Using Azure CLI to launch the VM-Series with Availability Zones

The VM-Series in Azure can be launched in multiple ways. This article covers launching the VM-Series into Azure using the Azure CLI. If you do not have the Azure CLI installed, you can use the Azure Cloud Shell online from the following URL


1. Set Azure CLI to ARM Mode
user@Azure:~$ azure config mode arm


2. Create a Resource Group

user@Azure:~$ az group create --name jpazpan1 --location centralus


3. Create a Virtual Network

user@Azure:~$ azure network vnet create --resource-group jpazpan1 --location centralus --name jpazpan1vnet --address-prefixes


4. Create 3 Subnets in the virtual network. The Subnets are for the Mgmt, Untrust and Trust interfaces. 

user@Azure:~$ azure network vnet subnet create --resource-group jpazpan1 --vnet-name jpazpan1vnet --name mgmt --address-prefix
user@Azure:~$ azure network vnet subnet create --resource-group jpazpan1 --vnet-name jpazpan1vnet --name untrust --address-prefix
user@Azure:~$ azure network vnet subnet create --resource-group jpazpan1 --vnet-name jpazpan1vnet --name trust --address-prefix


5. Create a Public IP Address. This will be used for the Management Interface of the VM-Series. 

user@Azure:~$ az network public-ip create  --name mgmtpip --resource-group jpazpan1 --location centralus --dns-name jpmgmtdns --allocation-method Dynamic --zone 2


Notice the --zone flag. It is required because a Public IP address used on a VM-Series in an Availability Zone in Azure must have exactly the same number of zones assigned to it.


6.  Create and Configure Multiple Network Interfaces

user@Azure:~$ azure network nic create --resource-group jpazpan1 --location centralus --name mgmtnic1 --subnet-vnet-name jpazpan1vnet --subnet-name mgmt


user@Azure:~$ azure network nic create --resource-group jpazpan1 --location centralus --name untrustnic1 --subnet-vnet-name jpazpan1vnet --subnet-name untrust


user@Azure:~$ azure network nic create --resource-group jpazpan1 --location centralus --name trustnic1 --subnet-vnet-name jpazpan1vnet --subnet-name trust 



7. Create Network Security Groups

user@Azure:~$ azure network nsg create --resource-group jpazpan1 --location centralus --name jpmgmtnsg


8. Create Network Security Group Rule. This will be used for inbound management access. 

user@Azure:~$ az network nsg rule create -g jpazpan1 --nsg-name jpmgmtnsg -n mgmtaccess --priority 110 --source-address-prefixes x.x.x.x/x --source-port-ranges '*' --destination-address-prefixes '*' --destination-port-ranges 22 443 --access Allow --protocol Tcp --description "Allow from specific IP address ranges on 22 and 443."


9. Add Network Security Group to MGMT NIC

user@Azure:~$ az network nic update -g jpazpan1 -n mgmtnic1 --network-security-group jpmgmtnsg


10. Attach Public IP to MGMT NIC

user@Azure:~$ az network nic ip-config update -g jpazpan1 --nic-name mgmtnic1 -n default-ip-config --public-ip-address mgmtpip


Note: At this time the VM-Series only supports a mgmt interface with public IP allocation when using availability zones.


11. Create VM-Series and Assign NICs During Deployment

user@Azure:~$ az vm create --resource-group jpazpan1 --name jpvmfw1 --location centralus --nics mgmtnic1 untrustnic1 trustnic1 --size Standard_D3_V2 --image paloaltonetworks:vmseries1:bundle2:8.1.0 --plan-name bundle2 --plan-product vmseries1 --plan-publisher paloaltonetworks --admin-username username --generate-ssh-keys --zone 2


For your SSH key you will see the following output. 

SSH key files '/home/username/.ssh/id_rsa' and '/home/username/.ssh/' have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage, back up your keys to a safe location.


When the launch is successful, you will see the following output:


"fqdns": "",
"id": "/subscriptions/xxxxxxxx-4d77-4bb7-b1a6-yyyyy82#####/resourceGroups/jpazpan1/providers/Microsoft.Compute/virtualMachines/jpvmfw1",
"location": "centralus",
"macAddress": "00-0D-3A-92-DE-DC,00-0D-3A-93-38-C1,00-0D-3A-93-3C-22",
"powerState": "VM running",
"privateIpAddress": ",,",
"publicIpAddress": "x.x.x.x",
"resourceGroup": "jpazpan1",
"zones": "2"



If you have any issues installing the Azure CLI or using your SSH key, please see the Microsoft Azure documentation, as Azure CLI is not supported by Palo Alto Networks Support.
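
To confirm that the management NSG from steps 8 and 9 admits only the intended source ranges, the following added example (not part of the original article and not Palo Alto Networks or Microsoft code) scans a rule listing for inbound Allow rules that expose TCP 22 or 443 to any source. The tab-separated column layout and the sample rules are constructed assumptions; lines in this shape can be produced from `az network nsg rule list` with a `--query` projection and `-o tsv`.

```shell
#!/usr/bin/env bash
# Added example: flag NSG rules that expose management ports to any source.
# Assumed input: one rule per line, tab-separated columns
#   name, access, direction, protocol, source prefixes, destination ports
# (multi-valued columns comma-separated).

audit_mgmt_rules() {
  awk -F'\t' '
    # True when any source entry means "anywhere".
    function open_source(list,   n, i, s) {
      n = split(list, s, ",")
      for (i = 1; i <= n; i++)
        if (s[i] == "*" || s[i] == "Internet" || s[i] ~ /\/0$/) return 1
      return 0
    }
    # True when the port list (single ports, ranges, or "*") includes port.
    function covers(list, port,   n, i, p, r) {
      n = split(list, p, ",")
      for (i = 1; i <= n; i++) {
        if (p[i] == "*") return 1
        if (split(p[i], r, "-") == 2) {
          if (port >= r[1] + 0 && port <= r[2] + 0) return 1
        } else if (p[i] + 0 == port) return 1
      }
      return 0
    }
    $2 == "Allow" && $3 == "Inbound" && (tolower($4) == "tcp" || $4 == "*") &&
      open_source($5) && (covers($6, 22) || covers($6, 443)) { print $1 }
  '
}

# Constructed sample rules (not output from a real deployment).
SAMPLE_RULES=$(printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
  mgmtaccess Allow Inbound Tcp 203.0.113.0/24 22,443 \
  ssh-any    Allow Inbound Tcp '*'            22 \
  web-range  Allow Inbound '*' Internet       400-500 \
  dns-out    Allow Outbound Udp '*'           53 \
  deny-all   Deny  Inbound '*' '*'            '*')

# Prints the names of the rules that need tightening.
printf '%s\n' "$SAMPLE_RULES" | audit_mgmt_rules
```

An empty result means no listed rule opens SSH or HTTPS management access to an unrestricted source.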



