===== Palo Alto VM-Series Interface Mapping in Microsoft Azure =====
^ Azure NIC order ^ PAN-OS name (CLI / GUI) ^ Typical purpose ^ Notes ^
| NIC0 | Management – ''eth0'' / ''mgmt'' | Out-of-band management (HTTPS, SSH, Panorama, HA1 if you want) | Lives in its own management subnet; the marketplace template always assigns a private IP and (optionally) a public IP. |
| NIC1 | Dataplane – ''ethernet1/1'' | //Untrust// / Internet-facing | First dataplane port; the template wires it to an untrust subnet and can attach a public IP. |
| NIC2 | Dataplane – ''ethernet1/2'' | //Trust// / internal side | Second dataplane port; the template puts it in a trust subnet. |
| NIC3, NIC4 … | ''ethernet1/3'', ''ethernet1/4'', … | Extra zones (DMZ, HA2, etc.) | Added in ascending order. For HA you normally use ''ethernet1/3'' as HA2. |
==== Key facts to remember ====
  * The marketplace template deploys three NICs by default (mgmt, untrust, trust).
  * For HA you attach a fourth NIC (which becomes ''ethernet1/3'') while the VM is powered off.
  * Azure numbers NICs sequentially (0, 1, 2 …) and PAN-OS picks them up in that exact order.
  * Adding a new NIC later: stop the VM → attach the NIC → start the VM.
  * Each NIC must be in its own subnet. Azure won’t allow two NICs from the same VM in the same subnet, so plan separate management, untrust, trust and DMZ (or HA) subnets.
  * The management-interface swap is optional. If you need the first dataplane port to act as management (e.g., behind a Gateway Load Balancer), enable the swap feature (see below).
  * VM size limits the NIC count. Common sizes (D-series, F-series) allow up to 4 NICs; certain families (e.g., Dsv5) allow up to 8. Plan for DMZ and HA links accordingly.
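The mapping in the table and the layout rules above (three mandatory NICs, one subnet per NIC, a NIC ceiling set by the VM size, the optional management swap) are easy to check before you deploy. The script below is an added example and not part of the original page or of any Palo Alto tooling; it assumes that Azure NIC order is the order in which the NICs are listed in the VM's network profile, that the management-interface swap exchanges only the roles of NIC0 and NIC1, and that the per-size NIC ceilings in ''MAX_NICS_BY_SIZE'' are placeholder values you replace with the real limits for your size.

```python
"""Added example, not from the original page: derive the PAN-OS interface name
for each Azure NIC index and sanity-check a planned VM-Series NIC layout.

Assumptions of mine: NIC order is the order in which the NICs appear in the
VM's network profile, the management-interface swap exchanges the roles of
NIC0 and NIC1 only, and the NIC ceilings in MAX_NICS_BY_SIZE are illustrative
placeholders rather than an authoritative Azure table.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Placeholder NIC ceilings per VM size (hypothetical values; confirm against
# the Azure documentation for the size you actually deploy).
MAX_NICS_BY_SIZE: Dict[str, int] = {
    "Standard_D4_v3": 4,
    "Standard_D8s_v5": 8,
}


def panos_name(nic_index: int, mgmt_swap: bool = False) -> str:
    """Map an Azure NIC index (0, 1, 2, ...) to its PAN-OS interface name.

    Default:   NIC0 -> mgmt, NIC1 -> ethernet1/1, NIC2 -> ethernet1/2, ...
    With swap: NIC0 -> ethernet1/1, NIC1 -> mgmt; NIC2 onward are unchanged.
    """
    if nic_index < 0:
        raise ValueError("NIC index must be non-negative")
    if mgmt_swap and nic_index in (0, 1):
        return "ethernet1/1" if nic_index == 0 else "mgmt"
    if nic_index == 0:
        return "mgmt"
    return f"ethernet1/{nic_index}"


def layout_table(nics: List[Dict[str, str]], mgmt_swap: bool = False) -> List[Tuple[str, str, str]]:
    """Return (Azure NIC label, PAN-OS name, subnet) rows in attachment order."""
    return [(f"NIC{i}", panos_name(i, mgmt_swap), n["subnet"]) for i, n in enumerate(nics)]


def validate_layout(vm_size: str, nics: List[Dict[str, str]]) -> List[str]:
    """Return the problems found in a planned layout; an empty list means OK."""
    problems: List[str] = []
    limit: Optional[int] = MAX_NICS_BY_SIZE.get(vm_size)
    if limit is None:
        problems.append(f"no NIC limit known for VM size {vm_size}")
    elif len(nics) > limit:
        problems.append(f"{len(nics)} NICs exceeds the {limit}-NIC limit of {vm_size}")
    if len(nics) < 3:
        problems.append("fewer than 3 NICs: mgmt, untrust and trust are all required")
    # Each NIC of the VM has to sit in its own subnet, so flag any subnet used twice.
    counts = Counter(n["subnet"] for n in nics)
    problems.extend(f"subnet {s} is used by more than one NIC" for s, c in counts.items() if c > 1)
    return problems


# Constructed sample layout: the three default NICs plus an HA2 NIC.
PLANNED_NICS = [
    {"name": "fw-mgmt-nic", "subnet": "mgmt"},
    {"name": "fw-untrust-nic", "subnet": "untrust"},
    {"name": "fw-trust-nic", "subnet": "trust"},
    {"name": "fw-ha2-nic", "subnet": "ha"},
]

if __name__ == "__main__":
    for azure_nic, panos, subnet in layout_table(PLANNED_NICS):
        print(f"{azure_nic:5} -> {panos:12} ({subnet})")
    print("problems:", validate_layout("Standard_D4_v3", PLANNED_NICS) or "none")
```

Run it with the layout you intend to deploy; ''validate_layout'' returns an empty list for a clean plan and one message per violation otherwise, and ''layout_table(..., mgmt_swap=True)'' shows how the first two rows change once the swap is enabled.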
==== Management-interface swap (optional) ====
Run these from the operational CLI; the swap takes effect after the restart.
```
set system setting mgmt-interface-swap enable yes
request restart system
```
==== Checking the mapping from the CLI ====
```
show interface all
show interface management
```
The MAC addresses shown match the ones listed for each NIC in the Azure portal (Azure writes them upper-case with dashes, PAN-OS lower-case with colons).
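Comparing MACs by eye is error-prone once there are four or more NICs, so here is an added example (not from the page and not a Palo Alto tool) that automates the check. The two PAN-OS outputs are constructed samples that approximate the layout of ''show interface all'' and ''show interface management'' from memory rather than verbatim captures, and the Azure list mimics only the ''name'' and ''macAddress'' fields of ''az network nic list -o json''; the deliberately unmatched ''fw-dmz-nic'' entry shows how a NIC that Azure attached but PAN-OS never picked up surfaces.

```python
"""Added example, not from the original page: cross-check the MAC addresses
PAN-OS reports against the MACs Azure assigned to the VM's NICs.

Both inputs are constructed samples. The PAN-OS outputs approximate the layout
of 'show interface all' and 'show interface management' (my recollection, not
a verbatim capture); the Azure list mimics the name/macAddress fields of
`az network nic list -o json`. Azure prints MACs upper-case with dashes,
PAN-OS lower-case with colons, so both are normalised before comparison.
"""
import re
from typing import Dict, List, Optional

MAC_RE = re.compile(r"(?i)\b[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}\b")
IFACE_RE = re.compile(r"^(ethernet\d+/\d+)\b")

SHOW_INTERFACE_ALL = """\
total configured hardware interfaces: 3

name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1             16    ukn/ukn/up                00:0d:3a:aa:bb:01
ethernet1/2             17    ukn/ukn/up                00:0d:3a:aa:bb:02
ethernet1/3             18    ukn/ukn/down              00:0d:3a:aa:bb:03
"""

SHOW_INTERFACE_MANAGEMENT = """\
Name: Management Interface
MAC address:
  Port MAC address 00:0d:3a:aa:bb:00
"""

AZURE_NICS = [  # constructed sample
    {"name": "fw-mgmt-nic", "macAddress": "00-0D-3A-AA-BB-00"},
    {"name": "fw-untrust-nic", "macAddress": "00-0D-3A-AA-BB-01"},
    {"name": "fw-trust-nic", "macAddress": "00-0D-3A-AA-BB-02"},
    {"name": "fw-dmz-nic", "macAddress": "00-0D-3A-AA-BB-99"},  # deliberately unmatched
]


def norm_mac(mac: str) -> str:
    """Lower-case, colon-separated form so Azure and PAN-OS MACs compare equal."""
    return mac.lower().replace("-", ":")


def parse_panos_macs(show_all: str, show_mgmt: str) -> Dict[str, str]:
    """PAN-OS interface name -> normalised MAC, including the management port."""
    macs: Dict[str, str] = {}
    for line in show_all.splitlines():
        iface = IFACE_RE.match(line)
        mac = MAC_RE.search(line)
        if iface and mac:
            macs[iface.group(1)] = norm_mac(mac.group(0))
    mgmt = MAC_RE.search(show_mgmt)
    if mgmt:
        macs["mgmt"] = norm_mac(mgmt.group(0))
    return macs


def correlate(azure_nics: List[Dict[str, str]],
              panos_macs: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """One row per MAC seen on either side; a None on either side is a mismatch."""
    azure_by_mac = {norm_mac(n["macAddress"]): n["name"] for n in azure_nics}
    rows: List[Dict[str, Optional[str]]] = [
        {"panos": iface, "mac": mac, "azure_nic": azure_by_mac.get(mac)}
        for iface, mac in panos_macs.items()
    ]
    seen = {r["mac"] for r in rows}
    rows += [{"panos": None, "mac": mac, "azure_nic": name}
             for mac, name in azure_by_mac.items() if mac not in seen]
    return rows


def mismatches(rows: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Rows where one side has a MAC the other side does not know about."""
    return [r for r in rows if r["panos"] is None or r["azure_nic"] is None]


if __name__ == "__main__":
    table = correlate(AZURE_NICS, parse_panos_macs(SHOW_INTERFACE_ALL, SHOW_INTERFACE_MANAGEMENT))
    for r in table:
        print(f"{str(r['panos']):12} {r['mac']}  {r['azure_nic']}")
    print("mismatches:", len(mismatches(table)))
```

In practice you paste the real CLI output into the two strings (or read them from files) and replace ''AZURE_NICS'' with the parsed output of ''az network nic list''; any row with a ''None'' tells you either that PAN-OS has not picked up a NIC (usually because it was attached while the VM was running) or that an Azure NIC belongs to a different VM than you think.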
==== Quick configuration workflow ====
  - Deploy the marketplace solution (or ARM/Bicep/Terraform) and point the three default NICs at your management, untrust and trust subnets.
  - Power off the VM → add extra NIC(s) for HA2 or DMZ → power on the VM.
  - In PAN-OS → Network → Interfaces, set:
    * ''ethernet1/1'' → //untrust// zone (public IP optional)
    * ''ethernet1/2'' → //trust// zone
    * ''ethernet1/3'' (if present) → HA2 or DMZ as needed
  - Create UDRs (user-defined routes) in every spoke subnet so the next hop is the private IP of the relevant firewall interface instead of Azure’s default system route.
  - Commit and verify with a ping or security-policy test.
Once you remember the mapping NIC0 → mgmt, NIC1 → ''ethernet1/1'', NIC2 → ''ethernet1/2'', everything else falls neatly into place.
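The UDR step in the workflow above is the one that silently fails open: a spoke subnet with no route table, or with a default route that points anywhere but the firewall's trust interface, keeps using Azure's system route and never sees a security policy. The script below is an added example (not from the page, not a Palo Alto or Azure tool) that audits route tables for exactly that. It assumes the records mirror the ''name'', ''subnets'' and ''routes'' fields of ''az network route-table list -o json'' (with each route carrying ''addressPrefix'', ''nextHopType'' and ''nextHopIpAddress''); the subscription ID, resource names and the trust IP ''10.0.2.4'' are constructed sample values.

```python
"""Added example, not from the original page: audit that every spoke subnet has
a user-defined default route whose next hop is the firewall's trust-side
private IP, so nothing quietly falls back to Azure's system route.

Assumptions of mine: the route-table records mirror the name/subnets/routes
fields of `az network route-table list -o json` (routes carry addressPrefix,
nextHopType and nextHopIpAddress); the resource IDs and 10.0.2.4 are
constructed sample values.
"""
from typing import Any, Dict, List

FIREWALL_TRUST_IP = "10.0.2.4"  # constructed: private IP of ethernet1/2

# Constructed resource-ID prefix (all-zero subscription ID is a placeholder).
SUB = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-spokes"
       "/providers/Microsoft.Network/virtualNetworks")
SPOKE_SUBNETS = [
    f"{SUB}/spoke1/subnets/app",
    f"{SUB}/spoke2/subnets/app",
    f"{SUB}/spoke3/subnets/app",  # has no route table at all
]

ROUTE_TABLES: List[Dict[str, Any]] = [  # constructed sample
    {
        "name": "rt-spoke1",
        "subnets": [{"id": f"{SUB}/spoke1/subnets/app"}],
        "routes": [{"name": "default-to-fw", "addressPrefix": "0.0.0.0/0",
                    "nextHopType": "VirtualAppliance", "nextHopIpAddress": FIREWALL_TRUST_IP}],
    },
    {
        "name": "rt-spoke2",
        # Azure resource IDs are case-insensitive, so the audit compares them lower-cased.
        "subnets": [{"id": f"{SUB}/spoke2/subnets/app".upper()}],
        "routes": [{"name": "default-direct", "addressPrefix": "0.0.0.0/0",
                    "nextHopType": "Internet", "nextHopIpAddress": None}],
    },
]


def audit_udrs(route_tables: List[Dict[str, Any]], spoke_subnets: List[str], fw_ip: str) -> Dict[str, str]:
    """Subnet ID -> 'ok', or a one-line reason why that subnet bypasses the firewall."""
    table_for_subnet: Dict[str, Dict[str, Any]] = {}
    for rt in route_tables:
        for s in rt.get("subnets") or []:
            table_for_subnet[s["id"].lower()] = rt
    findings: Dict[str, str] = {}
    for subnet in spoke_subnets:
        rt = table_for_subnet.get(subnet.lower())
        if rt is None:
            findings[subnet] = "no route table associated; Azure system route applies"
            continue
        default = [r for r in rt["routes"] if r.get("addressPrefix") == "0.0.0.0/0"]
        if not default:
            findings[subnet] = f"{rt['name']}: no 0.0.0.0/0 route"
        elif (default[0].get("nextHopType"), default[0].get("nextHopIpAddress")) != ("VirtualAppliance", fw_ip):
            findings[subnet] = (f"{rt['name']}: default route goes to "
                                f"{default[0].get('nextHopType')} {default[0].get('nextHopIpAddress')}, "
                                f"expected VirtualAppliance {fw_ip}")
        else:
            findings[subnet] = "ok"
    return findings


def bypassing_subnets(findings: Dict[str, str]) -> List[str]:
    """Subnets whose traffic does not transit the firewall."""
    return [s for s, verdict in findings.items() if verdict != "ok"]


if __name__ == "__main__":
    for subnet, verdict in audit_udrs(ROUTE_TABLES, SPOKE_SUBNETS, FIREWALL_TRUST_IP).items():
        print(subnet.rsplit("/", 3)[-3], "->", verdict)
```

Feed it the JSON from ''az network route-table list'' plus the list of subnet IDs you expect to be protected; ''bypassing_subnets'' is the list to act on, and running it after every commit is a cheap way to catch a route table that was detached or edited since the firewall went in.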
===== Configuring Azure Interfaces for Palo Alto VM-Series Firewall =====
This guide explains how to configure Azure network interfaces for the Palo Alto Networks VM-Series firewall using the Azure CLI and the PAN-OS CLI.
==== 1. Azure CLI: Configuring Network Interfaces ====
=== 1.1. Create a Network Interface ===
To create a network interface in a specific resource group and attach it to a subnet of a virtual network (VNet), substituting your own names for the bracketed placeholders:
```bash
az network nic create \
  --resource-group <resource-group> \
  --name <nic-name> \
  --vnet-name <vnet-name> \
  --subnet <subnet-name>
```