PaloAltoNetworks · stefanskid · Dec 14, 2024 · Dec 15, 2024 · Dec 16, 2024 · Dec 16, 2024
@@ -0,0 +1,105 @@
+---
+short_title: Common CloudNGFW
+type: refarch
+show_in_hub: false
+swfw: cloudngfw
+---
+# Reference Architecture with Terraform: CNGFW in Azure, Virtual Network Design Model.
+
+Palo Alto Networks produces several [validated reference architecture design and deployment documentation guides](https://www.paloaltonetworks.com/resources/reference-architectures),which describe well-architected and tested deployments. 
+When deploying CNGFWs in a public cloud, the reference architecturesguide users toward the best security outcomes, 
+whilst reducing rollout time and avoiding common integration efforts.
+
+The Terraform code presented here will deploy Palo Alto Networks Cloud NGFW firewall in Azure based on a centralized virtual network design model with common CNGFW for all traffic; for a discussion of other options, please see the design guide from
+[the reference architecture guides](https://www.paloaltonetworks.com/resources/reference-architectures).
+
+## Detailed Architecture and Design
+
+### Centralized Virtual Network Design
+
+This code implements:
+
+- a *centralized virtual network design*, a hub-and-spoke topology with a Transit VNet containing CNGFW to inspect all inbound, outbound,
+  east-west, and enterprise traffic
+
+This design uses a Transit VNet. Application functions and resources are deployed across multiple VNets that are connected in
+a hub-and-spoke topology. The hub of the topology, or transit VNet, is the central point of connectivity for all inbound,
+outbound, east-west, and enterprise traffic. You integrate CNGFW with the transit VNet. Please see the [CNGFW design guide](https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/guides/securing-apps-with-cloud-ngfw-for-azure-design-guide).
+
+![Azure NGFW hub README diagrams - cngfw_vnet (1)](https://github.com/user-attachments/assets/12b99d93-f5fb-4960-bc8d-069616e2c599)
+
+This reference architecture consists of:
+
+- a VNET containing:
+  - 2 subnets dedicated to the CNGFW: private and public
+  - Route Tables and Network Security Groups
+- 1 CNGFW:
+  - with 2 network interfaces: public, private
+  - with 2 public IP addresses assigned to public interface
+  - Destination Network Address Translation rules
+- _(optional)_ test workloads with accompanying infrastructure:
+  - 2 Spoke VNETs with Route Tables and Network Security Groups
+  - 2 Spoke VMs serving as WordPress-based web servers
+  - 2 Azure Bastion managed jump hosts 
+
+**NOTE!**
+- In order to deploy the architecture without test workloads described above, empty the `test_infrastructure` map in
+  `example.tfvars` file.
+
+## Prerequisites
+
+A list of requirements might vary depending on the platform used to deploy the infrastructure but a minimum one includes:
+
+- _(in case of non cloud shell deployment)_ credentials and (optionally) tools required to authenticate against Azure Cloud,
+  see [AzureRM provider documentation for details](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#authenticating-to-azure)
+- [supported](#requirements) version of [`Terraform`](<https://developer.hashicorp.com/terraform/downloads>)
+
+**NOTE!**
+- after the deployment the firewalls remain not configured and not licensed
+- to manage CNGFW via Panorama, an existing Panorama instance is required. Please see the [Panorama integration guide](https://docs.paloaltonetworks.com/cloud-ngfw/azure/cloud-ngfw-for-azure/panorama-policy-management/panorama-integration-overview).
+
+
+## Usage
+
+### Deployment Steps
+
+- checkout the code locally (if you haven't done so yet)
+- copy the [`example.tfvars`](./example.tfvars) file, rename it to `terraform.tfvars` and adjust it to your needs
+  (take a closer look at the `TODO` markers)
+- _(optional)_ authenticate to AzureRM, switch to the Subscription of your choice
+- provide `subscription_id` either by creating an environment variable named `ARM_SUBSCRIPTION_ID` with Subscription ID as value
+  in your shell (recommended option) or by setting the value of `subscription_id` variable within your `tfvars` file (discouraged
+  option, we don't recommend putting the Subscription ID in clear text inside the code).
+- initialize the Terraform module:
+
+  ```bash
+  terraform init
+  ```
+
+- _(optional)_ plan you infrastructure to see what will be actually deployed:
+
+  ```bash
+  terraform plan
+  ```
+
+- deploy the infrastructure (you will have to confirm it with typing in `yes`):
+
+  ```bash
+  terraform apply
+  ```
+
+  The deployment takes couple of minutes.
+
+### Post deploy
+
+Firewall in this example is configured for management via Panorama.
+To manage the firewall, all configurations are handled through the Panorama instance.
+
+
+### Cleanup
+
+To remove the deployed infrastructure run:
+
+```sh
+terraform destroy
+```