https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-the-return-traffic-for-on-prem-network-through/m-p/359438#M1040 <P>We have 2 Palo alto firewalls in Azure using the so called 'load balancer sandwich.'&nbsp; In addition we have a Microsoft ExpressRoute for connectivity to our on prem network.&nbsp; &nbsp;Currently our Expressroute traffic goes around the Palos but the intent is to have the expressroute traffic also go through the Palos.&nbsp; &nbsp;</P><P>&nbsp;</P><P>So if I create a UDR for one of the Subnets to the internal loadbalancer which then routes to either one of the 2 firewalls, I see the traffic going to our expressRoute on prem network fine.&nbsp; But if I initiate the traffic from our datacenter to Azure, the traffic doesn't go through the firewall.&nbsp; &nbsp;I've read that I need to have a udr on the gateway subnet in Azure pointing to the trust interfaces (or in our case the internal load balancer).&nbsp;&nbsp;</P><P>&nbsp;</P><P>From the Palos point of view the expressroute is on the Untrust.&nbsp; and so when I put a udr on the gateway subnet I'm having the return traffic go to the trust interfaces.&nbsp; I've tried to see if i can force the Palos to route the expressroute traffic through the trust interface by creating static routes to either our internal load balancer or the azure gateway.&nbsp; But each configuration breaks connectivity.&nbsp;</P><P>&nbsp;</P><P>My question is do I need the expressroute traffic to be going out the trust and not the untrust interfaces?&nbsp; &nbsp;I'm a little confused.&nbsp; hope someone can shed some light.&nbsp; thanks so much!</P> Wed, 28 Oct 2020 22:01:10 GMT nleslie1970 2020-10-28T22:01:10Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-the-return-traffic-for-on-prem-network-through/m-p/359438#M1040 <P>We have 2 Palo alto firewalls in Azure using the so called 'load balancer sandwich.'&nbsp; In addition we have a Microsoft ExpressRoute for connectivity to our on prem network.&nbsp; &nbsp;Currently our Expressroute traffic goes around the Palos but the intent is to have the expressroute traffic also go through the Palos.&nbsp; &nbsp;</P><P>&nbsp;</P><P>So if I create a UDR for one of the Subnets to the internal loadbalancer which then routes to either one of the 2 firewalls, I see the traffic going to our expressRoute on prem network fine.&nbsp; But if I initiate the traffic from our datacenter to Azure, the traffic doesn't go through the firewall.&nbsp; &nbsp;I've read that I need to have a udr on the gateway subnet in Azure pointing to the trust interfaces (or in our case the internal load balancer).&nbsp;&nbsp;</P><P>&nbsp;</P><P>From the Palos point of view the expressroute is on the Untrust.&nbsp; and so when I put a udr on the gateway subnet I'm having the return traffic go to the trust interfaces.&nbsp; I've tried to see if i can force the Palos to route the expressroute traffic through the trust interface by creating static routes to either our internal load balancer or the azure gateway.&nbsp; But each configuration breaks connectivity.&nbsp;</P><P>&nbsp;</P><P>My question is do I need the expressroute traffic to be going out the trust and not the untrust interfaces?&nbsp; &nbsp;I'm a little confused.&nbsp; hope someone can shed some light.&nbsp; thanks so much!</P> Wed, 28 Oct 2020 22:01:10 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-the-return-traffic-for-on-prem-network-through/m-p/359438#M1040 nleslie1970 2020-10-28T22:01:10Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-the-return-traffic-for-on-prem-network-through/m-p/359731#M1041 <P>I got it working.&nbsp; I created a static route on my Trust-vr for my On prem network - 10.0.0.0/8 that routes to my load balancer on my trust side.&nbsp; &nbsp;Then on the gateway subnet i created a route for my Azure subnet going to my loadbalancer as well and now traffic from my express route is going through my firewall!</P> Thu, 29 Oct 2020 19:16:13 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/routing-the-return-traffic-for-on-prem-network-through/m-p/359731#M1041 nleslie1970 2020-10-29T19:16:13Z