Multinode High Availability in Azure Cloud

A resource group is a logical container for resources deployed in Azure. It helps you manage and organize related resources. The vSRX VM is a resource within an Azure resource group. All components related to the vSRX (such as virtual network, storage account, public IP, and so on.) are part of the same resource group.

1. Sign into the Azure portal.
2. Search for Resource group and create a new one.
3. Choose a name, enter subscription, and select region for the resource group. In this example, create a resource group azure-vsrx3.0.
4. Click Review + create and then Create. For details,

   See Create a Resource Group for details.

This procedure grants a user or user group the necessary permissions to manage (deploy, configure, monitor, and delete) the vSRX virtual machines and associated network resources within the dedicated resource group.

When deploying vSRX Virtual Firewalls in Azure, IAM roles are also assigned to the managed entity (the vSRX VM or its associated resources). This procedure is covered later in this procedure.

Note:

To perform this task, you must have "Owner" privilege.

1. Select the specific resource group (azure-vsrx3.0 in this example).
2. On the Resource Group blade, click Access control (IAM) in the left-side navigation panel.
3. Click the + Add button, then select Add role assignment.
4. Select User, group, or service principal in Members tab and select a role such as Owner, Contributor, or Reader.
5. Click + Select members search for and select user or user group to assign the role to.
6. Configure conditions (Optional).
7. Click Review + assign to finalize the role assignment.
8. Click Save.

A virtual network (VNet) is the foundation for your Azure infrastructure. It allows you to securely connect Azure resources. At a minimum, define:

• A management (fxp0) subnet,
• One or more public subnets for Internet-facing traffic
• A private subnet for internal workloads
• An ICL subnet for inter-node communication in an MNHA setup

1. In the Azure portal, go to the Create a resource section. Locate and select Virtual Networks.

2. Click + Create.
3. In the Basics Tab, enter following details:
   • Subscription: Choose your subscription.
   • Resource Group: Select an existing group (example: azure-vsrx3.0) or create a new one.
   • Name: Enter a name for your VNet (example: mnha-vnet-zone).
   • Region: Choose the region where you want to deploy resources.
4. Click Review + create and then Create.
5. On the Virtual Network page, click Settings > Subnets. The subnets are used to connect the two vSRX Virtual Firewall nodes using a logical connection (like the physical cable connecting ports).

   Table 4 shows a sample configuration used in this example.

   Table 4: Subnet Configuration in Azure Portal

   Function	CIDR	Role
   management-subnet	10.10.0.0/24	Management traffic
   icl-subnet	10.10.1.0/24	RTO, synchronization, and probes- related traffic
   untrust-subnet	10.10.2.0/24	External traffic
   trust-subnet	10.10.3.0/24	Internal traffic

   See Create a Virtual Network for details.

1. In the Azure portal, go to the Create a resource section. Locate and select Network foundation and then go to Public IP address.
2. Click Create to start setting up a new public IP address.
3. In the Basics tab, enter following details:
   • Subscription: Choose your subscription.
   • Resource Group: Select an existing group (azure-vsrx3.0 in this example).
   • Region: Choose the region where you want to deploy resources.
   • Name: Enter a unique name for the public IP resource.
   • IP Version: Select IPv4 or IPv6 based on your requirements.
   • SKU: Choose between Basic and Standard offerings.
   • IP address assignment, Tier, Routing preference: Retain the default options for this example.
4. Once configured, review the settings and then click Create to allocate the public IP address.

Repeat the same steps to create other public IPs. In this example, create vsrx-r0-ip, vsrx-secondary-public-ip, and vsrx-r0b-ip.

1. Navigate to Network foundation > Virtual networks, and select Network security groups.
2. Select Create network security group.
3. Set up your NSG with the following details:
   • Subscription: Choose your subscription.
   • Resource group: Select an existing group (azure-vsrx3.0 in this example).
   • Name: Enter a unique name for the network security group (example: vsrx-r0-nsg).
   • Region: Choose the region where you want to deploy resources.

   Network Security Group gets created. Repeat same procedure to create another network security group (vsrx-r0b-nsg).

4. Go to Settings and define inbound and outbound security rules to control traffic to and from your NIC and VMs in Inbound security rules and Outbound security rules.
   Tip:

   We recommend the following security settings for your NSG configuration:

   • Define appropriate NSG security rules to control traffic flow according to your requirements.
   • Allow only inbound SSH, and optionally HTTPS, depending on how you manage the vSRX instance.
   • Restrict inbound access to your own source IP to prevent potential SSH brute‑force attempts.
   • If using SD Cloud, ensure the vSRX can initiate outbound connections for the following:
     • DNS
     • NTP
     • SSH on port 7804
     • SYSLOG over TLS on port 6514 (target IP depends on your SD Cloud instance)

A storage account provides a unique space to store and access data objects in Azure.

1. In your resource group, click Create (+).
2. Search for "Storage account” and create a new one.
3. Specify the name, deployment model, performance, and other settings.
4. Click Review + create and then Create. See Create a Storage Account for details.

