External Public IPs for Azure vWAN SaaS Solution

Raviraj Velankar 111

Hello Experts,

I have following query,

I have third party (PA FW) deployed in Azure behind Azure external LB. There are couple of Public front-end IPs configured on external LB which is used for incoming internet traffic for web applications. There is destination NAT configured in PA FWs for traffic destined for internal VMs which has web application. However, if there is requirement to migrate it to Azure virtual wan with integrated SaaS solution (PA FW as SaaS) then is it feasible to use same Public IPs (which is currently configured as Front-end IPs on Azure external LB) and whether we can configure more than one Public IP addresses in SaaS based PA FW untrust or external interface. If it is not feasible then what would approach to be taken to migrate those public front-end IPs from Azure external LB to Azure vWAN based SaaS firewall. Thank you.

Sai Prasanna Sinde (Quadrant Resource LLC) 925 Reputation points Microsoft Vendor

2024-10-14T16:00:33.9433333+00:00

Hi @Raviraj Velankar,

We are reaching out to the internal team to get more information related to your query and will get back to you as soon as we have an update.

Thanks for your understanding and patience.

Regards,

Sai Prasanna.
Sai Prasanna Sinde (Quadrant Resource LLC) 925 Reputation points Microsoft Vendor

2024-10-15T08:36:46.8466667+00:00
Hi @Anonymous

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

Yes, you can configure more than one Public IP address on the SaaS-based PA FW's external interface, and it depends on the specific PA FW solution and its configuration options.

Create a new instance of the PA FW as a SaaS service in Azure Virtual WAN. Configure the external interface of the PA FW with the desired public IP addresses. Ensure that the public IP addresses are correctly routed to the PA FW instance.

You cannot directly reuse the same public front-end IPs that are configured on the Azure external Load Balancer for your SaaS-based Palo Alto Firewall.

If you're unable to use the same Public IPs on the SaaS-based PA FW, you'll need to migrate the public front-end IPs from the Azure external LB to the Azure vWAN-based SaaS firewall.

Please check the below steps to achieve this:

Create a new instance in PA FW and configure the external interface with new public ip address.

Update the DNS records to point towards new public ip address.

Configure the Azure Virtual WAN to route the traffic from internet to PA FW.

Test the traffic flow from the internet to the internal VM's through the PA FW. For your reference: https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-palo-alto-cloud-ngfw#internet-ingress-dnat

Kindly let us know if the above helps or you need further assistance on this issue.

Thanks,

Sai Prasanna.
Raviraj Velankar 111 Reputation points

2024-10-15T11:48:11.8+00:00
Hi @Sai Prasanna Sinde (Quadrant Resource LLC)

Thank you for response. I did not get about these two points

You cannot directly reuse the same public front-end IPs that are configured on the Azure external Load Balancer for your SaaS-based Palo Alto Firewall.

If you're unable to use the same Public IPs on the SaaS-based PA FW, you'll need to migrate the public front-end IPs from the Azure external LB to the Azure vWAN-based SaaS firewall.

My query is whether it is feasible to dis-associate Public IPs from Azure ext LB, move it to Subscription where Azure virtual WAN & SaaS firewall is present and can use same Public IPs in new DNAT rules in SaaS firewall so that we can avoid other config changes such as new Public IP creation, Public DNS change or above steps are not feasible.
Sai Prasanna Sinde (Quadrant Resource LLC) 925 Reputation points Microsoft Vendor

2024-10-18T00:49:48.7666667+00:00

Hi @Raviraj Velankar,

Greetings!

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

We are pleased to help you.

Thanks,

Sai prasanna.
Sai Prasanna Sinde (Quadrant Resource LLC) 925 Reputation points Microsoft Vendor

2024-10-21T02:03:27.0433333+00:00

Hi @Raviraj Velankar,

Hope you are having a great day.

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If you are still facing any further issues, please don't hesitate to reach out to us. We are happy to assist you.

Looking forward to your response and appreciate your time on this.

Thanks,

Sai Prasanna.

1 answer

Sai Prasanna Sinde (Quadrant Resource LLC) 925 Reputation points Microsoft Vendor

2024-10-16T09:56:19.9833333+00:00
Hi @Raviraj Velankar,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

We understand that you want to know whether it is feasible to dis-associate Public IPs from Azure External Load balancer and move it to Subscription where Azure virtual WAN & SaaS firewall is present and can use same Public IPs in new DNAT rules in SaaS firewall.

It is possible to disassociate the public ip from the azure external load balancer and you can move them to a subscription where azure vWAN and Firewall present.

When you disassociate a public ip from an azure external load balancer, it will become available for use the other resources. You can associate this public ip to your firewall in vWAN.

Disassociate the public IP from external load balancer:

Go to azure portal and search for load balancer > Frontend IP configuration > Public IP > Disassociate.

If that doesn't work: Go to load balancer > Frontend IP configuration > Select the public ip > Choose the IP type as IP prefix and create a new IP prefix and save it.

Search for Public IP address and select the one you want to disassociate and disassociate the ip from load balancer.

Associate the Public IP with Firewall in Azure vWAN:

Go to > Firewall > Public IP configuration > Click on add a public ip configuration and associate the disassociated public ip of external load balancer.

Go to rules and create a DNAT rule by using the new associated public ip.

Note

You can't update the IP address if the firewall's existing IP has any DNAT rule associated with it.

Make sure you do not have any DNAT rules or delete them and then recreate them once you updated the IP Addresses.

Kindly let us know if the above helps or you need further assistance on this issue.

If this answers your query, please do click **Accept Answer** and **Yes** for was this answer helpful so that other community members can find the right answers.

Thanks,

Sai Prasanna.
Please sign in to rate this answer.

1 person found this answer helpful.
Sai Prasanna Sinde (Quadrant Resource LLC) 925 Reputation points Microsoft Vendor

2024-10-22T01:21:52.7333333+00:00

Hi @Raviraj Velankar,

Hope you are having a great day.

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If you are still facing any further issues, please don't hesitate to reach out to us. We are happy to assist you.

If you feel that your queries have been resolved, please accept the answer by clicking the "Upvote" and "Accept Answer" on the post.

Looking forward to your response and appreciate your time on this.

Regards,

Sai Prasanna.

Sai Prasanna Sinde (Quadrant Resource LLC) 925 Reputation points Microsoft Vendor

2024-10-23T01:42:34.7066667+00:00

Hi @Raviraj Velankar,

Greetings!

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If you are still facing any further issues, please don't hesitate to reach out to us. We are happy to assist you.

If you feel that your queries have been resolved, please accept the answer by clicking the "Upvote" and "Accept Answer" on the post.

Your contribution is highly appreciated.

Regards,

Sai Prasanna.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

External Public IPs for Azure vWAN SaaS Solution

1 answer

Your answer