Will Azure PaaS Services work if traffic is routed through Palo Alto Firewalls from Azure?

Pallab Chakraborty
2020-01-30T15:20:43.693+00:00

My customer is planning to implement two sets of firewalls, a total of 4 VMs of Palo Alto NVAs.
These 2 sets of Palo Alto NVAs would be present in the Hub VNet in two different subnets.
There are like 2 spoke VNets that have VNet peering with the Hub and traffic is routed via the Hub, meaning transitive peering is enabled via the Hub to on-prem via ExpressRoute.
They will also use a few PaaS services like Web Apps and SQL PaaS etc.
So my question is: is it mandatory to enable outbound Internet from Azure for these PaaS services to work properly?
What if UDRs are created in the NVA and no egress Internet traffic is allowed from Azure directly, for example, and everything has to be inspected by the Palo Alto NVA, then by the on-prem firewall, and then go outbound to the Internet? Will that break Azure PaaS services and create a problem for their effective functioning?
The security team doesn't want any outbound Internet traffic directly from Azure without it being inspected by the Azure Palo Alto NVA and the on-prem firewall.


1 answer

Abdul Waheed
    2021-06-04T16:02:38.653+00:00

    Hi,

    Yes, you can route PaaS traffic through the Palo Alto firewall.

    I believe you will have to follow these steps:
    1. Integrate the app with regional VNet integration.
    2. Configure the routing table to route traffic through the trust interface of the Palo Alto firewall.
    3. Set up an IPsec VPN with the on-prem firewall using a local network gateway and a virtual network gateway.
    4. Enable routing in the local network gateway.
    5. Configure the VNet subnet as a point-to-site address in the virtual network gateway.

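Steps 1 and 2 of the answer above, as an added Bicep example that is not the answerer's or the project's own code: a route table with a default route to the NVA, attached to the App Service integration subnet, plus route-all on the web app so that Internet-bound traffic also follows the UDR. The NVA trust-interface IP, address ranges, SKU and resource names are assumed placeholders.

```bicep
// Added example, not from the thread; all values (NVA trust IP, ranges, names)
// are assumed placeholders. UDR + route-all push the app's egress to the NVA.
param location string = resourceGroup().location
param nvaTrustIp string = '10.0.1.4' // assumed Palo Alto trust-interface IP

// Default route: everything leaving the integration subnet goes to the NVA.
resource rt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-appsvc-integration'
  location: location
  properties: {
    routes: [
      {
        name: 'default-to-nva'
        properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: nvaTrustIp }
      }
    ]
  }
}
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-spoke'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [
      {
        name: 'snet-appsvc-integration'
        properties: {
          addressPrefix: '10.1.10.0/24'
          routeTable: { id: rt.id }
          // Regional VNet integration requires this delegation.
          delegations: [ { name: 'web', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
        }
      }
    ]
  }
}
resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'plan-inspected'
  location: location
  sku: { name: 'P1v3', tier: 'PremiumV3' }
}
resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-inspected-example'
  location: location
  properties: {
    serverFarmId: plan.id
    virtualNetworkSubnetId: '${vnet.id}/subnets/snet-appsvc-integration'
    // Without route-all only RFC 1918 destinations enter the VNet; with it,
    // Internet- and PaaS-bound calls also hit the UDR, so the NVA must allow them.
    vnetRouteAllEnabled: true
  }
}
```

Once route-all is on, every dependency the app calls (SQL PaaS, storage, package feeds) is inspected by the NVA and the on-prem firewall, so the firewall rules must permit those destinations or the app's outbound calls will fail rather than bypass the inspection path.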