Azure security with VM-Series in a hub-and-spoke architecture

Azure Transit VNet with the VM-Series

The Azure Transit VNet with the VM-Series deploys a hub-and-spoke architecture to centralize commonly used services such as security and secure connectivity. All traffic to and from the Spokes "transits" the Hub VNet and is protected by the VM-Series next-generation firewall. To get started, the Hub VNet must be deployed first and the Spoke VNets deployed afterwards. Once a Spoke is deployed, the VNets are dynamically peered to allow cross-VNet communication. For more information on deployment, please see the Deployment Guide.

Please note that the Azure Standard Load Balancer is still in preview, and you will need to sign up with Azure to access this resource before launching the template. For further information, see the link below: Azure Standard Load Balancer (Preview)

Hub VNet

The Hub VNet is deployed exclusively to handle outbound traffic that originates from within the Hub or Spoke VNets. This outbound workflow keeps traffic originating inside your VNets segmented from traffic that originates outside of them, and it ensures that only whitelisted external requests are allowed by leveraging VM-Series security policies. By providing a single exit point for traffic originating within your VNets, you can ensure that all outbound traffic is secured to the standards required by your organization.

This topology consists of:

  • 2 VM-Series Firewalls
  • 1 Standard Outbound Load Balancer

Spoke VNet

Using the Spoke VNet template, you can deploy as many Spokes as needed to host internal-only or public-facing workloads. Return traffic for inbound web access requests traverses the same path on which it was received, and traffic originating from the Hub and Spoke networks exits through the Hub VNet exclusively.

This topology consists of:

  • 1 Application Gateway functioning as an external load balancer listening on port 80.
  • Spoke subnets 192.168.0.0/21, 192.168.8.0/21, and so on.
  • 2 VM-Series Firewalls [Optional]
  • 1 Internal Load Balancer
  • 2 Linux web servers
  • 1 UDR sending all default-route traffic to the Hub VNet Standard Load Balancer.
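As an added example (not part of the repository's templates), the following Python audit models the spoke design described above: it allocates the next /21 spoke block and checks that each spoke's UDR sends 0.0.0.0/0 to the hub load balancer front end as a virtual-appliance next hop, and that spoke address spaces do not overlap the hub or each other (VNet peering requires non-overlapping address spaces). The hub address space and load balancer IP are assumed sample values.

```python
import ipaddress

# Constructed sample data (not from the templates): a hub VNet whose Standard
# Load Balancer front end is the next hop for every spoke's default route.
HUB = {"address_space": "10.5.0.0/16", "lb_frontend_ip": "10.5.1.10"}

SPOKES = [
    {"name": "spoke1", "address_space": "192.168.0.0/21",
     "routes": [{"prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance",
                 "next_hop_ip": "10.5.1.10"}]},
    # Misconfigured on purpose: default route goes straight to the Internet.
    {"name": "spoke2", "address_space": "192.168.8.0/21",
     "routes": [{"prefix": "0.0.0.0/0", "next_hop_type": "Internet",
                 "next_hop_ip": None}]},
]


def next_spoke_prefix(used, pool="192.168.0.0/16", prefixlen=21):
    """Return the first unused /21 in the pool, i.e. the next spoke block."""
    taken = [ipaddress.ip_network(u) for u in used]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(t) for t in taken):
            return str(cand)
    raise ValueError("spoke address pool exhausted")


def check_spoke(spoke, hub, others=()):
    """Findings for one spoke; an empty list means all egress transits the hub."""
    findings = []
    space = ipaddress.ip_network(spoke["address_space"])
    peers = [("hub", hub["address_space"])]
    peers += [(o["name"], o["address_space"]) for o in others]
    for name, other in peers:
        if space.overlaps(ipaddress.ip_network(other)):
            findings.append(f"address space overlaps {name}; peering will fail")
    defaults = [r for r in spoke["routes"] if r["prefix"] == "0.0.0.0/0"]
    if len(defaults) != 1:
        findings.append("expected exactly one 0.0.0.0/0 route in the UDR")
    for r in defaults:
        if r["next_hop_type"] != "VirtualAppliance":
            findings.append(f"default route next hop is {r['next_hop_type']},"
                            " bypasses the hub firewalls")
        elif r["next_hop_ip"] != hub["lb_frontend_ip"]:
            findings.append("default route does not point at the hub LB front end")
    return findings


def audit(spokes=SPOKES, hub=HUB):
    """Map each spoke name to its findings, checking overlap against the rest."""
    return {s["name"]: check_spoke(s, hub, [o for o in spokes if o is not s])
            for s in spokes}
```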

[Figure: Spoke topology with VM-Series Firewall, showing Spoke 1 and Spoke 2]

[Figure: Spoke topology without VM-Series Firewall]

Deployment guide

The deployment guide can be found here.

Support Policy

The code and templates in the repo are released under an as-is, best-effort support policy. These scripts should be seen as community supported, and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options, such as Palo Alto Networks support teams, ASC (Authorized Support Centers) partners, and backline support options. The underlying product used by the scripts or templates (the VM-Series firewall) is still supported, but the support covers only the product functionality, not help in deploying or using the template or script itself. Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or on sites other than our official Downloads page at https://support.paloaltonetworks.com are provided under the best-effort policy.