# Palo Alto HA Setup with Terraform (Stackit Cloud)
This Terraform configuration deploys two **Palo Alto Firewalls** in a **High Availability (HA)** setup on the **Stackit Cloud IaaS** layer. It includes the configuration for the floating IP (VIP), port security, and the network-interface rules the VIP needs in order to move between the two units.
---
## Key Concepts
### High Availability (HA)
Two firewalls are deployed with identical network interfaces. A virtual IP (VIP) is configured for failover between the two units: the VIP is not the fixed address of either unit's port, so the IaaS layer has to be told explicitly to accept traffic for that address on both firewall interfaces (see the port security rules below).
### Port Security & VIPs
- `port_security` **must be enabled** on interfaces where the **VIP** is active. Switching port security off would also let VIP traffic through, but it removes address filtering (and security-group enforcement) for every address on that port, not just the VIP; the allowed-address-pair entry is the narrow exception you actually want.
- **Do not attach** the VIP to any server or instance! The VIP must never appear as the fixed IP of a port; the IaaS layer should only ever see it as an allowed address pair.
- The VIP must be added as an `allowed_address_pair` (in `/32` notation) on the relevant interfaces of **both firewalls**; if it is missing on the passive unit, that unit's VIP traffic is dropped after a failover.
---
## Requirements
- Terraform ≥ 1.3.x
- Stackit Terraform Provider
- Palo Alto VM-Series Images (pre-imported into the Stackit project)
---
## VIP Configuration Rules
| Requirement                        | Value / Note                                       |
|------------------------------------|----------------------------------------------------|
| Port Security Enabled              | ✅ `true` on VIP interfaces                        |
| VIP Attachment                     | ❌ Do **not** attach the VIP to any instance       |
| Allowed Address Pair               | ✅ Add the VIP in `/32` notation                   |
| Allowed Address Format             | `10.220.131.30/32`                                 |
| Security Group for VIP Interface   | ✅ Required if `port_security = true`              |
---