Hello, I have a palo alto VM series FW in hub network and ARO in spoke network distributed in 3 Azure Availability Zone. How to allow traffic to come from internet to reach through palo alto FW to reach to POD running in the ARO. PODs of same application are distributed across three Availability Zone. plz advice. What forwarding to be done where? What is best approach for return traffic.

@N-Open Thank you for reaching out and apologies for the delayed engagement here. I understand that you have a palo alto VM series FW in hub network and ARO in spoke network distributed in 3 Azure Availability Zone. Each subnet in Azure can be linked to a route table used to define how traffic initiated in that subnet is routed. You can define User Defined routes to direct traffic from the ARO cluster deployed in the spoke network to NVA deployed in your Hub Network. You can define a route with 0.0.0.0/0 as the address prefix and a next hop type of virtual appliance. This configuration allows the appliance to inspect the traffic and determine whether to forward or drop the traffic. If you intend to create a user-defined route that contains the 0.0.0.0/0 address prefix, read 0.0.0.0/0 address prefix first.. You can go through this tutorial to understand how to Route network traffic with a route table . Regarding high availability, of the NVA you can refer to this documentation here which explains the most common options to deploy a set of Network Virtual Appliances (NVAs) for high availability in Azure. Please refer to this documentation if you are using Azure WAN solution. Hope this helps! Please let me know if you have any additional questions. Thank you! Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Palo Alto VM series NGFW and Azure Redhat openshift

Accepted answer

ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee

2023-11-15T02:06:21.08+00:00

@N-Open

Thank you for reaching out and apologies for the delayed engagement here.

I understand that you have a palo alto VM series FW in hub network and ARO in spoke network distributed in 3 Azure Availability Zone.

Each subnet in Azure can be linked to a route table used to define how traffic initiated in that subnet is routed. You can define User Defined routes to direct traffic from the ARO cluster deployed in the spoke network to NVA deployed in your Hub Network. You can define a route with 0.0.0.0/0 as the address prefix and a next hop type of virtual appliance. This configuration allows the appliance to inspect the traffic and determine whether to forward or drop the traffic. If you intend to create a user-defined route that contains the 0.0.0.0/0 address prefix, read 0.0.0.0/0 address prefix first..

You can go through this tutorial to understand how to Route network traffic with a route table.

Regarding high availability, of the NVA you can refer to this documentation here which explains the most common options to deploy a set of Network Virtual Appliances (NVAs) for high availability in Azure.

Please refer to this documentation if you are using Azure WAN solution.

Hope this helps! Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

1 person found this answer helpful.
N-Open 160 Reputation points

2023-11-15T05:46:32.4566667+00:00

a3.jpgDear ChaitanyaNaykodi-MSFT •

Thank you. If I am deploying ARO in two regions and than distributing the applications between the two ARO (global traffic by Frontdoor and WAF). I guess I will need a PA in other region also to control the traffic. Does this archiecture work considering I use the right tool for connectivity for storage?

So I will need a hub and spoke archiecture in both the regions. Both the regions will be protected by PA which will be front end by front door?? correct. Diagram attached

Please advice if I need PA in both the regions to distribute incoming from front door to ARO?

ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee

2023-11-16T02:15:43.4333333+00:00

@N-Open

Thank you for getting back.

Based on your question above.

So I will need a hub and spoke archiecture in both the regions. Both the regions will be protected by PA which will be front end by front door?? correct. Diagram attached Please advice if I need PA in both the regions to distribute incoming from front door to ARO?

Yes, I think this architecture will work and you will have to deploy a PA in both regions to maintain high availability. Just highlighting a few points.

The PA firewall in your set-up should have a public IP address so that is accessible by the Azure Front Door(AFD) when it is added as an origin. Even though the communication between Azure Front Door and PA firewall will happen over Public IP the traffic will remain within the Microsoft Wide Area Network. More information here. Reference Architecture: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/security/hardened-web-app

If you want the communication between AFD and PA firewall to happen via private network (private IP address) then you can add an internal load balancer in your set-up and then use private link between AFD and Internal load balancer to send the traffic via private network. Something similar to as described here. The catch in your case will that as your set-up is multi region you will have to deploy two internal load balancers. Additional reference- https://learn.microsoft.com/en-us/azure/frontdoor/private-link

Depending on your requirement you can use different traffic routing methods in AFD to manipulate the traffic to each origin.

Hope this helps! Please let me know if you have any questions. Thank you!

N-Open 160 Reputation points

2023-11-16T05:08:35.53+00:00

Dear ChaitanyaNaykodi-MSFT •

Thank you for the detailed reply.

Can you help me find how do I keep storage synced between ARO cluster A in region 1 to ARO cluster B in Region 2 for hot/hot application? What disk options I have from Azure

For Synchronouse which is needed for hot/hot requirements I believe the distance requirement is 100 miles. correct??

For hot/warm which only one region is active and traffic goes to one site it will be asynchornosur replication - correct??

ChaitanyaNaykodi-MSFT 23,031 Reputation points Microsoft Employee

2023-11-16T18:55:23.48+00:00

@N-Open

Thank you for getting back. Actually, I do not have expertise in Azure storage. Can you please create a new thread for the questions above? my colleagues will definitely help answer your questions.
Sign in to comment

Palo Alto VM series NGFW and Azure Redhat openshift

1 additional answer