topic Re: S2S VPN with Active/Active FW Behind LB in VM-Series in the Public Cloud https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/s2s-vpn-with-active-active-fw-behind-lb/m-p/557958#M1982 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/216194">@catg80</a> ,</P> <P>In my humble opinion what you asking is not possible.</P> <P>- Azure Load Balancer workin on layer4 and support only TCP and UDP transport protocols</P> <P>- IPsec site-to-site VPN usually requries ESP transport protocol, which is not supported by Azure LB</P> <P>- As described in the following link you can use Azure LB for outbound connections, but outbound traffic is not actuall passive through the LB. Traffic is just simply tranlated (NAT) to the public IP assigned to the LB. <A href="https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections" target="_blank">https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections</A></P> <P>&nbsp;</P> <P>I personally don't like running Site-to-Site tunnels on firewall in Azure or AWS.</P> <P>I would preffer to use the cloud native components and establish the tunnel to Azure VPN gateway and if required use routing tables to forward the traffic from/to the tunnel to PAN FW for inspection.</P> <P>&nbsp;</P> <P>You metioned "between our tenancy and another orgs tenancy" - does this means you want to exchange traffic between your Azure&nbsp; enviroment and another Azure environment? If that is correct, I would recommend to use Azure Private Link and Private Endpoints - <A href="https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/private-link" target="_blank">https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/private-link</A> </P> <P>Yuo could still route such traffic over your firewall for inspection, but instead of adding the complexity of maintaining IPsec tunnel, just use the cloud native components to send it to the other organization.</P> <P>&nbsp;</P> Thu, 14 Sep 2023 14:29:33 GMT aleksandar.astardzhiev 2023-09-14T14:29:33Z S2S VPN with Active/Active FW Behind LB https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/s2s-vpn-with-active-active-fw-behind-lb/m-p/557659#M1981 <P>Hey all,</P> <P>we have 2 active palos in azure that are behind a public load balancer.</P> <P>have to create a S2S VPN between our tenancy and another orgs tenancy.</P> <P>has anyone done this before?</P> <P>not sure how can get this to work as traffic going through the load balancer seems to cause issues as its a long running connection.&nbsp;</P> <P>anyone know of any design guides that would discuss scenarios on this?</P> <P>&nbsp;</P> <P>thanks</P> Wed, 13 Sep 2023 05:59:36 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/s2s-vpn-with-active-active-fw-behind-lb/m-p/557659#M1981 catg80 2023-09-13T05:59:36Z Re: S2S VPN with Active/Active FW Behind LB https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/s2s-vpn-with-active-active-fw-behind-lb/m-p/557958#M1982 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/216194">@catg80</a> ,</P> <P>In my humble opinion what you asking is not possible.</P> <P>- Azure Load Balancer workin on layer4 and support only TCP and UDP transport protocols</P> <P>- IPsec site-to-site VPN usually requries ESP transport protocol, which is not supported by Azure LB</P> <P>- As described in the following link you can use Azure LB for outbound connections, but outbound traffic is not actuall passive through the LB. Traffic is just simply tranlated (NAT) to the public IP assigned to the LB. <A href="https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections" target="_blank">https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections</A></P> <P>&nbsp;</P> <P>I personally don't like running Site-to-Site tunnels on firewall in Azure or AWS.</P> <P>I would preffer to use the cloud native components and establish the tunnel to Azure VPN gateway and if required use routing tables to forward the traffic from/to the tunnel to PAN FW for inspection.</P> <P>&nbsp;</P> <P>You metioned "between our tenancy and another orgs tenancy" - does this means you want to exchange traffic between your Azure&nbsp; enviroment and another Azure environment? If that is correct, I would recommend to use Azure Private Link and Private Endpoints - <A href="https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/private-link" target="_blank">https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/private-link</A> </P> <P>Yuo could still route such traffic over your firewall for inspection, but instead of adding the complexity of maintaining IPsec tunnel, just use the cloud native components to send it to the other organization.</P> <P>&nbsp;</P> Thu, 14 Sep 2023 14:29:33 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/s2s-vpn-with-active-active-fw-behind-lb/m-p/557958#M1982 aleksandar.astardzhiev 2023-09-14T14:29:33Z