Use the following steps to deploy two vSRX VM instances. You’ll use these two instances to set up Multinode High Availability. For details, see Deploy the vSRX Virtual Firewall Image from Azure Marketplace.

CAUTION:

For this example, the values shown are chosen specifically for this use case. All other settings remain at their defaults. Select the configuration values that best match your network requirements.

1. Search for vSRX in the Azure Marketplace by clicking on Create a resource and search for vSRX Virtual Firewall.
2. Select the vSRX VM image from the Azure Marketplace.
3. Configure deployment settings by providing the following details:

   Basics Tab

   1. Subscription: Choose your subscription.
   2. Resource Group: Select the resource group In this example, use the azure-vsrx3.0 which you created previously.
      Note:

      Deploy both vSRX Virtual Firewall instances in the same resource group. The resource group will hold all the resources associated with the vSRX Virtual Firewalls for this deployment.

   3. Virtual Machine Name: Enter a unique name for your vSRX VM (example: vsrx-r0).
   4. Region: Choose the region where you want to deploy resources.
   5. Image: Select the vSRX Next-generation Firewall image.
   6. Size: Select DS3_v2 Standard as the vSRX Virtual Firewall VM size for this example.
   7. Authentication type: Select the required method of authentication to access the vSRX Virtual Firewall VM: Password or SSH public key.
   8. Public inbound ports: Retain Allow selected ports option.
   9. Select inbound ports: Select SSH 22 for this example.

4. Disks tab

   1. OS disk type: Specify the disk type to use for the vSRX Virtual Firewall VM: SSD or HDD.

5. Networking tab

   1. Virtual Network: Select the virtual network (mnha-vnet-zone for this example).
   2. Subnet: Select the virtual network (management-subnet for this example).
   3. Public IP: Select the public IP (vsrx-r0-ip for this example).
   4. Public inbound ports: Retain Allow selected ports option.
   5. Select inbound ports: Select SSH 22 for this example.

6. Review your settings and click Create.

Azure will start provisioning the vSRX VM based on your configuration. After the vSRX Virtual Firewall VMs are created, the Azure portal dashboard lists the new vSRX Virtual Firewall VMs under Resource Groups.

Note:

Remember to customize these steps based on your specific requirements and network design.

Deploy and configure another vSRX instance VM (vsrx-r0b) using the same steps as mentioned in this procedure.

Managed identities are created and linked to the resource group. These identities allow VMs to securely interact with Azure services without managing credentials.

The person who deploys the vSRX3.0 VM in Azure must have IAM (Identity and Access Management) permissions to create a user-assigned managed identity and attach it to the VM. This managed identity acts like a service principal, allowing the VM to authenticate and call Azure services without storing credentials.

Plan the network interface configuration on the vSRX Series firewalls on Azure. You can create interfaces before or after VM deployment:

• Before VM Deployment: Pre-create interfaces and assign them during VM setup.
• After VM Deployment: Attach additional interfaces to existing VMs as needed. This operation is supported only when the VM is powered off; adding interfaces while the VM is running is not possible.

In the following procedure, we create new interfaces and later attach them to VMs and assign IP addresses.

1. Navigate to Network interfaces in the Azure portal under the Networking section.
2. Click on Create network interface.
3. Enter the following details for the new network interface:
   • Name: Provide a unique name for your interface.
   • Region: Select the same region as your VNet, VMs, and IP addresses.
   • Virtual network: Choose the virtual network that you want your NIC to be associated with (mnha-vnet-zone for this example).
   • Subnet: Select the appropriate subnet. The subnets you created earlier will be available in the drop-down.
   • IP Version: Select IPv4 for this example.
   • Private IP address assignment: Select Static for this example.
4. Attach the public IP address you created earlier, if required.
5. Choose to create a new network security group or associate with an existing one.
6. Review the settings and click Create to provision the new interface.

1. In the VM's left-side menu click Networking > Network Settings.
2. Locate the attached network interface.
3. Click the network interface name to open its details in IP configuration page. In the IP configurations section, you’ll find the assigned IP address (if any), and you can also configure IP address.
   1. Check or uncheck Enable IP forwarding. Always enable IP forwarding on the control link interface. Make sure that default routes are configured on both the trust and untrust sides. Enable IP forwarding on revenue interfaces if required by your traffic topology. When in doubt, enable it to ensure proper traffic flow.
   2. Click +Add to add new IP configuration and enter the following details:

      • Name: Enter a name of the IP configuration (Example ipconfig or ipconfig1.

      • IP version: Select IPv4 or IPv6

      • Type: Select Primary or Secondary

      • Private IP Address: Allocation: Select Static or Dynamic. Static IP remains fixed as long as the VM exists and dynamic IP may change after VM reboots or power cycles.

      • Private IP Address: IP Address: Enter the IP address

      • Associate public IP address: Check or uncheck as per requirement. Note that, by default, only private IP addresses can be assigned to interfaces. Public IP addresses must be explicitly configured in the VM’s network interface settings. In this example, you have already created three public IP addresses: vsrx-r0-ip, vsrx-secondary-public-ip, and vsrx-r0b-ip. The actual public IP values (203.0.113.33, 198.51.100.253, and 203.0.113.35) are allocated automatically by Azure when the public IP resource is created. You cannot manually specify this IP; Azure assigns it from its managed address pools..

