Amazing. Thanks for this.
Glad you liked it!
Hey! Great video. Can you tell me what's the price I could pay for deployment/hour, GB processed and other costs related?
Hi, thank you for watching. When the video was done there was a Pay-as-you-go license model, but it was far from economical: the instance alone was around $2 an hour, which I know doesn't sound much, but if you accidentally leave it on (like I did) then it soon mounts up. Also, all AWS data costs are not included, so you will get charged for ingress/egress as usual. I am not sure if the Pay-as-you-go model is still available or if you now have to purchase credits; if you decide to go the credit route then give me a shout at www.mode44.co.uk and I can work out a price for them. If you pop along to the Palo Alto site though, I believe they still do a trial VM license that you could possibly use with the BYOL model.
Let me know how it goes and if I can help further.
Hello sir! Great video and thank you for putting this out there. I however have a question, although as silly as it sounds: how did you get your VM to be a Windows VM? I followed the video to the letter but at the end discovered I could not RDP into it, as it's a Linux machine. Lol, thanks.
I think I would have just picked a Windows box from the Marketplace in Azure. They do have Linux as well, but RDP always looks better in a video; however, if you just write the rules for SSH and the NAT translation you could get access to the Linux box too.
Hi mate, great stuff and thanks for it. You've configured Hide NAT with the interface external IP. What if we need to configure Hide NAT with a pool of IP addresses as the source? Can you please share your insights on this?
Absolutely you can: instead of Dynamic IP and port, you could use the translated address option and add multiple addresses there. As far as I remember, the firewall will then round-robin the translations between them.
Thank you for watching!!
@mode4480 Thanks for the reply. My query is on the underlay, or Azure, as the Public IP address is created on it. Here, we were using the interface IP address from the private subnet, which is tied to the Public IP address of the untrust interface. If we need to add more IP addresses from the private subnet, as you said, how do we bind those addresses against the Public IP address on Azure?
I am not sure I understand the question entirely. Do you want to add more addresses from the private subnet to provide translation to a single Azure public address? Or do you have multiple Azure public addresses and wish to add a 1-to-1 NAT between private and public?
@mode4480 Sorry if I confused you with my statements.
The external or untrust interface has an IP address (10.1.1.36) which is tied to the public IP (51.140.251.39). I'd like to know how to avoid the NAT/PAT pool exhaustion issue, as each IP supports up to 65K max connections...
Typically, we add multiple Public IPs in the NAT config for the outbound traffic (Dynamic IP and port), which is perfectly fine for physical/hardware firewalls as you mentioned. Since this is a cloud one, if we add more private IPs (from the front-end or untrust subnet) in the NAT policy, how do we tie them to the Public IP of Azure for the NAT translations to happen?
I see now what you are saying. I am not sure what the mechanism is in Azure, to be completely honest. All Palo Alto firewalls support NAT oversubscription to get around the 65k limit; for instance, on a VM with 16 CPU cores and 56GB RAM (equivalent to a VM-700) the default oversubscription is 8x for DIPP (Dynamic IP and port), so in easy maths terms (I like easy maths) that would be 520,000 translations. How that is handled through Azure is something I have never had to deal with, unfortunately, as any Azure deployments have always been multiple firewall instances between two Azure load balancers. However, I would be shocked if there was not a way of dealing with this fundamental networking issue of port exhaustion in NAT.
Sorry I couldn't be more help. If you want to check the stats for any firewall, just click the link below and open up the "show more" under the model of firewall; NAT limits and oversubscription are shown there.
www.paloaltonetworks.com/products/product-selection#
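As an added illustration of the capacity arithmetic in the reply above (my own example, not code from the video or from Palo Alto Networks): a small DIPP capacity planner plus a toy allocator using the simplified rule that one translated IP/port pair can be shared by sessions to *different* destinations. The class and function names are assumptions, and the 65K-per-IP and 8x figures are the ones quoted in the thread.

```python
from dataclasses import dataclass, field
from math import ceil

PORTS_PER_IP = 65_000  # "65K max connections" per public IP, as quoted in the thread


def dipp_capacity(public_ips: int, oversub: int = 8, ports_per_ip: int = PORTS_PER_IP) -> int:
    """Maximum concurrent DIPP translations for a pool of public IPs with
    the given oversubscription factor (8x default quoted for a VM-700 class VM)."""
    return public_ips * ports_per_ip * oversub


def public_ips_needed(expected_sessions: int, oversub: int = 8,
                      ports_per_ip: int = PORTS_PER_IP) -> int:
    """Smallest number of public IPs whose DIPP capacity covers expected_sessions."""
    return max(1, ceil(expected_sessions / (ports_per_ip * oversub)))


@dataclass
class DippPool:
    """Toy DIPP allocator (simplified model, not PAN-OS code): each
    (public_ip, port) key may hold up to `oversub` sessions, all to
    distinct (dst_ip, dst_port) destinations. Public IPs are tried
    round-robin, as the reply above describes for translated-address pools."""
    public_ips: list
    oversub: int = 8
    ports_per_ip: int = PORTS_PER_IP
    first_port: int = 1024
    _table: dict = field(default_factory=dict)  # (ip, port) -> set of destinations
    _rr: int = 0

    def allocate(self, dst):
        """Return (public_ip, port) for a new session to dst, or None when
        no pair has room for that destination (pool exhausted)."""
        n = len(self.public_ips)
        for i in range(n):
            ip = self.public_ips[(self._rr + i) % n]
            for port in range(self.first_port, self.first_port + self.ports_per_ip):
                dsts = self._table.setdefault((ip, port), set())
                # A pair is reusable only while it has spare oversubscription
                # slots AND the new session goes to a destination it is not
                # already serving; same-destination traffic gets no benefit.
                if dst not in dsts and len(dsts) < self.oversub:
                    dsts.add(dst)
                    self._rr = (self._rr + i + 1) % n
                    return ip, port
        return None
```

The second property the allocator shows is the caveat the planner alone hides: if all outbound sessions go to the same destination, oversubscription cannot reuse ports and the pool is exhausted at the raw 65K figure.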