Azure vNet, reserved IP range, DHCP, and Palo Alto firewall VM

Joe Grover 566 Reputation points
2024-09-10T15:36:17.5266667+00:00

I'm setting up an Azure vNet for testing. I've created three subnets:

  • Hub subnet (Palo's management and WAN interfaces are here)
  • VM vnet (Test Windows Server VM is here)
  • DMZ vnet (not currently deployed)

My PA-VM firewall has its inside interface in the VM Vnet subnet. I've booted up the test VM and can ping it fine, but I'm running into an issue that I can't seem to figure out.

Let's say the VM Vnet is 10.100.10.0/24. DHCP in this Vnet is handing out 10.100.10.1 as its default gateway, but I can't assign that IP to the inside interface of my firewall as it says .1 falls within the reserved IP range of the 10.100.10.0/24 subnet. From what I've seen, this IP is reserved by Microsoft in the subnet.

If this is the case, what are my options? I've also seen that you can't configure the Azure DHCP options, so if I can't set my own gateway to use, and I can't set my firewall to use the IP that's being handed out for the gateway, what is my solution? Typically I'll reserve the first 10 IPs or so (depending on the network) for servers and equipment (if not using a different subnet for DHCP entirely), but I don't see a way of modifying the DHCP info Azure is using in my subnets.

Azure Virtual Network

Accepted answer
    TP 111.1K Reputation points
    2024-09-11T02:24:44.73+00:00

    Hi Joe,

    Let's say the VM Vnet is 10.100.10.0/24. DHCP in this Vnet is handing out 10.100.10.1 as its default gateway, but I can't assign that IP to the inside interface of my firewall as it says .1 falls within the reserved IP range of the 10.100.10.0/24 subnet. From what I've seen, this IP is reserved by Microsoft in the subnet.

    The first 4 and the last IP address in each subnet are reserved. You cannot change this. Excerpt from the Virtual Networks FAQ:

    Are there any restrictions on using IP addresses within these subnets? Yes. Azure reserves the first four addresses and the last address, for a total of five IP addresses within each subnet. For example, the IP address range of 192.168.1.0/24 has the following reserved addresses:

    • 192.168.1.0: Network address.
    • 192.168.1.1: Reserved by Azure for the default gateway.
    • 192.168.1.2, 192.168.1.3: Reserved by Azure to map the Azure DNS IP addresses to the virtual network space.
    • 192.168.1.255: Network broadcast address.

    What you can do in your example is assign your firewall 10.100.10.4 as static in the network interface config, and associate a route table with the subnet so that all traffic will flow to this firewall IP. Please take a look at the article below:

    Virtual appliance scenario

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-scenario-udr-gw-nva

    Additionally, the article below will be useful as well:

    Virtual network traffic routing

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

    Please review above and then add a comment below if you are unsure about something and/or you are seeing unexpected results, etc., and I'll assist further.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP
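As an added illustration of the accepted answer (this is not code from the thread or from Microsoft), the snippet below applies Azure's reserved-address rule to any subnet prefix, checks whether a candidate firewall address such as 10.100.10.1 or 10.100.10.4 may be assigned statically, and builds the user-defined route entry (ARM property names) that sends the subnet's traffic to the NVA. Function names are the example's own; the minimum subnet size of /29 is assumed from Azure's documented limits.

```python
# Added example, not from the Q&A thread: Azure reserves the first four and the
# last address of every subnet; a firewall NVA must take a later address, and a
# route table then steers traffic to it (accepted answer's approach).
import ipaddress


def reserved_addresses(subnet: str) -> list[str]:
    """The five addresses Azure reserves in a subnet: first four plus the last."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.num_addresses < 8:  # Azure's smallest supported subnet is a /29
        raise ValueError(f"{subnet} is smaller than /29 and not valid in Azure")
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def first_assignable(subnet: str) -> str:
    """Lowest address a NIC may hold statically (the fifth address, .4 in a /24)."""
    reserved_addresses(subnet)  # size validation
    return str(ipaddress.ip_network(subnet, strict=True)[4])


def check_nva_ip(subnet: str, candidate: str) -> tuple[bool, str]:
    """Say whether `candidate` is a usable static address for the NVA in `subnet`."""
    net = ipaddress.ip_network(subnet, strict=True)
    if ipaddress.ip_address(candidate) not in net:
        return False, f"{candidate} is outside {subnet}"
    if candidate in reserved_addresses(subnet):
        return False, f"{candidate} is reserved by Azure (first four or last address)"
    return True, f"{candidate} can be assigned as a static private IP"


def default_route_via_nva(nva_ip: str, subnet: str, name: str = "default-via-fw") -> dict:
    """Route-table entry forcing 0.0.0.0/0 through the NVA (ARM property names).

    Refuses an address Azure would never let the NVA's NIC hold, so a typo such
    as the reserved .1 fails here instead of at deployment time.
    """
    ok, why = check_nva_ip(subnet, nva_ip)
    if not ok:
        raise ValueError(why)
    return {
        "name": name,
        "properties": {
            "addressPrefix": "0.0.0.0/0",
            "nextHopType": "VirtualAppliance",
            "nextHopIpAddress": nva_ip,
        },
    }


if __name__ == "__main__":
    sub = "10.100.10.0/24"  # the subnet from the question
    print("reserved:", reserved_addresses(sub))
    print(check_nva_ip(sub, "10.100.10.1"))  # rejected: Azure's default-gateway slot
    print(default_route_via_nva(first_assignable(sub), sub))
```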

