project changes 2025-05-12 12:09:04 +02:00
.gitignore changes 2025-05-09 13:57:02 +00:00
00-provider.tf changes 2025-05-09 13:57:02 +00:00
01-network.tf changes 2025-05-12 12:09:04 +02:00
02-paloalto-image.tf fix project id 2025-05-12 11:27:56 +02:00
03-paloalto_appliance.tf fix project id 2025-05-12 11:27:56 +02:00
04-attachment.tf changes 2025-05-13 10:03:37 +02:00
05-security-group.tf changes 2025-05-13 10:03:37 +02:00
99-variables.tf changes 2025-05-12 12:09:04 +02:00
README.md changes 2025-05-13 10:03:37 +02:00

Palo Alto HA Setup with Terraform (Stackit Cloud)

This Terraform configuration sets up two Palo Alto Firewalls in a High Availability (HA) setup on the Stackit Cloud IaaS layer. It includes proper configuration for floating IPs (VIPs), port security, and network interface rules.


๐Ÿ› ๏ธ Key Concepts

๐Ÿ” High Availability (HA)

Two firewalls are deployed with identical network interfaces. A virtual IP (VIP) is configured for failover between the two units.

🧷 Port Security & VIPs

  • port_security must be enabled on interfaces where the VIP is active.
  • Do not attach the VIP IP to any server or instance!
  • VIP must be added as an allowed_address_pair on both firewalls' relevant interfaces.

✅ Requirements

  • Terraform ≥ 1.3.x
  • Stackit Terraform Provider
  • Palo Alto VM-Series Images (pre-imported into the Stackit project)

๐Ÿ” VIP Configuration Rules

| Requirement | Value / Note |
|---|---|
| Port Security Enabled | ✅ true on VIP interfaces |
| VIP Attachment | ❌ Do not attach VIP to any instance |
| Allowed Address Pair | ✅ Add VIP with /32 notation |
| Allowed Address Format | 10.220.131.30/32 |
| Security Group for VIP Interface | ✅ Required if port_security = true |
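
As an added example (not part of this repository), the rules in the table above can be checked before an apply with a short Python script. The interface records and their keys are assumptions made for the example, not the Stackit provider's schema; only the VIP value comes from this README.

```python
import ipaddress

# Keys used below (name, ipv4, port_security, allowed_address_pairs,
# security_groups) are hypothetical, not the Stackit provider's schema.
def check_vip_rules(vip, interfaces):
    """Return rule violations for an HA VIP across the firewalls' interfaces."""
    vip_addr = ipaddress.ip_address(vip)
    findings = []
    if len(interfaces) < 2:
        findings.append("VIP must be allowed on both firewalls' interfaces")
    for nic in interfaces:
        name = nic["name"]
        # Port security must stay on, and then a security group is required.
        if not nic.get("port_security"):
            findings.append(f"{name}: port security is disabled")
        elif not nic.get("security_groups"):
            findings.append(f"{name}: port security on but no security group")
        # The VIP is never the address of an instance interface.
        if ipaddress.ip_address(nic["ipv4"]) == vip_addr:
            findings.append(f"{name}: VIP is attached as the interface address")
        # The VIP must appear as an exact host entry in /32 notation.
        allowed = False
        for entry in nic.get("allowed_address_pairs", []):
            net = ipaddress.ip_network(entry, strict=False)
            if vip_addr not in net:
                continue
            if "/" in entry and net.prefixlen == net.max_prefixlen:
                allowed = True
            else:
                findings.append(f"{name}: {entry} covers the VIP but is not /32")
        if not allowed:
            findings.append(f"{name}: {vip}/32 missing from allowed addresses")
    return findings

# Constructed sample data; only the VIP value comes from the README.
VIP = "10.220.131.30"
GOOD = [
    {"name": "fw1-untrust", "ipv4": "10.220.131.11", "port_security": True,
     "allowed_address_pairs": ["10.220.131.30/32"], "security_groups": ["sg-vip"]},
    {"name": "fw2-untrust", "ipv4": "10.220.131.12", "port_security": True,
     "allowed_address_pairs": ["10.220.131.30/32"], "security_groups": ["sg-vip"]},
]
BAD = [
    {"name": "fw1-untrust", "ipv4": "10.220.131.30", "port_security": False,
     "allowed_address_pairs": ["10.220.131.0/24"], "security_groups": []},
    {"name": "fw2-untrust", "ipv4": "10.220.131.12", "port_security": True,
     "allowed_address_pairs": [], "security_groups": []},
]
```

`check_vip_rules(VIP, GOOD)` returns an empty list, while `check_vip_rules(VIP, BAD)` reports each broken rule per interface.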