Palo Alto HA Setup with Terraform (Stackit Cloud)
This Terraform configuration sets up two Palo Alto Firewalls in a High Availability (HA) setup on the Stackit Cloud IaaS layer. It includes proper configuration for floating IPs (VIPs), port security, and network interface rules.
Key Concepts
High Availability (HA)
Two firewalls are deployed with identical network interfaces. A virtual IP (VIP) is configured for failover between the two units.
Port Security & VIPs
- `port_security` must be enabled on interfaces where the VIP is active.
- Do not attach the VIP IP to any server or instance!
- VIP must be added as an `allowed_address_pair` on both firewalls' relevant interfaces.
Requirements
- Terraform ≥ 1.3.x
- Stackit Terraform Provider
- Palo Alto VM-Series Images (pre-imported into the Stackit project)
VIP Configuration Rules
| Requirement | Value / Note |
|---|---|
| Port Security Enabled | ✅ `true` on VIP interfaces |
| VIP Attachment | ❌ Do not attach VIP to any instance |
| Allowed Address Pair | ✅ Add VIP with /32 notation |
| Allowed Address Format | 10.220.131.30/32 |
| Security Group for VIP Interface | ✅ Required if `port_security = true` |
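
The rules in the table can be checked before `terraform apply`. The following is an added example, not part of this repository's Terraform code: the field names mirror this README's wording (`port_security`, `allowed_address_pair`) rather than the Stackit provider schema, and the port data and names are constructed samples.

```python
import ipaddress

VIP = "10.220.131.30/32"  # address format taken from the table above

# Constructed sample: simplified view of both firewalls' VIP-facing ports.
# Field names follow this README's wording and are assumptions, not provider attributes.
SAMPLE_PORTS = [
    {"name": "fw1-untrust", "fixed_ip": "10.220.131.11", "port_security": True,
     "security_groups": ["sg-vip"], "allowed_address_pair": ["10.220.131.30/32"]},
    {"name": "fw2-untrust", "fixed_ip": "10.220.131.12", "port_security": True,
     "security_groups": [], "allowed_address_pair": ["10.220.131.30"]},
]


def check_vip_ports(ports, vip=VIP):
    """Return (port name, finding) tuples for every violated VIP rule."""
    vip_net = ipaddress.ip_network(vip, strict=True)
    findings = []
    if vip_net.prefixlen != vip_net.max_prefixlen:
        findings.append(("<vip>", "VIP must be a single host address (/32)"))
    for port in ports:
        name = port["name"]
        if not port.get("port_security"):
            findings.append((name, "port_security must be true on VIP interfaces"))
        elif not port.get("security_groups"):
            findings.append((name, "security group required when port_security = true"))
        # Exact string match: the pair must be written in /32 notation.
        if vip not in port.get("allowed_address_pair", []):
            findings.append((name, f"VIP missing from allowed_address_pair as {vip}"))
        # The VIP floats between the units; it must not be a port's own address.
        if ipaddress.ip_address(port["fixed_ip"]) in vip_net:
            findings.append((name, "VIP is attached to an instance port"))
    return findings


if __name__ == "__main__":
    for name, finding in check_vip_ports(SAMPLE_PORTS):
        print(f"{name}: {finding}")
```

In the sample, `fw2-untrust` fails twice: it has no security group, and its allowed address pair lacks the `/32` suffix.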