https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-deployment-why-snat-is-not-needed-for-e-w-traffic/m-p/1225556#M2348 <P>Ok, maybe I found the answer to this; for E/W you use internal load balancing where you have "HA ports" option in LB rule which enables LB for all traffic and causes internal LB to do load balancing per flow (instead of per packet I guess).</P> <P>&nbsp;</P> <P>High availability ports overview definition by MS:</P> <P>"Azure Standard Load Balancer helps you load-balance<SPAN>&nbsp;</SPAN><STRONG>all</STRONG><SPAN>&nbsp;</SPAN>protocol flows on<SPAN>&nbsp;</SPAN><STRONG>all</STRONG><SPAN>&nbsp;</SPAN>ports simultaneously when you're using an internal load balancer via HA Ports.</P> <P>High availability (HA) ports are a type of load balancing rule that provides an easy way to load-balance<SPAN>&nbsp;</SPAN><STRONG>all</STRONG><SPAN>&nbsp;</SPAN>flows that arrive on<SPAN>&nbsp;</SPAN><STRONG>all</STRONG><SPAN>&nbsp;</SPAN>ports of an internal standard load balancer. <STRONG>The load-balancing decision is made per flow</STRONG>. This action is based on the following five-tuple connection: source IP address, source port, destination IP address, destination port, and protocol"</P> <P>&nbsp;</P> Thu, 03 Apr 2025 08:37:43 GMT santonic 2025-04-03T08:37:43Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-deployment-why-snat-is-not-needed-for-e-w-traffic/m-p/1225544#M2347 <P>I've been checking the official Azure deployment guide, section&nbsp;Deploying Outbound and East-West Security.</P> <P><A href="https://www.paloaltonetworks.com/resources/guides/azure-transit-vnet-deployment-guide" target="_blank">https://www.paloaltonetworks.com/resources/guides/azure-transit-vnet-deployment-guide</A></P> <P>&nbsp;</P> <P>What I don't understand why SNAT is not required for E/W traffic while it is required for inbound traffic.</P> <P>&nbsp;</P> <P>What makes LB use the same FW for return traffic in E/W scenario but not for inbound connections?</P> Thu, 03 Apr 2025 06:25:21 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-deployment-why-snat-is-not-needed-for-e-w-traffic/m-p/1225544#M2347 santonic 2025-04-03T06:25:21Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-deployment-why-snat-is-not-needed-for-e-w-traffic/m-p/1225556#M2348 <P>Ok, maybe I found the answer to this; for E/W you use internal load balancing where you have "HA ports" option in LB rule which enables LB for all traffic and causes internal LB to do load balancing per flow (instead of per packet I guess).</P> <P>&nbsp;</P> <P>High availability ports overview definition by MS:</P> <P>"Azure Standard Load Balancer helps you load-balance<SPAN>&nbsp;</SPAN><STRONG>all</STRONG><SPAN>&nbsp;</SPAN>protocol flows on<SPAN>&nbsp;</SPAN><STRONG>all</STRONG><SPAN>&nbsp;</SPAN>ports simultaneously when you're using an internal load balancer via HA Ports.</P> <P>High availability (HA) ports are a type of load balancing rule that provides an easy way to load-balance<SPAN>&nbsp;</SPAN><STRONG>all</STRONG><SPAN>&nbsp;</SPAN>flows that arrive on<SPAN>&nbsp;</SPAN><STRONG>all</STRONG><SPAN>&nbsp;</SPAN>ports of an internal standard load balancer. <STRONG>The load-balancing decision is made per flow</STRONG>. This action is based on the following five-tuple connection: source IP address, source port, destination IP address, destination port, and protocol"</P> <P>&nbsp;</P> Thu, 03 Apr 2025 08:37:43 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-deployment-why-snat-is-not-needed-for-e-w-traffic/m-p/1225556#M2348 santonic 2025-04-03T08:37:43Z