Need to reroute traffic through Palo Alto deployed in Azure

Anonymous
2023-09-18T00:52:34.2+00:00

We have some Palo Alto firewalls in Azure to extend our security from on-premises into Azure. Need to know how to route the traffic that comes into the gateway subnet through the PA subnets created during deployment.

Would like to know the best practices/recommended way to achieve this from Microsoft to ensure it is supportable with both vendors.

We are not trying to institute forced tunneling, but we want to redirect all traffic through the Palo Alto Firewall appliances we deployed in Azure. Traffic will still be allowed to egress through the Azure default route; we are looking to be able to inspect the traffic, report on it, and be able to block suspect traffic as needed before it makes it into our internal network.

Azure VPN Gateway

Accepted answer

KapilAnanth-MSFT (Microsoft Employee, Moderator)
2023-09-18T04:48:10.2733333+00:00

    @Anonymous

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to use an NVA for inspecting traffic that leaves Azure VNET and enters Azure VNET via Azure VPN Gateway.

    Consider a testVM in Azure which should send traffic to the NVA before reaching the VPN Gateway

    • testVM - defaultSubnet
    • NVA - nvaSubnet
    • Azure VPN Gateway - GatewaySubnet
    • OnPrem Range - 10.10.0.0/16
    • Azure VNET Range - 10.20.0.0/16

    A. Azure to OnPrem

    • Create a route table "toOnPREM" and attach it to the defaultSubnet
    • Add a route to the OnPREM Range "10.10.0.0/16" and set the next Hop as NVA with NVA's private IP
    • Do not add any route table to the "nvaSubnet"
    • The default system routes/BGP routes learned from VPN Gateway will forward the traffic from NVA to the VPN Gateway and your OnPremises.
    • NOTE: If your OnPREM is advertising ranges such as "10.10.1.0/24", "10.10.2.0/24" (i.e., breaking the bigger range into smaller ones), then you must override them accordingly.

    B. OnPrem to Azure

    • In the GatewaySubnet, create and attach a route table "toAzure"
    • Since we cannot add "0.0.0.0/0", you can add the Azure VNET Range and attach it here.
    • This becomes, "10.20.0.0/16" ----> NVA Private IP
    • This will forward all the traffic to Azure VNET to the NVA
    • Now, the default system routes learned from the VNET will enable the NVA to route traffic to the VMs in Azure.

    Refer: Virtual network traffic routing

    Please let us know if we can be of any further assistance here.

    Thanks,

    Kapil
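The two route tables from sections A and B above, written out as a Bicep template (an added example, not code from the thread or from Microsoft). Subnet and address ranges are the ones quoted in the answer; nvaPrivateIp is a constructed placeholder for the Palo Alto trust-side interface, and onPremPrefixes should list every prefix on-prem actually advertises, per the answer's NOTE.

```bicep
// Added example (not from the Q&A thread): the "toOnPREM" and "toAzure" route tables.
// nvaPrivateIp is a placeholder; replace it with the NVA's real private IP.
param location string = resourceGroup().location
param nvaPrivateIp string = '10.20.1.4'   // placeholder: NVA trust-side interface
param azureVnetRange string = '10.20.0.0/16'
// One entry per prefix on-prem advertises (answer's NOTE): a BGP-learned 10.10.1.0/24
// is more specific than a 10.10.0.0/16 UDR and would otherwise bypass the NVA.
param onPremPrefixes array = [
  '10.10.0.0/16'
]

// A. Azure -> OnPrem: attached to defaultSubnet so on-prem-bound traffic hits the NVA first.
resource toOnPrem 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'toOnPREM'
  location: location
  properties: {
    routes: [for prefix in onPremPrefixes: {
      name: 'onprem-${replace(replace(prefix, '.', '-'), '/', '_')}'
      properties: {
        addressPrefix: prefix
        nextHopType: 'VirtualAppliance'
        nextHopIpAddress: nvaPrivateIp
      }
    }]
  }
}

// B. OnPrem -> Azure: attached to GatewaySubnet so VNet-bound traffic is handed to the NVA.
// 0.0.0.0/0 is not accepted on GatewaySubnet, so the VNet range is used instead.
resource toAzure 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'toAzure'
  location: location
  properties: {
    routes: [
      {
        name: 'vnet-via-nva'
        properties: {
          addressPrefix: azureVnetRange
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaPrivateIp
        }
      }
    ]
  }
}

output toOnPremId string = toOnPrem.id
output toAzureId string = toAzure.id
```

Associate the tables afterwards with `az network vnet subnet update --route-table toOnPREM` on defaultSubnet and `--route-table toAzure` on GatewaySubnet, and leave nvaSubnet without a route table so the NVA's own egress follows the system and BGP-learned routes to the gateway and the VNet.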