      Click Save to save your settings.

   Use the same steps to add the secondary IP address and the other required IP addresses on the corresponding interfaces of both VMs. For this example, use IP address configuration as mentioned in the tables: Table 5 and Table 6.

   Note: Only the active node VM (vsrx‑r0) requires a secondary IP address. Do not configure a secondary IP on the standby VM (vsrx‑r0b).

Table 5: Configuration of Interfaces and IP Addresses on vSRX VM Node 1 (vsrx-r0) (Active Node)

Interfaces	Subnet	IP Address	Public IP	IP Forwarding Option	Mapped to Interface(vSRX and Azure)
vsrx-r0213_z1	management-subnet	10.10.0.4	203.0.113.33	NA	fxp0 (eth0)
vsrx-r0-g0	ICL-subnet	10.10.1.4	NA	Enable	ge-0/0/0 (eth1)
vsrx-r0-g1	untrust-subnet	10.10.2.4	NA	Enable	ge-0/0/1 (eth2)
vsrx-r0-g1	untrust-subnet	10.10.2.5	198.51.100.253	Enable	ge-0/0/1 (eth2)
vsrx-r0-g2	trust-subnet	10.10.3.4	NA	Enable	ge-0/0/2 (eth3)
vsrx-r0-g2	trust-subnet	10.10.3.5	NA	Enable	ge-0/0/2(eth3)

Table 6: Configuration of Interfaces and IP Addresses on vSRX VM Node 2 (vsrx-r0b) (Backup Node)

Interfaces	Subnet	IP Address	Public IP	IP Forwarding Option	Mapped to Interface(vSRX and Azure)
vsrx-r0b545_z1	management-subnet	10.10.0.5	203.0.113.35	Enable	fxp0 (eth0)
vsrx-r0b-g0	ICL-subnet	10.10.1.5	NA	Enable	ge-0/0/0 (eth1)
vsrx-r0b-g1	untrust-subnet	10.10.2.6	NA	Enable	ge-0/0/1 (eth2)
vsrx-r0b-g2	trust-subnet	10.10.3.6	NA	Enable	ge-0/0/2(eth3)

See Interface Mapping for vSRX Virtual Firewall on Microsoft Azure for vSRX Virtual Firewall and Microsoft Azure interface names.

Click Settings > Networking to display interfaces, subnet, and IP configurations of your VM.

Network security groups can be applied at subnet level (affects all NICs in that subnet) or interface level. NSGs control traffic by IP, port, and protocol; associating NSGs at the interfaces level applies rules specific to that VM’s interface. The NSG must be in the same region and resource group as the network interface.

Resource tags in Azure are metadata elements consisting of a name and a value pair that you apply to your Azure resources, resource groups, and subscriptions.

To create tags, on your vSRX VM page, select Tags from left-navigation bar.

In this example, you create tags for both VMs to identify the trust and untrust interfaces on two vSRX Virtual Firewall instances. The following tables (Table 7 and Table 8show sample tags used in this example.

Table 7: Interface Tags on vSRXVM-1 (vsrx-r0)

Tag Name	Value
local_trust_interface	vsrx-r0-g2
local_untrust_interface	vsrx-r0-g1
peer_trust_interface	vsrx-r0b-g2
peer_untrust_interface	vsrx-r0b-g1

Table 8: Interface Tags on vSRXVM-2 (vsrx-r0b)

Tag Name	Value
local_trust_interface	vsrx-r0b-g2
local_untrust_interface	vsrx-r0b-g1
peer_trust_interface	vsrx-r0-g2
peer_untrust_interface	vsrx-r0-g1

Note that the tag values shown in the table represent the network interface names. You must use the same tag values in your setup. In MNHA setup on Azure, these tags are used to map each NIC to the corresponding vSRX interface. This mapping must match the real interface names so that the HA process can correctly shift secondary IPs between the appropriate trust and untrust interfaces during failover.

• Node 1

• Node 2

Note:

The secondary IP is owned only by the active node and becomes active on the backup node only during failover.

Note:

For fxp0 interface, management IP address is assigned by Azure and the management IP address is bound to fxp0.0 (unit 0).

CAUTION:

The configuration examples provided in this document allow all host inbound protocols and services for simplicity. In a production deployment, you must restrict inbound access to only the protocols and services required for your environment. For an MNHA setup, this configuration typically includes allowing IKE, BGP, and BFD. Always tailor the security rules to align with your network and security requirements.

• Node 1

• Node 2

• Node 1

• Node 2

• Node 1

• Node 2

• Node 1

• Node 2

CAUTION:

The security policy shown in this example is only for demonstration and testing. You should configure security policies as per your network needs. Ensure that your security policies allow only the applications, users, and devices that you trust.

• Node 1

• Node 2

• Node 1

• Node 2

• Node 1

• Node 2

• Node 1

• Node 2

See Example: Configure Multinode High Availability in a Layer 3 Network for details.