| Azure NIC order | PAN-OS name (CLI / GUI) | Typical purpose | Notes |
|---|---|---|---|
| NIC0 | Management – eth0 / mgmt | Out-of-band management (HTTPS, SSH, Panorama, HA1 if you want) | Lives in its own management subnet; the marketplace template always assigns a private IP and (optionally) a public IP. |
| NIC1 | Dataplane – ethernet1/1 | Untrust / Internet-facing | First dataplane port; the template wires it to an untrust subnet and can attach a public IP. |
| NIC2 | Dataplane – ethernet1/2 | Trust / internal side | Second dataplane port; the template puts it in a trust subnet. |
| NIC3, NIC4 … | ethernet1/3, ethernet1/4, … | Extra zones (DMZ, HA2, etc.) | Added in ascending order. For HA you normally use ethernet1/3 as HA2. |
The marketplace template deploys three NICs by default (mgmt, untrust, trust).
For HA you attach a fourth NIC (which becomes ethernet1/3) while the VM is powered off.
Azure numbers NICs sequentially (0, 1, 2 …) and PAN-OS picks them up in that exact order. Adding a new NIC later: stop the VM → attach NIC → start the VM.
Each NIC must be in its own subnet. Azure won’t allow two NICs from the same VM in the same subnet; plan separate management, untrust, trust, dmz (or ha) subnets.
Management-interface swap is optional. If you need the first dataplane port to act as management (e.g., behind a Gateway Load Balancer), enable the swap feature (see below).
VM size limits NIC count. Common sizes (D-series, F-series) allow up to 4 NICs; certain families (e.g., Dsv5) allow up to 8. Plan for DMZ and HA links accordingly.
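The three rules above (index-to-name mapping, one subnet per NIC, the VM-size NIC ceiling) can be checked before anything is deployed. The following script is an added example, not code from the original page or from Palo Alto Networks: it maps each Azure NIC index to the PAN-OS interface it becomes (the swap semantics it assumes are that NIC0 and NIC1 exchange roles and higher NICs are unchanged), rejects a plan in which two NICs share a subnet, and rejects one that exceeds the NIC ceiling you pass in for the chosen VM size. The function names, the sample subnet names and the ceiling of 4 are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): pre-flight checks for a VM-Series NIC plan.
# It encodes three rules: Azure NIC index -> PAN-OS interface name (with the optional
# management-interface swap), one subnet per NIC, and the VM-size NIC ceiling.
# Subnet names and the NIC ceiling used in the sample run are constructed values.

# Map an Azure NIC index to the PAN-OS interface it becomes.
# $1 = NIC index (0, 1, 2, ...), $2 = "swap" when mgmt-interface-swap is enabled.
# Swap semantics assumed here: NIC0 and NIC1 exchange roles; higher NICs are unchanged.
panos_name_for_nic() {
  local idx=$1 swap=${2:-noswap}
  if [ "$swap" = "swap" ]; then
    case "$idx" in
      0) echo "ethernet1/1" ;;
      1) echo "management" ;;
      *) echo "ethernet1/$idx" ;;
    esac
  elif [ "$idx" -eq 0 ]; then
    echo "management"
  else
    echo "ethernet1/$idx"
  fi
}

# Return 0 when every subnet name is unique, 1 when two NICs would share one.
subnets_are_distinct() {
  local dup
  dup=$(printf '%s\n' "$@" | sort | uniq -d)
  [ -z "$dup" ]
}

# Return 0 when the NIC count fits the VM size's ceiling ($1), 1 otherwise.
fits_vm_size() {
  local max=$1
  shift
  [ "$#" -le "$max" ]
}

# Validate a whole plan and print the resulting NIC -> interface -> subnet table.
# $1 = NIC ceiling for the chosen VM size, $2 = "swap" or "noswap",
# remaining args = subnet names in Azure NIC order (NIC0 first).
validate_plan() {
  local max_nics=$1 swap=$2
  shift 2
  if ! fits_vm_size "$max_nics" "$@"; then
    echo "error: plan needs $# NICs but the VM size allows $max_nics" >&2
    return 1
  fi
  if ! subnets_are_distinct "$@"; then
    echo "error: two NICs share a subnet; Azure will reject the attach" >&2
    return 1
  fi
  local idx=0 subnet
  for subnet in "$@"; do
    printf 'NIC%d -> %-12s -> subnet %s\n' "$idx" "$(panos_name_for_nic "$idx" "$swap")" "$subnet"
    idx=$((idx + 1))
  done
}

# Sample plan (constructed): a 4-NIC size, no swap, mgmt/untrust/trust plus an HA2 link.
# NIC3 lands on ethernet1/3, which is the usual HA2 port.
validate_plan 4 noswap mgmt-subnet untrust-subnet trust-subnet ha2-subnet
```

Run it with a fifth subnet on a 4-NIC size, or with the same subnet name twice, and it fails before you have stopped a firewall for nothing; pass `swap` as the second argument to see how the first two rows change once the management-interface swap is enabled.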
Enable the swap from the PAN-OS CLI; the firewall must restart for it to take effect:

```
set system setting mgmt-interface-swap enable yes
request restart system
```
After the restart, confirm which NIC landed on which interface:

```
show interface all
show interface management
```

The MAC addresses shown match the NIC blades in the Azure portal.
1. Deploy the marketplace solution (or ARM/Bicep/Terraform) and point the three default NICs at your management, untrust, and trust subnets.
2. Power off the VM → add extra NIC(s) for HA2 or DMZ → power on the VM.
3. In PAN-OS → Network → Interfaces, set:
   - ethernet1/1 → untrust zone (public IP optional)
   - ethernet1/2 → trust zone
   - ethernet1/3 (if present) → HA2 or DMZ as needed
4. Create UDRs (user-defined routes) in every spoke subnet so the next hop is the private IP of the relevant firewall interface instead of Azure’s default system route.
5. Commit and verify with a ping or security-policy test.
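The NIC-attach and UDR steps of that procedure, expressed as Azure CLI commands, as an added example that is not part of the original page or of Palo Alto Networks documentation. It dry-runs by default (prints each `az` command instead of executing it) so the plan can be reviewed before it touches a subscription; the resource-group, VM, VNet, subnet, NIC and route-table names and the 10.0.2.4 trust IP are constructed placeholders, and the function names are assumptions. It also enables IP forwarding on the new dataplane NIC, which Azure requires before a NIC may forward packets not addressed to it, and which the UDR step depends on.

```bash
#!/usr/bin/env bash
# Added example, not from the original page or Palo Alto Networks: the stop -> attach -> start
# sequence for an extra dataplane NIC, then the spoke UDR that steers traffic to the firewall.
# DRY_RUN=1 (the default) prints each az command instead of running it; set DRY_RUN=0 to
# execute. Every resource name and IP below is a constructed placeholder.
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Attach one more NIC (it becomes the next ethernet1/N) while the VM is deallocated.
# $1 resource group, $2 VM name, $3 VNet, $4 subnet for the new NIC, $5 NIC name.
# The NIC is created with IP forwarding on: without it Azure drops the packets the
# firewall forwards on behalf of other hosts, so UDRs pointing at it would black-hole.
attach_dataplane_nic() {
  local rg=$1 vm=$2 vnet=$3 subnet=$4 nic=$5
  run az vm deallocate --resource-group "$rg" --name "$vm" &&
  run az network nic create --resource-group "$rg" --name "$nic" \
      --vnet-name "$vnet" --subnet "$subnet" --ip-forwarding true &&
  run az vm nic add --resource-group "$rg" --vm-name "$vm" --nics "$nic" &&
  run az vm start --resource-group "$rg" --name "$vm"
}

# Point a spoke subnet's default route at the firewall's trust-side private IP.
# $1 resource group, $2 the spoke subnet's VNet, $3 spoke subnet, $4 route table name,
# $5 private IP of the firewall interface facing that spoke.
route_spoke_via_firewall() {
  local rg=$1 vnet=$2 subnet=$3 rt=$4 fw_ip=$5
  run az network route-table create --resource-group "$rg" --name "$rt" &&
  run az network route-table route create --resource-group "$rg" --route-table-name "$rt" \
      --name default-via-fw --address-prefix 0.0.0.0/0 \
      --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_ip" &&
  run az network vnet subnet update --resource-group "$rg" --vnet-name "$vnet" \
      --name "$subnet" --route-table "$rt"
}

# Constructed sample run (dry run unless DRY_RUN=0 is exported).
attach_dataplane_nic rg-fw fw-vm01 vnet-hub snet-ha2 fw-vm01-nic3
route_spoke_via_firewall rg-fw vnet-spoke snet-app rt-app-via-fw 10.0.2.4
```

Two design points: the script uses `az vm deallocate` rather than `az vm stop`, because a NIC can only be added to a VM in the stopped (deallocated) state, and the dry-run output is the ordered change record (deallocate, create, add, start) you can paste into a change ticket before running it with `DRY_RUN=0`.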
Once you remember the mapping NIC0 → mgmt, NIC1 → ethernet1/1, NIC2 → ethernet1/2, everything else falls neatly into place.
This guide explains how to configure Azure network interfaces for Palo Alto Networks VM-Series firewall using the Azure CLI and Palo Alto CLI.
To create a network interface in a specific resource group and attach it to a virtual network (VNet):

```bash
az network nic create \
```