PaloAltoNetworks / azure

VM-Series ARM Templates for Microsoft Azure
https://github.com/PaloAltoNetworks/azure

Pre-Existing Network Configuration #13

Open john-louden opened 6 years ago

john-louden commented 6 years ago

Is anyone working on adapting this template to use a pre-existing VNET? Or does anyone know of one? I'd prefer to know prior to adapting this one.

mikecushing commented 6 years ago

I was attempting to use the vmseries-avset template to deploy into an existing VNET, but it kept trying to delete all of the subnets that weren't listed in the template. I ended up deleting the section of the template where it referenced the deployment of the VNET.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01-preview/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "String", "metadata": { "description": "region of resources" } },
    "newStorageAccount": { "type": "String", "metadata": { "description": "Globally unique lowercase name of your storage account" } },
    "storageAccountType": { "defaultValue": "Standard_LRS", "type": "String", "metadata": { "description": "The type of the Storage Account created" } },
    "storageAccountNewOrExisting": { "defaultValue": "new", "allowedValues": [ "new", "existing" ], "type": "String", "metadata": { "description": "Indicates whether the Storage Account is new or existing" } },
    "existingStorageAccountRG": { "defaultValue": "", "type": "String", "metadata": { "description": "Storage Resource Group of the Existing VM." } },
    "dnsNameForPublicIP": { "type": "String", "metadata": { "description": "Globally unique DNS name to access management interface of VM-Series firewall" } },
    "vmName": { "type": "String", "metadata": { "description": "Name of VM-Series VM in the Azure portal" } },
    "adminUserName": { "type": "String", "metadata": { "description": "Username for VM-Series administrator" } },
    "adminPassword": { "type": "SecureString", "metadata": { "description": "Password for VM-Series administrator" } },
    "authenticationType": { "defaultValue": "password", "allowedValues": [ "sshPublicKey", "password" ], "type": "String", "metadata": { "description": "Type of authentication" } },
    "sshKey": { "defaultValue": "", "type": "String", "metadata": { "description": "SSH RSA public key file as a string." } },
    "imageVersion": { "defaultValue": "latest", "allowedValues": [ "7.1.1", "8.0.0", "8.1.0" ], "type": "String", "metadata": { "description": "PAN-OS version." } },
    "imageSku": { "defaultValue": "byol", "allowedValues": [ "byol", "bundle1", "bundle2" ], "type": "String", "metadata": { "description": "VM-Series model: BYOL or hourly pay-as-you-go (PAYG): Bundle 1 or Bundle 2" } },
    "vmSize": { "allowedValues": [ "Standard_D3", "Standard_D3_v2", "Standard_D4", "Standard_D4_v2", "Standard_D5", "Standard_D5_v2", "Standard_A4" ], "type": "String", "metadata": { "description": "Azure VM size for VM-Series" } },
    "availabilitySetName": { "defaultValue": "VMSeriesFwAvSet", "type": "String", "metadata": { "description": "Azure Availability Set for VM-Series firewalls" } },
    "srcIPInboundNSG": { "defaultValue": "0.0.0.0/0", "type": "String", "metadata": { "description": "Your source public IP address. Added to the restrict inbound DefaultNSG on eth0 (MGMT)" } },
    "baseUrl": { "defaultValue": "https://raw.githubusercontent.com/PaloAltoNetworks/azure/master/vmseries-avset", "type": "String", "metadata": { "artifactsBaseUrl": "" } },
    "virtualNetworkName": { "defaultValue": "panVnet", "type": "String", "metadata": { "description": "Name of the virtual network that the consumer wants to use" } },
    "virtualNetworkAddressPrefix": { "defaultValue": "192.168.0.0/16", "type": "String", "metadata": { "description": "Virtual network address CIDR" } },
    "subnet0Name": { "defaultValue": "Mgmt", "type": "String", "metadata": { "description": "Subnet for the Mgmt" } },
    "subnet1Name": { "defaultValue": "Untrust", "type": "String", "metadata": { "description": "Subnet for the Untrust" } },
    "subnet2Name": { "defaultValue": "Trust", "type": "String", "metadata": { "description": "Subnet for the Trust" } },
    "subnet0Prefix": { "defaultValue": "192.168.0.0/24", "type": "String", "metadata": { "description": "Mgmt subnet CIDR" } },
    "subnet1Prefix": { "defaultValue": "192.168.1.0/24", "type": "String", "metadata": { "description": "Untrust subnet CIDR" } },
    "subnet2Prefix": { "defaultValue": "192.168.2.0/24", "type": "String", "metadata": { "description": "Trust subnet CIDR" } },
    "subnet0StartAddress": { "defaultValue": "192.168.0.4", "type": "String", "metadata": { "description": "Mgmt subnet start address" } },
    "subnet1StartAddress": { "defaultValue": "192.168.1.4", "type": "String", "metadata": { "description": "Untrust subnet start address" } },
    "subnet2StartAddress": { "defaultValue": "192.168.2.4", "type": "String", "metadata": { "description": "Trust subnet start address" } }
  },
  "variables": {
    "apiVersion": "2015-06-15",
    "imagePublisher": "paloaltonetworks",
    "imageOffer": "vmseries1",
    "fwpublicIPName": "[concat(parameters('vmName'), '-fwMgmtPublicIP')]",
    "nicName": "[concat(parameters('vmName'), '-eth')]",
    "FWPrivateIPAddressUntrust": "[parameters('subnet1StartAddress')]",
    "FWPrivateIPAddressTrust": "[parameters('subnet2StartAddress')]",
    "publicIPAddressType": "Dynamic",
    "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',parameters('virtualNetworkName'))]",
    "nsgname-mgmt": "[concat(parameters('vmName'), '-DefaultNSG')]",
    "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',parameters('subnet0Name'))]",
    "subnet1Ref": "[concat(variables('vnetID'),'/subnets/',parameters('subnet1Name'))]",
    "subnet2Ref": "[concat(variables('vnetID'),'/subnets/',parameters('subnet2Name'))]",
    "storageAccountSetupURL": "[concat(parameters('baseUrl'),'/storageAccount-',parameters('storageAccountNewOrExisting'),'.json')]",
    "vmTemplateUrl": "[concat(parameters('baseUrl'), '/virtual-machine-', parameters('authenticationType'),'.json')]"
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "name": "storageAcountSetup1",
      "apiVersion": "2015-01-01",
      "properties": {
        "mode": "Incremental",
        "templateLink": { "uri": "[variables('storageAccountSetupURL')]", "contentVersion": "1.0.0.0" },
        "parameters": {
          "location": { "value": "[parameters('location')]" },
          "storageAccountType": { "value": "[parameters('storageAccountType')]" },
          "newStorageAccount": { "value": "[parameters('newStorageAccount')]" },
          "storageAccountExistingRG": { "value": "[parameters('existingStorageAccountRG')]" }
        }
      }
    },
    {
      "type": "Microsoft.Compute/availabilitySets",
      "name": "[parameters('availabilitySetName')]",
      "apiVersion": "2015-05-01-preview",
      "location": "[resourceGroup().location]"
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "name": "[variables('fwpublicIPName')]",
      "apiVersion": "[variables('apiVersion')]",
      "location": "[parameters('location')]",
      "properties": {
        "publicIPAllocationMethod": "[variables('publicIPAddressType')]",
        "dnsSettings": { "domainNameLabel": "[parameters('dnsNameForPublicIP')]" }
      }
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "[concat(parameters('vmName'), '-DefaultNSG')]",
      "apiVersion": "[variables('apiVersion')]",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          { "name": "Allow-Outside-From-IP", "properties": { "description": "Rule", "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "[parameters('srcIPInboundNSG')]", "destinationAddressPrefix": "*", "access": "Allow", "priority": 100, "direction": "Inbound" } },
          { "name": "Allow-Intra", "properties": { "description": "Allow intra network traffic", "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "[concat(parameters('virtualNetworkAddressPrefix'))]", "destinationAddressPrefix": "*", "access": "Allow", "priority": 101, "direction": "Inbound" } },
          { "name": "Default-Deny", "properties": { "description": "Default-Deny if we don't match Allow rule", "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "access": "Deny", "priority": 200, "direction": "Inbound" } }
        ]
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[concat(variables('nicName'), '0')]",
      "apiVersion": "[variables('apiVersion')]",
      "location": "[parameters('location')]",
      "tags": { "displayName": "[concat('NetworkInterfaces', '0')]" },
      "properties": {
        "ipConfigurations": [
          { "name": "[concat('ipconfig', '0')]", "properties": { "privateIPAllocationMethod": "Dynamic", "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('fwpublicIPName'))]" }, "subnet": { "id": "[variables(concat('subnet','0','Ref'))]" } } }
        ]
      },
      "dependsOn": [ "[concat('Microsoft.Network/publicIPAddresses/', variables('fwpublicIPName'))]" ]
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[concat(variables('nicName'), '1')]",
      "apiVersion": "[variables('apiVersion')]",
      "location": "[parameters('location')]",
      "tags": { "displayName": "[concat('NetworkInterfaces', '1')]" },
      "properties": {
        "enableIPForwarding": true,
        "ipConfigurations": [
          { "name": "[concat('ipconfig', '1')]", "properties": { "privateIPAllocationMethod": "Static", "privateIPAddress": "[variables('FWPrivateIPAddressUntrust')]", "subnet": { "id": "[variables(concat('subnet','1','Ref'))]" } } }
        ]
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[concat(variables('nicName'), '2')]",
      "apiVersion": "[variables('apiVersion')]",
      "location": "[parameters('location')]",
      "tags": { "displayName": "[concat('NetworkInterfaces', '2')]" },
      "properties": {
        "enableIPForwarding": true,
        "ipConfigurations": [
          { "name": "[concat('ipconfig', '2')]", "properties": { "privateIPAllocationMethod": "Static", "privateIPAddress": "[variables('FWPrivateIPAddressTrust')]", "subnet": { "id": "[variables(concat('subnet','2','Ref'))]" } } }
        ]
      }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "name": "PAN-VM",
      "apiVersion": "2015-01-01",
      "properties": {
        "mode": "Incremental",
        "templateLink": { "uri": "[variables('vmTemplateUrl')]", "contentVersion": "1.0.0.0" },
        "parameters": {
          "location": { "value": "[parameters('location')]" },
          "vmName": { "value": "[parameters('vmName')]" },
          "imageSku": { "value": "[parameters('imageSku')]" },
          "imageOffer": { "value": "[variables('imageOffer')]" },
          "imageVersion": { "value": "[parameters('imageVersion')]" },
          "imagePublisher": { "value": "[variables('imagePublisher')]" },
          "nicName": { "value": "[variables('nicName')]" },
          "vmSize": { "value": "[parameters('vmSize')]" },
          "adminUserName": { "value": "[parameters('adminUserName')]" },
          "adminPassword": { "value": "[parameters('adminPassword')]" },
          "newStorageAccount": { "value": "[parameters('newStorageAccount')]" },
          "sshKey": { "value": "[parameters('sshKey')]" },
          "availabilitySetName": { "value": "[parameters('availabilitySetName')]" }
        }
      },
      "dependsOn": [
        "storageAcountSetup1",
        "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'), '0')]",
        "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'), '1')]",
        "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'), '2')]"
      ]
    }
  ]
}
```

desidownunder commented 6 years ago

> Is anyone working on adapting this template to use a pre-existing VNET? Or does anyone know of one? I'd prefer to know prior to adapting this one.

Hi John,

I was able to customise and deploy this template in an existing network. Basically, it required deleting the resource deployment of a new VNET and also some conditional statements that depended on it.

I'm new to GitHub, so I'm not sure how to share it here, but it's available in my repositories under the same directory:

https://github.com/desidownunder/azure/tree/master/vmseries-avset

It can also be deployed directly from there (don't do it on production though!).
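Both mikecushing's and desidownunder's approach amounts to the same mechanical edit: drop the `Microsoft.Network/virtualNetworks` resource and anything that depended on it, and let the `resourceId()`-based subnet references point at the VNET that already exists. The script below is an added example for this thread, not code from the PaloAltoNetworks/azure repository or from either commenter. It performs that edit on a constructed miniature template (`SAMPLE`, modelled on the parameter and resource names in the template quoted above, not a copy of it) and then runs three checks a reviewer would want after such surgery: which parameters became dead, whether any inbound Allow rule in the management NSG resolves to any source (the quoted template defaults `srcIPInboundNSG` to `0.0.0.0/0`), and whether the NSG is still attached to anything once the subnet that used to carry it is no longer declared in the template.

```python
"""Checks for adapting an ARM template to a pre-existing VNET.

Added example for this GitHub thread; not code from PaloAltoNetworks/azure.
SAMPLE is a constructed miniature modelled on the vmseries-avset template
quoted above (same parameter and resource names), not a copy of it.
"""
import copy
import json
import re

VNET_TYPE = "Microsoft.Network/virtualNetworks"
NSG_TYPE = "Microsoft.Network/networkSecurityGroups"
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")          # any parameters('x') use
SINGLE_PARAM = re.compile(r"\[parameters\('([^']+)'\)\]")   # a value that is exactly one parameter
OPEN_SOURCES = {"*", "0.0.0.0/0", "Internet"}

# Constructed sample: a VNET with one subnet, the management NSG, and a NIC that depends on the VNET.
SAMPLE = {
    "parameters": {
        "vmName": {"type": "String"},
        "virtualNetworkName": {"defaultValue": "panVnet", "type": "String"},
        "virtualNetworkAddressPrefix": {"defaultValue": "192.168.0.0/16", "type": "String"},
        "subnet0Name": {"defaultValue": "Mgmt", "type": "String"},
        "subnet0Prefix": {"defaultValue": "192.168.0.0/24", "type": "String"},
        "srcIPInboundNSG": {"defaultValue": "0.0.0.0/0", "type": "String"},
    },
    "variables": {
        "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',parameters('virtualNetworkName'))]",
        "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',parameters('subnet0Name'))]",
    },
    "resources": [
        {"type": VNET_TYPE, "name": "[parameters('virtualNetworkName')]",
         "properties": {"addressSpace": {"addressPrefixes": ["[parameters('virtualNetworkAddressPrefix')]"]},
                        "subnets": [{"name": "[parameters('subnet0Name')]",
                                     "properties": {"addressPrefix": "[parameters('subnet0Prefix')]"}}]}},
        {"type": NSG_TYPE, "name": "[concat(parameters('vmName'), '-DefaultNSG')]",
         "properties": {"securityRules": [
             {"name": "Allow-Outside-From-IP", "properties": {"sourceAddressPrefix": "[parameters('srcIPInboundNSG')]",
                                                              "access": "Allow", "direction": "Inbound"}},
             {"name": "Allow-Intra", "properties": {"sourceAddressPrefix": "[concat(parameters('virtualNetworkAddressPrefix'))]",
                                                    "access": "Allow", "direction": "Inbound"}},
             {"name": "Default-Deny", "properties": {"sourceAddressPrefix": "*", "access": "Deny", "direction": "Inbound"}}]}},
        {"type": "Microsoft.Network/networkInterfaces", "name": "[concat(parameters('vmName'), '-eth0')]",
         "properties": {"ipConfigurations": [{"name": "ipconfig0", "properties": {"subnet": {"id": "[variables('subnet0Ref')]"}}}]},
         "dependsOn": ["[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]"]},
    ],
}


def strip_vnet(template):
    """Copy of the template with VNET resources removed and dependsOn entries on them dropped.
    Subnet ids built with resourceId() keep resolving against the VNET that already exists."""
    out = copy.deepcopy(template)
    out["resources"] = [r for r in out["resources"] if r["type"] != VNET_TYPE]
    for res in out["resources"]:
        deps = [d for d in res.get("dependsOn", []) if VNET_TYPE not in d]
        if deps:
            res["dependsOn"] = deps
        else:
            res.pop("dependsOn", None)
    return out


def unused_parameters(template):
    """Declared parameters that nothing in variables or resources references."""
    body = json.dumps({"variables": template.get("variables", {}), "resources": template["resources"]})
    return sorted(set(template["parameters"]) - set(PARAM_REF.findall(body)))


def resolve(value, params):
    """Resolve "[parameters('x')]" to x's defaultValue; other expressions (e.g. concat) are returned as-is."""
    m = SINGLE_PARAM.fullmatch(value)
    return params[m.group(1)].get("defaultValue") if m else value


def open_inbound_allow_rules(template):
    """Inbound Allow rules whose source, taking parameter defaults, is any address."""
    hits = []
    for res in template["resources"]:
        if res["type"] != NSG_TYPE:
            continue
        for rule in res["properties"]["securityRules"]:
            p = rule["properties"]
            if (p["direction"], p["access"]) == ("Inbound", "Allow") and \
                    resolve(p["sourceAddressPrefix"], template["parameters"]) in OPEN_SOURCES:
                hits.append(rule["name"])
    return hits


def orphaned_nsgs(template):
    """NSG resources that no NIC or subnet in the template attaches via a networkSecurityGroup id."""
    others = json.dumps([r for r in template["resources"] if r["type"] != NSG_TYPE])
    attached = '"networkSecurityGroup"' in others
    return [] if attached else [r["name"] for r in template["resources"] if r["type"] == NSG_TYPE]


if __name__ == "__main__":
    stripped = strip_vnet(SAMPLE)
    print("resources kept:", [r["type"] for r in stripped["resources"]])
    print("now-unused parameters:", unused_parameters(stripped))
    print("open inbound allow rules:", open_inbound_allow_rules(stripped))
    print("NSGs attached to nothing:", orphaned_nsgs(stripped))
```

Run against a real template with `json.load(open(path))` in place of `SAMPLE`. The parameter check is deliberately textual (any `parameters('x')` occurrence counts as a use), so it reports dead inputs such as subnet prefixes rather than proving correctness; the NSG check is equally coarse and only answers whether anything in the file attaches an NSG at all, which is the question that matters once the subnet definitions have left the template.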

farshadrahaei commented 5 years ago

I checked the other provided scripts; neither was working, so I had to create one myself. You can use my script to install the Palo Alto firewall in an existing Virtual Network (VNET). I have already tested the script and it works fine; let me know if you have any issues: https://github.com/farshadrahaei/PaloAltoNetworks

Farshad

catchthekid commented 5 years ago

None of the above templates works when creating the interface adapters. Is there any solution to this?