto HA configuration. Do not associate this IP statically with any compute instance or network interface via Terraform.

  • Setting CIDRs in allowed_addresses
    Specify the VIP as a /32 entry (e.g., 10.220.131.30/32); other prefix lengths (e.g., /24) are not supported for the VIP and are rejected or silently ignored. In addition, add 0.0.0.0/0 as a second entry in the list; without it the failover does not work.

  • Traffic failure if allowed_addresses are missing
    If the VIP is not explicitly listed in allowed_addresses on each port where it might become active, port security drops the traffic without any error message, and neighbours are left with missing or stale ARP entries for the VIP.

  • Security groups must explicitly allow VIP traffic
    When using port_security = true, ensure that the correct security group rules allow inbound/outbound traffic for the VIP address. If omitted, traffic will be blocked.

  • Interface networks must match on both firewalls
    For a successful HA sync and failover, interfaces on both firewalls must be connected to the same virtual networks with matching roles (e.g., both wan, both lan1, etc.).

  • No dynamic interface switching in Terraform
    VIP failover happens at the firewall level. Terraform does not enable or disable interfaces; make sure the Palo Alto HA configuration is set up correctly within PAN-OS.

  • HA Sync and Preemption is not handled by Terraform
    The logic for state sync, failover, and preemption priorities must be configured manually in the firewall GUI or CLI. This project only provisions the infrastructure.

  • Floating IP switch only possible with GARP
    Important: after a failover the floating IP only works if the newly active unit sends a Gratuitous ARP (GARP). This updates the IP-to-MAC binding on neighbouring network devices; without it, traffic keeps going to the old unit's MAC address until its ARP entry expires.
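Putting the port-security and VIP rules above together, this is how they map onto STACKIT Terraform resources for one interface pair (the WAN side). It is an added example written for this README, not the repository's own .tf files: the project ID, network ID, image ID, machine type, the security-group rule and the VIP 10.220.131.30 are placeholders, and the attribute names follow the STACKIT Terraform provider's schema as understood when writing this example, so check them against the provider documentation for your provider version.

```hcl
# Added example, not part of this repository: VIP handling for the WAN side
# of the HA pair. All IDs, addresses and the machine type are assumptions.

variable "project_id"        { type = string } # project created by 00-provider.tf / 99-variables.tf
variable "wan_network_id"    { type = string } # WAN network that BOTH firewalls share
variable "paloalto_image_id" { type = string } # image uploaded by 02-paloalto-image.tf

locals {
  firewalls = toset(["fw1", "fw2"])
  vip_wan   = "10.220.131.30" # assumed WAN VIP, claimed by whichever unit is active

  # allowed_addresses for every port the VIP may land on:
  #   - the VIP itself as a /32 (other prefix lengths are rejected or ignored)
  #   - 0.0.0.0/0 as the second entry, without which the failover does not work
  wan_allowed = ["${local.vip_wan}/32", "0.0.0.0/0"]
}

# Security group applied to the port-secured interfaces. Because port security
# stays on (security = true), traffic to/from the VIP passes only if a rule
# here allows it; this assumed rule admits HTTPS towards the firewalls.
resource "stackit_security_group" "fw" {
  project_id = var.project_id
  name       = "palo-fw"
}

resource "stackit_security_group_rule" "vip_https_in" {
  project_id        = var.project_id
  security_group_id = stackit_security_group.fw.security_group_id
  direction         = "ingress"
  ether_type        = "IPv4"
  ip_range          = "0.0.0.0/0" # tighten to the client ranges you actually need
  protocol          = { name = "tcp" }
  port_range        = { min = 443, max = 443 }
}

# One WAN interface per firewall, on the SAME network with the SAME allowed
# addresses, so the VIP is valid on both units and HA sync/failover works.
resource "stackit_network_interface" "fw_wan" {
  for_each = local.firewalls

  project_id         = var.project_id
  network_id         = var.wan_network_id
  name               = "${each.key}-wan"
  security           = true # port security stays enabled
  security_group_ids = [stackit_security_group.fw.security_group_id]
  allowed_addresses  = local.wan_allowed
}

resource "stackit_server" "fw" {
  for_each = local.firewalls

  project_id   = var.project_id
  name         = each.key
  machine_type = "g1.4" # assumption; pick a flavour supported in your region
  boot_volume = {
    source_type = "image"
    source_id   = var.paloalto_image_id
    size        = 60
  }
  network_interfaces = [stackit_network_interface.fw_wan[each.key].network_interface_id]
}

# Deliberately absent: no interface whose fixed IPv4 address is the VIP and no
# public-IP association for it. The active unit claims the VIP itself and
# announces it with gratuitous ARP on failover; Terraform must not bind it to a port.
```

Before applying, run `terraform plan` and check that both `fw_wan` interfaces show the same two `allowed_addresses` entries and the same `network_id`; an interface missing the /32 or the 0.0.0.0/0 entry is exactly the silent-failure case described above. Repeat the same pattern for each further interface pair (lan1, HA link, and so on) with its own VIP.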