Template for deploying Palo Alto VM Series FW with Azure Gateway Load Balancer

Azure Gateway Load Balancer


  • Minimum version of PAN-OS 10.1.4 and vm-series plugin 2.1.4

Bootstrap Information

Steps to deploy the template

Security Stack Template Parameters

Configure the template Parameters for your Azure GWLB deployment

  • FirewallDnsName

    Unique DNS Name for the Public IP used to access PAN Firewall VM.

  • vmName

    Name for the VM-Series Firewall

  • adminUsername

    The username for the account on the VM-Series firewall

  • adminPassword

    Password for the account for the VM-Series firewall. Make this parameter Optional if you choose to use any other Authentication Type

  • bootstrapStorageAccount

    The name of the storage account created in the Prerequisite step

  • bootstrapStorageAccountAccessKey

    The value of the storage account access key created in the Prerequisite step

  • bootstrapFileShare

    The name of the storage account file share created in the Prerequisite step

  • imageVersion

    The Pan-OS image version. We support from 10.1.4 Add the required version in the allowed values to use Pan-OS version of your preference

  • imageSKU

    Licensing model - byol, bundle1, bundle2

  • vmSize

    Azure VMsize for the Firewall. Choose from the list allowed values.

  • AddressPrefix

    The CIDR range for the Security network ex. ""

  • ManagementSubnet

    Subnet Prefix for Security management subnet ex ""

  • DataSubnet

    Subnet Prefix for Security data subnet ex ""


init-cfg.txt in the bootstrap folder should include this:

To deploy the solution with default ports


The port and VNI parameters when not specified will use the default values: Internal Port 2000 Internal VNI 800, External Port 2001 and External VNI 801. These parameters must match the GWLB backend pool tunnel interfaces properties to properly establish the service chain. If you use the custom ports, make sure to edit the security-stack.json with the custom ports in the below block.

To deploy the solution with custom ports edit the init-cfg.txt to


"backendAddressPools": [
            "name": "BackendPool1",
            "properties": {
              "tunnelInterfaces": [
                  "port": 2000,        # Change the internal port here to 3000
                  "Identifier": 800,   # Change the identifier to 900
                  "Protocol": "VxLan",
                  "Type": "Internal"
                  "port": 2001,       # Change the external port here to 900
                  "Identifier": 801,  # Change the identifier to 901
                  "Protocol": "VxLan",
                  "Type": "External"

Application Stack Template Parameters

  • securityResourceGroup

    Name of the Security stack resource group deployed with security-stack.json template.

  • gwLBName

    Name of the Gateway Loadbalancer deployed with security-stack.json template.

  • gwLBFrontendIPName

    Name of your Gateway Loadbalancer Frontend Private IP deployed with security-stack.json template.

  • VNETPrefix

    The CIDR range for the Application network ex. ""

  • SubnetPrefix

    Subnet Prefix for Application management subnet ex ""

Part 1: Deploy Security Stack Resources

The ARM template deploys the Security stack with Gateway Loadbalancer, VM-Series firewall with GWLB bootstrap configuration , VM-Series firewall added in the backend pool of the Gateway Loadbalancer.

Part 2: Deploy Application Stack Resources

The ARM template deploys the Application stack with the Loadbalancer configured with the default Load Balancer rules, Linux VM with simpleHTTP service.

You can use the application-stack.json to deploy multiple spokes / application stacks.

Traffic Test

To test the ingress traffic, issue the below command from a terminal

wget http://<FrontendIPofPublicLB:8081>


Use a browser, type in http://<FrontendIPofPublicLB:8081>

You can see the secured ingress traffic sessions in the Firewall.

Developer Sites


Copyright © 2023 Palo Alto Networks, Inc. All rights reserved.