From 513515321dfc8384815c200402520290ec1f7ed7 Mon Sep 17 00:00:00 2001
From: abudilovskiy-panw <113163070+abudilovskiy-panw@users.noreply.github.com>
Date: Thu, 25 Jan 2024 12:38:02 -0800
Subject: [PATCH] Cngfw azure terraform (#568)

---
 docusaurus.config.js | 9 +-
 products/cloudngfw/docs/getstarted_azure.mdx | 42 +++
 products/cloudngfw/docs/home.mdx | 5 +-
 products/cloudngfw/sidebars.js | 16 +-
 .../docs/cloudngfw/azure/_assumptions.md | 7 -
 .../cloudngfw/azure/reference/provider.md | 18 ++
 .../docs/cloudngfw/azure/tutorials/intro.mdx | 255 ++++++++++++++++++
 .../docs/cloudngfw/azure/tutorials/setup.md | 14 -
 products/terraform/docs/cloudngfw/intro.mdx | 12 +-
 products/terraform/sidebars.js | 19 ++
 10 files changed, 369 insertions(+), 28 deletions(-)
 create mode 100644 products/cloudngfw/docs/getstarted_azure.mdx
 delete mode 100644 products/terraform/docs/cloudngfw/azure/_assumptions.md
 create mode 100644 products/terraform/docs/cloudngfw/azure/reference/provider.md
 create mode 100644 products/terraform/docs/cloudngfw/azure/tutorials/intro.mdx
 delete mode 100644 products/terraform/docs/cloudngfw/azure/tutorials/setup.md

diff --git a/docusaurus.config.js b/docusaurus.config.js
index 39a691235..eef027ff6 100644
--- a/docusaurus.config.js
+++ b/docusaurus.config.js
@@ -242,8 +242,13 @@ const config = {
 icon: "doc",
 },
 {
- label: "Terraform",
- to: "terraform/docs/cloudngfw/",
+ label: "Terraform - AWS",
+ to: "terraform/docs/cloudngfw",
+ icon: "doc",
+ },
+ {
+ label: "Terraform - Azure",
+ to: "terraform/docs/cloudngfw",
 icon: "doc",
 },
 ],
diff --git a/products/cloudngfw/docs/getstarted_azure.mdx b/products/cloudngfw/docs/getstarted_azure.mdx
new file mode 100644
index 000000000..bc2786f89
--- /dev/null
+++ b/products/cloudngfw/docs/getstarted_azure.mdx
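Review bot: Both new navbar entries resolve to the same route: the `label: "Terraform - Azure"` entry is followed by `to: "terraform/docs/cloudngfw"`, identical to the AWS entry directly above it, so the Azure link lands on the AWS-oriented Terraform landing page. This same commit creates `products/terraform/docs/cloudngfw/azure/tutorials/intro.mdx` and getstarted_azure.mdx links it as `/terraform/docs/cloudngfw/azure/tutorials/intro/`, so the Azure entry should presumably read `to: "terraform/docs/cloudngfw/azure/tutorials/intro",`. The AWS entry also drops the trailing slash that the old `to` value had; if that route is registered with a slash it is worth confirming the site still resolves it. The enclosing `config` object starts and ends outside the hunk.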
@@ -0,0 +1,42 @@
+---
+id: getstarted_azure
+title: Cloud NGFW for Azure
+description: Cloud NGFW for Azure quick start
+hide_title: true
+hide_table_of_contents: true
+keywords:
+ - cloudngfw
+ - azure
+---
+
+# Cloud NGFW for Azure
+
+You can discover Cloud NGFW in the [Azure Marketplace](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/paloaltonetworks.pan_swfw_cloud_ngfw/selectionMode~/false/resourceGroupId//resourceGroupLocation//dontDiscardJourney~/false/selectedMenuId/favorites/launchingContext~/%7B%22galleryItemId%22%3A%22paloaltonetworks.pan_swfw_cloud_ngfwpanw-cloud-ngfw-payg%22%2C%22source%22%3A%5B%22GalleryFeaturedMenuItemPart%22%2C%22VirtualizedTileDetails%22%5D%2C%22menuItemId%22%3A%22home%22%2C%22subMenuItemId%22%3A%22Search%20results%22%2C%22telemetryId%22%3A%22c4fa50f9-c45a-42bf-a54e-9f2158d1cd7b%22%7D/searchTelemetryId/b022cb42-66e1-4631-87cb-f40466ab6d29) and consume it in your AWS Virtual Private Clouds (VPC). With Cloud NGFW, you can access the core NGFW capabilities such as App-ID, URL filtering based on URL categories and geolocations, SSL/TLS Decryption, etc.
+
+## Getting Started with Cloud NGFW for Azure
+
+- **Subscribe to the Cloud NGFW Service**—Begin by subscribing to the Cloud NGFW for Azure service through the Azure Marketplace. You can also search for "Cloud NGFW" in the Azure Services to locate Local Rulestack and Cloud NGFW resources. The service relies on your Entre ID and IAM permissions and generally requires a "Contributor" role on the subscription.
+- **Create Rulestacks**—Local Rulestack allow creating [rules and rulestacks](https://docs.paloaltonetworks.com/cloud-ngfw/azure/cloud-ngfw-for-azure/native-policy-management)
+- **Create NGFWs**—Deploy NGFW firewall resources to protect your VNets and vWAN Hubs. While creating your NGFWs, associate the local rulestacks you created previously or associate a Panorama instance.
+
+You have two options to manage the security policy on Cloud NGFW for Azure.
+
+In the first (Azure Rulestack managed) option, you create rules based on matching criteria and leverage the Security Services straight from Azure Portal.
+
+Alternatively, in the second (Panorama-managed) option, you specify the Registration string generated in Panorama that allows the firewall to connect to Panorama and obtain its policy. In this option, Cloud NGFW requires IP-connectivity to the Panorama IP specified when generating the string.
+
+- **Update User-Defined Route**—After deploying your Cloud NGFW resource, you must direct Traffic to Cloud NGFW by updating your Route table and associating it with the spokes. Traffic is then directed to the NGFW firewall resource for inspection and enforcement.
+- **Configure Routing Intent and Policy**-After securing your vWAN hub using Palo Alto Networks SaaS, you must program the Routing Intent and Policy and set the next hop as Cloud NGFW NVA. This will force Internet and/or Private traffic via the Cloud NGFW service.
+
+## Managing Cloud NGFW for Azure
+
+You can deploy Cloud NGFW in your Azure environment in multiple ways:
+
+- **Azure Portal** is a graphical user interface that provides a native experience similar to any other Azure service.
+- **Azure CLI/PowerShell/SDK/Terraform** can deploy Cloud NGFW resources programmatically in an Infrastructure-as-Code way.
+
+For a description of the Cloud NGFW for Azure APIs, see the [API Reference](/cloudngfw/azure/api).
+
+To begin using Terraform to manage your Cloud NGFW for Azure, see the [Getting Started guide](/terraform/docs/cloudngfw/azure/tutorials/intro/).
+
+See [Cloud NGFW for Azure Documentation](https://docs.paloaltonetworks.com/cloud-ngfw/azure/cloud-ngfw-for-azure/getting-started-with-cngfw-for-azure) for more information.
diff --git a/products/cloudngfw/docs/home.mdx b/products/cloudngfw/docs/home.mdx
index 9ebe79679..21f992bcb 100644
--- a/products/cloudngfw/docs/home.mdx
+++ b/products/cloudngfw/docs/home.mdx
@@ -2,16 +2,17 @@
 id: home
 title: Cloud NGFW Overview
 slug: /cloudngfw/docs
-description: Cloud NGFW API Overview
+description: Cloud NGFW Overview
 hide_title: true
 hide_table_of_contents: true
 keywords:
 - cloudngfw
 - aws
+ - azure
 ---
 
 # Cloud NGFW Overview
 
-Cloud NGFW for AWS is Palo Alto Networks ML-powered Next-Generation Firewall (NGFW) capability delivered as a fully managed cloud-native service by Palo Alto Networks on the Amazon Web Services (AWS) platform.
+Cloud NGFW is Palo Alto Networks ML-powered Next-Generation Firewall (NGFW) capability delivered as a fully managed cloud-native service by Palo Alto Networks on the Amazon Web Services (AWS) and Azure platforms.
 
 This deployment model combines the power of the Palo Alto NGFW with the ease of use. The Cloud NGFW service provides advanced application visibility and access control using Palo Alto Networks’ App-ID and URL filtering technologies. It provides threat prevention and detection through cloud-delivered security services and threat prevention signatures.
diff --git a/products/cloudngfw/sidebars.js b/products/cloudngfw/sidebars.js
index 718a798d7..61d99fc88 100644
--- a/products/cloudngfw/sidebars.js
+++ b/products/cloudngfw/sidebars.js
@@ -13,6 +13,10 @@ module.exports = {
 type: "doc",
 id: "cloudngfw/docs/getstarted_aws",
 },
+ {
+ type: "doc",
+ id: "cloudngfw/docs/getstarted_azure",
+ },
 ],
 },
 {
@@ -27,9 +31,19 @@ module.exports = {
 },
 {
 type: "link",
- label: "Terraform for Cloud NGFW",
+ label: "Cloud NGFW for Azure",
+ href: "https://docs.paloaltonetworks.com/cloud-ngfw/azure/cloud-ngfw-for-azure",
+ },
+ {
+ type: "link",
+ label: "Terraform for Cloud NGFW for AWS",
 href: "/terraform/docs/cloudngfw/",
 },
+ {
+ type: "link",
+ label: "Terraform for Cloud NGFW for Azure",
+ href: "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/palo_alto_local_rulestack",
+ },
 ],
 },
 ],
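Review bot: In the second sidebars.js hunk, the new `Terraform for Cloud NGFW for Azure` link sends readers off-site to the registry page of a single azurerm resource (`palo_alto_local_rulestack`), while the sibling `Terraform for Cloud NGFW for AWS` entry stays in-site at `/terraform/docs/cloudngfw/`. This same commit adds an in-site Azure tutorial at `products/terraform/docs/cloudngfw/azure/tutorials/intro.mdx`, which getstarted_azure.mdx already links as `/terraform/docs/cloudngfw/azure/tutorials/intro/`, and the registry URL is already carried by the new provider.md reference page. For parity with the AWS entry, consider `href: "/terraform/docs/cloudngfw/azure/tutorials/intro/",` here and leaving the registry link to provider.md. Both hunks sit inside the `module.exports` object, which starts and ends outside the hunk.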
diff --git a/products/terraform/docs/cloudngfw/azure/_assumptions.md b/products/terraform/docs/cloudngfw/azure/_assumptions.md
deleted file mode 100644
index 4840baa40..000000000
--- a/products/terraform/docs/cloudngfw/azure/_assumptions.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Assumptions
-
-This tutorial/guide assumes:
-
-- a working installation of Terraform ([see example instructions here](./tutorials/setup.md))
-- working connectivity to Azure
-- administrative credentials capable of performing the relevant operations on Azure
diff --git a/products/terraform/docs/cloudngfw/azure/reference/provider.md b/products/terraform/docs/cloudngfw/azure/reference/provider.md
new file mode 100644
index 000000000..233eaec6d
--- /dev/null
+++ b/products/terraform/docs/cloudngfw/azure/reference/provider.md
@@ -0,0 +1,18 @@
+---
+id: provider
+title: Terraform for Azure Cloud NGFW
+sidebar_label: Provider Reference
+hide_title: true
+description: Provider Reference
+keywords:
+ - cloudngfw
+ - api
+ - firewall
+ - configuration
+ - terraform
+ - azure
+---
+
+# Provider Reference
+
+The reference guide for the Azure Cloud NGFW Terraform Provider can be found [here](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/palo_alto_local_rulestack). This provides the listing of resources with their parameters, valid inputs and types, and examples of correct usage.
diff --git a/products/terraform/docs/cloudngfw/azure/tutorials/intro.mdx b/products/terraform/docs/cloudngfw/azure/tutorials/intro.mdx
new file mode 100644
index 000000000..5ff57d139
--- /dev/null
+++ b/products/terraform/docs/cloudngfw/azure/tutorials/intro.mdx
@@ -0,0 +1,255 @@
+---
+id: intro
+title: Securing vWAN
+sidebar_label: Securing vWAN
+hide_title: true
+description: Securing vWAN
+keywords:
+ - pan-os
+ - panos
+ - azure
+ - api
+ - firewall
+ - configuration
+ - terraform
+ - cloudngfw
+---
+
+
+# Deploying Cloud NGFW for Azure using Terraform
+
+
+## Objective
+
+[Cloud NGFW for Azure](https://www.paloaltonetworks.com/network-security/cloud-ngfw-for-azure) by Palo Alto Networks is natively integrated into the Azure Resource Manager framework and does not require the use of any vendor-specific APIs for deployment.
+
+In this guide, you will learn how to deploy and configure the Cloud NGFW resource using Terraform. Since Cloud NGFW is directly exposed in the Azure Portal and Azure APIs as a native service, it only requires the [Azure Terraform Provider](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs) to deploy and configure the resource.
+
+## Prerequisites
+
+ - The latest version of azurerm TF provider (installed automatically upon running Terraform init)
+ - Panorama 10.2.4-h2+ with the latest Azure Plugin installed
+ - Azure subscription with at least a Contributor role assigned to the user
+
+## Setup
+
+For this deployment, we will create 2x Cloud NGFW resources to secure an Azure vWAN. One Cloud NGFW will be managed by Azure Rulestack, while the other will be managed by Panorama.
+
+The following resources will be created:
+
+- Resource group
+- Public IP address x2
+- Virtual WAN
+- Local Rulestack
+- Cloud NGFW x2
+- Routing Intent x2
+
+First, in a separate directory create base Terraform files: `main.tf``, `variables.tf`` and `terraform.tfvars`.
+
+
+
+```hcl title="terraform.tfvars"
+region1 = "eastus"
+region2 = "westeurope"
+rg = "terraform-rg"
+panorama-string = "Panorama registration string"
+```
+
+
+```hcl title="variables.tf"
+variable "rg" {
+ type = string
+}
+
+variable "region1" {
+ type = string
+}
+
+variable "region2" {
+ type = string
+}
+
+variable "panorama-string" {
+ type = string
+}
+```
+
+The features block is mandatory to run any azurerm deployment. If you’d like to stick with the defaults, leave it empty
+
+
+```hcl title="main.tf"
+provider "azurerm" {
+ features {}
+}
+```
+1. Resource Group
+
+Query an existing Resource Group:
+```
+data "azurerm_resource_group" "rg" {
+ name = var.rg
+}
+```
+Or create a new one:
+
+```
+resource "azurerm_resource_group" "rg" {
+ name = "terraform-rg"
+ location = "East US"
+}
+```
+2. Public IP address
+
+Use the Public IP address resource to create at least one IP address that will be associated with each Cloud NGFW
+```
+resource "azurerm_public_ip" "cngfw-pip-eastus" {
+ name = "cngfw-pip-eastus"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = var.region1
+ allocation_method = "Static"
+ sku = "Standard"
+}
+
+resource "azurerm_public_ip" "cngfw-pip-westeu" {
+ name = "cngfw-pip-westeu"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = var.region2
+ allocation_method = "Static"
+ sku = "Standard"
+}
+```
+3. Virtual WAN
+
+Use the resources and data sources to interact with the vWAN-specific objects. For example,
+```
+resource "azurerm_virtual_wan" "vwan" {
+ name = "terraform-vwan"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = var.region1
+}
+
+resource "azurerm_virtual_hub" "vhub-eastus" {
+ name = "terraform-vhub-eastus"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = var.region1
+ virtual_wan_id = azurerm_virtual_wan.vwan.id
+ address_prefix = "10.0.0.0/23"
+}
+resource "azurerm_virtual_hub" "vhub-westeu" {
+ name = "terraform-vhub-westeu"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = var.region2
+ virtual_wan_id = azurerm_virtual_wan.vwan.id
+ address_prefix = "10.0.0.0/23"
+}
+```
+Cloud NGFW resource requires an NVA object to be created in the target virtual hub:
+ ```
+resource "azurerm_palo_alto_virtual_network_appliance" "nva-eastus" {
+ name = "terraform-nva-eastus"
+ virtual_hub_id = azurerm_virtual_hub.vhub-eastus.id
+}
+
+resource "azurerm_palo_alto_virtual_network_appliance" "nva-westeu" {
+ name = "terraform-nva-westeu"
+ virtual_hub_id = azurerm_virtual_hub.vhub-westeu.id
+}
+```
+4. Local Rulestack
+
+```
+resource "azurerm_palo_alto_local_rulestack" "lrs-eastus" {
+ name = "terraform-lrs-eastus"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = var.region1
+ anti_spyware_profile = "BestPractice"
+ anti_virus_profile = "BestPractice"
+ file_blocking_profile = "BestPractice"
+ vulnerability_profile = "BestPractice"
+ url_filtering_profile = "BestPractice"
+}
+```
+5. Cloud NGFW
+
+First, create a Cloud NGFW resource managed by Azure Rulestack
+
+```
+resource "azurerm_palo_alto_next_generation_firewall_virtual_hub_local_rulestack" "cngfw-eastus" {
+ name = "terraform-cngfw-eastus"
+ resource_group_name = azurerm_resource_group.rg.name
+ rulestack_id = azurerm_palo_alto_local_rulestack.lrs-eastus.id
+
+ network_profile {
+ public_ip_address_ids = [azurerm_public_ip.cngfw-pip-eastus.id]
+ virtual_hub_id = azurerm_virtual_hub.vhub-eastus.id
+ network_virtual_appliance_id = azurerm_palo_alto_virtual_network_appliance.nva-eastus.id
+ }
+}
+```
+Next, create a Cloud NGFW managed by Panorama. You are required to have a Panorama instance with the Azure plugin installed to generate the Panorama Registration String.
+
+```
+resource "azurerm_palo_alto_next_generation_firewall_virtual_hub_panorama" "cngfw-westeu" {
+ name = "terraform-cngfw-westeu"
+ resource_group_name = data.azurerm_resource_group.rg.name
+ location = var.region2
+
+ network_profile {
+ public_ip_address_ids = [azurerm_public_ip.cngfw-pip-westeu.id]
+ virtual_hub_id = azurerm_virtual_hub.vhub-westeu.id
+ network_virtual_appliance_id = azurerm_palo_alto_virtual_network_appliance.nva-westeu.id
+ }
+
+ panorama_base64_config = var.panorama-string
+}
+```
+
+6. Routing Intent
+
+The last step is to steer the traffic through the Cloud NGFW resources by setting the Routing Intent on both hubs.
+
+```
+resource "azurerm_virtual_hub_routing_intent" "routing-intent-eastus" {
+ name = "terraform-routing-intent-eastus"
+ virtual_hub_id = azurerm_virtual_hub.vhub-eastus.id
+
+ routing_policy {
+ name = "InternetTrafficPolicy"
+ destinations = ["Internet"]
+ next_hop = azurerm_palo_alto_virtual_network_appliance.nva-eastus.id
+ }
+
+ routing_policy {
+ name = "PrivateTrafficPolicy"
+ destinations = ["PrivateTraffic"]
+ next_hop = azurerm_palo_alto_virtual_network_appliance.nva-eastus.id
+ }
+ depends_on = [azurerm_palo_alto_next_generation_firewall_virtual_hub_local_rulestack.cngfw-eastus]
+}
+
+resource "azurerm_virtual_hub_routing_intent" "routing-intent-westeu" {
+ name = "terraform-routing-intent-westeu"
+ virtual_hub_id = azurerm_virtual_hub.vhub-westeu.id
+
+ routing_policy {
+ name = "InternetTrafficPolicy"
+ destinations = ["Internet"]
+ next_hop = azurerm_palo_alto_virtual_network_appliance.nva-westeu.id
+ }
+
+ routing_policy {
+ name = "PrivateTrafficPolicy"
+ destinations = ["PrivateTraffic"]
+ next_hop = azurerm_palo_alto_virtual_network_appliance.nva-westeu.id
+ }
+ depends_on = [azurerm_palo_alto_next_generation_firewall_virtual_hub_panorama.cngfw-westeu]
+}
+```
+
+To summarize, we were able to create and provision an end-to-end deployment with Virtual WAN hubs secured with the Cloud NGFW using a single Terraform provider.
+
+The content in this tutorial builds on the [introduction published in Palo Alto Networks' LiveCommunity Blog](https://live.paloaltonetworks.com/t5/community-blogs/deploying-cloud-ngfw-for-azure-using-terraform/ba-p/566200).
+
+
+
+
diff --git a/products/terraform/docs/cloudngfw/azure/tutorials/setup.md b/products/terraform/docs/cloudngfw/azure/tutorials/setup.md
deleted file mode 100644
index a13abb86f..000000000
--- a/products/terraform/docs/cloudngfw/azure/tutorials/setup.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-id: tutorial
-title: Terraform for Azure Cloud NGFW
-sidebar_label: Tutorial
-hide_title: true
-description: Tutorial
-keywords:
- - cloudngfw
- - api
- - firewall
- - configuration
- - terraform
- - azure
----
diff --git a/products/terraform/docs/cloudngfw/intro.mdx b/products/terraform/docs/cloudngfw/intro.mdx
index a6c8aba0d..b9f2e843c 100644
--- a/products/terraform/docs/cloudngfw/intro.mdx
+++ b/products/terraform/docs/cloudngfw/intro.mdx
@@ -17,7 +17,11 @@ import Support from "/products/shared/_community-support-statement.md";
 
 # Terraform for Cloud NGFW
 
-Cloud NGFW can be configured with [Terraform](https://www.terraform.io), allowing configuration to be defined and managed as code, facilitating automated operations.
+Cloud NGFW can be deployed and configured with [Terraform](https://www.terraform.io), allowing configuration to be defined and managed as code, facilitating automated operations.
+
+- **Cloud NGFW for AWS is using a dedicated Terraform provider**
+
+- **Cloud NGFW for Azure is leveraging the existing Azurerm provider**