Network prefix /29 does not work with the VM-series from Azure Marketplace
Created On 10/27/22 13:54 PM - Last Modified 11/13/25 00:03 AM
Symptom
Subnets with a "/29" prefix cannot be selected as the Untrust and Trust subnets when deploying the VM-Series firewall from the Azure Marketplace.
Environment
- VM-Series
- Azure
- 10.1.x
Cause
- The VM-Series template on the Azure Marketplace restricts the Trust and Untrust subnets by defining a minimum address count: "minAddressCount": 4
Resolution
There are two workarounds for this issue:
- Use the custom deployment template from GitHub: https://github.com/PaloAltoNetworks/azure/tree/master/vmseries-avset
- Deploy the VM-Series firewall with a different subnet mask initially, then shut down the VM, go to the NIC > IP configuration, and change the subnet and IP address.
Example steps:
A- Create the VNet with a /16 address space and 3 /24 subnets for the initial deployment.
B- Once the VM is created, shut it down.
C- Go back to VNet >> Subnets and create the 3 /29 subnets.
D- Change the IP configuration on the firewall's NICs to these new /29 subnets and power on the VM.
* You can later change the VNet address space to "/27" if needed.
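A planning aid for steps C and D, added here as an example and not taken from the article or the vendor's template. It relies on Azure reserving the first four addresses and the last address of every subnet, and it assumes the portal compares "minAddressCount" with the addresses that remain; the address ranges and the subnet names (mgmt, untrust, trust) are constructed.

```python
import ipaddress

MIN_ADDRESS_COUNT = 4  # value the article quotes from the Marketplace template


def assignable_ips(prefix):
    """Azure reserves the first four addresses and the last one of every subnet."""
    return list(ipaddress.ip_network(prefix))[4:-1]


def passes_marketplace_check(prefix, min_count=MIN_ADDRESS_COUNT):
    # Assumption: minAddressCount is compared with the assignable addresses.
    return len(assignable_ips(prefix)) >= min_count


def plan_subnets(vnet, existing, names, new_prefix=29):
    """Step C: choose new subnets that do not overlap the ones still in use.
    Step D: choose a static IP per NIC that lies outside the reserved addresses."""
    used = [ipaddress.ip_network(p) for p in existing]
    candidates = ipaddress.ip_network(vnet).subnets(new_prefix=new_prefix)
    plan = {}
    for name in names:
        subnet = next(c for c in candidates
                      if not any(c.overlaps(u) for u in used))
        used.append(subnet)
        plan[name] = {"subnet": str(subnet),
                      "nic_ip": str(assignable_ips(subnet)[0])}
    return plan


def smallest_vnet(prefixes):
    """Smallest single address space that contains every planned subnet."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    space = nets[0]
    while not all(n.subnet_of(space) for n in nets):
        space = space.supernet()
    return str(space)


if __name__ == "__main__":
    # Constructed layout: the /16 VNet and three /24 subnets from step A.
    initial = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
    plan = plan_subnets("10.0.0.0/16", initial, ["mgmt", "untrust", "trust"])
    for name, entry in plan.items():
        print(name, entry, "marketplace check:",
              passes_marketplace_check(entry["subnet"]))
    print("smallest VNet space:",
          smallest_vnet(e["subnet"] for e in plan.values()))
```

In a /29 only three addresses are assignable, so the static IP chosen in step D has to be one of the fifth, sixth or seventh address of the subnet.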