Support for deploying each Azure-hosted Firewall in Active / Passive HA, in a different Availability Zone.

• VM-Series Firewalls with PAN-OS version 9.0+
• Firewalls hosted on Azure and configured in Active / Passive HA via the VM-Series Plugin.

• At the time of this writing (04/14/2023), deploying VM-Series Firewalls in Active / Passive HA on Azure is not supported across multiple availability zones within the same Azure region, or across multiple regions.
• This means that both the Firewalls in the A/P HA pair have to be in the same availability zone.
• A supported alternative is to deploy independent Firewalls in different availability zones behind cloud-native load balancers such as the Azure Application Gateway or the Azure Load Balancer (Palo Alto Networks, Inc., 2023) .
• Please do note that this alternative will not feature session synchronization between the Firewalls (Palo Alto Networks, Inc., 2023).

• This alternative isn’t technically PAN-OS High Availability in the sense that there is PAN-OS-level configuration required and that the Firewalls depend on each other, but is generally acknowledged to be Active / Active High Availability.
• Please do note that you can reach out to your PANW Account Team in order to create a Feature Request to potentially have this implemented as a feature.

References