Multiple VNET traffic to Virtual Palo Alto

Gauravdeep Singh 0 Reputation points
2023-11-29T14:27:01.1066667+00:00

Hello team,

I have a design question. I've created multiple VNETs ( for DMZ and LAN environment ) in Microsoft Azure and set up IPSEC tunnel to remote site on Azure so that traffic can travserve and is working right now.

However, I did setup virtual Palo Alto in Azure and traffic from Multiple VNETs need to redirect to Palo Alto VM instead of Azure IPSEC.

We have 6 VNETs and Virtual Palo Alto has trusted and untrusted interfaces with default IP assignment.

  1. Please advise How can I traverse traffic from these VNETs to Palo Alto.
  2. Also, please advise do I need to create 6 IPSEC tunnels ( one of each VNET ) in Palo Alto to remote location ?

Thank you in advance

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,281 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Joe Carlyle 661 Reputation points MVP
    2023-11-29T16:09:19.0066667+00:00

    1- You can use Route Tables or Route Server to direct traffic to Palo Alto, for example a route of 0.0.0.0/0 to next hop of your trusted interface IP. In advance, you would need to peer your other vnets to the vnet with the palo.

    2 - I presume this means you want to move from Azure terminating VPN to terminating on the Palo? If so, yes you would need a tunnel per site. However, I wouldn't create a tunnel for each VNET. A hub spoke vnet design is much more efficient - https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli