Deploy VM-Series on Azure Stack Edge

Secure 5G traffic within Azure Stack Edge using VM-Series firewalls.
VM-Series can now secure 5G traffic within Microsoft Azure Stack Edge. Azure Stack Edge is a purpose-built hardware-as-a-service offering that lets you run workloads and gain actionable insights at the edge of the network, where the data originates. Azure Stack Edge hosts the Azure Private 5G Core network functions that connect enterprise edge applications either to other break-out applications or to the internet. With Palo Alto Networks best-in-class 5G security, Azure customers can protect their 5G-connected enterprise applications using VM-Series firewalls.
See Azure Stack Edge for more information on the Azure Stack Edge device. For the VM-Series offer on Azure Stack Edge, see VM-Series Next-Gen Firewall Edge Azure Application.

Security Challenges in 5G and Edge Deployments

5G and edge-deployed networks have transformed enterprises and industries. These deployments use next-generation mobile technology that delivers reliable networks, but they lack built-in protection against a complex and evolving threat landscape.
These security challenges include:
  • A greater number of connected and BYOD devices, which increases the attack surface.
  • Limited control of, and visibility into, user traffic.
  • Attacks originating from the internet or from compromised management systems.
  • Open-source components and exposed APIs.
  • Resource theft.
  • Network configuration attacks.
  • DoS (denial of service) and spoofing attacks on 5G protocols.
  • Limited visibility into subscribers and equipment.
  • Untrusted applications and services.

Benefits of VM-Series Integration with Azure Stack Edge

5G-Native Security with VM-Series
VM-Series deployments with Azure Stack Edge bring enterprise-grade security to 5G deployments. These deployments use the following security features:
  • Real-time correlation of threats to 5G end-user application traffic. Provides security controls and enforcement to inspect tunneled end-user traffic to enterprise applications.
  • Containerized 5G security. Provides for secure, highly distributed cloud-native 5G networks.
  • 5G MEC security. Enables industry digitization with MEC (multi-access edge computing), complementing 5G access networks.
The VM-Series deployment on Azure Stack Edge for enterprise 5G security protects edge applications in the following areas:
  • RAN security. SCTP stateful inspection to protect the Azure 5G Core from the RAN.
  • GTP-U security. Tunnel content inspection to protect the end-user (edge application) payload carried inside the GTP-U tunnel.
  • Internet perimeter. Secures inbound and outbound traffic between the remote edge, break-out applications, and the internet at the perimeter.
The image below illustrates how VM-Series firewalls are used in Azure Stack Edge deployments:

Deploy the VM-Series Firewall on Azure Stack Edge

You can deploy the VM-Series firewall on Azure Stack Edge to secure inter-subnet traffic between applications in a multitier architecture and outbound traffic from servers within your Azure Stack Edge deployment.
A NAT appliance is required because in Azure Stack deployments you can't assign a public IP address to a non-primary network interface of a virtual machine such as the VM-Series firewall. The NAT appliance is the only component that holds the public IP address; it receives inbound traffic and forwards it to the VM-Series firewall, which then applies policy.
To deploy the VM-Series firewall on Azure Stack Edge:
  1. Configure a virtual switch for the management port. If Azure Private 5G Core is being co-installed, the virtual switch for the management port is configured as part of that installation. If you're not installing Azure Private 5G Core, use the instructions below.
    1. Add a virtual switch for the management port, for example, port 2. For more information, see Configure virtual switches.
    2. Configure the switch as a Compute virtual switch. You don't need to configure any Kubernetes nodes or service IP addresses.
  2. Create and register an Azure Network Function Manager device resource. After performing steps 1-2, three virtual switches are available: management, LAN, and WAN. On the Azure Stack Edge GPU, LAN is port 5, and WAN is port 6. On Azure Stack Edge Pro 2, LAN is port 3 and WAN is port 4.
  3. Configure the required virtual networks on the LAN and WAN virtual switches. Add a virtual network for the firewall’s untrust1 interface on the LAN virtual switch using a nonzero VLAN ID.
  4. Add another virtual network for the firewall's untrust2 interface on the WAN virtual switch using a nonzero VLAN ID.
  5. Create a user-assigned managed identity with permission for Microsoft.HybridNetwork/devices/join/action on your Azure Stack Edge. The Azure Portal user needs either Owner or User Access Administrator permission on the ASE resource group to create the user-assigned managed identity.
  6. Navigate to the Azure Portal Marketplace and select the version for your VM-Series firewall.
  7. In the Azure Portal Marketplace, search for VM-Series Palo Alto.
  8. Select the VM-Series Palo Alto Networks NGFW Edge Azure Application option. Choose the 8 CPU or the 16 CPU option from the Plan drop-down.
  9. Click Create. When you create the VM-Series firewall, the installation wizard guides you through configuring basic information, managed identity details, network settings, and the firewall itself. Once you complete these steps, review and create the firewall.
  10. Configure Basic information, including:
    1. Subscription. Select the subscription used for the Azure Stack Edge when it was deployed.
    2. Resource Group. Select a resource group specific to this deployment. If one does not exist, click Create new and use a name similar to ase-vm-series-p5gc.
    3. Region. Refer to the Microsoft Technical Team for the appropriate region.
    4. Select the Azure Network Function Manager device on which the VNF will be deployed.
    5. Application Name. Enter a name for the application.
    6. Managed Resource Group. This resource group retains the resources required by the managed app. Use the default value for this field.
  11. The Azure Portal user needs at least User Access Administrator permission on the ASE resource group to configure the role assignment.
  12. Create a custom role with permission for Microsoft.HybridNetwork/devices/join/action, unless one already exists. For more information, see Create or update Azure custom roles using the Azure portal. Grant only the Microsoft.HybridNetwork/devices/join/action permission named in step 5; the Clone a role method isn't appropriate here because it copies a broader permission set than the identity needs.
  13. Configure Managed Identity details. Select a managed identity. If one does not exist, create one using the portal. Ensure the managed identity uses the correct subscription and resource group.
  14. Create a user-assigned managed identity, unless one already exists. For more information, see Create a user-assigned managed identity.
  15. Assign the user-assigned managed identity the custom role from above at the scope of the Azure Stack Edge, or the Resource Group or Subscription containing the Azure Stack Edge. For more information, see User-assigned managed identity.
  16. Continue creating the VM-Series firewall using the wizard. Configure Network settings: the IP addresses of the management, LAN, and WAN interfaces, along with any VLANs used in the deployment.
    The table below shows the interfaces and how they map to the Azure Stack Edge device and Azure Private 5G Core. Use this table to create reference designs for VM-Series deployments on Azure Stack Edge and Azure Private 5G Core.
    Short name (NFM) | Full name (VM-Series managed app)   | Interface name in Panorama | Security zone | Azure Stack Edge physical port | Description
    -----------------|-------------------------------------|----------------------------|---------------|--------------------------------|------------
    mgmt             | Management interface                | Management                 | Management    | 1, 2, 3, 4                     | The firewall's management IP address, from which it communicates with Panorama in the cloud.
    mgmt-inspect     | Management interface for inspection | Ethernet 1/1               | trust-access  | 1, 2, 3, 4                     | The IP address that provides firewall functionality to the OAM network.
    lan1             | First LAN interface                 | Ethernet 1/2               | trust-access  | 5                              | Communicates with the RAN's N2 interface, or N2 and N3 interfaces.
    lan2             | Second LAN interface                | Ethernet 1/3               | untrust-n2    | 5                              | Communicates with the RAN's N2 interface, or N2 and N3 interfaces.
    lan3             | Third LAN interface                 | Ethernet 1/4               | untrust-n3    | 5                              | Can be used to communicate with the RAN's N3 interface independently.
    wan1             | First WAN interface                 | Ethernet 1/5               | trust-core    | 6                              | Communicates with the Azure Private 5G Core N6 interface.
    wan2             | Second WAN interface                | Ethernet 1/6               | untrust-mgmt  | 6                              | Communicates with the internet on behalf of the OAM network.
    wan3             | Third WAN interface                 | Ethernet 1/7               | untrust-n6    | 6                              | Communicates with the internet or other data networks on behalf of the UEs.
    Physical port numbers in the table are for Azure Stack Edge GPU; on Azure Stack Edge Pro 2, LAN is port 3 and WAN is port 4 (see step 2).
  17. Complete the VM-Series configuration:
    1. Enter the VM name representing the VM-Series firewall. Use a meaningful description.
    2. Enter Custom Data. This is passed to the firewall as cloud-init parameters: it gives the VM-Series firewall its licensing information and the IP address of the Panorama server it registers with.
    The custom data uses the same keys as the init-cfg.txt bootstrap file, written as one semicolon-delimited line. It resembles the following (replace the placeholder values with your own):
    type=dhcp-client; hostname=panfw001; tplname=ngfw-stack; dgname=ngfw-device; op-command-modes=jumbo-frame; panorama-server=1.2.3.4; vm-auth-key=123456789123456; authcodes=D1234567; timezone=UTC+3
    Each key must appear exactly once. Use the vm-auth-key generated on Panorama with the command request bootstrap vm-auth-key generate lifetime 24; the key is valid for 24 hours, so generate it shortly before deploying. Use a timezone with a UTC offset that reflects the location of the Azure Stack Edge device. You can also check the Azure Stack Edge device's local time and make sure the same offset is reflected, in UTC offset format, in the custom data.
  18. Review and create the VM-Series firewall. Verify that all the settings are correct, then deploy the VM-Series firewall.
  19. After deploying the firewall on the Azure Stack Edge device, verify its connection to Panorama from the VM-Series NGFW CLI:
    admin@pa-azr-ase> show panorama-status
    Panorama Server 1 : <panorama ip> Connected : yes
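The two inputs the wizard takes verbatim, the custom data string (step 17) and the untrust virtual-network plan on the LAN and WAN switches (steps 3 and 4), are easy to get subtly wrong: a duplicated or malformed key in the custom data is pasted straight into cloud-init, and a VLAN ID of 0 or an untrust interface on the wrong switch only shows up as a firewall that never registers. The following pre-flight check is an added example, not Palo Alto Networks or Microsoft code. It assumes the required bootstrap keys, the UTC-offset timezone format and the GPU/Pro 2 port numbers exactly as this page states them; the function names and the constructed sample strings in it are illustrative.

```python
"""Pre-flight checks for a VM-Series deployment on Azure Stack Edge (added example)."""
import re

# Bootstrap keys the procedure relies on (Panorama registration and device-group/template).
REQUIRED_KEYS = ("type", "panorama-server", "vm-auth-key", "tplname", "dgname")
# LAN/WAN physical ports per model, from step 2 of the procedure; assumed complete for this page.
PORT_MAP = {"Azure Stack Edge GPU": {"lan": 5, "wan": 6},
            "Azure Stack Edge Pro 2": {"lan": 3, "wan": 4}}


def parse_custom_data(data):
    """Split 'k=v; k=v' custom data into (pairs, duplicate_keys).

    Every occurrence is kept so duplicates are reported instead of silently overwritten.
    """
    pairs = []
    for chunk in data.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        key, sep, value = chunk.partition("=")
        pairs.append((key.strip(), value.strip() if sep else None))
    seen, dups = set(), []
    for key, _ in pairs:
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return pairs, dups


def validate_custom_data(data):
    """Return a list of problems; an empty list means the string is safe to paste."""
    pairs, dups = parse_custom_data(data)
    problems = [f"duplicate key: {k}" for k in dups]
    values = {}
    for key, value in pairs:
        if value is None:
            problems.append(f"missing '=' in: {key}")
        elif value == "":
            problems.append(f"empty value for: {key}")
        elif "=" in value or re.search(r"\s", value):
            problems.append(f"malformed value for {key} (stray '=' or whitespace): {value}")
        else:
            values.setdefault(key, value)  # first occurrence wins, as the duplicate report already flags it
    for key in REQUIRED_KEYS:
        if key not in values:
            problems.append(f"required key absent: {key}")
    if not re.fullmatch(r"\d+", values.get("vm-auth-key", "")):
        problems.append("vm-auth-key must be the numeric key from 'request bootstrap vm-auth-key generate'")
    srv = values.get("panorama-server", "")
    octets = srv.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        problems.append(f"panorama-server must be an IPv4 address, got: {srv!r}")
    tz = values.get("timezone")
    if tz is not None and not re.fullmatch(r"UTC[+-]\d{1,2}(:\d{2})?", tz):
        problems.append("timezone must be a UTC offset such as UTC+3 (format used on this page)")
    return problems


def normalize_custom_data(data):
    """Rebuild the string with duplicates collapsed and empty values dropped."""
    pairs, _ = parse_custom_data(data)
    out, seen = [], set()
    for key, value in pairs:
        if key not in seen and value:
            out.append(f"{key}={value}")
            seen.add(key)
    return "; ".join(out)


def validate_interface_plan(model, vnets):
    """Check the untrust virtual networks from steps 3 and 4.

    vnets: list of {"name", "switch" ("lan"/"wan"), "vlan"}. Rules: untrust1 on the LAN switch,
    untrust2 on the WAN switch, nonzero VLAN IDs, and no VLAN reused on the same switch.
    """
    if model not in PORT_MAP:
        return [f"unknown Azure Stack Edge model: {model}"]
    expected = {"untrust1": "lan", "untrust2": "wan"}
    problems, seen = [], {}
    for v in vnets:
        if not 1 <= v["vlan"] <= 4094:
            problems.append(f"{v['name']}: VLAN ID must be nonzero (1-4094), got {v['vlan']}")
        want = expected.get(v["name"])
        if want and v["switch"] != want:
            problems.append(f"{v['name']}: must be on the {want.upper()} virtual switch "
                            f"(port {PORT_MAP[model][want]} on {model})")
        key = (v["switch"], v["vlan"])
        if key in seen:
            problems.append(f"{v['name']}: VLAN {v['vlan']} already used by {seen[key]} on {v['switch'].upper()}")
        seen[key] = v["name"]
    for name in expected:
        if not any(v["name"] == name for v in vnets):
            problems.append(f"missing virtual network: {name}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the page's custom data with one key pasted twice and an empty authcode.
    sample = ("type=dhcp-client; hostname=panfw001; tplname=ngfw-stack; dgname=ngfw-device; "
              "tplname=ngfw-stack; panorama-server=1.2.3.4; vm-auth-key=123456789123456; authcodes=")
    for p in validate_custom_data(sample):
        print("custom data:", p)
    print("normalized:", normalize_custom_data(sample))
    plan = [{"name": "untrust1", "switch": "lan", "vlan": 100},
            {"name": "untrust2", "switch": "wan", "vlan": 200}]
    print("plan problems:", validate_interface_plan("Azure Stack Edge Pro 2", plan))
```

Run it against the exact string you intend to paste into the Custom Data field and against your planned VLAN IDs before clicking Create; an empty problem list from both checks means the firewall has what it needs to reach Panorama and that the untrust interfaces land on the switches the procedure expects.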