PaloAltoNetworks / terraform-azurerm-vmseries-modules

Terraform Reusable Modules for VM-Series on Azure
https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/azurerm/latest
MIT License

[Bug Report] Common VMSeries Example has no internet connectivity #302

Closed FreddyAyala closed 11 months ago

FreddyAyala commented 1 year ago

Describe the bug

Greetings,

I have successfully deployed the Common VMSeries example, although I encountered an issue with internet connectivity. To resolve this, I added a specific NAT rule to the bootstrap_common.tmpl file:

```
... ethernet1/2 public private ${private_network_cidr} any any ethernet1/2
```

After deploying the VM, I deactivated DHCP for each interface and assigned static IPs to each interface, corresponding to their private and public IPs. Automating this final step is challenging due to cyclic referencing: these IP addresses are required before template creation, yet only become available post-deployment. So it is done manually for now.

After making this change, routing for both internet and intranet traffic seems to be working. For beginners with Palo Alto, it was not evident how to fix the issue.

Thanks

Module Version

v1.0.4

Terraform version

Terraform v1.4.6 on windows_amd64

Expected behavior

Deployment finished, internet routing working. Ping to 8.8.8.8 works for traffic redirected to the NVA.

Current behavior

Ping to 8.8.8.8 doesn't work for traffic redirected to the NVA.

Anything else to add?

No response
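For readers who want the whole outbound path rather than the single template line quoted above, here is the equivalent configuration expressed as PAN-OS `set` commands. This is an added example written for this page; it is not the repository's bootstrap_common.tmpl and not the reporter's configuration. It assumes zone names `private` (ethernet1/1, trusted side) and `public` (ethernet1/2, internet side), 10.0.0.0/16 standing in for ${private_network_cidr}, placeholder interface addresses and Azure subnet gateway, and a virtual router named `default`. Replace every address with what your deployment actually shows.

```text
# --- 1. Static interface addresses (the manual step from the report) ---
# 10.0.1.4/24 and 10.0.2.4/24 are invented placeholders; use the private IPs
# Azure assigned to the NICs after deployment. The DHCP client node is
# removed first so the static address, not the lease, is what the VR uses.
delete network interface ethernet ethernet1/1 layer3 dhcp-client
delete network interface ethernet ethernet1/2 layer3 dhcp-client
set network interface ethernet ethernet1/1 layer3 ip 10.0.1.4/24
set network interface ethernet ethernet1/2 layer3 ip 10.0.2.4/24

# --- 2. Default route towards the internet via the public interface ---
# Azure reserves the first usable address of each subnet as its gateway,
# so 10.0.2.1 is the next hop for the assumed 10.0.2.0/24 public subnet.
set network virtual-router default routing-table ip static-route default-to-internet destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 10.0.2.1

# --- 3. Source NAT: private -> public, translated to ethernet1/2's address ---
set rulebase nat rules outbound-snat nat-type ipv4
set rulebase nat rules outbound-snat from private
set rulebase nat rules outbound-snat to public
set rulebase nat rules outbound-snat to-interface ethernet1/2
set rulebase nat rules outbound-snat source 10.0.0.0/16
set rulebase nat rules outbound-snat destination any
set rulebase nat rules outbound-snat service any
set rulebase nat rules outbound-snat source-translation dynamic-ip-and-port interface-address interface ethernet1/2

# --- 4. Security policy: a NAT rule alone does not permit any traffic ---
# Without a matching allow rule the session is denied regardless of NAT.
set rulebase security rules allow-outbound from private
set rulebase security rules allow-outbound to public
set rulebase security rules allow-outbound source 10.0.0.0/16
set rulebase security rules allow-outbound destination any
set rulebase security rules allow-outbound source-user any
set rulebase security rules allow-outbound category any
set rulebase security rules allow-outbound application any
set rulebase security rules allow-outbound service application-default
set rulebase security rules allow-outbound action allow

commit
```

Two caveats a practitioner will hit: the firewall configuration only covers the hop from the private subnet to ethernet1/2, so egress still needs an Azure-side path out of the public subnet (a public IP on that NIC, an outbound rule on the public load balancer, or a NAT gateway), and the 8.8.8.8 test only reaches the firewall at all if the spoke subnet's route table sends 0.0.0.0/0 to the firewall's private-side IP (the load balancer front end in the common example). Verify with `show session all filter destination 8.8.8.8` and `show running nat-policy` on the firewall before looking at the Azure side.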

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!

FoSix commented 1 year ago

@FreddyAyala, thank you for opening this issue. There are a couple of things I need to address.

It seems reasonable to have at least the outbound traffic running after deploying the firewalls. Inbound/east-west might be pretty custom, depending on your infrastructure architecture, but basic internet access should be quite simple. Therefore a simple NAT rule to enable internet access was added to the OBEW and COMMON templates (see #323), just like you suggested.

On the other hand, this repository is for infrastructure code. We do not intend to keep full firewall configurations here. The day0 config that is available in the bootstrap templates is not there to enable routing. At least it was not our intention. Virtual router/static routes/NIC configuration is different per cloud: you do it differently in AWS than in Azure. The template was intended to get the infra running: it does what is necessary to configure the firewall to respond to LB health checks, and this way it should get you past the cloud specifics, to the point where you can configure routing on your device.