Will Azure PaaS Services work if traffic is routed through Palo Alto Firewalls from Azure?

Pallab Chakraborty 401 Reputation points
2020-01-30T15:20:43.693+00:00

My customer is planning to implement two sets of firewalls , total 4 VMs of Palo Alto NVA
These 2 sets of NVAs of Palo Alto would be present in the Hub VNET in two different subnets.
There are like 2 spoke VNETS that has VNET peering with the Hub and traffic is routed via the Hub, means transitive peering is enabled via Hub to the On Prem via Express Route.
They will also use few PaaS Services like Web Apps and SQL PaaS etc.
So my question is , is it mandatory to enable outbound Internet from Azure for these PaaS Services to work properly ?
What if UDRs are created in the NVA and no egress internet traffic is allowed from Azure directly for example and everything has to be inspected by the Palo Alto NVA and then to the On Prem firewall and then outbound to Internet, will that break Azure PaaS Services and create a problem for their effective functioning ?
Security team doesn't want any outbound Internet Traffic directly from Azure without being inspected by Azure Palo Alto NVA and On Prem Firewall.

Azure Information Protection
Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
523 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,174 questions
0 comments No comments
{count} vote

1 answer

Sort by: Most helpful
  1. Abdul Waheed 1 Reputation point
    2021-06-04T16:02:38.653+00:00

    Hi,

    Yes, you can route PaaS traffic through the Palo Alto firewall.

    I believe you will have to follow these steps.
    1- Integrate App with regional VNET integrations.
    2- configure routing table to route traffic through the trust interface of Palo Alto Firewall.
    3- set up IPsec VPN with on-prem firewall using local network gateway and virtual network gateway.
    4- enable routing in local network gateway.
    5- configure vnet subnet as a point-to-site address in the virtual network gateway

    0 comments No comments