Public IP address upgrade from Basic to Standard on Azure PA server. If we allow any-any on the NSG, will the PA firewall control the traffic?

Mounika b 20 Reputation points
2025-06-27T15:56:33.62+00:00

Upgraded the public IP address from Basic to Standard for the Azure PA server. We have multiple ethernets attached to the server:

Ethernet 1 - to access the PA application only, no public IP address attached

Ethernet 2 - Serves the devices hosted in Azure like AXway, VPN with public IP addresses attached to it. Those IP addresses were upgraded to Standard and an NSG is attached.

Questions:

  1. If we configure any-any rules in both inbound and outbound directions within the NSG, will the PA firewall rules still enforce traffic restrictions? I want to confirm whether NSG rules override or bypass the inspection and control enforced by the PA firewall.
  2. Since the VPN IP is also associated with the same network interface, do we need to replicate all PA firewall rules within the NSG to ensure consistent traffic control and avoid potential bypass scenarios?

2 answers

  1. Andreas Baumgarten 123.7K Reputation points MVP Volunteer Moderator
    2025-06-27T16:38:59.2133333+00:00

    Hi @Mounika b ,

    from my understanding and how it works:
    The NSG is a network communication filter "between" the Azure network (vNet, Subnet, Public IP) and the Azure resource (Virtual Machine).

    The NSG is associated directly with the PA server VM?

    regarding 1: With "any-any-allow inbound and outbound security rule" in NSG all traffic from vNet, Subnet, Public IP will be forwarded "unfiltered" to the PA server. The traffic will not be filtered by the NSG but the PA firewall will do the work of filtering the traffic.

    regarding 2: With "any-any-allow inbound and outbound security rule" in NSG there is no need to mirror the rules from PA firewall in the NSG.

    But ;-)
    You have to set up a proper routing for this scenario. All the traffic needs to be routed to the PA firewall, no traffic should bypass the PA server because of routing.


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten


  2. hossein jalilian 11,055 Reputation points Volunteer Moderator
    2025-06-27T16:44:59.6933333+00:00

    Thanks for posting your question in the Microsoft Q&A forum

    If you set any-any rules in both inbound and outbound directions in Azure NSG, all traffic is allowed at the network level. However, this does not bypass the Palo Alto (PA) firewall, as long as traffic is properly routed through it.

    • NSG is a basic Layer 4 filter. It allows or blocks traffic based on IP, port, and protocol but does not do deep inspection.
    • Palo Alto Firewall is a next-generation firewall (NGFW) that operates at Layers 3–7. It inspects traffic deeply and enforces its own security policies.
    • If traffic is routed through the PA firewall, it will apply its rules regardless of NSG settings.
    • If traffic bypasses the PA firewall (due to routing issues), NSG rules are the only controls in place.
    • You do not need to duplicate PA firewall rules in the NSG; use NSG for basic access restrictions and rely on the PA firewall for advanced security.
    • Ensure VPN and other traffic is correctly routed through the PA firewall to be inspected.

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

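Both answers make the result depend on routing: with an any-any NSG, the PA firewall only controls traffic that is actually routed to it. The following Python check is an added example, not code from either answerer; it reads a NIC's effective routes and reports destinations whose selected route does not use the firewall as next hop. The firewall IP `10.0.1.4`, the address ranges and the sample route table are constructed assumptions; the JSON shape follows the output of `az network nic show-effective-route-table`.

```python
import ipaddress
import json

# Constructed sample, shaped like `az network nic show-effective-route-table` output.
SAMPLE = json.loads("""
{"value": [
 {"source": "Default", "state": "Active", "addressPrefix": ["10.0.0.0/16"],
  "nextHopType": "VnetLocal", "nextHopIpAddress": []},
 {"source": "Default", "state": "Invalid", "addressPrefix": ["0.0.0.0/0"],
  "nextHopType": "Internet", "nextHopIpAddress": []},
 {"source": "User", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
  "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["10.0.1.4"]},
 {"source": "User", "state": "Active", "addressPrefix": ["10.0.2.0/24"],
  "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["10.0.1.4"]}
]}
""")["value"]

FIREWALL_IP = "10.0.1.4"  # assumption: private IP of the PA interface used as next hop
PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}  # tie-break on equal prefix

def selected_route(routes, dest):
    """Pick the active route used for dest: longest prefix, then source priority."""
    ip = ipaddress.ip_address(dest)
    best = None
    for r in routes:
        if r["state"] != "Active":  # overridden system routes show up as Invalid
            continue
        for p in r["addressPrefix"]:
            net = ipaddress.ip_network(p)
            key = (-net.prefixlen, PRIORITY.get(r["source"], 3))
            if ip in net and (best is None or key < best[0]):
                best = (key, r)
    return best[1] if best else None

def bypasses(routes, firewall_ip, destinations):
    """Return (destination, next hop type) pairs that are not sent to the firewall."""
    findings = []
    for d in destinations:
        r = selected_route(routes, d)
        via_fw = (r is not None and r["nextHopType"] == "VirtualAppliance"
                  and firewall_ip in r["nextHopIpAddress"])
        if not via_fw:
            findings.append((d, r["nextHopType"] if r else "None"))
    return findings

if __name__ == "__main__":
    print(bypasses(SAMPLE, FIREWALL_IP, ["203.0.113.10", "10.0.2.5", "10.0.3.7"]))
```

In the sample, internet-bound traffic and the 10.0.2.0/24 subnet go through the firewall, while 10.0.3.7 matches the more specific VNet system route and never reaches it, so only the NSG would apply there.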
